We added analytics — here's exactly what we can and can't see

For the first few months, this site flew completely blind. No analytics, no dashboard, no idea whether ten people or ten thousand were using it. That sounds principled, and in a way it was — but it also meant I couldn't answer the most basic question about my own project: is this actually useful to anyone?

So I turned on analytics. I want to be upfront about that, because the entire pitch of this site is privacy, and adding any measurement at all deserves an honest explanation. Here it is — including the one rule I refused to break, exactly what the analytics can and can't see, and how to check all of it yourself in about thirty seconds.

The one rule: your data never leaves your browser

This hasn't changed, and it never will. Everything you paste, type, or drop into a tool — JSON, a JWT, a password, an image — is processed entirely in your browser using native Web APIs. It is never uploaded, never logged, never stored. The analytics I added cannot see any of it, because it only ever knows which page you opened, not what you did on it.

That distinction is the whole point. There's a world of difference between "how many people opened the JWT decoder" and "which JWT they pasted into it." The first is a number I find genuinely useful. The second is none of my business — and the tools are built so that it's impossible for it to ever become my business.

What I use: Vercel Web Analytics

The tool I chose is Vercel Web Analytics, specifically because it is the most privacy-respecting option I could find that still answers the question. It is cookie-less, and it does not fingerprint your browser. Here's the honest breakdown of both sides.

What the analytics can see

• Which pages get visited, and how often.
• The referrer — the link or search that sent you here, when your browser chooses to share it.
• A rough country, derived from your IP address at the edge.
• Coarse device info: desktop vs. mobile vs. tablet, plus browser and operating system.

That's the entire list. It's the kind of aggregate "roughly this many people opened the JSON formatter from Germany on mobile this week" data that tells me what's worth building and what nobody touches.

What it can't see — by design

• Anything you type into a tool. The script only ever sees the page address; your input is never part of any event.
• Your IP address.It's used once, at the edge, to guess a country, then immediately discarded. It is never stored or attached to anything.
• Who you are across visits.Visitors are counted with a hash that resets every 24 hours, so there's no identifier that follows you from one day — or one site — to the next.
• You, specifically. No cookies are set, no fingerprint is taken, and the data is aggregate-only. There is no profile of you, because there is nothing to build one from.

A practical upshot: because it sets no cookies and stores nothing on your device, it falls outside the EU's cookie-consent rules — which is why you'll never get an annoying "accept cookies" banner on this site. It's GDPR-friendly because there's no personal data to protect in the first place. And it's first-party: the script is served from this domain, not some ad network, so nothing is ever sold, shared, or shipped off to a third party.

Why not Google Analytics?

Because Google Analytics — and most of its competitors — is built to do the exact thing this site exists to avoid: identify and follow individuals across sessions and sites, usually with cookies, often in service of ad targeting. I don't want that data, I don't want the consent banner it forces on you, and I don't want to ask you to trust a third party with your visit. A cookie-less, aggregate page-view counter is the smallest possible amount of measurement that still answers "is this useful?" — so that's all I run.

Don't trust me? Pull the plug.

You don't have to take my word for any of this. Two checks, both quick:

1. Watch the network.Open DevTools → Network. When a page loads you'll see one tiny ping to /_vercel/insights— that's the page-view counter, and it carries none of your input. Now use any tool: format, hash, decode, generate. Zero further requests fire. The work is happening on your machine.
2. Turn off your Wi-Fi. This is the real test. Load a tool, kill your connection, and keep working — format JSON, decode a JWT, generate a password. Everything still works with no network at all. Something that needed to phone home would break the instant you went offline. These don't — because they were never going to phone home in the first place.

And if you're working with something genuinely sensitive and you simply don't want to think about it: disconnect first, then use whichever tool you like. Offline isn't a fallback here — it's the default the entire site is built around.

The short version

I added an anonymous, cookie-less page-view counter so I can tell whether this project is worth continuing. It can count visits; it cannot see your data, store your IP, or know who you are. The tools themselves still run entirely in your browser, exactly as before. If that's still a deal-breaker for you, the off switch is your Wi-Fi toggle — and the tools will keep working anyway.

The full, plain-English version lives on the privacy page. And if you want the deeper argument for why these tools run locally at all, I wrote about that in why offline-first developer tools matter.