Launch FAQ

Frequently asked questions

The questions a privacy-conscious developer is most likely to ask before trying PrivBatch. If yours isn't here, email [email protected] or file an issue on github.com/PrivBatch/PrivBatch.

Privacy and verification

How can I trust PrivBatch doesn't send my data anywhere?

Don't trust, verify.

Three verifications, easiest first:

  1. Turn off your internet. Open the tool you need (e.g. /tools/csv-json) while online, then disconnect - airplane mode, wifi off, unplug ethernet, doesn't matter. Now run the conversion with real data. It still works. If your data were going to a server, the conversion would fail. It doesn't.
  2. Paste into the DevTools console. Press F12, click Console, paste fetch('https://example.com'). Watch the counter at the top of the page tick from 0 to 1. On the CLI page, the whole bar turns red. The interception wraps window.fetch and XMLHttpRequest.prototype.open; code is in js/gold-standard.js lines 30 to 45.
  3. Watch the Network panel. Press F12, click Network, run any tool with real data. Zero new requests. The full 60-second walkthrough is on /privacy-audit.
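
A sketch of the kind of interception step 2 describes, as an added example rather than PrivBatch's own js/gold-standard.js. The names installRequestCounter, makeFakeWindow and uncovered are hypothetical, and the fake window is constructed so the code runs outside a browser.

```javascript
// Added example; not PrivBatch's js/gold-standard.js. All names are hypothetical.
function installRequestCounter(win, onRequest = () => {}) {
  const log = [];
  const record = (api, url) => {
    log.push({ api, url: String(url) });
    onRequest(log.length, api, String(url)); // e.g. update an on-page counter
  };

  // fetch: accept a string, URL or Request, record it, then delegate.
  if (typeof win.fetch === 'function') {
    const origFetch = win.fetch;
    win.fetch = function (input, init) {
      record('fetch', (input && input.url) || input);
      return origFetch.call(win, input, init);
    };
  }

  // XMLHttpRequest: open() is where the URL is supplied.
  if (typeof win.XMLHttpRequest === 'function') {
    const proto = win.XMLHttpRequest.prototype;
    const origOpen = proto.open;
    proto.open = function (method, url, ...rest) {
      record('xhr', url);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  // Network-capable APIs that these two wrappers never see.
  const uncovered = [];
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    uncovered.push('navigator.sendBeacon');
  }
  for (const name of ['WebSocket', 'EventSource']) {
    if (typeof win[name] === 'function') uncovered.push(name);
  }
  return { count: () => log.length, log, uncovered };
}

// Constructed stand-in for a browser window so the example runs outside a browser.
function makeFakeWindow() {
  function FakeXHR() {}
  FakeXHR.prototype.open = function (method, url) { this.opened = `${method} ${url}`; };
  return {
    fetch: (input) => Promise.resolve({ ok: true, url: String(input) }),
    XMLHttpRequest: FakeXHR,
    WebSocket: function FakeWebSocket() {},
    navigator: { sendBeacon: () => true },
  };
}
```

In a browser, call installRequestCounter(window, ...) before any other script runs. The uncovered list is why the Network panel check in step 3 is the broader of the two: wrappers on fetch and XMLHttpRequest do not observe sendBeacon, WebSocket, EventSource or element-driven loads such as images.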

What about the CDN libraries you load?

PrivBatch loads JavaScript libraries (Papa Parse, SheetJS, jsPDF, JSZip, crypto-js, marked, cronstrue, js-yaml, jsonpath) from cdnjs.cloudflare.com and cdn.sheetjs.com. The CLI page additionally loads xterm.js and minimist from jsdelivr.net because cdnjs delisted those. Every library is listed at /built-with with version, licence, and source.

They serve static assets. No analytics, no telemetry. The initial page load fetches them; after that the network counter stays at 0 for any actual tool use.

What about localStorage? Isn't that also data?

localStorage stores two things: your tool preferences (theme, last-used settings per tool) and your Pro licence key after Gumroad verifies it. No file contents, no PII, no user data. Clear localStorage and you lose preferences only.

What about Pro licence verification?

The single network request in the entire Pro upgrade flow is a call to Gumroad's /v2/licenses/verify endpoint to confirm your licence key is valid. The counter honestly increments to 1 when this happens. After verification, the unlock is stored locally and Pro features keep working offline.

What happens with my data when I process a file?

It stays in your browser. The file is read into memory via the standard FileReader API, processed by JavaScript that runs in the tab, and output is downloaded back to you via a generated Blob URL. Nothing leaves the tab. If you blocked every outbound request with a firewall, every tool would still work.

About the builder

Who built PrivBatch?

One person. I'm not a developer by trade. I built it over about 3 weeks using Claude Code as a coding assistant, after deciding to try shipping something on the internet. The code is vanilla JavaScript, no build step, no framework, fully readable in view-source.

Was this built with AI?

Yes. I worked iteratively with Claude Code to build PrivBatch. Each tool was hand-tested for the privacy claim (DevTools Network panel = 0 requests during processing) before shipping. The security-sensitive parts use native Web Crypto (AES-256-GCM, PBKDF2 600k iterations) or pinned crypto-js >=4.2.0 (the CVE-2023-46233 fix). No custom cryptography was written; the LLM never had a chance to introduce subtle crypto bugs because it never wrote crypto primitives.

The full source is open at github.com/PrivBatch/PrivBatch (17 of 23 tools, MIT). Audit it.

What happens if you stop maintaining it?

Three layers of resilience. (1) The open-source MIT subset at github.com/PrivBatch/PrivBatch covers 17 of 23 tools. You can self-host the static files forever. (2) Lifetime licences keep working offline regardless of whether privbatch.com exists. (3) The entire site is static HTML/CSS/JS so anyone can fork it.

Can I trust security-sensitive code that an LLM helped write?

For the security-sensitive parts (AES encryption, JWT decoding, hash generation), PrivBatch uses well-known, audited primitives rather than custom code. Web Crypto API natively for AES; pinned crypto-js >=4.2.0 for hashes; pure base64 for JWT decoding (no signature verification - that's intentional, the use case is inspecting tokens). No custom crypto code means the LLM never had a chance to introduce subtle bugs in that layer.

Don't take my word for it. The code is open source. File an issue with anything questionable.
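
An inspect-only decoder of the kind described above, as an added example that is not PrivBatch's code: inspectJwt, base64UrlDecode and the sample token are constructed for illustration. It decodes the header and payload and states explicitly in its result that the signature was not checked.

```javascript
// Added example; not PrivBatch's code. Function names are hypothetical.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: reject invalid UTF-8 instead of silently substituting characters
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return { ok: false, error: 'expected three dot-separated segments' };
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (err) {
    return { ok: false, error: `cannot decode segment: ${err.message}` };
  }
  const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
  if (!isObject(header) || !isObject(payload)) {
    return { ok: false, error: 'header and payload must be JSON objects' };
  }

  // Decoding is not verification: nothing here checks parts[2].
  const notes = ['signature not verified; treat all claims as untrusted'];
  if (String(header.alg).toLowerCase() === 'none') notes.push('alg is "none": token is unsigned');
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) notes.push('exp is in the past');
  return { ok: true, signatureVerified: false, header, payload, notes };
}

// Constructed sample token (the signature segment is filler, not a real MAC).
const toSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toSegment({ alg: 'HS256', typ: 'JWT' }),
  toSegment({ sub: 'user-123', exp: 1700000000 }),
  'c2lnbmF0dXJl',
].join('.');
```

Any code that makes an authorization decision must verify the signature with a proper JWT library on the server; a decoder like this one is for reading tokens only.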

Pricing

What's free vs Pro vs Pro Business?

Free: all 23 tools, 20-file batch limit, watermark on batch output.

Pro (€29 lifetime): unlimited batch, no watermark, File Detective unlimited.

Pro Business (€59 lifetime): everything in Pro plus the GDPR Documentation Suite (RoPA, DPA template, Consent Receipts, processing log) and Bundle Mode for multi-tool audit ZIPs.

Both are a one-time payment - lifetime access, no subscription, no account required.

Why pay for tools that exist for free elsewhere?

Most free dev tools online (jsonformatter.org, csvjson.com, jwt.io, etc.) work by uploading your data to their server. PrivBatch never uploads anything. The Pro tier removes batch limits and watermarks for users running this at scale.

If the free tier covers your needs, just use it. No account, no email required.

Why lifetime pricing instead of subscription?

PrivBatch has no recurring infrastructure cost. The site is static, hosted on Cloudflare Pages, no servers, no databases, no auth backend. The marginal cost of a Pro user is approximately zero, so I charge once.

Can I get a refund?

Yes, via Gumroad's standard 30-day return policy. Email [email protected] if you need help.

Technical

Why vanilla JS with no framework?

Three reasons. (1) Auditable in a way a 50-layer framework isn't, which matters for a privacy-claiming product. (2) No build step means the code you see in DevTools is the code that actually runs. (3) Survives framework churn. Vanilla JS from 2015 still works; can't say the same for last year's framework hotness.

How does the browser CLI work?

xterm.js for the terminal, minimist for argument parsing, plus a small schema-driven command runner. Drag files onto the terminal, they become a virtual filesystem indexed by name. Pipes work because each command takes input via stdin (a string or Blob) and outputs to stdout. The schema registry maps CLI commands to the same process() functions the GUI tools use.

Full implementation in js/cli-runner.js and js/cli-commands.js.

What about CyberChef, regex101, jsonlint?

The honest comparison: those are great tools. CyberChef is much more powerful for crypto experimentation; regex101 has better regex visualisation. PrivBatch is more focused on common dev workflows (CSV/JSON/JWT/hash batch processing) with consistent UX across all 23 tools and a unified browser CLI on top.

Compare-to pages exist at /vs-jsonformatter, /vs-csvjson, /vs-jwt-io, /vs-base64encode, /vs-convertcsv. More coming post-launch based on what readers actually ask about.

Can I self-host this?

Yes, for the 17 free tools. Clone github.com/PrivBatch/PrivBatch and serve the static files with any web server (python -m http.server, nginx, anything). No build step required.

The Pro features (unlimited batch, GDPR suite) are not in the open-source repo.

Found a problem?

I found a privacy bug. What do I do?

Email [email protected] with the request log attached, or file an issue on GitHub. Privacy bugs are top priority. I'll respond and fix within hours of confirmation.

I have a feature request

File it as a GitHub issue with the feature-request label. The roadmap is data-driven from what's actually requested. Anything tracked in the issue tracker is something I'm thinking about.

How do I contact you?

Email: [email protected]

GitHub: github.com/PrivBatch/PrivBatch