Privacy Policy

1. Zero-Server Architecture — How Client-Side Execution Works

JCP Tool is engineered under a zero-server-footprint mandate: every computational operation in the data format conversion pipeline executes exclusively within your browser. There is no backend API, no cloud processing service, no database, no session store, and no server-side application logic that touches user data. This is not a privacy preference — it is an architectural invariant enforced by the code structure itself.

1.1 The Conversion Engine — ~956 Lines of Client-Side JavaScript

The entire conversion engine lives in a single self-contained file: /js/converter.js (~956 lines, unminified, publicly inspectable). It has one external dependency — js-yaml v4.1.0 loaded from jsDelivr CDN for YAML parsing/dumping — and zero outbound network calls for data processing. The source code contains no fetch() calls targeting external endpoints, no XMLHttpRequest objects for content transmission, no navigator.sendBeacon() invocations, no WebSocket constructors, and no tracking pixel elements. You can verify this by opening your browser's Developer Tools (F12), navigating to the Network tab, entering data, clicking Validate or Convert, and observing that zero outbound data requests are generated during any conversion or validation operation.

1.2 Function Inventory — What Runs Where

Every computational function executes inside your browser's JavaScript sandbox (V8/SpiderMonkey/JavaScriptCore, depending on browser). No function offloads computation to a server:

• detectFormat(text): Strictness-ordered auto-detection (JSON → XML → YAML → CSV) with early exit. All parsing local.
• validateFormat(text, format): Re-parses input; returns { valid, error } with line/column diagnostics. No server round-trip.
• convertTo(data, targetFormat, sourceFormat): Routes parsed JS objects to format-specific serializers. Source-agnostic by design.
• tryCSV(text) / csvSplitLines(text) / parseCSVLine(line): Custom RFC 4180 tokenizer — quoted fields, escaped quotes, embedded delimiters.
• xmlToJS(xmlDoc) → parseNode(node): Recursive DOM walker handling ELEMENT_NODE, TEXT_NODE, CDATA_SECTION_NODE. Attributes under @attributes.
• flattenJSON(data) / unflattenJSON(flat): Bidirectional nested↔flat conversion with dot-path keys and bracket array indices.
• downloadResult(): UTF-8 Blob construction with correct MIME type, object URL lifecycle, zero server involvement.

1.3 No Persistent Browser Storage

Input data, parsed JavaScript objects, conversion results, validation reports, format detection metadata, and downloaded file content exist exclusively in your browser's volatile RAM while the tab is open. The tool does not write to localStorage, sessionStorage, IndexedDB, document.cookie, Cache API, or any other browser storage API in connection with user data. Closing or refreshing the browser tab permanently and irrecoverably destroys all entered data and computed results. There is no server-side session, no database row, and no log entry from which data could be reconstructed.

1.4 Offline Functionality — Practical Verification

After the initial page load fetches HTML, CSS, JavaScript, font assets, and the js-yaml CDN library, you can disconnect your device from the internet entirely (disable Wi-Fi, unplug Ethernet, enable airplane mode) and all JSON, CSV, and XML conversion/validation operations continue functioning at full capacity. YAML operations require the CDN-loaded js-yaml library (loaded once, then cached by the browser) and may not function if the CDN resource is unavailable or blocked. This offline capability serves as practical verification that no server round-trips are required for core operations.

2. Information We Do NOT Collect — Exhaustive Enumeration

To eliminate ambiguity, the following is an exhaustive catalog of information categories that JCP Tool does not collect, store, transmit, or process in any form:

2.1 Data Content & Conversion Artifacts

• Text content, data structures, or values entered into the input textarea
• Uploaded file contents (JSON, CSV, YAML, XML, or plain text of any type)
• Parsed JavaScript objects, arrays, or any intermediate data representations
• Conversion results (formatted JSON, CSV, YAML, or XML output strings)
• Validation reports (detected format, error messages, line:column positions)
• Flattened/unflattened JSON structures, downloaded file Blob data, or auto-generated filenames
• Preview canvas rendered content, syntax-highlighted code, or theme state

