DedupeLines

Privacy at DedupeLines · Zero upload of your input

Your input is processed entirely inside your browser. Only anonymous page-view telemetry — separate from your text — is collected through standard web-analytics tooling.

TL;DR

Effective: 18 May 2026. What this site does today: your input is processed entirely in your browser. Sections below describing Google Analytics 4 and Google AdSense are not yet active — they document what will happen when those features are enabled in a later release. We never enable a new data practice retroactively.

  • The text you paste / upload / type never leaves your browser. There is no upload step, no server endpoint that accepts your input.
  • We treat your input and your page-view telemetry as two completely separate streams. The two are never combined.
  • The web server keeps standard access logs (IP / path / status / UA / timestamp) for 14 days, then deletes them.
  • When enabled, anonymous page-view counts are measured by Google Analytics 4 (IP automatically anonymized) and the site is supported by Google AdSense display ads. Neither touches your input text.
  • EU / UK / Switzerland visitors will see a Google-certified consent banner the first time analytics or ads are active — nothing tracking-related runs until you choose.

Your input is yours

DedupeLines treats two kinds of information very differently. Your input — the lines you paste, type, or upload — is processed by JavaScript running inside your own browser tab and never sent to our servers. We cannot read it, store it, or recover it after you close the tab. Anonymous site telemetry — which page you opened, from which country, on which browser — is collected separately through standard web-analytics tooling so we can measure usage trends and decide what to build next. The two streams are never combined, and the telemetry stream does not include any of your input.

The engine source is at /static/js/dedupe.js, served as plain JavaScript without a minifier so you can read it. This is technically different from server-side tools like SmallPDF or TinyPNG, where your files are uploaded to a third-party server, processed there, then deleted within a retention window. With DedupeLines there is no server-side processing step at any point. The text stays on your machine.

You can verify this in 30 seconds: open DevTools → Network, reload the page, then paste any text and click Process. You will not see any request containing your pasted text. You will see analytics and font requests on page load (covered below), but those carry only page-level metadata, never your input.

Anonymous page-view telemetry

Separate from your input, the site collects anonymous page-view data so we can keep it healthy and decide which tools to build next. This is described in detail in the sections below. The data is governed by the third-party providers' own privacy policies (linked in each section), and the telemetry stream never includes your input text.

What we collect through page-view telemetry, at a high level:

  • Which URL you visited and from which referring page
  • Anonymized IP-derived country and city-level region (no full IP stored on our end)
  • Browser, browser version, operating system, device class (desktop / mobile / tablet)
  • Approximate session duration and exit page

None of these are joined to your input text, your email (we don't collect one), or any account identifier.

What we collect

The web server hosting this site keeps standard access logs: IP address, request path, HTTP status, user-agent string, timestamp. These logs are used for security (blocking abuse / rate-limit violations) and capacity planning. They are not joined to any other dataset, not sold, not shared with analytics processors, and they expire after 14 days.

When Google Analytics 4 is enabled (see the dedicated section below), GA4 also collects the page-view telemetry listed in the previous section. When Google AdSense is enabled, ad-serving partners collect the cookies listed in the AdSense section below.

Beyond access logs, GA4 telemetry, and ad cookies, that's the entire data inventory. No account system, no email collection (unless you write to us — see Contact), no profile data, no behavioural events on your input content.

What we don't collect

  • The text you process. There is no server endpoint that accepts your text. The dedup, regex match, reverse, shuffle, trim, line-numbering, and blank-line removal all happen via the JavaScript engine that ships with the page — see /static/js/dedupe.js. No analytics partner, no ad partner, and no log entry sees your input.
  • Fingerprinting. No canvas fingerprint, no WebGL probe, no audio-context probe, no font enumeration. We rely only on standard cookies declared in the cookies section.
  • Cross-site / cross-device tracking. Google Signals is off in our GA4 configuration. Personalised advertising is off by default in the EU / UK / Switzerland (we serve non-personalised ads unless you opt in via the consent banner).
  • Your input for ad targeting. Ads served by AdSense (when enabled) are based on page content and your country — not on the text you paste into our tools.

