No accounts, no fetches, no tracking. Every Muntin tool is built so you can verify the promise — not just trust it. Nine claims, five tests you can run on any tool, four tiers of business data, one principle: data never flows up a tier.
Each claim is verifiable in your own browser in under a minute. If any of them turn out to be wrong, we want you to find out first — open every “Inspect this” and check us. The build chain enforces the load-bearing claims (1, 2, 4, 5) — so a future tool that ships a forbidden pattern fails CI before it can deploy.
No fetch(), XMLHttpRequest, or form submission fires when you type a financial number. Every Muntin tool runs entirely in your browser.
Open DevTools (Cmd+Opt+I / Ctrl+Shift+I) → Network tab. Type a number into any tool. The request list should not grow.
The only endpoint a tool page uses is GET /tools/<slug>/. No /api/save, no /api/calculate, no logger. The Worker can't hear you.
From a terminal: curl -X POST https://muntin.digital/tools/margin-math/. Response: 405 Method Not Allowed — there's nothing listening for POSTs.
Plausible receives properties from a short, fixed list of enumerated values. A $25 ticket becomes 25-39. A 30% food cost becomes 28-32. Your raw numbers are never a value on any event.
DevTools → Network → filter plausible. Interact with any tool. When the event fires, look at its payload. Values like ticket_bucket: "25-39" — never ticket: 25.00.
Your typed numbers live only in JavaScript variables, which disappear when you close the tab. There's no persistent state for any tool's financial inputs.
DevTools → Application → Storage. Use any tool. Check Cookies, Local Storage, Session Storage, IndexedDB for this origin — the panels stay empty of any financial value.
Every tool page loads only first-party JS plus one privacy-first analytics script (Plausible). No Google Tag Manager, no Meta Pixel, no chat widget, no session replay.
DevTools → Network → filter JS. Reload. Every script should be plausible.io or muntin.digital — nothing else.
Shareable links carry inputs in the URL fragment — the part after the #. Per HTTP spec, browsers never send fragments to servers. The link you paste is an audit trail you control.
Move any slider on a tool. Watch the URL bar. It updates to something like …#v=1&t=25&f=30. That fragment is never in an HTTP request.
No build step, no minification, no framework. Every tool's math module is plain JavaScript — you can read every line.
Right-click any tool page → View Page Source. Or open the tool's .js file directly. Every function name is human-readable; every comment is in the source.
Close the tab, reopen the tool: every input resets to default. There's no account, no saved history, no "welcome back" — unless you sign in to the optional Workshop, in which case you control what gets saved and you can delete it.
Change every slider and input on any tool. Close the tab. Reopen the tool. Everything is back to its starting value.
"Print this report" opens your browser's native print dialog — we never see the output. "Add to calendar" generates an .ics file in your browser and downloads it locally. The calendar event includes only values already visible to you.
DevTools → Network. Click Print this report — no new requests. Click Add to calendar — still no new requests; a .ics download appears. Open it with a text editor: every field in the event is plain text.
Every sheet at /sheets/<slug>/ runs entirely in your browser. The math, the bands, the recommendations — all client-side. Drafts auto-save to localStorage on your device only. The only network requests a sheet page makes are user-initiated: clicking Save sends one POST to your own Workshop, and (when you're signed in) the page reads back your prior saves of the same sheet to draw the trend sparkline. Anonymous visitors trigger zero network calls from the sheet itself.
Open DevTools (Cmd+Opt+I / Ctrl+Shift+I) → Network tab. Open any sheet — e.g. /sheets/recipe-cost-card/. Type ingredients and watch the request list. The list does not grow as you type. The only requests on initial load are static assets (CSS, fonts, the shared sheets.js / sheet-csv.js / sheet-viz.js / sheet-parse.js / sheet-benchmarks.gen.js). Click Save (only visible when signed in): one POST to /api/workbench/save with { kind: 'sheet', payload: { v:1, slug, inputs, outputs, savedAt } }. The build-time check `node scripts/check-sheet-no-fetch.mjs` greps every sheet fragment for forbidden network calls; CI fails if any fragment contacts any URL.
Five tests you can run on any free financial tool you encounter — before you type a single real number into it. We score ourselves alongside a typical lead-generation free tool so the difference is concrete, not rhetorical.
| The test | Muntin | Typical free tool |
|---|---|---|
| 1. Does typing a number trigger a network request? Open DevTools → Network. Type. |
No requests fire. | Every keystroke POSTs to a server. |
| 2. Is the privacy claim at the point of input? Not buried in a policy page. |
"Stays in your browser" rail on every tool, full claims page in-line. | Privacy Policy link in footer only; implicit consent on submit. |
| 3. Is there an account / newsletter / cookie gate? Anything demanding "accept all" before you can use the tool. |
Nothing — no gate, no popup, no cookie banner. | "Enter your email to see your results." |
| 4. Any third-party analytics, session replay, marketing scripts? DevTools → Network → filter JS. |
Privacy-first Plausible only; bucket props (never raw values). | Google Analytics, Meta Pixel, HubSpot, session replay — stacked. |
| 5. Is the source code readable? Right-click → View Source. |
Unminified, every math function named. | Minified SaaS bundle; math hidden inside a framework dashboard. |
Not every number belongs in every conversation. Most small-business owners carry all their data in the same mental bucket — which means the supplier list and the tax ID get the same protection (often the same low level of it). Four tiers, each with a different audience and a different level of caution.
Everything anyone can find on your site, your listing, or a walk-by.
Share with: Anyone. Optimize aggressively — this is how customers find you.
Legal to share, but useful to a rival — or leverage for a platform.
Share with: Bookkeeper, consultant, broker — under NDA. Not platforms, not competitors, not "free audit" tools that keep your input.
Your actual operating numbers, customer pipeline, employee details.
Share with: Inside the business only. POS vendor, payroll processor, accountant — and only under a written contract that specifies what they can and can't do with it.
Legally protected. Losing this has fines, lawsuits, or criminal exposure attached.
Share with: Encrypted storage, access logging, contracts with cybersecurity terms. Never email. Never in a shared spreadsheet. If a vendor asks for this casually, that alone is a flag.
Apply this anywhere you’re asked to hand data over — vendor evaluations, contracts, loan applications, “free audit” intakes. The pattern: data never flows up a tier. A Tier 3 vendor doesn’t get Tier 4 access just because they asked. The easiest way to reduce your attack surface is to stop volunteering data that wasn’t actually required.
The point of this page is that you don’t have to take any of it on faith. Three concrete ways to confirm:
/assets/site.js directly. Search for any tool’s function — every line is in the open. Hash the file yourself, or compare against the SHA-256 digests published at /security/integrity.txt (regenerated on each deploy; the file lists exactly which paths were hashed).Found a hole? Tell Don directly through The Window. Security reports get the fastest reply turnaround on the site — within 24 hours, weekends included.
If you hire the studio — whether that’s a one-off Site Read, a full build, or a recurring Care Plan — the data we hold for billing is whatever the agreed-upon engagement letter calls for: typically your name, your business name, your email, and an invoice history. Card data is never in our hands; payments go through the payment processor named on the invoice (Stripe, Wise, or check). We don’t back up your operating numbers from any tool you’ve run to a third location, and the Workshop stays opt-in: you save what you choose, you delete it when you choose.
The legal version is at /privacy.html. This is the operator-trust version: same data, plain English.