Privacy Policy

Introduction

jsonfmt.dev ("the Site", "we", "us", or "our") is a free, open-source JSON toolkit available at https://jsonfmt.dev. The Site provides a suite of developer tools including a JSON formatter, validator, diff viewer, converter, JWT decoder, repair tool, JSON Schema validator, JSONPath evaluator, and JSONL processor. The core web application is built as a single, self-contained HTML file with all CSS and JavaScript inline — it has zero external runtime dependencies.

The fundamental design principle behind jsonfmt.dev is client-side processing. When you paste, type, or drop JSON data into the tool, that data is processed entirely within your web browser using JavaScript. Your JSON content is never transmitted to any server, never logged, and never stored outside of your local machine. This privacy-first architecture means that even if our servers were compromised, your data would not be at risk — because it was never sent to us in the first place.

This Privacy Policy applies to all users of jsonfmt.dev, the optional REST API at api.jsonfmt.dev, the Chrome extension, the CLI tool (jsonfmt-dev on npm), and the MCP server (jsonfmt-mcp on npm). By using any of these services, you agree to the practices described in this policy.

Data We Do Not Collect

We want to be absolutely clear about the data we do not collect. The following categories of data are never transmitted from your browser to any server operated by jsonfmt.dev or any third party as a result of using the core web tool:

• Your JSON data — All parsing, formatting, validation, diffing, conversion, repair, and schema validation happens entirely in your browser. There are no network requests (no fetch, no XMLHttpRequest, no WebSocket) made with your JSON content.
• JWT tokens — When you decode a JWT in the JWT tab, the decoding happens locally in JavaScript. Your token is never sent to any server.
• File contents — When you drag and drop a file onto the page, it is read using the browser's FileReader API locally. The file contents never leave your device.
• Clipboard data — When you paste content, it is processed in-browser. We do not intercept or transmit clipboard contents.
• JSONPath queries — Your queries and their results are computed entirely client-side.
• Schema definitions — Any JSON Schema you provide for validation stays in your browser.

This is not just a policy decision — it is an architectural guarantee. The web application is designed to work fully offline after the initial page load. Once cached by the service worker, the tool functions without any internet connection, which proves by design that your data cannot be exfiltrated.

Data We Do Collect

While your JSON data stays private, we do collect certain information to operate the Site, understand usage patterns, and serve advertisements. We believe in full transparency about this.

3.1 Google Analytics (GA4)

We use Google Analytics 4 (measurement ID: G-DXKNV8RRNT) to collect anonymous usage statistics. This helps us understand which features are popular, how users navigate the Site, and where we should focus improvement efforts. Google Analytics collects:

• Pages visited and time spent on each page
• Browser type, operating system, and screen resolution
• Geographic region (country/city level, not precise location)
• Referral source (how you arrived at the Site)
• Device type (desktop, mobile, tablet)
• Session duration and bounce rate

Google Analytics uses cookies to distinguish unique users. This data is aggregated and anonymized — we cannot identify individual users from it. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by using a browser extension that blocks tracking scripts.

3.2 Google AdSense

We display advertisements through Google AdSense (publisher ID: ca-pub-8341611757792060) to support the ongoing development and hosting of the Site. Google AdSense may use cookies and web beacons to serve ads based on your prior visits to jsonfmt.dev or other websites. This includes:

• Cookies for ad personalization and frequency capping
• Information about your interactions with ads displayed on the Site
• Data shared with Google's advertising partners for ad targeting

You can opt out of personalized advertising by visiting Google Ads Settings or by visiting www.aboutads.info to opt out of third-party advertising cookies. Users in the European Economic Area (EEA) will see a consent banner for personalized ads as required by GDPR.

3.3 localStorage

The Site uses your browser's localStorage API (not cookies) to persist certain user preferences and session data locally on your device. This data is never transmitted to any server. Items stored include:

• Theme preference — your choice of dark or light mode
• Session history — recent JSON inputs so you can revisit previous work
• Pinned sessions — sessions you explicitly pin for quick access
• Toolbar configuration — your customized toolbar layout
• Last active tab — which tab (Format, Diff, Convert, etc.) you last used
• Editor preferences — indentation style, sort keys preference, and other formatting options

All localStorage data stays on your device and is under your full control. You can view, modify, or delete it at any time using your browser's Developer Tools (Application > Local Storage) or by clearing your browser data for jsonfmt.dev.

3.4 API Service (api.jsonfmt.dev)

The optional REST API at api.jsonfmt.dev is a separate service from the core web tool. If you choose to create an API account, we collect:

• Email address — used for account authentication via one-time password (OTP) login. Your email is stored securely on Cloudflare KV.
• API key usage data — request counts, rate limit usage, and endpoint access patterns for your API key. This is managed through Unkey.
• Request metadata — timestamps, endpoint paths, and response status codes for API monitoring and rate limiting.

The JSON data you send to the API for processing is used solely to produce the response and is not logged or stored after the request completes. API responses are not cached on our side.

3.5 AI Chat Feature

The API includes an optional AI chat endpoint (/chat) powered by Cloudflare Workers AI using the Llama 3.1 8B model. When you use this feature, your chat messages are sent to Cloudflare for processing by the AI model. Cloudflare's data handling practices apply to this processing. We do not store chat transcripts after the response is returned to you. Please refer to Cloudflare's Privacy Policy for details on how they handle data processed through Workers AI.

Cookies and Similar Technologies

The following cookies may be set when you visit jsonfmt.dev:

4.1 Google Analytics Cookies

• _ga — Used to distinguish unique users. Expires after 2 years.
• _ga_* — Used to persist session state. Expires after 2 years.