Why we collect it (legal basis)

Under GDPR Article 6, processing personal data requires a lawful basis. Ours is narrow:

  • Access logs (14-day retention) — legal basis: legitimate interest (Art. 6(1)(f)) in maintaining site security and detecting abuse. We've assessed that the necessity (operating the site) is balanced against your interests because logs are short-lived (14 days), not joined to other data, and not used for profiling.
  • Page-view analytics cookies (Google Analytics 4, when enabled) — legal basis: consent (Art. 6(1)(a)). EU / UK / Switzerland visitors see a consent banner; no GA cookies are set until you choose. The cookie is also subject to the ePrivacy Directive Art. 5(3), which is why consent (not legitimate interest) is the only valid basis.
  • Advertising cookies (Google AdSense, when enabled) — legal basis: consent (Art. 6(1)(a)) for personalised ads in the EU / UK / Switzerland. Outside those regions, non-personalised ads may be served on a legitimate-interest basis with an opt-out available.
  • Language-preference cookies — legal basis: consent (Art. 6(1)(a)). The cookie is only set after you take an explicit action (clicking a language in the banner or switcher). No cookie is set on first visit.
  • Email correspondence — if you email us, legal basis: legitimate interest in responding to your request. Stored only as long as the support conversation requires.

We don't process any data for automated decision-making, profile building against your name, or transfer outside what's described above.

Analytics — Google Analytics 4

Status: Not yet active. This section describes what will happen when the feature is enabled in a later release. As of the Effective date above, no related scripts load on this site and no related cookies are set.

What we use it for. DedupeLines uses Google Analytics 4 (GA4) to count anonymous page-views, referrers, country-level geography, browser, and device class. GA4 uses cookies and similar identifiers to do this.

What GA4 does by default in our configuration:

  • IP addresses are automatically anonymised — this is non-configurable in GA4 (unlike the older Universal Analytics). We do not store full IP addresses ourselves.
  • Event data is retained for 14 months and then deleted.
  • Google Signals (cross-device tracking) is off.
  • Ad personalisation signals from GA4 are off.
  • The data is processed by Google as a data processor under our Google Analytics terms; Google's own description of this flow is at policies.google.com/technologies/partner-sites.

How to opt out: use the cookie consent banner (EU / UK / Switzerland visitors get this on first visit), the Cookie settings link in the footer, or install Google's Analytics Opt-out Browser Add-on which works site-wide.

Advertising — Google AdSense

Status: Not yet active. This section describes what will happen when the feature is enabled in a later release. As of the Effective date above, no related scripts load on this site and no related cookies are set.

What we use it for. DedupeLines is supported by display ads served by Google AdSense. Ads keep the tools free for everyone — there is no paywall and no “upgrade for more” tier.

What AdSense uses: Google and other third-party vendors use cookies (including __gads, IDE, and NID) to serve ads based on your prior visits to this site or other sites on the internet. Per Google's required disclosure: “Google's use of advertising cookies enables it and its partners to serve ads to your users based on their visit to your sites and/or other sites on the internet.”

Regional defaults:

  • EU / UK / Switzerland: non-personalised ads only unless you opt in through our consent banner. The banner is required and is served via Google's Funding Choices certified consent manager.
  • California: a “Do Not Sell or Share My Personal Information” link is provided in the page footer per CCPA / CPRA.
  • Other regions: personalised ads on a legitimate-interest basis with opt-out via the Cookie settings link.

Crucially: ads are targeted based on page content and your country — never on the text you paste into our tools. Your input never reaches the ad network.

How to opt out or change preferences: visit Google Ads Settings or aboutads.info at any time.

Third-party network requests

The outbound network calls this page makes are:

  • Google Fontsfonts.googleapis.com (CSS) and fonts.gstatic.com (woff2 files). Loads the Manrope and JetBrains Mono families, plus Noto Sans JP on pages that need Japanese glyphs. Google's privacy policy covers this connection.
  • Google Analytics 4 (when enabled) — www.googletagmanager.com (script) and region1.google-analytics.com (data). See the Analytics section above for what's collected.
  • Google AdSense (when enabled) — pagead2.googlesyndication.com, googleads.g.doubleclick.net, and other ad-delivery domains. See the Advertising section above.

That is the complete list. No CDN handles your input data, no analytics endpoint receives your pasted text, no embedded social widgets, no chat-bot scripts. If you open DevTools → Network and process a file, you will not see any request containing your input — only the analytics and ad calls listed above, which carry page metadata.

