Privacy Policy

This Privacy Policy describes how Rosenav ("we," "our," or "the tool"), accessible at https://rosenav.com, handles your information. Rosenav is a browser-based text processing utility operated by the 345tool Team, providing three integrated functions: a line-by-line text diff checker (LCS dynamic programming algorithm with added/removed/unchanged line classification), a cosine similarity detector (TF vectorization with color-coded 0–100% scoring tiers), and line deduplication, sorting, and numbering utilities (hash-set dedup with first-occurrence preservation, locale-aware A→Z/Z→A sort, Fisher-Yates CSPRNG shuffle, and zero-padded line numbering).

The central principle governing this policy is straightforward: Rosenav is engineered so that there is nothing to collect, nothing to store, and nothing to share. Every aspect of the tool's architecture — from the JavaScript engine design to the server configuration — was built to make data collection architecturally impossible, not merely procedurally avoided. This policy explains how that works in technical detail.

1. Zero-Server Architecture — Technical Implementation

1.1 The JavaScript Engine Runs Exclusively in Your Browser

The entire text processing pipeline is implemented in a single self-contained vanilla JavaScript file — text-tools.js — with zero external dependencies and zero network calls. The file contains no fetch() invocations, no XMLHttpRequest objects, no navigator.sendBeacon() calls, no WebSocket constructors, and no beacon pixels. You can verify this by opening your browser's Developer Tools, navigating to the Network tab, typing or pasting text into any of the three tool panels, clicking Compare/Deduplicate/Sort, and observing that no outbound requests are generated — the network panel remains completely silent during all text processing operations.

1.2 Specific Functions Executed Client-Side

Every computational function operates inside your browser's JavaScript sandbox:

• lcsMatrix(a, b) and backtrack(dp, a, b, i, j): compute the Longest Common Subsequence between two arrays of text lines using dynamic programming (O(m×n) 2D DP table), then reconstruct the edit sequence classifying each line as same, added, or removed — producing the diff output with green + / red - / space prefixes.
• tokenize(text) and termFrequency(tokens): tokenize input text by lowercasing, stripping punctuation (preserving CJK characters U+4E00–U+9FFF), splitting on whitespace, and building sparse word-frequency maps for both input texts.
• cosineSimilarity(tfA, tfB): constructs a shared vocabulary space from both frequency maps, builds aligned numeric vectors, and computes cosine = dot_product ÷ (magnitude_A × magnitude_B) — returning a 0–1 score displayed as 0–100% with color-coded progress bar.
• dedupLines(): removes duplicate lines using hash-set membership testing (O(n) expected time), preserving the first occurrence's position in the original order.
• sortLinesAZ() and sortLinesZA(): sort lines alphabetically using localeCompare with base sensitivity for locale-aware, accent-correct comparison.
• shuffleLines(): randomizes line order via Fisher-Yates shuffle powered by crypto.getRandomValues() — the Web Crypto API's cryptographically secure PRNG — guaranteeing unbiased permutations.
• addLineNumbers(): prepends zero-padded sequential line numbers with auto-calculated padding width based on total line count.

1.3 No Local Storage Persistence

Text data exists exclusively in your browser's volatile RAM while the tab is open. The tool does not write to localStorage, sessionStorage, IndexedDB, document.cookie, or any other browser storage API in connection with text content, diff results, similarity scores, dedup statistics, or generated output. Closing or refreshing the browser tab permanently and irrecoverably destroys all entered text and computed results. There is no server-side session, no database row, and no log entry to reconstruct it from.

1.4 Offline Functionality Verification

After the initial page load (which fetches HTML, CSS, JavaScript, and font assets), you can disconnect your device from the internet entirely — disable Wi-Fi, unplug Ethernet, enable airplane mode — and all three text tools (diff, similarity checker, dedup/sort/lines) continue to operate at full functionality. This serves as a practical verification that no server round-trips are required for any core operation.

