Cookie Policy
Effective: May 10, 2026 · Updated: May 22, 2026 · Version 1.1
This Cookie Policy explains what storage technologies Loft Tools uses on your device, what they’re for, and how to control them. It supplements our Privacy Policy.
1. The short version
Loft Tools sets no advertising cookies, no third-party trackers, and no cross-site fingerprinting. We run our own first-party analytics on a same-origin endpoint (/_/c) — no data leaves Cloudflare, our infrastructure provider. For each page view we record only: path, UTC timestamp, country (from request headers), referring site host, and a one-way SHA-256 hash of (rotating daily salt + IP + User-Agent + site host). The salt is regenerated every 24 hours and the previous salt is destroyed, so the hash cannot be linked across days. Raw IP, User-Agent, and any file content are never written to disk.
We do use device-local storage (localStorage, IndexedDB, and a Service Worker cache) to make tools work offline and to remember your preferences. None of this data leaves your browser or is shared with us or anyone else.
We will update this page at least 14 days before anything material changes — for example, before we change analytics providers or before we serve any advertising.
2. The terminology, briefly
When privacy laws (the EU ePrivacy Directive, the UK PECR, the CCPA, etc.) talk about “cookies,” they often mean any technology used to read or store information on your device. That includes:
| Technology | What it is |
|---|---|
| Cookies | Small text files set by a website and sent back to the server with each request. |
| localStorage | A larger key-value store kept by your browser per site. Stays until cleared. |
| sessionStorage | Like localStorage but cleared when you close the tab. |
| IndexedDB | A larger structured database kept by your browser per site. |
| Service Worker cache | Files saved by your browser so the site can work offline. |
| Pixels / web beacons | Tiny invisible images that report back when loaded. |
| Browser fingerprinting | Building a “fingerprint” from the combination of your browser settings and capabilities. |
We refer to all of these as “storage technologies” below. Where a particular law uses the word “cookies” we mean it in the broad sense.
3. What we use today
3.1 Strictly necessary device-local storage (no consent required)
We use the following storage technologies, all of which are strictly necessary to provide a function you’ve explicitly requested. Under the ePrivacy Directive (recital 25 / Art. 5(3)) and equivalent rules, strictly necessary storage does not require prior consent.
| What | Where | Purpose | Lifetime |
|---|---|---|---|
| App shell cache | Service Worker cache | Make the Service work offline and load fast | Until you clear browser site data, or we update the cached version |
| Tool preferences | localStorage / IndexedDB | Remember your last-used unit, theme (dark/light), most-recently-used tools, draft text in a notepad-style tool | Until you clear browser site data |
| Recent files index (where applicable) | IndexedDB | Show “recent” entries inside a tool that you reopened. Files themselves are not stored unless the tool offers an explicit “save” option. | Until you clear browser site data |
These do not identify you, are not shared with anyone, and are not used for advertising or analytics.
3.2 First-party security cookies (set automatically by our hosting provider)
Cloudflare, our hosting provider, may set the following cookies for security and abuse prevention. These are considered strictly necessary and do not require prior consent under EU/UK rules.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| __cf_bm | Cloudflare | Bot management — distinguish humans from automated traffic | 30 minutes |
| cf_clearance | Cloudflare | Records that you have passed a security challenge so you don’t have to repeat it | 30 days (only set when triggered) |
We don’t read or share these cookies. Cloudflare’s cookie policy: cloudflare.com/cookie-policy.
When you open the sponsorship checkout on /sponsor, Stripe loads its hosted Checkout form inside an iframe served from js.stripe.com and checkout.stripe.com. Stripe sets cookies on its own domains to operate that form — for example, to maintain your checkout session, to fingerprint for fraud detection, and to remember “Link” saved cards across other Stripe-powered sites. Those cookies are governed by Stripe’s Privacy Policy and Stripe’s Cookie Settings, not by us. We do not read or share Stripe’s cookies.
3.4 First-party analytics (/_/c)
We run our own analytics on a same-origin endpoint. No third-party scripts, no advertising cookies, no fingerprinting, no cross-site tracking.
What we collect per page view:
- URL path (e.g. /tools/pdf-tools/compare-pdf/)
- UTC timestamp
- Country code (two-letter, from request headers)
- Referring site host (no path, no query)
- A one-way SHA-256 hash of (rotating-daily salt + your IP + your User-Agent + our domain)
What we DO NOT collect:
- Raw IP address (never written to disk)
- Raw User-Agent (never written to disk)
- Any cookie identifier
- Any file content you process with our tools
- Any cross-site browsing history
Salt rotation: the daily salt is regenerated every 24 hours and the previous salt is destroyed. This means the visitor hash cannot be linked across days — your visit on Monday cannot be associated with your visit on Tuesday by us or anyone else, even with database access.
Storage: rows live in our Cloudflare D1 database (managed by Cloudflare, region pair selected at infrastructure-provision time). Raw event rows are retained for 90 days; aggregate daily counts are kept indefinitely.
Lawful basis (GDPR): Article 6(1)(f) — legitimate interest in audience measurement, with CNIL Article 82 audience-measurement exemption criteria met (first-party, no cross-site tracking, anonymised, no third-party sharing). We do not consider this analytics setup to require a prior consent banner.
To opt out: enable the Global Privacy Control (GPC) signal in your browser (we honour Sec-GPC: 1 server-side — when the header is present we drop the beacon write entirely, before any hashing or D1 insert), or use a privacy extension that blocks lofttools.com/_/c. See §6.
Rate limit: we apply a per-IP soft cap (120 page views / minute) at the beacon endpoint. Excess beacons are silently dropped — no error is returned to the client — and never stored.
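The beacon handling described in this section, sketched as an added example; it is not Loft Tools' own code. The function names, the request shape, the NUL separators between hash inputs, the in-memory rate counter, and the use of Node's crypto module and a plain array in place of the Workers runtime and D1 are all assumptions made so the sketch runs offline.

```javascript
// Added illustration of section 3.4; all names here are hypothetical.
const { createHash, randomBytes } = require("node:crypto");
const DAY_MS = 24 * 60 * 60 * 1000;
const RATE_CAP = 120; // page views per IP per minute, as stated in the policy

function createBeacon(siteHost, rows) {
  let salt = null;        // kept in memory only
  let saltDay = -1;       // UTC day number the current salt belongs to
  const hits = new Map(); // ip -> { minute, count }; in memory, never persisted

  function dailySalt(now) {
    const day = Math.floor(now / DAY_MS);
    if (day !== saltDay) {
      salt = randomBytes(32); // overwriting destroys the previous day's salt
      saltDay = day;
    }
    return salt;
  }
  // Referrer is reduced to its host: no path, no query.
  const refHost = (r) => { try { return new URL(r).host; } catch { return null; } };

  return function handle(req, now) {
    // 1. GPC opt-out: return before any hashing or storage happens.
    if (req.headers["sec-gpc"] === "1") return "dropped-gpc";

    // 2. Soft cap: excess beacons are dropped silently and never stored.
    const minute = Math.floor(now / 60000);
    const h = hits.get(req.ip);
    if (!h || h.minute !== minute) hits.set(req.ip, { minute, count: 1 });
    else if (++h.count > RATE_CAP) return "dropped-rate";

    // 3. One-way visitor hash. The NUL separators are an assumption; the
    //    policy lists the inputs but not how they are joined.
    const visitor = createHash("sha256")
      .update(dailySalt(now))
      .update(["", req.ip, req.headers["user-agent"], siteHost].join("\0"))
      .digest("hex");

    // 4. Only the fields the policy lists reach the row; raw IP and UA do not.
    rows.push({
      path: req.path,
      ts: new Date(now).toISOString(),
      country: req.country,
      referrer: refHost(req.referrer),
      visitor,
    });
    return "stored";
  };
}
```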
When you click through to another third-party donation platform (Buy Me a Coffee, Ko-fi, GitHub Sponsors, or similar), that platform may set its own cookies on its own domain, governed by its own cookie/privacy policy. We do not see or share those cookies.
4. What we do not use
For clarity, we do not currently use:
- Google Analytics, Adobe Analytics, Mixpanel, Heap, or any similar analytics product;
- Meta Pixel, TikTok Pixel, Pinterest Tag, LinkedIn Insight Tag, X (Twitter) Pixel, or any other advertising pixel;
- Google Ads, Microsoft Ads, Meta Ads, programmatic ad networks, or any header bidding;
- A/B testing or feature-flagging tools;
- Session replay or heatmap tools (Hotjar, FullStory, LogRocket, etc.);
- Tag managers (Google Tag Manager, Adobe Launch);
- Browser fingerprinting libraries;
- Cross-site tracking of any kind.
We will update this list and section 5 before any of this changes.
5. What changes when we add ads
We expect to add the following:
5.1 Advertising
We are honest about our roadmap: advertising is planned for free-tier surfaces (likely a small number of category and tool pages). When advertising goes live:
- this page will list the ad networks and partners we use;
- a consent banner will be shown to visitors in the EEA, UK, Switzerland, Brazil, and any other jurisdiction with a prior-consent requirement, asking for granular opt-in before any non-essential cookies are set;
- visitors in the U.S. will be able to use the Global Privacy Control (GPC) browser signal to opt out of “sale” or “sharing” of personal information, and we will provide a “Do Not Sell or Share My Personal Information” link in the site footer;
- the Privacy Policy will be updated with the categories of advertising partners and how to exercise your rights with each.
We do not plan to use any of the following: tracking children under 13, building cross-device identity graphs, retargeting based on sensitive categories (health, religion, sexual orientation, financial distress), or selling personal data for monetary consideration.
6. Your choices
You can control storage technologies through your browser. Each browser handles this slightly differently; the major ones are:
- Google Chrome — Settings → Privacy and security → Cookies and other site data
- Mozilla Firefox — Settings → Privacy & Security → Cookies and Site Data
- Apple Safari — Settings → Privacy
- Microsoft Edge — Settings → Cookies and site permissions
- Brave — Settings → Shields & Privacy
You can also:
- Clear Loft Tools’ device-local storage at any time (which will reset preferences and the offline cache);
- Block all third-party cookies (which we recommend in general — none of our functionality depends on third-party cookies);
- Use a browser-level Global Privacy Control signal (we honour Sec-GPC: 1 server-side: when present, the analytics beacon write is dropped before any data is processed, regardless of jurisdiction);
- Use a private/incognito window (which discards storage when the window closes).
If you block strictly necessary cookies (e.g., the Cloudflare bot-management cookie), parts of the Service may not work correctly.
7. Changes to this Cookie Policy
Material changes will be highlighted at the top of this page for at least 30 days, and announced via a banner on the home page. We will not enable any new tracking, analytics, or advertising technology without first updating this page and giving at least 14 days’ advance notice.
A complete change history is available on request to [email protected].
Email: [email protected]
Mail: 577 East Chartres Street, Anaheim, CA 92805, U.S.A.