Cookies and your choices

This site uses three categories of cookies:

  • Strictly necessary (always on) — none beyond the optional language cookies below; the tools themselves run without any cookies.
  • Language preference (opt-in by action): preferred_lang (1 year) — set when you click a language in the top banner or the language switcher. We never read this cookie server-side to decide what content to send you (URL is the single language signal); it only suppresses the language-suggestion banner. lang_banner_dismissed (session) — set when you click ✕ on the language suggestion banner.
  • Analytics & advertising (consent-gated, opt-in in EU / UK / Switzerland): when enabled, GA4 cookies (_ga, _ga_*) and AdSense cookies (__gads, IDE, NID). See the Analytics and Advertising sections above for what each does.

How to manage your choices:

  • EU / UK / Switzerland visitors: a consent banner appears on the first visit when analytics or ads are active. Until you choose, no analytics or ad cookies are set.
  • All visitors: use the Cookie settings link in the page footer to review or change your choices at any time.
  • California residents: use the footer link to exercise the “Do Not Sell or Share My Personal Information” right.
  • Anywhere: clear cookies in your browser settings — clearing them just resets the consent banner on the next visit.

No tracking cookies set without consent in the EEA / UK / Switzerland. No fingerprinting. No Facebook pixel. No Google Tag Manager beyond what GA4 / AdSense need for their own delivery.

Data retention

  • Server access logs: 14 days, then deleted by the log rotation job. We don't archive older logs to cold storage.
  • GA4 event data (when enabled): 14 months in Google's analytics data store, then automatically deleted per our property configuration.
  • AdSense ad cookies (when enabled): see Google's Ad cookie policy for specific durations (most expire within 13 months).
  • Language cookies: preferred_lang 1 year; lang_banner_dismissed session only. Both can be cleared from your browser at any time.
  • Support email: kept as long as the conversation is active, plus a reasonable archival window (typically 12 months) for context if you write back later. You can request deletion at any time.
  • Your input text: never retained on our side — it never left your browser in the first place.

Your rights under GDPR / CCPA

If you are in the EU/EEA, UK, or California, you have the following rights regarding any personal data we hold about you. Given how little we hold (logs for 14 days; cookies you set yourself; aggregated GA4 telemetry when enabled), most of these are trivially satisfied — but they apply nonetheless.

  • Access — request a copy of any personal data we hold about you (typically: log entries containing your IP within the 14-day window).
  • Rectification — correct inaccurate data. Rarely applicable here since we don't store profile data.
  • Erasure (“right to be forgotten”) — request deletion of log entries containing your IP. We honour this within 30 days.
  • Restriction — request we stop processing your data while a dispute is resolved.
  • Portability — receive your data in a machine-readable format. Since we hold only short-lived logs, this is rarely meaningful, but the right is yours.
  • Objection — object to processing based on legitimate interest (the legal basis for access logs).
  • Withdraw consent — for anything we process under consent (the language cookies, GA4, AdSense). Use the Cookie settings link in the footer or clear cookies in your browser.
  • California CCPA / CPRA — Do Not Sell or Share My Personal Information (use the footer link); right to know, right to delete.
  • Lodge a complaint with your supervisory authority. EU users: the DPA in your country of residence. UK: the ICO. California: the California Privacy Protection Agency or the California Attorney General's office.

To exercise any of these rights, email [email protected] with the right you're invoking and (if asking about logs) the approximate date/time of your visit so we can locate the right entries.

How to verify all of this

This is a single-page tool that runs entirely in JavaScript — you can audit it yourself in under a minute:

  1. Open DevToolsNetwork tab
  2. Reload this page, watch the requests load. You'll see Google Fonts, plus GA4 and AdSense requests once those are active.
  3. After the page finishes loading, paste any text into the tool and click Process.
  4. Confirm: no new request appears in the Network tab that contains your pasted text. Search the request bodies for a unique substring from your input — you won't find it.

If you ever see a request to a domain we didn't disclose above, or a request body that contains your input, that's a bug — please file it at [email protected] with a Network tab screenshot.

Contact

Questions about privacy, requests to delete log entries containing your IP, GDPR / CCPA / CPRA inquiries: [email protected].

We respond to data-subject requests within 30 days, usually much faster. For urgent matters please write “PRIVACY URGENT” in the subject line.

Last updated: 2026-05-18