2. Information We Do NOT Collect

To eliminate ambiguity, Rosenav does not collect, store, transmit, or process any of the following categories of information:

2.1 Text Content & Analysis Results

• Text content, characters, words, or lines entered into any textarea field (diff left/right, similarity text A/B, dedup input)
• Diff results: which lines were added, removed, or unchanged between two compared texts
• Similarity scores (0–100% cosine similarity), TF vectorization data, token counts, or qualitative similarity tier labels
• Dedup statistics: original line counts, processed line counts, removal deltas, or hash-set contents
• Sorting output: A→Z, Z→A, or randomized line orderings
• Line-numbered output with zero-padded prefixes
• Character-set composition, language detection, or any derived metadata about analyzed text

2.2 Behavioral & Biometric Data

• Keystroke dynamics, typing speed, typing rhythm, or inter-key latency
• Mouse movements, click coordinates, scroll depth, or dwell time
• Copy/paste events involving text content
• Tab switching interactions (diff → similarity → dedup toggles)
• Button click events on Compare, Deduplicate, Sort, Randomize, Line Numbers, or Clear actions

2.3 Personal & Device Identifiers

• IP addresses — no server-side logging infrastructure captures or stores IP addresses in connection with tool usage
• Browser fingerprints, User-Agent strings, or device identifiers beyond what GA4 collects (see Section 3)
• Geolocation data (GPS, Wi-Fi triangulation, or IP-derived location at a granular level)
• User names, email addresses, or registration credentials — there is no registration, login, or account system
• Referring URLs, search query terms, or navigation history tied to individual users

The tool is fundamentally a stateless computational utility: it accepts text input in your browser, performs all analysis locally, renders results to the DOM, and retains absolutely nothing when you navigate away.

3. What Limited Data IS Collected — Analytics & External Resources

3.1 Google Analytics 4 (GA4) — Measurement ID G-XKLCTXFJPB

Rosenav uses Google Analytics 4 (GA4) with measurement ID G-XKLCTXFJPB for aggregated, anonymized page-view analytics. GA4 is loaded via the standard gtag.js snippet in the page and is configured with the following privacy-preserving constraints:

• Page-level metrics only: GA4 collects standard aggregated metrics — page URL path, page title, referrer source, browser type, device category (desktop/mobile/tablet), screen resolution, and approximate geographic region derived from IP-anonymized data (GA4 applies IP truncation by default for all properties).
• No text content: GA4's gtag('config', ...) call sends only the measurement ID and page parameters. No text content, diff results, similarity scores, dedup statistics, or any textarea input data is ever passed to GA4 as custom dimensions, events, or parameters.
• No cross-session user tracking: We do not implement User-ID, Google Signals, or any cross-device/cross-session identification features. Session identifiers are GA4's default ephemeral client IDs, which are not linked to any personal identity.
• No remarketing or advertising features: GA4 is used strictly for aggregated traffic analysis. We do not enable remarketing, advertising reporting, Demographics and Interests, or any feature that would feed data into Google's advertising ecosystem.
• No custom events on textarea fields: No GA4 events are fired in response to typing, pasting, clicking tool action buttons, switching tabs, or any interaction with the text processing interface.

If you wish to opt out of GA4 entirely, you can use a browser extension such as uBlock Origin, or Google's own GA Opt-out Browser Add-on. The text tools function identically with or without GA4 loaded.

3.2 Cookies

Rosenav does not deploy any first-party cookies — no authentication cookies, no session cookies, no preference cookies, no analytics cookies, and no tracking cookies. GA4 may set its own first-party cookies (_ga, _ga_*) in your browser as part of its standard operation; these are Google's cookies, not ours, and are governed by Google's privacy policy. We do not read, write, or interact with these cookies in any way. There is no cookie consent banner on this site because we do not deploy any cookies ourselves.

