Security & Privacy
Your data never leaves your device. Here's what that actually means.
The file stays in your browser
Drop a CSV. It lands in your browser's memory, gets processed by JavaScript and WebAssembly running locally, and the result comes straight back to you. Nothing about the file ever leaves your machine. The only outbound traffic is loading the app itself and, if you ever upgrade, checking your subscription.
No analytics on your file content
Row counts, column names, cell values — none of it reaches us. We use Yandex Metrika for page views (which page, which country, bounce rate). It never touches your data because it can't: the data never leaves the tab.
HTTP security headers
Every response sets HSTS, X-Frame-Options DENY, a tight CSP, and strict Referrer-Policy. Check them yourself with `curl -I https://csvfirstaid.com` — or with any HTTP header checker.
CSV injection protection
A cell starting with =, +, -, or @ can execute as a formula in Excel. Attackers have used this to exfiltrate data. On export, we prefix those cells with a single quote so Excel treats them as text, not formulas.
Payment security
If we ever bring paid plans back, payments go through LemonSqueezy. Your card details hit their systems, not ours — we only get a subscription status back.
Verifiable by design
The architecture prevents us from seeing your data — it would require a code change we can't make without you noticing. Open DevTools → Network, process a file, and confirm nothing goes out.