2.2 Behavioral & Interaction Data

• Keystroke dynamics, typing rhythm, mouse movements, click coordinates, scroll depth, or hover events
• Copy/paste events (clipboard never read beyond what is intentionally pasted)
• Format pill selections, button clicks on Validate/Convert/Clear/Download, or flatten checkbox toggles
• File upload drag-and-drop interactions, file metadata, or file selection patterns
• Textarea auto-resize, focus/blur events, or tab visibility changes

2.3 Personal & Device Identifiers

• IP addresses — no server-side application logic captures or stores IPs (see Section 6 for Nginx access log disclosure)
• Browser fingerprints (canvas, WebGL, font enumeration) or any active/passive device fingerprinting
• User-Agent strings beyond standard HTTP request headers and Nginx access logs
• Precise geolocation data (GPS, Wi-Fi/cell tower triangulation)
• User names, email addresses, or registration credentials — there is no login or account system
• Referring URLs, search query terms, UTM parameters, or per-user navigation history

The tool is fundamentally a stateless computational utility: it accepts data input in your browser, performs all parsing/conversion/validation locally, renders results to the preview canvas, and retains absolutely nothing when you navigate away, close the tab, or refresh the page.

3. What Limited Data IS Collected — GA4 Analytics, CDN Resources & Server Logs

3.1 Google Analytics 4 (GA4) — Measurement ID G-2NK5059S76

JCP Tool loads Google Analytics 4 (GA4) via the standard gtag.js snippet in the page (Measurement ID: G-2NK5059S76). GA4 is configured with the following privacy-preserving constraints:

• Page-level metrics only: gtag('config', 'G-2NK5059S76') sends standard page parameters (path, title, referrer). No custom dimensions or event parameters carry data content.
• Automatic events only: GA4 may collect page_view, scroll, click, and session_start via default enhanced measurement. No custom gtag('event', ...) calls are triggered by converter interactions.
• IP anonymization: GA4 applies IP truncation by default. Full IP addresses are not stored.
• No cross-session tracking: No User-ID, Google Signals, or cross-device identification. Sessions use GA4's default ephemeral client IDs.
• No advertising features: GA4 is used strictly for aggregated traffic analysis. No remarketing audiences, advertising reporting, or Demographics/Interests features. Data retention: default 2 months.

To opt out of GA4 entirely, you can use a browser extension such as uBlock Origin, or install Google's official GA Opt-out Browser Add-on. The format converter functions identically with or without GA4 loaded — GA4 is a passive measurement layer with zero impact on tool functionality.

3.2 Third-Party CDN Resource Loads

The following external resources are fetched for typography, UI rendering, and YAML processing. These are static asset fetches — they retrieve library/stylesheet bytes and do not transmit user data, conversion content, or interaction metadata beyond what is inherent in a standard HTTP GET request (referring URL, User-Agent, IP address seen by the CDN edge):

No other third-party scripts, analytics services, behavioral tracking tools, heatmapping services, session recording platforms, advertising networks, Facebook Pixel, LinkedIn Insight Tag, Twitter Pixel, or marketing tracker integrations of any kind are loaded on JCP Tool.

3.3 Nginx Access Logs — Standard HTTP Server Logging

Our hosting infrastructure runs Nginx as the web server. Like virtually every web server on the internet, Nginx maintains standard access logs (access.log) that record each HTTP request with the following fields: timestamp, requested URL path, HTTP method, HTTP status code, bytes transferred, User-Agent string, and client IP address. These logs:

• Are retained for a limited period for operational purposes: troubleshooting, DDoS mitigation, traffic volume analysis, and abuse detection.
• Are not analyzed at the individual-request level, not cross-referenced with any other data source, and not used to identify, profile, or track individual users.
• Are not linked to data conversion activity because all conversion processing happens entirely in the browser and generates zero HTTP requests to the server beyond the initial page load assets.
• Are rotated and purged on a standard schedule; no long-term archival of access logs occurs.

No application-level logging of input data, conversion results, validation reports, format detection outcomes, or user interactions exists at any layer of the stack — not in Nginx, not in PHP-FPM, not in any database, not in any external logging service, and not in any monitoring or observability platform.

4. Cookie Disclosure — Complete Inventory

4.1 First-Party Cookies (jcptool.com)

JCP Tool sets zero first-party cookies. We do not deploy authentication cookies, session cookies, preference cookies, analytics cookies, tracking cookies, or any other type of cookie from the jcptool.com domain. There is no cookie consent banner on this site because we do not deploy any cookies ourselves — there is nothing to consent to.

