Ai Sleads

Privacy Policy

Effective Date: June 1, 2026 • Last Updated: June 13, 2026

This Privacy Policy describes how Ai Sleads ("we," "our," or "the tool"), accessible at https://aisleads.com, handles your information. Ai Sleads is a browser-based password security utility operated by the 345tool Team, providing two integrated functions: a real-time password strength checker (entropy calculation via H = L × log₂(N), multi-factor composite scoring, crack-time estimation across three attack vectors calibrated to hashcat v6.2.6 benchmarks, pattern detection against 35 breached credentials and 14 keyboard walks, and actionable improvement suggestions) and a cryptographic random password generator using the Web Crypto API's crypto.getRandomValues() CSPRNG.

The central principle governing this policy is straightforward: Ai Sleads is engineered so that there is nothing to collect, nothing to store, and nothing to share. Every aspect of the tool's architecture — from the JavaScript engine design to the server configuration — was built to make data collection architecturally impossible, not merely procedurally avoided. This policy explains how that works in technical detail.

1. Zero-Server Architecture — Technical Implementation

1.1 The JavaScript Engine Runs Exclusively in Your Browser

The entire password analysis pipeline is implemented in a single self-contained vanilla JavaScript file — password-checker.js — with zero external dependencies and zero network calls. The file contains no fetch() invocations, no XMLHttpRequest objects, no navigator.sendBeacon() calls, no WebSocket constructors, and no beacon pixels. You can verify this by opening your browser's Developer Tools, navigating to the Network tab, typing a password into the input field, and observing that no outbound requests are generated — the network panel remains completely silent during all password analysis operations.

1.2 Specific Functions Executed Client-Side

Every computational function operates inside your browser's JavaScript sandbox:

  • calcEntropy(password): computes Shannon entropy H = L × log₂(N) by analyzing character-set cardinality at runtime — detecting whether lowercase (a-z, 26), uppercase (A-Z, 26), digits (0-9, 10), and symbols (32 characters) are present in the input.
  • calcStrengthScore(password): derives a 0–100 composite score from weighted entropy (40%), length bonus (capped at 30), character diversity (0–20 points for four character classes), and subtractive pattern penalties (common passwords, keyboard walks, sequential runs, repeated characters, type-homogeneity).
  • estimateCrackTime(password): computes search-space size from detected character sets, divides by 2 for average-case, then estimates crack time against three hashcat-calibrated speeds: online throttled (1,000 guesses/sec), offline fast hash MD5 (100 billion/sec via 8× RTX 4090), offline slow hash bcrypt (10,000/sec). Results are formatted with adaptive time unit scaling from seconds to millennia.
  • getSuggestions(password, score): generates contextual improvement suggestions by matching input against a 35-entry common-password blacklist (password, 123456, qwerty, iloveyou, etc.), 14 keyboard walk patterns across QWERTY/AZERTY/numeric keypad layouts, sequential character detectors, and repeated character detectors.
  • generatePassword(length, useLower, useUpper, useDigits, useSymbols): produces cryptographically random character sequences via crypto.getRandomValues(new Uint32Array(length)) — not the predictable Math.random() — with a post-generation enforcement pass guaranteeing at least one character from each selected set.
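The entropy and crack-time arithmetic described in the list above, as an added sketch that is not the contents of password-checker.js. It shows that H = L × log₂(N) is an upper bound that assumes uniformly random characters: the blacklisted string "password" still scores about 37.6 bits, which is why the policy pairs the formula with pattern penalties. Assumptions: the helper names alphabetSize, calcEntropyBits and formatDuration, the symbol set (the 32 printable ASCII punctuation characters), the 365.25-day year, and the output formatting.

```javascript
// Added example, not the project's code. Character-set sizes and attack
// rates are the figures quoted in the policy text; everything else is assumed.
const CHARSETS = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  // Assumption: "symbols (32 characters)" means ASCII punctuation.
  { name: "symbol", re: /[\x21-\x2f\x3a-\x40\x5b-\x60\x7b-\x7e]/, size: 32 },
];

// Guesses per second for the three attack vectors named in the policy.
const ATTACK_RATES = {
  onlineThrottled: 1e3,   // 1,000 guesses/sec
  offlineFastHash: 1e11,  // 100 billion/sec (MD5)
  offlineSlowHash: 1e4,   // 10,000/sec (bcrypt)
};

const YEAR = 31557600; // seconds in a 365.25-day year (assumption)
const UNITS = [
  ["millennia", YEAR * 1000], ["years", YEAR], ["days", 86400],
  ["hours", 3600], ["minutes", 60], ["seconds", 1],
];

// N: sum of the sizes of every character class present in the input.
// Characters outside the four classes (spaces, non-ASCII) add nothing here.
function alphabetSize(password) {
  return CHARSETS.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// H = L * log2(N); 0 for empty input or input with no recognised class.
function calcEntropyBits(password) {
  const n = alphabetSize(password);
  const len = Array.from(password).length; // count code points, not UTF-16 units
  return n > 0 ? len * Math.log2(n) : 0;
}

function formatDuration(seconds) {
  if (seconds < 1) return "under 1 second";
  for (const [unit, size] of UNITS) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${unit}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Average case: half the search space, i.e. 2^(H-1) guesses, per attack rate.
function estimateCrackTime(password) {
  const bits = calcEntropyBits(password);
  const result = {};
  for (const [vector, rate] of Object.entries(ATTACK_RATES)) {
    const seconds = bits > 0 ? Math.pow(2, bits - 1) / rate : 0;
    result[vector] = { seconds, text: formatDuration(seconds) };
  }
  return result;
}

// Constructed sample inputs.
for (const pw of ["password", "Tr0ub4dor&3"]) {
  const t = estimateCrackTime(pw);
  console.log(pw, calcEntropyBits(pw).toFixed(1) + " bits",
    t.onlineThrottled.text, "|", t.offlineFastHash.text, "|", t.offlineSlowHash.text);
}
```
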

1.3 No Local Storage Persistence

Password data exists exclusively in your browser's volatile RAM while the tab is open. The tool does not write to localStorage, sessionStorage, IndexedDB, document.cookie, or any other browser storage API in connection with password content, analysis results, or generated passwords. Closing or refreshing the browser tab permanently and irrecoverably destroys all entered text. There is no server-side session, no database row, and no log entry to reconstruct it from.

1.4 Offline Functionality Verification

After the initial page load (which fetches HTML, CSS, JavaScript, and font assets), you can disconnect your device from the internet entirely — disable Wi-Fi, unplug Ethernet, enable airplane mode — and the password strength checker and random password generator continue to operate at full functionality. This serves as a practical verification that no server round-trips are required for any core operation.

2. Information We Do NOT Collect

To eliminate ambiguity, Ai Sleads does not collect, store, transmit, or process any of the following categories of information:

2.1 Password Content & Analysis Results

  • Password text, characters, or content of any kind
  • Password strength scores, entropy values (in bits), or crack-time estimates (in seconds/minutes/hours/days/years)
  • Character-set composition analysis (which of lowercase/uppercase/digits/symbols are present)
  • Pattern detection results (common password matches, keyboard walk matches, sequential/repeated character detections)
  • Improvement suggestions generated for the entered password
  • Generated random passwords — generation and display are entirely local; the output is never transmitted

2.2 Behavioral & Biometric Data

  • Keystroke dynamics, typing speed, typing rhythm, or inter-key latency
  • Mouse movements, click coordinates, scroll depth, or dwell time
  • Copy/paste events involving password content
  • Toggle interactions (show/hide password visibility, character-set checkbox toggles, slider adjustments)

2.3 Personal & Device Identifiers

  • IP addresses — no server-side logging infrastructure captures or stores IP addresses in connection with tool usage
  • Browser fingerprints, User-Agent strings, or device identifiers beyond what GA4 collects (see Section 3)
  • Geolocation data (GPS, Wi-Fi triangulation, or IP-derived location at a granular level)
  • User names, email addresses, or registration credentials — there is no registration, login, or account system
  • Referring URLs, search query terms, or navigation history tied to individual users

The tool is fundamentally a stateless computational utility: it accepts character input in your browser, performs all analysis locally, renders results to the DOM, and retains absolutely nothing when you navigate away.

3. What Limited Data IS Collected — Analytics & External Resources

3.1 Google Analytics 4 (GA4) — Measurement ID G-XKLCTXFJPB

Ai Sleads uses Google Analytics 4 (GA4) with measurement ID G-XKLCTXFJPB for aggregated, anonymized page-view analytics. GA4 is loaded via the standard gtag.js snippet in the page and is configured with the following privacy-preserving constraints:

  • Page-level metrics only: GA4 collects standard aggregated metrics — page URL path, page title, referrer source, browser type, device category (desktop/mobile/tablet), screen resolution, and approximate geographic region derived from IP-anonymized data (GA4 applies IP truncation by default for all properties).
  • No password content: GA4's gtag('config', ...) call sends only the measurement ID and page parameters. No password text, strength scores, entropy values, crack-time estimates, generated passwords, or any form-input data is ever passed to GA4 as custom dimensions, events, or parameters.
  • No cross-session user tracking: We do not implement User-ID, Google Signals, or any cross-device/cross-session identification features. Session identifiers are GA4's default ephemeral client IDs, which are not linked to any personal identity.
  • No remarketing or advertising features: GA4 is used strictly for aggregated traffic analysis. We do not enable remarketing, advertising reporting, Demographics and Interests, or any feature that would feed data into Google's advertising ecosystem.
  • No custom events on the password input field: No GA4 events are fired in response to typing, pasting, toggling visibility, generating passwords, or any interaction with the password analysis interface.

If you wish to opt out of GA4 entirely, you can use a browser extension such as uBlock Origin, or Google's own GA Opt-out Browser Add-on. The password checker functions identically with or without GA4 loaded.

3.2 Cookies

Ai Sleads does not deploy any first-party cookies — no authentication cookies, no session cookies, no preference cookies, no analytics cookies, and no tracking cookies. GA4 may set its own first-party cookies (_ga, _ga_*) in your browser as part of its standard operation; these are Google's cookies, not ours, and are governed by Google's privacy policy. We do not read, write, or interact with these cookies in any way. There is no cookie consent banner on this site because we do not deploy any cookies ourselves.

3.3 External Static Resources (CDN Fonts & Icons)

The following third-party resources are loaded for typography and UI rendering. These are static asset fetches — they do not transmit user data or password content:

  • Google Fonts (fonts.googleapis.com): loads the Inter, JetBrains Mono, and Sora typeface families. Google may log the referring page URL and browser metadata as part of standard CDN operation.
  • Google Material Symbols (fonts.googleapis.com): loads the Material Symbols icon font for UI elements (menu icon, visibility toggle icons, warning icons, etc.).
  • Google Tag Manager (googletagmanager.com): serves the GA4 gtag.js library. This is the standard delivery mechanism for GA4.

No other third-party scripts, analytics services, behavioral tracking tools, heatmapping services, session recording platforms, advertising networks, Facebook Pixel, or marketing tracker integrations are loaded on Ai Sleads.

4. Data Sharing, Sale & Third-Party Access

Ai Sleads does not share, sell, rent, trade, or disclose any user data to any third party for any purpose — because there is no user data to share.

Specifically:

  • No data brokers: we do not sell or transfer data to data brokers, aggregators, or information resellers.
  • No advertisers: we do not share data with advertising networks, demand-side platforms, or ad exchanges.
  • No analytics resale: GA4 aggregate statistics remain within Google's ecosystem and are not exported, sold, or shared with additional parties.
  • No legal disclosure history: we have never received a subpoena, court order, or law enforcement request for user data — because we hold none. Should such a request ever arrive, we would have nothing responsive to provide.
  • No affiliates or partners with data access: the 345tool Team is the sole operator of Ai Sleads. No third-party affiliates, partners, or contractors have access to any operational systems that could theoretically capture user data.

5. Hosting Infrastructure & Server-Side Configuration

Ai Sleads is hosted on a dedicated virtual private server running Nginx as the web server with PHP-FPM for server-side page assembly. The server-side role is strictly limited to:

  • Serving static assets: HTML templates, CSS stylesheets (tailwind.min.css, style.css), JavaScript files (password-checker.js, script.js), images (PNG screenshots, favicon), and font files.
  • PHP header/footer assembly: the header.php and footer.php files inject navigation, metadata, and GA4 tags into each page at the server level before delivering HTML to the browser.

Server access logs (standard Nginx access.log) record HTTP requests including timestamp, requested URL path, HTTP status code, bytes transferred, and User-Agent string. These logs are retained for a limited period for operational purposes (troubleshooting, DDoS mitigation, traffic analysis). They are not analyzed at the individual-request level, not cross-referenced with any other data source, and not used to identify or profile individual users. IP addresses in access logs are not linked to password analysis activity because the password analysis happens entirely in the browser and generates no server requests.

No application-level logging of password content, analysis results, or user interactions exists at any layer of the stack — not in Nginx, not in PHP, not in any database, and not in any external logging service.

6. Data Security — Architectural Guarantees

Because Ai Sleads collects and stores no user data, the traditional data-security threat model (database breaches, server compromise, insider threats) does not apply in the conventional sense. There is no database to breach, no user table to exfiltrate, and no stored credentials to leak.

6.1 TLS/HTTPS

All communication between your browser and the aisleads.com server is encrypted via TLS (HTTPS). While no password data traverses this connection (all processing is client-side), TLS protects the integrity of the JavaScript and CSS files delivered to your browser, preventing man-in-the-middle injection of malicious code that could compromise the client-side analysis.

6.2 Subresource Integrity

External resources (Google Fonts, GA4) are loaded from Google's CDN. We do not currently implement Subresource Integrity (SRI) hashes for these resources; however, the password analysis engine (password-checker.js) has no external JavaScript dependencies, meaning the core security functionality is isolated from CDN compromise risks.

6.3 Breach Notification

In the unlikely event of a server compromise, the impact on users is architecturally bounded: no password data, analysis results, or personal information exists on the server to be exfiltrated. If we become aware of any security incident affecting the aisleads.com domain or its hosting infrastructure, we will post a notice on this page and update the "Last Updated" date.

7. Your Rights Under GDPR (EU/EEA Users)

The European Union's General Data Protection Regulation (GDPR, Regulation 2016/679) grants specific rights to individuals in the EU and EEA. Because Ai Sleads does not collect, store, or process personal data, many of these rights are satisfied by architectural design:

  • Right to Information (Art. 13 & 14): This Privacy Policy serves as the complete disclosure of our data-handling practices. There is no additional processing to disclose because no personal data processing occurs beyond what is described here.
  • Right of Access (Art. 15): There is no personal data stored to provide access to. All password processing is ephemeral and client-side only. If you submit a Subject Access Request, we will confirm that we hold no personal data about you.
  • Right to Rectification (Art. 16): Not applicable — no personal data is held that could be inaccurate.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): No personal data exists on our servers to erase. Closing your browser tab permanently destroys all locally processed password data from RAM. We have no backup systems, replication databases, or log archives containing password content.
  • Right to Restriction of Processing (Art. 18): No processing of personal data occurs. The password analysis is performed locally by your own device, which is outside the scope of GDPR's processing restrictions.
  • Right to Data Portability (Art. 20): Not applicable — no personal data is held in any structured, machine-readable format on our servers.
  • Right to Object (Art. 21): No profiling, direct marketing, or automated decision-making concerning individuals occurs. You may object to GA4 tracking by using the opt-out methods described in Section 3.1.
  • Rights Related to Automated Decision-Making (Art. 22): The password strength scoring algorithm operates locally on your input and displays results to you. It does not make decisions about you, profile you, or produce legal effects concerning you.

7.1 Legal Basis for Processing

To the extent that GA4 page-view analytics constitutes "processing" under GDPR, the legal basis is Legitimate Interest (Art. 6(1)(f)): aggregated, anonymized traffic analysis is necessary for the operation and improvement of the website, and this processing does not override the fundamental rights and freedoms of users given that no personal or sensitive data is involved. GA4's IP anonymization and our configuration restrictions (no User-ID, no Signals, no remarketing) ensure this processing is proportionate and minimally intrusive.

7.2 International Data Transfers

GA4 data is processed by Google on servers that may be located outside the EU/EEA, including in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), which provides a legal mechanism for such transfers. No other international data transfers occur because no other data is collected.

8. Your Rights Under CCPA/CPRA (California Residents)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants specific rights to California residents. Our compliance posture is as follows:

  • Right to Know (CCPA § 1798.100/110): This Privacy Policy discloses all categories of information collected (see Section 3 for GA4 page-view analytics) and all categories not collected (see Section 2). We collect no personal information beyond what GA4 collects automatically for aggregated analytics.
  • Right to Delete (CCPA § 1798.105): We hold no personal information about California residents to delete. Password data is ephemeral and client-side only.
  • Right to Opt-Out of Sale/Sharing (CCPA § 1798.120): We do not sell or share personal information because we do not collect any. We have no financial incentive to collect data — our monetization model (see Section 10) is designed to be compatible with zero data collection.
  • Right to Correct (CCPA § 1798.106): Not applicable — no personal information is held that could be inaccurate.
  • Right to Limit Use of Sensitive Personal Information (CCPA § 1798.121): We do not collect, use, or disclose sensitive personal information (as defined by CCPA categories: government IDs, financial account credentials, precise geolocation, biometric data, communications content, etc.). Password content entered into the tool is processed locally and is never received by us.
  • Right to Non-Discrimination (CCPA § 1798.125): The tool is fully functional for all users regardless of privacy choices. There are no features, pricing tiers, or service levels tied to data sharing because there is no data sharing.

To exercise any CCPA rights, contact us at [email protected]. We will respond within the timeframe required by applicable law. We do not use authorized agents for CCPA request processing.

9. Children's Privacy (COPPA Compliance)

The Children's Online Privacy Protection Act (COPPA) in the United States and similar regulations in other jurisdictions (e.g., GDPR Art. 8, UK Age Appropriate Design Code) impose requirements on services that collect personal information from children.

Ai Sleads does not knowingly collect personal information from children under the age of 13 — nor from any user of any age. The tool operates without registration, login, or any form of user identification. No user-generated content is stored or transmitted. No communication features (comments, direct messaging, forums, social features) exist on the platform. No behavioral advertising, attention metrics, or engagement tracking is deployed.

If you are a parent or guardian and believe that your child has provided personal information through this website (which is architecturally impossible for password content but theoretically possible if a child emailed us), please contact us at [email protected] and we will promptly address the concern.

10. Monetization Model & Economic Incentives

Ai Sleads is a free tool with no premium tiers, subscriptions, or paywalled features. Our monetization strategy is designed to be compatible with the zero-data-collection architecture:

  • Current state (June 2026): Ai Sleads is operated as a public-good utility by the 345tool Team with no active monetization. Operating costs (server, domain, bandwidth) are covered by the parent organization.
  • Future monetization: If monetization is introduced, it will rely on static, contextually relevant banner placements positioned outside the core password-analysis interface — never interstitials, never popups, never forced interactions. Over time, these may transition into premium B2B link partnerships with verified technical organizations in adjacent fields (cybersecurity, authentication, enterprise IT).
  • What will never happen: We will never collect, package, sell, or share user password content, analysis results, or behavioral data with advertisers, data brokers, or any third party. The zero-server architecture makes this commercially impossible, not just a policy choice.

11. External Links & Third-Party Websites

Ai Sleads contains links to external websites that are not operated by us:

  • 345tool.com — the parent developer collective's primary domain
  • Linked partner sites listed on the Team page — other 345tool satellite tools
  • External references cited in educational content (NIST, hashcat, Verizon DBIR, Microsoft DDR)

We are not responsible for the privacy practices, content, or security of these external websites. Clicking external links navigates you away from Ai Sleads, and those sites are governed by their own privacy policies. We encourage you to review the privacy policy of any website you visit, particularly before entering any personal information.

12. Policy Updates & Version History

We may update this Privacy Policy to reflect changes in the tool's architecture, operational practices, or applicable regulations. Updates are published directly on this page with the "Last Updated" date revised accordingly.

12.1 Material Change Notification

If we ever introduce a feature that collects, stores, or transmits user data of any kind — which would represent a fundamental architectural departure — we will:

  1. Post a prominent notice on the homepage at least 30 days before the change takes effect.
  2. Update this Privacy Policy with a detailed description of what data is collected, how it is processed, and the legal basis for processing.
  3. Provide a clear opt-out mechanism where technically feasible.

We encourage periodic review of this page. The "Last Updated" date at the top of the policy indicates when the most recent changes were published.

12.2 Governing Law & Jurisdiction

This Privacy Policy and any disputes arising from it are governed by applicable data protection laws in the jurisdictions where users reside, including but not limited to the GDPR (EU/EEA), CCPA/CPRA (California, USA), COPPA (USA), and PIPEDA (Canada).

13. Contact & Verification

For privacy-related inquiries, data protection questions, GDPR/CCPA rights requests, or technical verification of our zero-server architecture, contact the 345tool Team:

  • Email: [email protected]
  • Parent Organization: 345tool.com
  • Physical Address: Available upon request via email for formal legal correspondence.
  • Response Time: We aim to acknowledge all privacy-related inquiries within 48 hours and provide substantive responses within 14 calendar days.

If you are a security researcher and wish to verify our zero-server claims, we welcome independent technical audits. You can verify client-side-only operation by opening the browser Developer Tools Network panel (F12 → Network), typing a test password, and confirming that zero outbound requests are generated. The unminified source code of password-checker.js is publicly accessible at /js/password-checker.js for direct inspection.

Effective Date: June 1, 2026 • Last Updated: June 13, 2026 • Operator: 345tool Team • Contact: [email protected]