Local-first tools
TOTP, QR, otpauth parsing, readiness checks, and migration planning run in your browser after the page loads. Tool inputs are not sent to Worker APIs.
How we handle secrets
Secrets, otpauth URIs, decoded QR contents, and user-entered codes are not written to URLs, logs, analytics, localStorage, sessionStorage, or downloadable reports.
Advertising and analytics boundary
2FAApp is built for SEO content and may use standard page analytics or Google Ads placements. Tool inputs stay in the browser and are not sent to ad, analytics, or Worker APIs.
What TOTP can and cannot protect against
TOTP is useful and widely supported, but it is not the strongest phishing-resistant option. For high-risk accounts, prefer passkeys or hardware security keys where available.
Data retention
The site does not collect newsletter signups, contact messages, directory submissions, or team-template requests. Static page requests and any configured analytics or ad systems should never include TOTP secrets, QR contents, or recovery codes.