Privacy Policy

Your privacy is not a feature. It is the foundation.

This page explains in plain language exactly what information RevealURL processes, what it does not collect, which third-party services are involved, and why we made each choice.

Last updated: March 2026

No Tracking Cookies
No Persistent Logs
Hash-Only Threat Checks
SSL Encrypted Transit
No Advertising
No User Profiling

What we do not collect

The following data is never collected, stored, sold, or shared:

  • Your name, email address, or any form of account information
  • A persistent record of the URLs you have checked
  • Your browsing history or behaviour across sessions
  • Device fingerprints, browser identifiers, or operating system details
  • Geolocation data beyond what is inherent to an IP address
  • Advertising identifiers or cross-site tracking data
  • Any data sold to or shared with third parties for commercial purposes

What is processed when you check a URL

Your IP address, held in memory for up to 60 seconds

Your IP address is read from the incoming request and held in server memory solely to enforce the rate limit of 10 requests per minute. It is never written to disk, never logged alongside the URL you submitted, and is discarded automatically when the 60-second window expires.

The URL you submitted, processed in memory and then discarded

The URL is passed to our analysis engine, checked against threat databases, and used to fetch the destination page. It exists only in server memory for the duration of the request. Once the response is sent back to your browser, the URL is gone from our systems.

Your scan history, stored in your browser only

After a successful scan, a summary is saved to your browser's local storage so you can revisit recent results without re-checking the same URL. This data never leaves your device and is never transmitted to our servers. You can clear it at any time using the clear button in the history panel.

Third-party services

Running a meaningful URL safety check requires querying external threat intelligence databases. Below is a full list of every third-party service we contact during a scan, what information is sent to each one, and why.

Google Safe Browsing

We use the privacy-preserving fullHashes endpoint. Rather than sending the raw URL to Google, we compute a SHA-256 hash of the URL and transmit only the first four bytes of that hash. Millions of completely different URLs share any given four-byte prefix, so Google receives no meaningful information about which specific URL you checked. The full hash is verified locally only if Google returns a potential match.
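The prefix lookup described above, as an added example (not RevealURL's or Google's code). The names `makeMockService` and `checkUrl`, the URLs and the in-memory list are constructed for illustration, and the URL string is hashed as-is without the canonicalisation step a real Safe Browsing client performs.

```javascript
const crypto = require("node:crypto");

const PREFIX_BYTES = 4; // only this many bytes of the hash leave the server

function sha256Hex(url) {
  return crypto.createHash("sha256").update(url, "utf8").digest("hex");
}

// Constructed stand-in for the remote threat list. It records what it was
// sent, so the test can confirm it never sees more than the prefix.
function makeMockService(listedFullHashes) {
  const seen = [];
  return {
    seen,
    find(prefixHex) {
      seen.push(prefixHex);
      // Return every listed full hash that starts with the prefix.
      return listedFullHashes.filter((h) => h.startsWith(prefixHex));
    },
  };
}

function checkUrl(url, service) {
  const full = sha256Hex(url);
  const prefix = full.slice(0, PREFIX_BYTES * 2); // 4 bytes = 8 hex chars
  const candidates = service.find(prefix);
  // A prefix hit is only a *potential* match: the verdict comes from
  // comparing the full 32-byte hash locally.
  return { prefix, candidates: candidates.length, listed: candidates.includes(full) };
}

// Constructed sample data: one listed URL, plus a fabricated list entry that
// shares the benign URL's 4-byte prefix but differs in the remaining 28 bytes.
const BAD_URL = "http://malware.example/payload";
const BENIGN_URL = "https://benign.example/";
const sharedPrefixEntry = sha256Hex(BENIGN_URL).slice(0, 8) + "ab".repeat(28);
const service = makeMockService([sha256Hex(BAD_URL), sharedPrefixEntry]);

console.log(checkUrl(BAD_URL, service));
console.log(checkUrl(BENIGN_URL, service));
```

The second call shows why the local comparison matters: the service reports a candidate for the benign URL's prefix, and only the full-hash check keeps it from being flagged.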

URLhaus, PhishTank, AlienVault OTX, and VirusTotal

The final destination URL is sent to these services in order to check it against their threat databases. These queries are made from our server, not your browser, so the services see our server IP rather than yours. Each service has its own privacy policy governing how submitted URLs are handled on their end. If this concerns you for a particular URL, the scan still provides meaningful results from the other checks even when API keys are not configured.

AbuseIPDB

After resolving the destination domain to its IP address, we query AbuseIPDB with that IP to check its reputation. Your own IP address is never submitted to AbuseIPDB. Results are cached for one hour to reduce the number of API calls made for frequently checked destinations.

RDAP, Wayback Machine, and DNS

The destination domain name is sent to the RDAP registry to look up its registration date, to the Internet Archive CDX API to check whether the domain has any historical presence, and to standard DNS resolvers for record analysis. None of these queries carry any information that could identify you as the person who initiated the scan.

Cloudflare Turnstile

To prevent automated abuse, submissions are verified using Cloudflare Turnstile. We chose Turnstile specifically because it is substantially more privacy-preserving than alternatives such as Google reCAPTCHA. Turnstile does not track you across websites or build an advertising profile. In most cases the challenge completes invisibly without any interaction on your part. See the Cloudflare privacy policy.

Cookies and analytics

RevealURL sets no tracking cookies, session cookies, or any other persistent identifiers in your browser. There is no analytics platform running on this site. We do not use Google Analytics, Mixpanel, Hotjar, or any similar service. We do not display advertising of any kind, and we have no advertising partners. The only browser storage this site touches is the local storage entry that saves your scan history, which stays on your device and is never read by our servers.

How your IP address is shielded from the destination

One of the core privacy benefits of using RevealURL is that you never have to visit a suspicious link directly. All HTTP requests to the destination URL are made from our server, not from your browser. The destination site sees our server IP address and not your personal IP address. We also deliberately omit the Referer header from outbound requests, which prevents the destination from knowing that the visit originated from this tool. Your identity and location are never exposed to the site you are investigating.

Security measures

All traffic between your browser and RevealURL is transmitted over HTTPS. Outbound requests from our server to destination URLs are validated against SSRF protections before being made, which prevents the tool from being used to probe private networks, internal services, or local addresses.
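One way an outbound-request check of this kind can be written, as an added example (not RevealURL's code). The deny-list ranges, the function names and the sample addresses are assumptions, and DNS resolution is left to the caller, which passes in the addresses the resolver returned.

```javascript
const net = require("node:net");

// Constructed deny-list of non-public ranges (assumption, not the service's list).
const denied = new net.BlockList();
for (const [prefix, bits] of [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]]) {
  denied.addSubnet(prefix, bits, "ipv4");
}
denied.addAddress("::", "ipv6");       // unspecified address
denied.addAddress("::1", "ipv6");      // loopback
denied.addSubnet("fc00::", 7, "ipv6"); // unique local
denied.addSubnet("fe80::", 10, "ipv6"); // link local

// Rewrite IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:hhhh:hhhh) as plain IPv4,
// so a mapped loopback or private address is judged by the IPv4 rules.
function unmap(ip) {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip);
  if (!hex) return ip;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

function isDeniedAddress(ip) {
  const addr = unmap(ip);
  if (net.isIPv4(addr)) return denied.check(addr, "ipv4");
  if (net.isIPv6(addr)) return denied.check(addr, "ipv6");
  return true; // not an IP address at all: refuse
}

// resolvedIps: every address the resolver returned for the hostname.
function validateOutbound(rawUrl, resolvedIps = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // IPv6 literals come bracketed
  const ips = net.isIP(host) ? [host] : resolvedIps;
  if (ips.length === 0) return { ok: false, reason: "no-address" };
  const bad = ips.find(isDeniedAddress); // one denied address rejects the request
  return bad ? { ok: false, reason: `denied:${bad}` } : { ok: true, ips };
}
```

The check only holds if the fetch then connects to one of the returned `ips` rather than resolving the hostname a second time, and if every redirect target is validated the same way.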

Input validation is enforced using Zod schema parsing on all API endpoints. Requests that do not conform to the expected schema are rejected before any processing occurs.

Children's privacy

RevealURL is a general-purpose tool with no age restriction. Because we do not collect personal information from any user, we do not knowingly collect personal information from children either. If you believe a child has submitted personal data through this service, please contact us and we will investigate. In practice, the tool does not request or store any personal data from any user regardless of age.

Changes to this policy

If we make material changes to how this service handles data, the updated policy will be published on this page with a revised date at the top. We will not introduce data collection practices that conflict with the commitments on this page without prominently disclosing the change. Because we do not collect email addresses or account information, we cannot notify users directly, so we encourage you to review this page periodically if you use the service regularly.

Contact

If you have questions about this privacy policy or about how RevealURL handles data, you can reach EarthBeLost through the information listed on his website. We are happy to explain any aspect of our data practices in more detail.