3.3 External Static Resources (CDN Fonts & Icons)

The following third-party resources are loaded for typography and UI rendering. These are static asset fetches — they do not transmit user data or text content:

• Google Fonts (fonts.googleapis.com): loads the Inter, JetBrains Mono, and Sora typeface families. Google may log the referring page URL and browser metadata as part of standard CDN operation.
• Google Material Symbols (fonts.googleapis.com): loads the Material Symbols icon font for UI elements (tab icons, action button icons, hamburger menu, etc.).
• Google Tag Manager (googletagmanager.com): serves the GA4 gtag.js library. This is the standard delivery mechanism for GA4.

No other third-party scripts, analytics services, behavioral tracking tools, heatmapping services, session recording platforms, advertising networks, Facebook Pixel, or marketing tracker integrations are loaded on Rosenav.

4. Data Sharing, Sale & Third-Party Access

Rosenav does not share, sell, rent, trade, or disclose any user data to any third party for any purpose — because there is no user data to share.

Specifically:

• No data brokers: we do not sell or transfer data to data brokers, aggregators, or information resellers.
• No advertisers: we do not share data with advertising networks, demand-side platforms, or ad exchanges.
• No analytics resale: GA4 aggregate statistics remain within Google's ecosystem and are not exported, sold, or shared with additional parties.
• No legal disclosure history: we have never received a subpoena, court order, or law enforcement request for user data — because we hold none. Should such a request ever arrive, we would have nothing responsive to provide.
• No affiliates or partners with data access: the 345tool Team is the sole operator of Rosenav. No third-party affiliates, partners, or contractors have access to any operational systems that could theoretically capture user data.

5. Hosting Infrastructure & Server-Side Configuration

Rosenav is hosted on a dedicated virtual private server running Nginx as the web server with PHP-FPM for server-side page assembly. The server-side role is strictly limited to:

• Serving static assets: HTML templates, CSS stylesheets (combined.css — a merged single file from tailwind.min.css and style.css), JavaScript files (text-tools.js, script.js), images (PNG screenshots, favicon), and font files.
• PHP header/footer assembly: the header.php and footer.php files inject navigation, metadata, and GA4 tags into each page at the server level before delivering HTML to the browser.

Server access logs (standard Nginx access.log) record HTTP requests including timestamp, requested URL path, HTTP status code, bytes transferred, and User-Agent string. These logs are retained for a limited period for operational purposes (troubleshooting, DDoS mitigation, traffic analysis). They are not analyzed at the individual-request level, not cross-referenced with any other data source, and not used to identify or profile individual users. IP addresses in access logs are not linked to text processing activity because all text processing happens entirely in the browser and generates no server requests.

No application-level logging of text content, analysis results, or user interactions exists at any layer of the stack — not in Nginx, not in PHP, not in any database, and not in any external logging service.

6. Data Security — Architectural Guarantees

Because Rosenav collects and stores no user data, the traditional data-security threat model (database breaches, server compromise, insider threats) does not apply in the conventional sense. There is no database to breach, no user table to exfiltrate, and no stored text content to leak.

6.1 TLS/HTTPS

All communication between your browser and the rosenav.com server is encrypted via TLS (HTTPS). While no text data traverses this connection (all processing is client-side), TLS protects the integrity of the JavaScript and CSS files delivered to your browser, preventing man-in-the-middle injection of malicious code that could compromise the client-side analysis.

6.2 Subresource Integrity

External resources (Google Fonts, GA4) are loaded from Google's CDN. We do not currently implement Subresource Integrity (SRI) hashes for these resources; however, the text processing engine (text-tools.js) has no external JavaScript dependencies, meaning the core text analysis functionality is isolated from CDN compromise risks.

6.3 Breach Notification

In the unlikely event of a server compromise, the impact on users is architecturally bounded: no text data, analysis results, or personal information exists on the server to be exfiltrated. If we become aware of any security incident affecting the rosenav.com domain or its hosting infrastructure, we will post a notice on this page and update the "Last Updated" date.

