Privacy-first operation
Privacy policy
Last updated: July 5, 2026. PageMine.xyz is a browser diagnostics and utility site. It is designed to show you what a normal website can read from your own browser, connection and request. The project is intentionally built without user accounts, without a project-side user database, without behavioral advertising code in this build and without secret collection workflows.
This policy is written to be direct and specific. It explains what is read, where it runs, when another service may receive request metadata, what the project does not intentionally store, and what limits still exist because normal web hosting and infrastructure can process technical logs.
Plain-English summary
The site displays diagnostics for the browser and network request that you are currently using. It does not ask you to sign in. It does not ask for your name, email, phone number or address. The project code does not write your IP address, fingerprint hash, generated password, QR text, 2FA secret or speed-test results into a custom database.
Some data must still be processed to make the site work. For example, a web server receives your IP address when you request a page, the IP endpoint receives request headers so it can display them, and the hosting platform may keep operational logs.
What the browser reads locally
The Browser info tool reads values exposed by standard browser APIs. These can include User-Agent, browser language, platform, timezone, cookies enabled status, Do Not Track, Global Privacy Control, CPU core count, device memory, touch points, WebDriver flag, PDF viewer support, Clipboard API availability, screen size, viewport, device pixel ratio, color depth, orientation and legacy plugin capability checks.
Fingerprint-related signals such as Canvas, WebGL, Audio, Fonts and Client Rects are calculated in your browser. They are shown so you can compare browsers, profiles, privacy settings, VPN/proxy setups and extensions. These signals are not used by this project to create an account, follow you across websites or build a behavioral profile.
What the server endpoint reads
The /api/ip endpoint reads the request received by the deployment. It can return the public IP address, IP version, request source, approximate country/region/city when deployment headers provide them, selected allowlisted request headers, HTTP protocol, timestamp and edge/request metadata.
Cookie and Authorization headers are not intentionally echoed back. The endpoint is built for diagnostics, not identity verification. IP geolocation is approximate and can be affected by VPNs, proxies, mobile networks, CDN routing, hosting-region behavior and data-provider accuracy.
ISP, ASN and approximate location lookup
ISP, ASN and location values may come from hosting/deployment headers or from server-side public registry, BGP, RDAP or IP lookup sources configured by the site. These values usually identify a network operator or routing organization, not a specific person.
The browser-side third-party ISP fallback has been removed in this build. Your browser is not given a UI toggle to call public IP lookup providers directly, and the Content Security Policy is configured so browser network connections are limited to this site. Server-side external IP lookup is limited to the approved providers ipinfo.io and ipwho.is. The lookup tries ipinfo.io first and calls ipwho.is only if IPinfo fails, is disabled, or does not return enough ISP/ASN data. That request is made by the deployment backend rather than by your browser.
WebRTC check
The default WebRTC check does not call an external STUN server. It checks whether RTCPeerConnection is available, whether local ICE candidates appear, whether mDNS .local masking is used and whether local/private candidates are exposed. Because external STUN is not used, this page cannot prove every possible public WebRTC leak scenario.
Speed test
The speed test calls internal /api/speed-download and /api/speed-upload endpoints on this deployment. It measures approximate download, upload, latency and TTFB between your browser and this site. Test requests necessarily reach the deployment and may appear in normal hosting/function logs. The results are diagnostic estimates, not a certified ISP measurement.
Generators and sensitive inputs
Random number, password, QR code and TOTP generation run client-side in the browser. In the intended workflow, QR content, generated passwords and TOTP secrets are not sent to a project API. Paste buttons use the Clipboard API only after your interaction and may be blocked by browser permissions.
You should still treat any website input area carefully. Browser extensions, compromised devices, shared computers, screen recorders, remote-control tools, network monitoring and future third-party scripts can change your real-world risk. Do not enter secrets on devices or browsers you do not trust.
What is not intentionally stored by this project
The project code is designed not to write the following into a custom project database: raw IP addresses, fingerprint hashes, request-header snapshots, QR text, generated passwords, TOTP secrets, copied values, exported JSON or speed-test results.
Generated values can remain visible in the page until you reload, clear the field or close the tab. Your browser may also keep form history, cache, autofill data, clipboard data or downloads depending on your own settings. Those browser-level behaviors are controlled by your browser and device.
Local storage and cookies
The site may use local browser storage for small preferences, such as the selected theme. Clearing site data in your browser removes those local preferences.
This build does not require project-side login cookies. If advertising, analytics, a consent banner or other third-party scripts are added later, this policy should be updated before those scripts are enabled.
Hosting logs and infrastructure
Even when the project does not keep its own database, the hosting platform, CDN, DNS provider, security systems and function runtime may process technical logs to deliver the site, prevent abuse, debug errors, measure reliability and protect infrastructure. Such logs can include IP address, request time, URL path, User-Agent, region derived from IP address, status code and function errors.
The retention period and handling of those platform logs are controlled by the hosting and infrastructure providers, not by browser JavaScript on this page.
Advertising and analytics status
In this build, the project does not include behavioral advertising code or a custom analytics pipeline. If ads or analytics are added later, they should be disclosed clearly, and consent controls may be required depending on user location and the provider's rules.
Because the Generators section can involve passwords, QR content and 2FA secrets, the privacy-safe approach is to avoid placing advertising, remarketing pixels or behavioral tracking scripts near those sensitive inputs.
Legal and privacy classification
Different laws classify IP addresses, online identifiers, browser signals and location data differently. This site treats them as privacy-sensitive technical data even when the site cannot directly identify you by name. The site is intended to minimize collection, avoid project-side retention and be clear about data flow.
Your controls
You can avoid clipboard reads by not pressing Paste, avoid exporting JSON, clear generated values, reload the page, clear site data, use a private browsing session, disable JavaScript or choose browser privacy settings/extensions that block specific APIs. Some features will stop working if the browser blocks the APIs they need.
Data rights and deletion requests
Depending on your location, you may have rights to ask for information, correction, deletion or objection regarding personal data. Because this project is designed without a custom user database, the operator may not have a project-side record to search or delete. Hosting and third-party providers may still have their own operational logs under their own controls.
If you operate a deployment of this code, add a real contact channel here before public launch. If you are a user of a public deployment, contact the operator listed by that deployment.
Changes to this policy
This policy may be updated when the code, hosting provider, lookup providers, advertising status, analytics status or legal requirements change. Public deployments should review this page before enabling new third-party scripts or data flows.