Privacy Policy — Your Logs Never Leave Your Browser

Think of LogAnalytics like a calculator. When you punch numbers into a calculator, those numbers don't get sent to Texas Instruments' headquarters for processing. The calculator does the math locally and shows you the result. That's exactly how we work, except instead of math, we're running SQL queries on your logs.

This isn't just good privacy practice—it's the only architecture that makes sense. Uploading gigabytes of logs to a server for processing is slow, expensive, and creates a massive attack surface. We skip all that nonsense.

DuckDB-WASM Sandbox

The engine that parses your logs is DuckDB-WASM—a WebAssembly-compiled database that runs entirely in your browser. WebAssembly is a sandboxed execution environment. Here's what that means in practice:

• No network access: WASM modules can't make HTTP requests. It's physically impossible without JavaScript glue code, which we don't include.
• No file system access: Can't read or write files outside the browser's isolated storage (IndexedDB). Your operating system's files are completely inaccessible.
• Memory isolation: WASM runs in a separate memory space from the main webpage. Even if someone exploited a bug in DuckDB's query parser, they'd be trapped in the WASM sandbox.
• No process spawning: Can't execute shell commands, spawn child processes, or interact with system APIs.

This sandbox is enforced by your browser's security model—the same system that protects you when visiting untrusted websites. Chrome, Firefox, Safari, and Edge all implement these restrictions at the operating system level using site isolation and process sandboxing.

No Network Requests

Don't take our word for it—verify yourself. Open DevTools (F12), go to the Network tab, and watch what happens when you upload a log file:

DevTools Proof

For the paranoid (we respect that), here's a step-by-step verification:

Seriously. These are explicit non-features:

You can verify this using browser extensions like Privacy Badger or uBlock Origin. They should show zero trackers blocked, because there are zero trackers to block.

Okay, we're not running a charity. Here's what minimal data we do collect—and why:

1. Optional Plausible Analytics

If you consent (via settings), we use Plausible—a privacy-focused analytics tool. Here's what it collects:

• Page views: Which pages you visit (e.g., /docs, /privacy)
• Referrer: Where you came from (e.g., Google search, direct link)
• Device type: Desktop vs. mobile (not specific model)
• Country: Derived from IP address, but IP is not stored

Plausible is GDPR compliant, doesn't use cookies, and aggregates data so individual users can't be identified. Importantly: this is opt-in. Disabled by default.

2. GitHub API (Public Data Only)

Our documentation links to GitHub issues and pull requests. When you click those links, GitHub's API is queried to fetch metadata (issue title, author, date). This data is:

• Public (anyone can access it without authentication)
• Cached in your browser (subsequent clicks don't hit GitHub)
• Not logged or stored on our servers

3. Opt-In Telemetry (Future Feature)

We're considering adding opt-in crash reporting to catch DuckDB parsing bugs. If implemented, this would:

• Be disabled by default
• Send only error stack traces, not log content
• Include a "Review Report" button before transmission
• Use Sentry with IP anonymization and data scrubbing enabled

As of November 2025, this feature doesn't exist yet. When it launches, we'll update this policy with 60 days' notice.

SOC 2 / GDPR / HIPAA Considerations

Because all processing happens locally, LogAnalytics is compliant by design with most data protection regulations. Here's the breakdown:

Real-World Use Cases

According to 2024 GDPR statistics, trust in data processing has increased from 71% in 2021 to 88% in 2024—but 30% of European businesses are still non-compliant. The most common violation? Transferring personal data to third parties without proper legal basis (€2.4 billion in fines since GDPR's inception).

LogAnalytics eliminates this risk entirely. No data transfer = no compliance violation. We've seen teams use this in:

• Defense contractors: Analyzing classified system logs on air-gapped workstations (SCIF environments)
• Healthcare providers: Auditing EHR access logs containing PHI without triggering HIPAA breach protocols
• Financial institutions: Investigating fraud patterns in transaction logs without violating PCI DSS data flow requirements
• European SaaS companies: Internal devs troubleshooting production issues without creating GDPR transfer records

Fun fact: The log management market is projected to reach $11 billion by 2034, driven largely by compliance requirements. The average cost of a data breach is now $4.88 million. Using browser-based processing isn't just convenient—it's a legitimate security strategy.

MIT License (Open Source)

Our source code is publicly available on GitHub under the MIT license. You can:

• Audit every line of code
• Fork it and self-host on your own domain
• Modify it for internal use without asking permission
• Verify that we're not lying about "no tracking" (check for fetch() calls in the codebase)

Build Reproducibility

We use deterministic builds. That means if you clone our repo and run npm run build, you'll get byte-for-byte identical output to what's deployed on our website. Verify this with:

# Clone repo
git clone https://github.com/loganalytics/loganalytics.git
cd loganalytics

# Build from source
npm install
npm run build

# Compare SHA-256 hash with production build
sha256sum out/_next/static/chunks/main-*.js
# Should match: https://loganalytics.org/_next/static/chunks/main-*.js

Security Disclosure Policy

Find a vulnerability? Email security@loganalytics.org (PGP key on our GitHub). We commit to:

• Acknowledge receipt within 24 hours
• Provide a fix or mitigation within 7 days for critical issues
• Publish a security advisory after patching
• Credit researchers (unless you request anonymity)

We don't have a bug bounty program because we're a free tool. But if you find something serious, we'll send you a nice t-shirt and eternal gratitude.

Data Ownership

You own your data. 100%. We don't claim any rights to logs you analyze, queries you write, or results you export. This should be obvious, but some SaaS providers bury clauses like "we can use your data for model training" in their ToS. Not us.

Right to Deletion

Under GDPR Article 17 ("Right to Erasure"), you can request deletion of personal data. Here's the thing:we don't store your data in the first place. There's nothing to delete.

Your logs live in your browser's memory. When you close the tab, they're garbage-collected by JavaScript's memory manager within seconds. If you want to be extra paranoid, clear your browser cache: Settings → Privacy → Clear browsing data → Cached files.

GDPR Automatic Compliance

Because we don't collect personal data, most GDPR requirements don't apply. But let's map them out for completeness:

California Privacy Rights (CCPA/CPRA)

For California residents: You have the right to know what personal information we collect. The answer is simple:none. We don't sell personal information (because we don't collect it). We don't share it with third parties (because it doesn't exist).

If you want to exercise your CCPA rights anyway, email privacy@loganalytics.org. We'll respond with: "We have zero data about you. Have a nice day."

If we ever change our privacy practices (e.g., adding that opt-in crash reporting), we'll:

1. Update this page with a "Last Updated" timestamp at the top
2. Show a banner on the homepage for 60 days
3. Send an email to users who opted into our newsletter (if we ever create one)
4. Post an announcement on GitHub Discussions

We will never retroactively change terms to make past data collection "legal." If we collect new data, it applies only to users who consent after the policy update.