4.2 Third-Party Cookies (Set by External Services)

The following cookies may be set in your browser by third-party services that JCP Tool loads. We do not read, write, control, or have access to these cookies — they are governed by the respective third party's privacy policy:

Note: The __cf_bm cookie is only present if the site is routed through Cloudflare's network. This is a standard Cloudflare bot-management token and does not correspond to any user identifier, tracking profile, or cross-site behavioral data. Cloudflare's privacy policy governs this cookie.

You can manage or delete these third-party cookies through your browser settings (Chrome: chrome://settings/cookies; Firefox: about:preferences#privacy; Safari: Preferences → Privacy; Edge: edge://settings/privacy). Blocking GA4 cookies does not affect tool functionality. Blocking the Cloudflare __cf_bm token (if present) may result in a Cloudflare challenge page before accessing the site.

5. Data Sharing, Sale & Third-Party Access

JCP Tool does not share, sell, rent, trade, disclose, or make available any user data to any third party for any purpose — because there is no user data to share. This is not a policy choice subject to change; it is a direct consequence of the zero-server architecture.

Specifically:

• No data brokers: We do not sell, license, or transfer any data to data brokers, aggregators, information resellers, or data marketplaces.
• No advertisers: We do not share data with advertising networks, demand-side platforms (DSPs), supply-side platforms (SSPs), ad exchanges, or programmatic advertising intermediaries.
• No analytics resale or export: GA4 aggregate statistics remain within Google's ecosystem and are not exported, sold, shared, or piped to additional analytics platforms, data warehouses, or business intelligence tools.
• No legal disclosure history: As of the Last Updated date above, we have never received a subpoena, court order, national security letter, warrant, or law enforcement request for user data — because we hold none. Should such a request ever arrive, we would have nothing responsive to provide and would respond accordingly.
• No affiliates or partners with data access: The 345tool Team is the sole operator of JCP Tool. No third-party affiliates, contractors, consultants, or service providers have access to any operational systems that could theoretically capture user data.
• No merger/acquisition data transfer risk: Because no user data is collected or stored, there is no database of user information that could be transferred in the event of a business restructuring, acquisition, or asset sale.

6. Hosting Infrastructure & Server-Side Configuration

JCP Tool is hosted on a dedicated virtual private server (VPS) running the following software stack:

• Web server: Nginx — serves static assets (HTML, CSS, JavaScript, images, font files) and proxies PHP requests to PHP-FPM.
• Application server: PHP-FPM — handles server-side page assembly only: injecting header.php (navigation, metadata, GA4 tag, CSS/JS includes) and footer.php into each page template before delivering the complete HTML document to the browser.
• TLS termination: HTTPS is enforced for all connections. TLS certificates are provisioned and renewed automatically.
• Static asset delivery: combined.css (merged single-file stylesheet), converter.js (~956 lines unminified), script.js (site-wide UI logic), and all image/favicon assets are served as static files with appropriate cache headers.

The server-side role is strictly limited to asset delivery. There is no application-level request handler that receives, reads, or processes user-submitted data. There is no database server (no MySQL, PostgreSQL, MongoDB, Redis, or any other data store). There is no session management system. There is no user authentication or authorization infrastructure.

Nginx access logs (see Section 3.3) are the only server-side record of HTTP traffic. These are standard operational logs, not application-level data processing logs.

7. Data Security — Architectural Guarantees & TLS

Because JCP Tool collects and stores no user data, the traditional data-security threat model — database breaches, credential leaks, server compromise leading to data exfiltration — does not apply. There is no database to breach, no user table to exfiltrate, no stored data content to leak, and no authentication credentials to compromise.

7.1 TLS/HTTPS Encryption

All communication between your browser and jcptool.com is encrypted via TLS (Transport Layer Security). While no conversion data traverses this connection (all processing is client-side), TLS protects the integrity and authenticity of the JavaScript, CSS, and HTML files delivered to your browser — preventing man-in-the-middle (MITM) attackers from injecting malicious code that could compromise the client-side conversion engine or exfiltrate data from the browser's JavaScript sandbox.

