3 min read
Where Your Browser Actually Stores Your Data
localStorage, cookies, and cache explained in plain terms: what web apps save on your machine, what survives a restart, what 'clear browsing data' really deletes, and what private browsing does and doesn't hide.
Your browser is a small database
Every website you visit can store data on your machine in several compartments. Cookies are small values sent back to the server with every request — sessions, logins, tracking. localStorage is a roughly 5 MB per-site scratch space that never leaves your device unless a script sends it; it's how a notepad web app keeps your note through a restart with no account. The cache holds copies of images and scripts so repeat visits load fast. Larger apps use IndexedDB, a full structured database that can hold hundreds of megabytes.
The privacy geometry matters: cookies are built to travel to servers; localStorage and IndexedDB are built to stay. A tool that saves your work to localStorage is making a meaningfully different promise than one that syncs to a cloud — the data physically resides on your disk, scoped to that one site, invisible to other websites.
What survives what
Closing a tab: everything survives except sessionStorage (a variant scoped to the tab). Restarting the browser or the computer: cookies with expiry dates, localStorage, and IndexedDB all persist — that's their job. 'Clear browsing data' is the nuclear option, and its checkboxes map to the compartments: 'cookies and site data' wipes cookies, localStorage, and IndexedDB (logging you out everywhere and deleting locally-saved work); 'cached images and files' only clears the cache and is safe for stored data.
The browser can also evict storage under disk pressure — rare on desktops, more common on phones — which is why anything genuinely important that lives in localStorage deserves an occasional export. A notepad's download-as-.txt button isn't decoration; it's the backup strategy.
Checking what a site has stored on you
You don't have to take any site's word for what it stores — the browser shows you everything.
- 1Open DevTools (F12) on the site in question and go to the Application tab (Storage in Firefox).
- 2Expand Local Storage and click the site's origin — every key and value is listed in plain text. A privacy-respecting tool's entries are readable and obviously yours.
- 3Check Cookies in the same panel: names, values, expiry dates, and whether they're first- or third-party.
- 4Use 'Clear site data' in that panel to wipe one site's storage without nuking every login you have.
- 5For a quick audit without DevTools: the padlock/tune icon in the address bar shows cookie and storage counts per site in most browsers.
What private browsing actually does
Incognito or private mode gives the session a temporary set of compartments — cookies, localStorage, and history are discarded when the window closes. It's excellent for shared computers and for testing what a site looks like signed out. What it does not do: hide your traffic from the network. Your ISP, employer, school, and the sites themselves still see your visits; private mode changes what's remembered locally, not what's observable remotely.
The practical model: local storage privacy is about who else uses your device; network privacy is about who watches the wire. Browser storage controls handle the first. The second is a different toolbox — HTTPS, VPNs, and, more fundamentally, choosing tools that never transmit your data in the first place. A client-side tool has nothing to intercept.
Frequently asked questions
Can other websites read a site's localStorage?
No — the same-origin policy scopes storage to the exact origin that wrote it. A note saved by one site is invisible to every other site. The realistic risks are physical (someone using your browser profile) and script-level (a compromised site can read its own storage), not cross-site.
Why did my locally-saved work disappear?
The usual suspects: 'clear browsing data' with 'site data' checked, a private window that was closed, a browser-initiated eviction under disk pressure, or simply a different browser or profile than the one that saved it — localStorage doesn't sync between browsers or devices.
Is localStorage safe for passwords or sensitive data?
No site should put credentials there — it's plain text readable by any script on that page, and it's not encrypted at rest. It's the right place for notes, drafts, and preferences; it's the wrong place for secrets, which is why well-built tools keep secrets out of it.
Tools mentioned in this guide
Online Notepad
A distraction-free notepad that autosaves to your browser as you type.
Productivity Tools
Password Generator
Generate strong random passwords locally with full control over characters.
Generators
JWT Decoder
Decode JWT tokens locally — header, payload, and human-readable claims.
Developer Tools
EXIF Viewer & Remover
See a photo's hidden metadata — including GPS location — and strip it all.
Image Tools
Keep reading