Last updated: June 2026
Payload Playground is a security-testing toolkit. The large majority of what we offer — every generator, encoder, hasher, and analysis tool — runs entirely in your browser and never transmits your input anywhere. A small number of features are different by necessity and are described plainly below: optional sign-in, optional AI assistance, and optional cloud features (saving, sharing, and community submissions). This policy explains exactly what leaves your device, when, and to whom — and your rights over any data we store. It covers the website at payloadplayground.com and the payload-playground CLI package on npm.
All payload generators, the encoding pipeline, and the analysis and conversion tools run entirely in your browser using client-side JavaScript. The payloads, tokens, hashes, code, and any other input or output you work with are processed locally and are never automatically transmitted to our servers or any third party. There is no background syncing and no input telemetry — you can verify this with your browser's network tab open.
A few tools must make a network request to do their job, and these are clearly labeled in the tool itself:
These send only the domain/URL you explicitly provide — never your other tool inputs.
The optional AI assistant and the AI-powered payload mutator are the one place your tool input is sent to a third party — and only when you explicitly invoke them. When you send an AI request, the prompt you submit (which may include a payload) is sent to our server, which forwards it to DeepSeek, a third-party large-language-model provider, to generate the response.
All free tools work with no account. If you sign in (via Clerk) and use the optional cloud features, content is stored on our servers only when you explicitly choose to save or share it — there is no automatic upload. These features are:
You can delete any of this at any time — see Your Privacy Rights.
| Data | When & why | Retention |
|---|---|---|
| Saved payloads, cloud history | Only when you save (your account) | Until you delete it or your account |
| Shared / community payloads | Only when you share/submit (public) | Until you delete it or your account |
| Payload hashes + outcomes | Effectiveness/WAF voting (aggregate) | Indefinite (no raw payload, no PII) |
| API key hash + prefix | When you generate a key | Until you revoke it or your account |
| AI query count | Free-tier limit enforcement | Resets monthly |
| AI prompts & responses | Forwarded to DeepSeek for the response | Not stored by us |
We use your browser's local storage to remember your theme, your last-used generator settings, and recent-tool history — this stays on your device and is never transmitted. Cookies that may be set:
| Cookie | Purpose | Duration |
|---|---|---|
| _ga / _gid | Google Analytics (only after you accept) | Up to 2 years |
| __session / __clerk* | Clerk authentication (if signed in) | Session |
| theme | Your dark/light mode preference | 1 year |
No advertising or cross-site tracking cookies are used. You can block or delete cookies through your browser without affecting the free tools.
Wherever you live, and regardless of whether the GDPR (EU/UK) or CCPA/CPRA (California) applies to you, we honor the following rights over data tied to your account:
To exercise any right you can't complete in-app, email [email protected] and we will respond within 30 days.
We rely on the following third-party processors. Some may process data outside your country:
See Clerk, Stripe, Neon, and Google for how each handles data.
The payload-playground CLI package (on npm) runs entirely on your local machine. It does not collect data, send analytics, or make network requests — all generation and utility functions execute locally.
Payload Playground is not directed at children under 13, and we do not knowingly collect information from children. The tools are intended for security professionals, researchers, and students engaged in authorized security testing and education.
We may update this policy from time to time. Material changes will be reflected here with an updated "Last updated" date. We encourage you to review this page periodically.
Questions about this policy or your data? Email [email protected].