SSysLeak

Reference

Privacy policy

SysLeak exists to show you what your browser leaks. A privacy tool that abuses privacy is worthless, so this policy is short, specific, and matches what the code actually does — the code is open to inspection and the claims below are enforced by automated tests.

What we process, transiently

When you load a page, our server reads your connection data — IP address, and from it your approximate location, timezone and network operator (via a locally hosted GeoLite2 database; your IP is never sent to a third-party geolocation service). This is computed per request, shown to you, and discarded. Your IP address is never written to a database and never written to a log file. For rate limiting, a one-way hash of the IP briefly exists as a counter key and expires with the rate window.

What happens in your browser, stays there

The fingerprint collectors, the WebRTC leak test and the Exposure Score all run in your browser. Raw values — your user agent, canvas hash, font list, WebRTC candidates, all of it — are displayed to you and sent nowhere by us. The one exception you should know about: the WebRTC test asks your browser to contact a public STUN server (stun.l.google.com), because that reflection is the mechanism being tested. That request comes from your browser, not from us, and the page discloses it where the test runs.

What we store: anonymous counters, nothing else

To tell you “you are more unique than X% of visitors,” your browser sends one salted-and-hashed summary of its signal values plus coarse buckets (“Chrome”, “Windows”, “1920x1080”, “Europe/*”). We store counters: how many visits share that hash, how many fall in each bucket. The hash is salted with a server secret, so even someone with a copy of the database cannot check whether a known fingerprint is in it. No raw signal values, no IPs, no timestamps finer than a day. Idle counters are deleted after 90 days.

What we don't do

  • No cookies — this site sets none, for anything.
  • No third-party trackers, ad scripts, or analytics that profile you.
  • No accounts, no emails, no personal data at rest of any kind.
  • No selling, sharing, or transferring of data — there is nothing to sell.
  • No fingerprinting of you for our purposes: the analysis is shown to you and discarded, not used to recognize you on a return visit.

Questions

The scoring methodology is public on the methodology page, and the security measures behind these claims are documented in the project's SECURITY.md. Contact: privacy@sysleak.com.