7.2 Subresource Integrity & CDN Risks

External resources (Google Fonts, GA4 gtag.js, js-yaml via jsDelivr) are loaded from third-party CDNs. We do not currently implement Subresource Integrity (SRI) hashes for these resources. However, the core conversion engine (converter.js) has only one external dependency (js-yaml for YAML processing), meaning JSON, CSV, and XML operations are fully isolated from CDN compromise risks. If the js-yaml CDN fails to load, the typeof jsyaml === 'undefined' guard in tryYAML() ensures YAML features degrade gracefully without breaking other functionality, and no uncaught ReferenceError is thrown.

7.3 Breach Notification

In the event of a server compromise affecting the jcptool.com domain or its hosting infrastructure, the impact on users is architecturally bounded: no data content, conversion results, validation reports, or personal information exists on the server to be exfiltrated. If we become aware of any security incident, we will post a notice on this page and update the "Last Updated" date within 72 hours of confirming the incident.

8. GDPR Compliance (EU/EEA Users) — Articles 5–22 Analysis

The European Union's General Data Protection Regulation (GDPR, Regulation 2016/679) grants specific rights to individuals in the EU and European Economic Area (EEA). Because JCP Tool does not collect, store, or process personal data, many GDPR obligations are satisfied by architectural design rather than by procedural compliance:

• Art. 5 — Principles Relating to Processing: The principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality are satisfied by the zero-collection architecture. GA4 page-view analytics process anonymized, aggregated data under the legitimate interest basis (Art. 6(1)(f)).
• Art. 13 & 14 — Right to Information: This Privacy Policy serves as the complete disclosure of all data-handling practices. There is no additional processing to disclose because no personal data processing occurs beyond what is exhaustively described in Sections 3 and 4.
• Art. 15 — Right of Access: We hold no personal data to provide access to. If you submit a Subject Access Request (SAR) to [email protected], we will confirm in writing that we hold no personal data about you and provide the information required by Art. 15(1)(a)-(h) where applicable.
• Art. 16 — Right to Rectification: Not applicable — no personal data is held that could be inaccurate or incomplete.
• Art. 17 — Right to Erasure ("Right to be Forgotten"): Not applicable — no personal data exists on our servers to erase. Closing your browser tab permanently destroys all locally processed data from volatile RAM. We maintain no backups, replication databases, log archives, or offline storage containing conversion data.
• Art. 18 — Right to Restriction of Processing: No processing of personal data occurs on our servers. Data format conversion and validation are performed locally by your own device, which is outside the scope of GDPR's processing restrictions (the household exemption, Recital 18).
• Art. 20 — Right to Data Portability: Not applicable — no personal data is held in any structured, commonly used, machine-readable format on our servers. You can self-serve data portability by downloading your conversion results via the tool's built-in download button.
• Art. 21 — Right to Object: No profiling, direct marketing, or automated decision-making concerning individuals occurs. You may object to GA4 tracking by using the opt-out methods described in Section 3.1.
• Art. 22 — Automated Individual Decision-Making: The format detection, conversion, and validation algorithms operate on your input data and display results to you. They do not make decisions about you as an individual, do not profile you, and do not produce legal effects or similarly significant effects concerning you.

8.1 Legal Basis for GA4 Processing

To the extent that GA4 page-view analytics constitutes "processing" of personal data under GDPR, the legal basis is Legitimate Interest (Art. 6(1)(f)). Our legitimate interest is aggregated, anonymized traffic analysis necessary for understanding website usage patterns and maintaining service quality. This processing does not override the fundamental rights and freedoms of data subjects because: (a) GA4 applies IP anonymization by default, (b) we have disabled all advertising, remarketing, and cross-session identification features, (c) no special category data (Art. 9) is processed, and (d) data subjects have a clear, accessible opt-out mechanism (GA opt-out browser add-on).

8.2 International Data Transfers

GA4 data is processed by Google LLC on servers that may be located outside the EU/EEA, including in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, which provide legal mechanisms for such transfers under Art. 45 GDPR. No other international data transfers occur because no other data is collected. Our VPS hosting infrastructure is located within the European Union.

8.3 Supervisory Authority

If you believe our data practices infringe GDPR, you have the right to lodge a complaint with a supervisory authority in your EU/EEA member state. However, we encourage contacting us first at [email protected] so we can address your concern directly.

