Privacy Policy
1. Our Privacy Commitment
StegTool is a fully client-side image steganography engine. We do not collect, store, transmit, or process any user data on remote servers. Every image you load, every text you encode, and every steganographic payload you extract stays entirely within your browser's sandboxed memory space. This privacy commitment is not a marketing claim — it is an architectural guarantee enforced by the technical design of our application.
StegTool was specifically engineered as a zero-server application because we recognize that steganography tools, by their nature, handle highly sensitive data: confidential text, proprietary images, copyright metadata, and in some cases legally protected communications. A server-based steganography platform would create an unacceptable concentration of secrets — a single point of failure that would attract malicious actors, legal demands, and insider threats. By ensuring that no data ever leaves your device, we make it mathematically impossible for us to access, leak, or surrender your information.
2. No Data Collection
StegTool does not collect, request, or retain any of the following:
- Personal information — names, email addresses, phone numbers, physical addresses, or any other personally identifiable information.
- Image files or image contents — the images you drop into the encode or decode panels are read exclusively by your browser's FileReader API into volatile JavaScript memory. No pixel data, no file metadata, and no thumbnail previews are transmitted to any server.
- Hidden text payloads — the text you type into the encode textarea and the text extracted during decode operations exist only in your browser's DOM and JavaScript variables. They are never serialized to disk (beyond the output PNG files you explicitly choose to download) and never sent over the network.
- Browser fingerprints — we do not use canvas fingerprinting, WebGL fingerprinting, font enumeration, or any other passive device identification technique.
- Behavioral analytics — we do not track which buttons you click, which tabs you switch between, how long you spend encoding, or any other interaction-level telemetry.
- IP addresses or geolocation — our web server logs are configured to exclude client IP addresses. We do not use the Geolocation API or any IP-to-location database.
3. Client-Side Execution Model — Technical Verification
Every steganographic operation in StegTool executes through a pipeline of standardized browser APIs that operate exclusively on your local device hardware:
- File Ingestion: The FileReader API reads your selected images as data URIs directly into JavaScript memory. At no point is a file descriptor, file path, or file content transmitted to any external endpoint.
- Image Rasterization: The HTML5 Canvas API decompresses your images into a raw RGBA pixel matrix. This canvas is an offscreen DOM element — it is never attached to the document tree and never serialized for network transmission.
- LSB Encoding/Decoding: Pure JavaScript bitwise operators (AND, OR, shift) modify individual channel values within the Canvas pixel buffer. This computation uses only your device's CPU cycles and RAM.
- PNG Export: Canvas.toBlob('image/png') serializes the modified pixel matrix into a downloadable binary. The resulting Blob is converted to an object URL and delivered through a programmatically triggered download link — standard browser download mechanics with no server interaction.
You can independently verify this architecture at any time: load StegTool in your browser, open Developer Tools (F12 or Ctrl+Shift+I), navigate to the Network tab, and then perform any steganography operation — encoding a batch of images, decoding a stego file, or switching between tabs. The only network requests you will observe are the initial static asset loads (HTML, CSS, JavaScript, fonts, and the Google Analytics script) and GA4 page-view beacons. Furthermore, disconnect your internet connection after the page finishes loading — all encode and decode functions will continue to operate without interruption, confirming that no external API call is required for core functionality.
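The LSB Encoding/Decoding step above, as an added example that is not StegTool's own code. It assumes a 32-bit big-endian length header followed by UTF-8 bytes, written one bit per R/G/B channel with alpha skipped; the names `embedText`, `extractText`, `channelIndex` and `capacityBits` are hypothetical. Anyone who knows the layout can read the payload back, which is why LSB embedding hides data but does not encrypt it.

```javascript
// Added example: LSB embed/extract on an RGBA buffer shaped like ImageData.data.
// Assumed layout (not StegTool's documented format): 32-bit big-endian byte
// length, then UTF-8 bytes, one bit per R/G/B channel; alpha stays untouched.
const HEADER_BITS = 32;

// Position of the n-th usable channel byte: every 4th byte (alpha) is skipped.
const channelIndex = (n) => n + Math.floor(n / 3);
const capacityBits = (rgba) => (rgba.length / 4) * 3;

function embedText(rgba, text) {
  const payload = new TextEncoder().encode(text);
  const totalBits = HEADER_BITS + payload.length * 8;
  if (totalBits > capacityBits(rgba)) throw new RangeError("payload exceeds capacity");
  const bitAt = (i) => {
    if (i < HEADER_BITS) return (payload.length >>> (HEADER_BITS - 1 - i)) & 1;
    const j = i - HEADER_BITS;
    return (payload[j >> 3] >> (7 - (j & 7))) & 1;
  };
  const out = Uint8ClampedArray.from(rgba); // work on a copy of the pixel buffer
  for (let i = 0; i < totalBits; i++) {
    const p = channelIndex(i);
    out[p] = (out[p] & 0xfe) | bitAt(i); // AND clears the LSB, OR sets the payload bit
  }
  return out;
}

function extractText(rgba) {
  const readBit = (i) => rgba[channelIndex(i)] & 1;
  let length = 0;
  for (let i = 0; i < HEADER_BITS; i++) length = ((length << 1) | readBit(i)) >>> 0;
  // An implausible length means there is no payload in this layout.
  if (HEADER_BITS + length * 8 > capacityBits(rgba)) return null;
  const bytes = new Uint8Array(length);
  for (let i = 0; i < length * 8; i++) {
    bytes[i >> 3] = (bytes[i >> 3] << 1) | readBit(HEADER_BITS + i);
  }
  return new TextDecoder().decode(bytes);
}

// Constructed 8x8 cover: 64 RGBA pixels, gradient colour values, opaque alpha.
const cover = Uint8ClampedArray.from({ length: 256 }, (_, i) =>
  i % 4 === 3 ? 255 : (i * 7) % 256);
const stego = embedText(cover, "hi, LSB");
console.log(extractText(stego), extractText(cover));
```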
4. Temporary Browser Memory — Data Lifecycle
All user data processed by StegTool exists exclusively within volatile browser memory (RAM) for the duration of a single page session:
- No persistent storage: StegTool does not write to localStorage, sessionStorage, IndexedDB, the Cache API, or any other browser persistence mechanism. No data survives a page refresh or tab closure.
- No file system access: StegTool does not use the File System Access API (showOpenFilePicker/showSaveFilePicker). Files are loaded through standard <input type="file"> elements and downloaded through standard anchor-click mechanics. The application never writes to your device's file system beyond the explicit PNG downloads you initiate.
- Automatic garbage collection: When you close or refresh the StegTool page, the browser's JavaScript engine immediately marks all Canvas objects, Image objects, ArrayBuffer allocations, and Blob references as eligible for garbage collection. The underlying memory pages are released back to the operating system within seconds.
- Thumbnail URLs: File thumbnail previews displayed in the file list are created using URL.createObjectURL(), which generates ephemeral blob: URLs tied to the document's lifetime. These URLs are programmatically revoked via URL.revokeObjectURL() when files are removed or the list is cleared.
5. Cookies and Local Tracking
StegTool's core steganography engine does not set, read, or require any cookies. The encode and decode tools operate in a completely stateless mode — there is no user session, no authentication token, no preference cookie, and no tracking identifier associated with tool usage.
The only cookies that may be present in your browser when using StegTool are first-party Google Analytics cookies (_ga, _ga_*) set by the gtag.js script for anonymous traffic measurement. These cookies are governed by Google's privacy policy, not StegTool's. You may block them entirely through browser settings, ad-blocking extensions, or Google's official Analytics opt-out browser add-on without affecting any steganography functionality.
6. Google Analytics 4 (GA4)
StegTool uses Google Analytics 4 (GA4) for lightweight, anonymous site traffic measurement. Specifically:
- What GA4 measures: Page view counts, approximate session duration, country-level geographic distribution, browser type and version, device category (desktop/mobile/tablet), and referral source (search engine, direct, social media).
- What GA4 does NOT receive: File contents, image pixel data, hidden text payloads, encode/decode parameters, file names, file sizes, text character counts, or any other data entered into or generated by the steganography tool. Our GA4 implementation uses only the default page_view event with no custom dimensions, custom metrics, or event parameters that could carry tool-specific data.
- IP anonymization: GA4 anonymizes IP addresses by default — the full IP address is never stored or exposed in reports.
- Data retention: GA4 data is retained for 14 months, which is the minimum allowed by Google's platform.
- Opt-out: You can opt out of GA4 tracking by installing Google's official opt-out browser add-on, or by configuring your browser to block requests to googletagmanager.com and google-analytics.com.
7. Third-Party Services and External Dependencies
StegTool's steganography engine has zero runtime dependencies on third-party services. The LSB encoding and decoding algorithms are implemented in vanilla JavaScript using only standardized browser APIs (TextEncoder, TextDecoder, CanvasRenderingContext2D, FileReader, URL, Blob). No external API endpoints are called during encode or decode operations.
The following external resources are loaded during page initialization only — none of them receive any steganography data:
- Google Fonts (fonts.googleapis.com): Delivers the Inter, JetBrains Mono, and Sora typeface files used for page styling. No user data is transmitted as part of font requests.
- Google Material Symbols (fonts.googleapis.com): Delivers icon font files. No user data is transmitted.
- Google Tag Manager / GA4 (googletagmanager.com): Delivers the gtag.js analytics script. No steganography data is transmitted (see Section 6).
We do not use any CDN resources for JavaScript libraries, CSS frameworks, or image assets beyond the above. All application logic, including Tailwind CSS (via a static minified file), is served directly from our origin server.
8. Transport Security and Integrity
StegTool is served exclusively over HTTPS with HSTS (HTTP Strict Transport Security) enforcement. While the steganography engine itself transmits no user data — making transport security less critical than for a traditional web application — HTTPS ensures:
- Asset integrity: The HTML, CSS, and JavaScript files that constitute StegTool are delivered without tampering, preventing man-in-the-middle attackers from injecting malicious code that could exfiltrate data or alter steganography results.
- Certificate validation: Your browser verifies that you are connected to the genuine StegTool server, not an imposter domain attempting to serve a compromised version of the application.
- Encryption in transit: All static assets are encrypted during delivery, preventing network observers from determining which specific tool pages you are accessing.
We recommend that users who require the highest level of assurance verify the integrity of served assets by comparing file hashes or using browser extensions that enforce Subresource Integrity (SRI) checks where applicable.
9. Steganography-Specific Privacy Considerations
Because StegTool is a steganography tool, users should be aware of several privacy considerations that extend beyond the application itself:
- Downloaded PNG files: The stego-encoded PNG files you download from StegTool contain your hidden text embedded in their pixel data. These files exist on your device's file system and are subject to your operating system's file permissions, backup systems, cloud sync services, and any malware present on your machine. StegTool has no control over how you store, transfer, or dispose of these files after download.
- Network transmission of stego files: If you choose to email, upload, or otherwise transmit a stego-encoded PNG over a network, that file — including its hidden payload — will traverse the network in the clear (unless transmitted over an encrypted channel). LSB steganography hides the payload from visual inspection; it does not encrypt it. For sensitive payloads, we strongly recommend encrypting your text before encoding it into the image, creating a two-layer security model.
- Forensic detectability: While LSB steganography at single-bit depth produces no visual artifacts, statistical analysis tools (chi-square tests, RS steganalysis, sample pair analysis) can detect anomalies in the LSB distribution of encoded images. StegTool makes no claim of resistance to statistical steganalysis. Users requiring steganalytic resistance should combine StegTool's LSB encoding with content-aware adaptive embedding techniques not provided by this application.
- Canvas anti-aliasing: StegTool explicitly disables Canvas image smoothing (imageSmoothingEnabled = false) to prevent anti-aliasing interpolation that could corrupt embedded bits. However, if a user subsequently opens the stego PNG in an image editor that applies smoothing, resampling, or lossy compression, the hidden payload may be partially or fully destroyed.
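The chi-square test named under "Forensic detectability", as an added example that is not part of StegTool. It computes a pairs-of-values statistic on one colour channel and compares a constructed cover with a fully embedded copy; the sample data, the xorshift32 generator and all function names are assumptions made for illustration, and the statistic is a simplified form that stops short of a p-value.

```javascript
// Added example: pairs-of-values chi-square statistic for one colour channel.
// Full LSB replacement with random-looking bits pushes the counts of each
// value pair (2k, 2k+1) toward equality, so the statistic falls to roughly
// the number of non-empty pairs; an untouched channel usually scores higher.
function pairChiSquare(samples) {
  const hist = new Uint32Array(256);
  for (const v of samples) hist[v]++;
  let statistic = 0;
  let pairs = 0; // degrees of freedom: one per non-empty pair
  for (let k = 0; k < 256; k += 2) {
    const total = hist[k] + hist[k + 1];
    if (total === 0) continue;
    const diff = hist[k] - hist[k + 1];
    statistic += (diff * diff) / total;
    pairs++;
  }
  return { statistic, pairs };
}

// Deterministic xorshift32 generator so the constructed data is reproducible.
function xorshift32(seed) {
  let x = seed >>> 0;
  return () => {
    x ^= x << 13;
    x ^= x >>> 17;
    x ^= x << 5;
    return (x >>>= 0);
  };
}

// Constructed cover channel: even values about three times as common as their
// odd neighbours, standing in for the asymmetry of a natural histogram.
function makeCover(n = 4096) {
  const rnd = xorshift32(0x1234abcd);
  return Uint8Array.from({ length: n }, () => {
    const r = rnd();
    return ((r >>> 8) & 0x7f) * 2 + (((r >>> 20) & 3) === 0 ? 1 : 0);
  });
}

// Constructed stego channel: every LSB replaced, as a full-capacity embed does.
function embedRandomBits(channel) {
  const rnd = xorshift32(0x9e3779b9);
  return channel.map((v) => (v & 0xfe) | (rnd() >>> 31));
}

const coverResult = pairChiSquare(makeCover());
const stegoResult = pairChiSquare(embedRandomBits(makeCover()));
console.log(coverResult, stegoResult);
```

A payload that fills only part of the image equalizes fewer pairs, so the gap between the two scores narrows as the embedding rate drops.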
10. Children's Privacy and COPPA Compliance
StegTool does not collect personal information from any user, regardless of age. Since no user data is gathered, stored, or processed, our service is inherently compliant with the Children's Online Privacy Protection Act (COPPA) in the United States and analogous child privacy regulations in other jurisdictions (GDPR-K in the EU, Age Appropriate Design Code in the UK). There are no accounts to create, no forms to submit, and no mechanisms through which a user of any age could provide personal information to us.
11. International Data Protection Compliance
Because StegTool processes zero personal data, it operates outside the scope of most data protection regulations' core requirements:
- GDPR (EU/EEA): StegTool does not act as a data controller or data processor because no personal data is collected or processed. The tool's client-side-only architecture means that any personal data a user chooses to embed as steganographic payload is processed exclusively on the user's own device and never enters our infrastructure.
- CCPA/CPRA (California): StegTool does not collect, sell, or share personal information as defined by California law.
- LGPD (Brazil), PIPEDA (Canada), PDPA (Singapore): These frameworks regulate the collection and processing of personal data by organizations. Since StegTool collects no personal data, these regulations impose no operational requirements on our service.
12. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in our technical architecture, legal obligations, or operational practices. Material changes will be noted on this page with an updated effective date. We encourage users to review this policy periodically. Continued use of StegTool after any modifications constitutes acceptance of the updated policy. If a material change introduces data collection where none previously existed, we will provide prominent notice on the StegTool homepage at least 30 days before the change takes effect.
13. Contact
For questions about this privacy policy, requests for technical clarification of our client-side architecture, or reports of potential security vulnerabilities, contact us at [email protected].
Last updated: June 05, 2026