"Your data is private" is a marketing line. "The processing happens in your browser and nothing is uploaded" is a technical claim you can verify. The difference matters, because the JSON you paste into a tool is often more sensitive than it looks.
Two ways a tool can work
A server-side tool takes your text, sends it to a backend, processes it there, and returns the result. Your payload left your machine — it sat in someone's server memory and possibly their logs.
A browser-local (client-side) tool runs the formatting, decoding, or conversion in JavaScript on your own device. The data is read from the textarea, transformed in memory, and shown back — it never travels. Same result, but the bytes stay with you.
Why it matters
API responses are rarely just "data." A single payload can contain access tokens, a customer's email and address, internal record IDs, or a JWT that is still valid. Paste that into a server-side formatter and you have, in effect, shared a working credential or personal data with a third party you know nothing about. For anything under a privacy or compliance obligation, that is a reportable event, not a convenience.
How to verify the claim
You don't have to take anyone's word for it. Open your browser's developer tools, go to the Network tab, and process some input. If the tool is genuinely local, no request fires when you click format/decode/convert:
1. Open DevTools (F12 or Cmd/Ctrl+Shift+I)
2. Network tab → clear it
3. Paste input, run the tool
4. Watch the request list:
- stays empty → processing is local
- new POST appears → your data was sent somewhere
A second tell: disconnect from the network (or use airplane mode). A truly local tool keeps working offline; a server-side one stops.
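To make the Network tab check repeatable, the following added example (not PayloadIQ's code) scans a HAR file exported from the Network tab for a marker string you pasted into the tool. The canary value, hostnames and sample HAR are constructed, and the matcher only covers the raw, percent-encoded and base64 forms, so an empty result supports the local claim without proving it.

```javascript
// Added example: look for a canary string in a HAR export of the tool run.
const CANARY = "canary:7f3a91"; // constructed marker, pasted into the tool under test

// Forms the canary may take on the wire; compressed or encrypted bodies are not covered.
function canaryForms(canary) {
  return [...new Set([
    canary,
    encodeURIComponent(canary),
    Buffer.from(canary, "utf8").toString("base64"),
  ])];
}

// Return every request whose URL, headers or body carries the canary.
function findLeaks(har, canary) {
  const forms = canaryForms(canary);
  const hits = [];
  for (const { request: r } of har.log.entries) {
    const parts = {
      url: r.url,
      headers: (r.headers || []).map((h) => `${h.name}: ${h.value}`).join("\n"),
      body: (r.postData && r.postData.text) || "",
    };
    for (const [where, text] of Object.entries(parts)) {
      if (forms.some((f) => text.includes(f))) {
        hits.push({ method: r.method, url: r.url, where });
      }
    }
  }
  return hits;
}

// Constructed HAR 1.2 fragment standing in for a real export.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://tool.example/app.js", headers: [] } },
  { request: { method: "POST", url: "https://tool.example/api/format", headers: [],
      postData: { mimeType: "application/json",
        text: JSON.stringify({ input: `{"token":"${CANARY}"}` }) } } },
  { request: { method: "GET", headers: [],
      url: "https://metrics.example/t?d=" + encodeURIComponent(CANARY) } },
  { request: { method: "GET", url: "https://tool.example/ping",
      headers: [{ name: "X-Ctx", value: Buffer.from(CANARY).toString("base64") }] } },
] } };

for (const hit of findLeaks(sampleHar, CANARY)) {
  console.log(`${hit.method} ${hit.url} carries the canary in its ${hit.where}`);
}
```

Use a fake marker rather than a real secret for the test run, and treat any request that fires on format/decode/convert as worth reading even when the scan finds nothing.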
When to care most
Be strictest with secrets and tokens, customer or employee personal data, anything from a production system, and anything covered by GDPR, HIPAA, or a customer contract. For a throwaway example with no real data, it matters less — but it costs nothing to default to a local tool and never have to make that judgment call.
Common mistakes
- Equating "free online tool" with "private." Free usually means server-side; price and privacy are unrelated.
- Pasting production payloads into unknown sites. You can't un-send data.
- Sharing URL links that encode the data. A "share" link with your JSON in the hash exposes it to anyone who gets the URL.
- Assuming HTTPS means private. HTTPS protects data in transit; it says nothing about what the server does with it after.
How PayloadIQ handles it
Every transform in PayloadIQ — formatting, decoding, generating types — runs in your browser. The server is contacted only for sessions, usage limits, payments, and license checks, and those calls never include your payload. The utilities upload nothing at all: open the Network tab and you'll see them stay quiet. That's the claim, and it's one you can check in about thirty seconds.