9. CCPA/CPRA Compliance (California Residents)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants specific rights to California residents. Our compliance posture:

• Right to Know (CCPA § 1798.100/110/115): This Privacy Policy discloses all categories of personal information collected (Sections 3-4: internet/electronic activity via GA4 page-view analytics) and all categories not collected (Section 2: exhaustive enumeration). We collect personal information in the categories of "Internet or other electronic network activity information" (page URLs, referrer, browser type) solely via GA4, and "Identifiers" (GA4 client ID) solely via GA4. We have not collected personal information in any other CCPA category in the preceding 12 months.
• Right to Delete (CCPA § 1798.105): We hold no personal information about California residents beyond what GA4 stores. For GA4 data deletion, contact us at [email protected] and we will provide instructions for requesting deletion through Google's data management tools. Conversion data is ephemeral and client-side only — there is nothing to delete.
• Right to Opt-Out of Sale/Sharing (CCPA § 1798.120): We do not sell personal information as defined by CCPA. We do not share personal information for cross-context behavioral advertising. We have no actual knowledge of selling or sharing personal information of consumers under 16 years of age.
• Right to Correct (CCPA § 1798.106): Not applicable — no personal information is held that could be inaccurate.
• Right to Limit Use of Sensitive Personal Information (CCPA § 1798.121): We do not collect, use, or disclose "sensitive personal information" as defined by CPRA (government identifiers, financial account credentials, precise geolocation, biometric data, communications content, genetic data, etc.).
• Right to Non-Discrimination (CCPA § 1798.125): The tool is fully functional for all users regardless of privacy choices. There are no features, pricing tiers, or service levels tied to data sharing — because there is no data sharing.

To exercise any CCPA/CPRA rights, contact us at [email protected]. We will respond within 45 calendar days as required by CCPA. We may require verification of your identity to process requests, which is limited to confirming you are a California resident since we hold no personal data to match against.

9.1 Data Retention for CCPA Purposes

GA4 data retention is 2 months (default setting). We do not retain any personal information beyond this period. We have no backup, archive, or offline storage containing personal information of California residents.

10. Children's Privacy — COPPA & International Equivalents

The Children's Online Privacy Protection Act (COPPA) in the United States, GDPR Article 8 in the EU/EEA, the UK Age Appropriate Design Code, and similar regulations in other jurisdictions impose requirements on services that collect personal information from children.

JCP Tool does not knowingly collect personal information from children under the age of 13 (COPPA threshold), under 16 (GDPR Art. 8 threshold in many member states), or from any user of any age. The tool:

• Operates without registration, login, account creation, or any form of user identification
• Does not store or transmit any user-generated content
• Has no communication features: no comments, no direct messaging, no forums, no social features, no user-to-user interaction mechanisms
• Deploys no behavioral advertising, interest-based advertising, retargeting, or engagement tracking
• Does not use attention metrics, session duration tracking (beyond GA4's default session_start), or gamification mechanics that collect behavioral data

If you are a parent or legal guardian and believe that your child has provided personal information through this website (which is architecturally impossible for conversion data but theoretically possible if a child emailed us directly), please contact us at [email protected]. We will promptly investigate and, if any personal information is found, delete it within 30 calendar days and confirm deletion to you in writing.

11. Monetization Model — Privacy-Compatible Revenue Strategy

JCP Tool is currently a free, unrestricted tool with no premium tiers, no subscriptions, no paywalls, no feature gating, and no usage limits. Our monetization strategy is deliberately designed to be compatible with the zero-data-collection architecture:

• Current state (June 2026): JCP Tool is operated as a public-good utility by the 345tool Team with no active monetization. Operating costs — server, domain registration, bandwidth, and infrastructure — are covered by the parent organization (345tool.com).
• Future monetization (if introduced): Any future monetization will rely on static, contextually relevant banner placements positioned outside the core converter interface — never interstitials, never popups, never forced interactions, never paywalls that gate conversion features. Over time, static banners may transition into premium B2B link partnerships with verified technical organizations in adjacent fields (developer tooling, data processing platforms, API development services).
• What will never happen: We will never collect, package, sell, share, or monetize user data, conversion results, format detection metadata, or behavioral interaction data. The zero-server architecture makes this commercially impossible — there is no data pipeline to monetize. This is an architectural guarantee, not merely a policy statement.

