Privacy & data handling
How your scans are handled
Site Behavior Lab inspects how a website behaves, so it would be a poor tool if it were careless with your own data. A URL can itself be sensitive (query strings often carry tracking ids, tokens, or email addresses), so here is exactly what happens to the address you type, in plain terms.
What leaves your browser when you scan
Submitting a scan sends the following to the scanner:
- The address: reduced to origin and path first. Before the request leaves your browser, the query string (everything after ?) and fragment (after #) are stripped. example.com/account?user=you&token=abc becomes example.com/account. The page in the box is updated so you can see exactly what will be scanned.
- Your scan options: the device profile (desktop or mobile), whether to send a Global Privacy Control signal, and which run mode (single, GPC diff, or Shields comparison).
- A Cloudflare Turnstile token, used to confirm the request is not automated abuse (see Third parties below).
What the scan itself does
The scanner makes one automated browser visit to the page and records what the page did: the network requests it made, the cookies and storage it set, fingerprinting-style API calls, and a screenshot of the page (never of you or your device). That observation is the report. The scanned site sees a visit from the scanner’s infrastructure, not from your IP address.
What is stored, and for how long
- Each scan is saved as a shareable report so its permalink works. The address stored in the report is origin and path only. Query strings, URL credentials, and fragments are removed before anything is written or shared.
- Stored reports are automatically deleted after about 7 days on the reference deployment (configurable by whoever runs the instance).
- No report is linked to your identity, and reports do not record your IP address.
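The reduction to origin and path described under "What leaves your browser when you scan" and "What is stored, and for how long" can be reproduced with the standard URL parser. This is an added example, not Site Behavior Lab's own code; the function name reduceToOriginAndPath, the choice to assume https for input typed without a scheme, and the sample inputs are assumptions.

```javascript
// Added example (not the project's code): reduce a typed address to
// origin + path, dropping query string, fragment and URL credentials.
// reduceToOriginAndPath is a hypothetical name.
function reduceToOriginAndPath(input) {
  const raw = String(input).trim();
  // Addresses are often typed without a scheme; assume https in that case.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  let url;
  try {
    url = new URL(hasScheme ? raw : `https://${raw}`);
  } catch {
    return null; // not parseable as a URL
  }
  // Only web pages make sense here; reject file:, ftp: and similar.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // origin is scheme + host + port only, so "user:pass@" never survives;
  // pathname excludes everything from "?" or "#" onward.
  return url.origin + url.pathname;
}

// Constructed sample inputs, including the address used on this page.
const samples = [
  "example.com/account?user=you&token=abc",
  "https://user:secret@example.com:8443/a/b?x=1#frag",
  "https://example.com/#access_token=abc",
  "file:///etc/passwd",
];
for (const s of samples) {
  console.log(`${s} -> ${reduceToOriginAndPath(s)}`);
}
```

The path is kept by this function, so an identifier embedded in a path segment (for example /reset/<token>) is still part of what it returns.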
Rate limiting and abuse prevention
To keep the public scanner available, requests are rate-limited per client. Your IP address is used transiently for that limit and for the Turnstile bot check. It is not attached to stored reports and is not used to profile or track you across visits.
Third parties
- Cloudflare provides hosting, network protection, and the Turnstile check. The Turnstile token (and, for that check, your IP) is processed by Cloudflare under its own terms.
- The site you scan receives the automated visit and may log it like any other request, but it receives the scanner’s request, not your browser session or IP.
What this site does not do
- No accounts, sign-ups, or passwords.
- No advertising, analytics profiles, or cross-site tracking cookies of our own.
- No selling, renting, or sharing of scan data with data brokers.
- No storing of the query strings or fragments you remove before scanning.
Open source and self-hosting
Site Behavior Lab is open source, so all of the above is verifiable in the code rather than taken on trust. Anyone running their own instance controls their own storage and retention. This statement describes the reference deployment’s defaults and may be updated as the tool changes.