7. Your Rights Under GDPR (EU/EEA Users)

The European Union's General Data Protection Regulation (GDPR, Regulation 2016/679) grants specific rights to individuals in the EU and EEA. Because Rosenav does not collect, store, or process personal data, many of these rights are satisfied by architectural design:

• Right to Information (Art. 13 & 14): This Privacy Policy serves as the complete disclosure of our data-handling practices. There is no additional processing to disclose because no personal data processing occurs beyond what is described here.
• Right of Access (Art. 15): There is no personal data stored to provide access to. All text processing is ephemeral and client-side only. If you submit a Subject Access Request, we will confirm that we hold no personal data about you.
• Right to Rectification (Art. 16): Not applicable — no personal data is held that could be inaccurate.
• Right to Erasure / "Right to be Forgotten" (Art. 17): No personal data exists on our servers to erase. Closing your browser tab permanently destroys all locally processed text data from RAM. We have no backup systems, replication databases, or log archives containing text content.
• Right to Restriction of Processing (Art. 18): No processing of personal data occurs. The text analysis is performed locally by your own device, which is outside the scope of GDPR's processing restrictions.
• Right to Data Portability (Art. 20): Not applicable — no personal data is held in any structured, machine-readable format on our servers.
• Right to Object (Art. 21): No profiling, direct marketing, or automated decision-making concerning individuals occurs. You may object to GA4 tracking by using the opt-out methods described in Section 3.1.
• Rights Related to Automated Decision-Making (Art. 22): The text diff, similarity, and dedup algorithms operate locally on your input and display results to you. They do not make decisions about you, profile you, or produce legal effects concerning you.

7.1 Legal Basis for Processing

To the extent that GA4 page-view analytics constitutes "processing" under GDPR, the legal basis is Legitimate Interest (Art. 6(1)(f)): aggregated, anonymized traffic analysis is necessary for the operation and improvement of the website, and this processing does not override the fundamental rights and freedoms of users given that no personal or sensitive data is involved. GA4's IP anonymization and our configuration restrictions (no User-ID, no Signals, no remarketing) ensure this processing is proportionate and minimally intrusive.

7.2 International Data Transfers

GA4 data is processed by Google on servers that may be located outside the EU/EEA, including in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), which provides a legal mechanism for such transfers. No other international data transfers occur because no other data is collected.

8. Your Rights Under CCPA/CPRA (California Residents)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants specific rights to California residents. Our compliance posture is as follows:

• Right to Know (CCPA § 1798.100/110): This Privacy Policy discloses all categories of information collected (see Section 3 for GA4 page-view analytics) and all categories not collected (see Section 2). We collect no personal information beyond what GA4 collects automatically for aggregated analytics.
• Right to Delete (CCPA § 1798.105): We hold no personal information about California residents to delete. Text data is ephemeral and client-side only.
• Right to Opt-Out of Sale/Sharing (CCPA § 1798.120): We do not sell or share personal information because we do not collect any. We have no financial incentive to collect data — our monetization model (see Section 10) is designed to be compatible with zero data collection.
• Right to Correct (CCPA § 1798.106): Not applicable — no personal information is held that could be inaccurate.
• Right to Limit Use of Sensitive Personal Information (CCPA § 1798.121): We do not collect, use, or disclose sensitive personal information (as defined by CCPA categories: government IDs, financial account credentials, precise geolocation, biometric data, communications content, etc.). Text content entered into the tool is processed locally and is never received by us.
• Right to Non-Discrimination (CCPA § 1798.125): The tool is fully functional for all users regardless of privacy choices. There are no features, pricing tiers, or service levels tied to data sharing because there is no data sharing.

To exercise any CCPA rights, contact us at [email protected]. We will respond within the timeframe required by applicable law. We do not use authorized agents for CCPA request processing.