Our economic incentives are aligned with user privacy: the tool's value proposition is its capability (fast, accurate, private format conversion), not its data. Monetizing through static, privacy-neutral channels ensures the incentive structure never pressures us toward data collection.

12. External Links & Third-Party Websites

JCP Tool contains hyperlinks to external websites not operated by us:

• 345tool.com — the parent developer collective's primary domain and portfolio hub
• Linked satellite sites listed on the Team page — other 345tool matrix tools (each with their own privacy policies)
• External technical references cited in educational content: JSON specification (RFC 8259 / ECMA-404), CSV RFC 4180, YAML 1.2 specification, W3C XML 1.0 standard, js-yaml GitHub repository, and related technical documentation
• Google Analytics opt-out link referenced in Section 3.1

We are not responsible for the privacy practices, content, data handling, or security of external websites. Clicking an external link navigates you away from JCP Tool, and those sites are governed by their own privacy policies and terms of service. We encourage you to review the privacy policy of any website you visit, particularly before entering personal information or uploading files.

13. Policy Updates, Version History & Material Change Notification

We may update this Privacy Policy to reflect changes in the tool's architecture, operational practices, service providers, or applicable data protection regulations. Updates are published directly on this page with the "Last Updated" date revised accordingly. We encourage periodic review of this page, particularly if you are a regular user.

13.1 Material Change Notification

If we ever introduce a feature that collects, stores, or transmits user data of any kind — which would represent a fundamental architectural departure from the current zero-server design — we commit to the following:

1. Advance notice: Post a prominent, clearly visible notice on the JCP Tool homepage at least 30 calendar days before the change takes effect.
2. Policy update: Revise this Privacy Policy with a detailed, specific description of: (a) what data is collected, (b) how it is processed and stored, (c) the legal basis for processing, (d) retention periods, (e) any third-party recipients, and (f) whether the data is transferred internationally.
3. Opt-out mechanism: Provide a clear, accessible mechanism for users to opt out of the new data collection where technically feasible.
4. Version history: Maintain a changelog at the bottom of this page documenting what changed, when, and why.

13.2 Governing Law & Jurisdiction

This Privacy Policy and any disputes arising from it are governed by applicable data protection and privacy laws in the jurisdictions where our users reside, including but not limited to: the GDPR (EU/EEA), the UK GDPR and Data Protection Act 2018 (United Kingdom), the CCPA/CPRA (California, USA), COPPA (USA), PIPEDA (Canada), LGPD (Brazil), and the Personal Data Protection Act (Singapore). In the event of any conflict between this policy and applicable law, the law prevails.

14. Contact, Verification & Independent Audit

For privacy-related inquiries, data protection questions, GDPR/CCPA/COPPA rights requests, or technical verification of our zero-server architecture, contact the 345tool Team:

• Email: [email protected] — primary contact channel for all privacy matters
• Parent Organization: 345tool.com — the developer collective operating JCP Tool
• Physical Address: Available upon verified request via email for formal legal correspondence, service of process, or regulatory inquiry
• Response Time: We aim to acknowledge all privacy-related inquiries within 48 hours (business days) and provide substantive, complete responses within 14 calendar days
• GDPR Representative: As a non-EU entity processing limited personal data (GA4 only), we are evaluating whether appointment of an EU Representative under Art. 27 GDPR is required. Contact us by email for the most current information on representative designation

14.1 Technical Self-Verification

We welcome and encourage independent technical verification of our claims. You can self-verify the zero-server architecture using the following procedure:

1. Open JCP Tool in your browser and launch Developer Tools (F12 or Ctrl+Shift+I).
2. Navigate to the Network tab and clear any existing entries.
3. Paste or type data into the input textarea.
4. Click Validate or select a target format and click Convert.
5. Observe the Network panel: no new outbound requests should appear during or after the conversion/validation operation.
6. For offline verification: after initial page load, disconnect your internet connection and confirm that JSON, CSV, and XML conversion/validation continue functioning.
7. Review the unminified source code at /js/converter.js — the file is publicly accessible and contains zero outbound data transmission calls.

If you are a security researcher, privacy advocate, or regulatory body and wish to conduct a more thorough audit, contact us at [email protected] to arrange access or discuss findings.