Privacy

Site overview

• Cipher and code tools run entirely in your browser. Plaintext, ciphertext, and keys are not transmitted to a server.
• The Multi Decoder runs every decoder locally — including syllable counts, which use a CMU Pronouncing Dictionary bundle loaded from this site on first use. No input is transmitted. Share links (e.g. #md= hashes) are only created when you click the Share button, and the encoded payload stays in the URL fragment.
• The Coordinate Converter and Frequency Analyzer compute results locally.
• Map tiles are loaded from third-party providers (Mapbox, OpenStreetMap, Esri, OpenTopoMap). Their privacy policies apply when their tiles are requested.
• Coordinate decoding for Mapcode and reverse-geocoding call out to public APIs (mapcode.com, nominatim.openstreetmap.org) only when you submit a coordinate to those features.
• The ISBN tool looks up book details by sending the ISBN you submit to Open Library (openlibrary.org/api/books). Only the ISBN is sent; their privacy terms apply. Amazon and Google fallback links are constructed locally — no request is made to those services unless you click the link.
• Elevation lookups call out to cachesleuth.opentopodata.org, a third-party endpoint operated by OpenTopoData on a CacheSleuth-branded hostname. Despite the cachesleuth in the URL, the request leaves CacheSleuth's infrastructure and is served by OpenTopoData; their privacy and usage terms apply. Only the coordinate you submit is sent; no other input from the page is included.
• Cache checkers and game pages (the /keyword/, /burggirl/, and the puzzle-cache helper pages reached via owner-supplied links — Ghostbusters, Goonies, Big Boss, the Adventure Lab finals, Ready Player One, and similar) are the one place on the site where the value you type is intentionally transmitted. When you submit an answer, the page logs the attempt so the cache owner is notified and so abuse patterns (e.g. brute-force guessing) can be investigated. Each submission sends the geocache identifier, the keyword or coordinates you entered, whether the attempt was correct, your browser, OS, device, screen size, and timezone, and the date/time. Your IP and its approximate city/region/country are derived at the edge by Cloudflare from the request itself — no third-party IP-lookup service is called. The submission is sent to checker-log.cachesleuth.com, a CacheSleuth-operated Cloudflare Worker. The worker checks your answer against a list maintained by the cache owner inside a CacheSleuth-controlled database, returns the success message (or a generic "not correct" reply) to your browser, records the attempt, and notifies the cache owner. The answer set never leaves the worker and is not exposed in any URL or page response. Submissions are rate-limited per IP to slow brute-force attempts. Attempts are automatically deleted after 90 days. These pages are unlisted and only reached via a cache owner's checker link; if you'd rather not have your attempt logged, do not submit an answer.
• The Wherigo Solver uploads cartridges to api.cachesleuth.com for parsing. Cartridges are processed in memory and are not stored long-term. After parsing, the solver may also fetch the public cartridge-details page on wherigo.com and any referenced geocache pages on geocaching.com through a CORS-bypass proxy at proxy.cachesleuth.com in order to enrich the displayed result with author and cache-title info. The proxy only fetches the public URLs the cartridge already references; it does not see anything you typed.
• Translation. When you pick a language from the footer dropdown, CacheSleuth sends the static UI strings on the current page (button labels, headings, descriptions, tool names) to CacheSleuth's translation service at cs-translate.cachesleuth.com for translation. Your tool input is not included. The translator only sees the same text the page would show to a guest browsing in English: nothing you typed into a textarea, dropped into a file input, pasted into the coordinate box, or entered into the contact form. Form fields, your chosen text, your uploaded cartridges, and anything else you enter into a tool stay in your browser. Translated results are cached on the translation service and in your browser's localStorage so the same string is not re-sent across visits or across visitors.
• Donations route through PayPal; CacheSleuth does not receive your payment details.

My puzzle texts

Anything you type, paste, or drop into a tool (puzzle clues, cipher text, plaintext you're encoding, coordinates, keywords, pad characters, uploaded cartridges, cache pages, photos, notes) stays in your browser. CacheSleuth runs the decoders, encoders, coordinate parsers, and analyzers locally using JavaScript on the page you have open. The site has no server-side database for puzzle inputs and never sends them to a logging endpoint.

The exceptions are spelled out above: cache checker pages (which intentionally log answer attempts so the cache owner is notified), the Wherigo Solver upload (sent to a CacheSleuth parser, processed in memory, not stored long-term), ISBN lookups (the ISBN is sent to Open Library), elevation lookups (the coordinate is sent to OpenTopoData), Mapcode and reverse-geocoding (the coordinate is sent to mapcode.com / Nominatim), and map tile loads (your viewport coordinates are sent to the tile provider). No other tool transmits what you type.

The Notes drawer stores its content in your browser's localStorage on your device. Notes are not transmitted to any server and are not shared between devices or browsers. Clearing your browser's site data removes them.

Share links

Many tools have a Share Link button that copies a self-contained URL recreating your current input. Examples: /multidecoder/#md=…, /multiencoder/#me=…, /tools/coordinateconverter/#cc=…, and similar hashes on the mapping and cipher pages.

The payload after the # is your tool input (e.g. cipher text and keys, or a coordinate string), compressed with LZ-String and URL-safe encoded. Everything needed to recreate the state is in that fragment.

A URL fragment (the part after #) never leaves your browser. Browsers do not include fragments in HTTP requests, so when you open or share a share-link URL, the server (CacheSleuth, Cloudflare, anyone else) sees only the path, not the encoded input. The page loads, JavaScript reads the fragment locally, and the inputs are recreated in your browser.

However, anyone you share the URL with can recover the original input by opening the link, since the payload is encoded (compressed) but not encrypted. Don't paste sensitive information into a share link and then post it publicly. Treat a share link the same as you'd treat a screenshot of the tool with your input visible.

Tool-specific policies

• Geocache Viewer browser extension — local-only processing of the cache page you are viewing on Geocaching.com.

Cookies and storage

CacheSleuth uses your browser's localStorage to remember UI preferences (sidebar mode, theme, format choices, recently used inputs). These values stay on your device and are not transmitted. Clearing your browser's site data resets them.

CacheSleuth does not run any advertising trackers, third-party ad networks, or cross-site fingerprinting scripts. The site is served through Cloudflare, which includes Cloudflare Web Analytics: a cookieless, privacy-respecting analytics script that records page views, browser and OS info, and approximate country. Cloudflare aggregates this data so the site owner can see general traffic patterns. It does not use cookies, does not track you across sites, and does not store your full IP address. You can read more on Cloudflare's Web Analytics page.

Contact

Questions about privacy or data handling? Use the contact page.