9. Children's Privacy (COPPA Compliance)

The Children's Online Privacy Protection Act (COPPA) in the United States and similar regulations in other jurisdictions (e.g., GDPR Art. 8, UK Age Appropriate Design Code) impose requirements on services that collect personal information from children.

Rosenav does not knowingly collect personal information from children under the age of 13 — nor from any user of any age. The tool operates without registration, login, or any form of user identification. No user-generated content is stored or transmitted. No communication features (comments, direct messaging, forums, social features) exist on the platform. No behavioral advertising, attention metrics, or engagement tracking is deployed.

If you are a parent or guardian and believe that your child has provided personal information through this website (which is architecturally impossible for text content but theoretically possible if a child emailed us), please contact us at [email protected] and we will promptly address the concern.

10. Monetization Model & Economic Incentives

Rosenav is a free tool with no premium tiers, subscriptions, or paywalled features. Our monetization strategy is designed to be compatible with the zero-data-collection architecture:

• Current state (June 2026): Rosenav is operated as a public-good utility by the 345tool Team with no active monetization. Operating costs (server, domain, bandwidth) are covered by the parent organization.
• Future monetization: If monetization is introduced, it will rely on static, contextually relevant banner placements positioned outside the core text processing interface — never interstitials, never popups, never forced interactions. Over time, these may transition into premium B2B link partnerships with verified technical organizations in adjacent fields (developer tooling, NLP/text analysis, data processing).
• What will never happen: We will never collect, package, sell, or share user text content, analysis results, or behavioral data with advertisers, data brokers, or any third party. The zero-server architecture makes this commercially impossible, not just a policy choice.

11. External Links & Third-Party Websites

Rosenav contains links to external websites that are not operated by us:

• 345tool.com — the parent developer collective's primary domain
• Linked partner sites listed on the Team page — other 345tool satellite tools
• External references cited in educational content (git diff, hashcat, NIST, academic LCS literature)

We are not responsible for the privacy practices, content, or security of these external websites. Clicking external links navigates you away from Rosenav, and those sites are governed by their own privacy policies. We encourage you to review the privacy policy of any website you visit, particularly before entering any personal information.

12. Policy Updates & Version History

We may update this Privacy Policy to reflect changes in the tool's architecture, operational practices, or applicable regulations. Updates are published directly on this page with the "Last Updated" date revised accordingly.

12.1 Material Change Notification

If we ever introduce a feature that collects, stores, or transmits user data of any kind — which would represent a fundamental architectural departure — we will:

1. Post a prominent notice on the homepage at least 30 days before the change takes effect.
2. Update this Privacy Policy with a detailed description of what data is collected, how it is processed, and the legal basis for processing.
3. Provide a clear opt-out mechanism where technically feasible.

We encourage periodic review of this page. The "Last Updated" date at the top of the policy indicates when the most recent changes were published.

12.2 Governing Law & Jurisdiction

This Privacy Policy and any disputes arising from it are governed by applicable data protection laws in the jurisdictions where users reside, including but not limited to the GDPR (EU/EEA), CCPA/CPRA (California, USA), COPPA (USA), and PIPEDA (Canada).

13. Contact & Verification

For privacy-related inquiries, data protection questions, GDPR/CCPA rights requests, or technical verification of our zero-server architecture, contact the 345tool Team:

• Email: [email protected]
• Parent Organization: 345tool.com
• Physical Address: Available upon request via email for formal legal correspondence.
• Response Time: We aim to acknowledge all privacy-related inquiries within 48 hours and provide substantive responses within 14 calendar days.

If you are a security researcher and wish to verify our zero-server claims, we welcome independent technical audits. You can verify client-side-only operation by opening the browser Developer Tools Network panel (F12 → Network), typing or pasting text into any tool panel, clicking any action button, and confirming that zero outbound requests are generated. The unminified source code of text-tools.js is publicly accessible at /js/text-tools.js for direct inspection.