4.2 Google AdSense Cookies

Google AdSense may set various cookies for ad personalization, including but not limited to cookies from the doubleclick.net and google.com domains. These cookies are managed by Google and are subject to Google's privacy policies. They are used for ad targeting, frequency capping, and reporting.

4.3 Cloudflare Cookies

Cloudflare, which hosts our Site and API, may set the __cf_bm cookie for bot management and security purposes. This cookie is essential for protecting the Site against malicious traffic and expires after 30 minutes of inactivity.

4.4 localStorage (Not a Cookie)

As described in Section 3.3, we use localStorage to save your preferences. Unlike cookies, localStorage data is never automatically sent to any server with HTTP requests. It remains entirely on your device. We mention it here for completeness, but it is technically distinct from cookie-based tracking.

Third-Party Services

jsonfmt.dev relies on the following third-party services. Each has its own privacy policy governing how it handles data:

• Cloudflare (Pages & Workers) — Hosts the website and API. Provides CDN, DDoS protection, and edge computing. Cloudflare Privacy Policy
• Cloudflare Workers AI — Powers the AI chat feature using the Llama 3.1 8B model. Data sent to the chat endpoint is processed by Cloudflare's AI infrastructure.
• Google Analytics (GA4) — Provides anonymous website analytics. Google Privacy Policy
• Google AdSense — Serves display advertisements. Google Ads Privacy
• Unkey — Manages API key issuance, verification, and rate limiting for the API service. Unkey Privacy Policy
• Resend — Sends one-time password (OTP) emails for API account authentication. Your email address is shared with Resend solely for this purpose. Resend Privacy Policy

We carefully select third-party services that align with our commitment to privacy and data minimization. We do not sell, trade, or rent your personal information to any third party.

Data Retention

Our data retention practices vary by data type:

• localStorage data — Persists on your device indefinitely until you manually clear it through your browser settings, the Site's built-in clear function, or by clearing browsing data for jsonfmt.dev.
• Google Analytics data — Retained by Google according to their data retention settings. We use the default retention period of 14 months for user-level data.
• API account data — Your email address and API key metadata are stored on Cloudflare KV for as long as your account remains active. You may request deletion at any time (see Section 8).
• API request data — JSON data sent to API endpoints is processed in memory and discarded immediately after the response is sent. It is never written to persistent storage.
• AI chat messages — Chat messages sent to the /chat endpoint are forwarded to Cloudflare Workers AI for processing and are not stored by us after the response is returned.

Share Links

jsonfmt.dev offers a share feature that encodes your JSON data into the URL using a compressed format (URLs beginning with #v3:). It is important to understand how this works from a privacy perspective:

• The data is encoded in the URL fragment (the part after the # symbol).
• Per the HTTP specification (RFC 3986), the fragment portion of a URL is never sent to the server in HTTP requests. It is processed entirely by the browser.
• This means when someone opens a share link, the encoded JSON data is decoded locally in their browser — our servers never see it.
• However, be aware that the full URL (including the fragment) may be visible in your browser history, bookmarks, and any platform where you share the link (e.g., Slack, email, social media).

We recommend exercising caution when sharing links that contain sensitive data. While the data does not pass through our servers, it will be visible to anyone who has access to the URL.

Children's Privacy

jsonfmt.dev is a general-purpose developer tool and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If you are a parent or guardian and believe your child has provided personal information to us (for example, by creating an API account), please contact us through the methods described in Section 11 and we will take steps to delete such information promptly.

The core web tool does not require any account creation or personal information to use, so children can safely use the formatting, validation, and conversion features without providing any personal data. The optional API service, which does require an email address, is intended for use by professional software developers and is not targeted at minors.

Your Rights and Choices

You have several rights regarding your data when using jsonfmt.dev:

9.1 Clear Local Data

You can clear all data stored by jsonfmt.dev on your device at any time by:

• Opening your browser's Developer Tools (F12), navigating to Application > Local Storage, and deleting the entries for jsonfmt.dev
• Clearing your browser's site data for jsonfmt.dev through browser settings
• Using the browser's "Clear browsing data" function and selecting cookies and site data

9.2 Opt Out of Analytics and Ads

• Install the Google Analytics Opt-out Add-on to prevent analytics tracking
• Visit Google Ads Settings to control ad personalization
• Use a browser ad blocker or tracking protection extension
• Enable your browser's built-in tracking protection features (e.g., Firefox Enhanced Tracking Protection, Safari Intelligent Tracking Prevention)

9.3 API Account Deletion

If you have created an API account at api.jsonfmt.dev and wish to have your account and associated data deleted, you may request account deletion by emailing us (see Section 11). We will process deletion requests within 30 days. Upon deletion, your email address, API keys, and all associated usage data will be permanently removed from Cloudflare KV and Unkey.

9.4 Data Portability

Since your JSON data is never stored on our servers, there is no server-side data to export. Your localStorage data can be accessed and exported at any time through your browser's Developer Tools. For API account data, you may request a copy of your stored information by emailing us.

9.5 European Users (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, and object to processing of your personal data. To exercise these rights, please contact us via the methods described in Section 11. Our lawful basis for processing data through Google Analytics and AdSense is legitimate interest (for analytics) and consent (for personalized advertising).

9.6 California Users (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, please contact us via the methods described in Section 11.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.

For significant changes that materially affect how we handle personal data, we will make reasonable efforts to provide notice — such as a prominent announcement on the Site or an update to the changelog on this page. Your continued use of the Site after changes are posted constitutes your acceptance of the revised policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us through one of the following channels:

• Email — support@jsonfmt.dev for privacy-related inquiries, data deletion requests, and general questions.

We take all privacy inquiries seriously and aim to respond within 14 business days. For data deletion requests, we will complete the process within 30 days of receiving your request.