Privacy Controls
JSONFiddle is local-first for guest sessions and explicit about the moments when data leaves the browser.
Local vs cloud data
| Area | Where it lives | Contains source data? |
|---|---|---|
| Unsaved editor tabs | Browser session storage | Yes |
| Preferences and privacy consent | Browser local storage | No |
| Saved workspaces | Supabase, for signed-in users | Metadata only |
| Workspace files | Supabase, for signed-in users | Yes |
| Share snapshots | Supabase, only after confirmation | Optional |
| Feedback reports | Supabase | No source data |
Guest tabs disappear when the browser tab is closed. Signed-in workspace data remains until you delete it.
Automatic crash reports
Automatic crash reporting is off by default.
To enable or disable it:
- Open Preferences from the workbench header.
- Go to Privacy.
- Toggle Automatic crash reports.
When enabled, JSONFiddle sends safe diagnostics such as route, viewport, browser family, operating system, and sanitized stack traces. It does not send JSON, YAML, XML, CSV, Mermaid, JFDG, query text, workspace file content, cookies, or local storage contents.
First-party analytics
First-party analytics is off by default and uses the same local privacy preference model as crash reporting.
When enabled, JSONFiddle records product usage events such as page views, view changes, tool actions, workspace actions, share actions, and privacy preference changes. Events go through JSONFiddle's own /api/analytics/event endpoint before they reach Supabase.
The endpoint accepts only an explicit analytics consent flag, known event names, normalized routes, and allowlisted metadata such as action, tool, view, format, status, and count. The local analytics identifier is salted and hashed on the server before storage. The server also hashes the user agent for coarse dedupe, stores only coarse browser, operating system, viewport, and app version metadata, and never stores raw IP addresses.
JSONFiddle does not send JSON, YAML, XML, CSV, Mermaid, JFDG, query text, query results, file content, raw source payloads, raw user agents, cookies, local storage contents, secrets, or precise location data as analytics.
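The endpoint rules described above can be pictured as a sanitizer that runs before anything is stored. This is an added example, not JSONFiddle's own code: the request field names (`consent`, `event`, `route`, `anonymousId`, `metadata`), the event names, the route normalization rule, and the use of HMAC-SHA256 as the salted hash are all assumptions.

```javascript
// Added illustration, not JSONFiddle's code. Field names, event names, the
// route rule and HMAC-SHA256 as the salted hash are assumptions.
const { createHmac } = require("node:crypto");

const KNOWN_EVENTS = new Set(["page_view", "view_change", "tool_action",
  "workspace_action", "share_action", "privacy_preference_change"]); // assumed names
const METADATA_KEYS = ["action", "tool", "view", "format", "status", "count"]; // from the page
const TOKEN = /^[a-z0-9_-]{1,40}$/; // short enum-like strings only, no free text

// Drop query string and fragment, then collapse id-like path segments.
function normalizeRoute(route) {
  if (typeof route !== "string" || !route.startsWith("/")) return null;
  const path = route.split(/[?#]/)[0];
  return path.split("/").map((seg) =>
    /^[0-9]+$|^[0-9a-f-]{16,}$/i.test(seg) ? ":id" : seg.toLowerCase()
  ).join("/").slice(0, 120);
}

// Keep only allowlisted keys whose values are short tokens or small integers.
function filterMetadata(meta) {
  const out = {};
  if (meta === null || typeof meta !== "object") return out;
  for (const key of METADATA_KEYS) {
    const v = meta[key];
    if (key === "count") {
      if (Number.isInteger(v) && v >= 0 && v <= 10000) out.count = v;
    } else if (typeof v === "string" && TOKEN.test(v)) out[key] = v;
  }
  return out;
}

// Returns the row to store, or null when the event must be rejected.
function sanitizeEvent(body, salt) {
  if (!body || body.consent !== true) return null; // explicit flag, not merely truthy
  if (!KNOWN_EVENTS.has(body.event)) return null;
  const route = normalizeRoute(body.route);
  if (route === null || typeof body.anonymousId !== "string") return null;
  return {
    event: body.event,
    route,
    metadata: filterMetadata(body.metadata),
    // Keyed hash: the stored value is not the raw local identifier.
    idHash: createHmac("sha256", salt).update(body.anonymousId).digest("hex"),
  };
}
```

Because unknown keys and free-text values are dropped rather than escaped, a client bug that attaches editor content to an event cannot reach storage through this path.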
If geographic analytics are added later, JSONFiddle will derive them only from coarse Vercel request geo headers and store coarse values such as country or region. It will not store raw IP addresses or use third-party IP enrichment for analytics.
To disable analytics, open Preferences > Privacy and turn off First-party analytics. Disabling analytics removes the local analytics identifier from browser storage.
Microsoft Clarity, PostHog, and similar third-party analytics tools are not enabled by default. They require explicit consent, a privacy review, and documentation updates before any script or SDK is loaded.
Vercel Web Analytics
JSONFiddle also uses Vercel Web Analytics for aggregate site measurement. This is separate from JSONFiddle's opt-in first-party product analytics.
Vercel Web Analytics is cookieless. It can process page route or URL, referrer, coarse location, browser, operating system, and device metadata so we can understand traffic and page performance. It does not read or send editor JSON, YAML, XML, CSV, Mermaid, JFDG, query text, query results, workspace file content, cookies, or local storage contents.
Cookies and browser storage
JSONFiddle uses essential cookies for theme preference and authenticated Supabase sessions. Unsaved guest work uses browser session storage. Optional first-party analytics and crash reporting preferences are stored locally. Vercel Web Analytics does not add a JSONFiddle cookie or local storage key.
Read the full Cookie Policy for the storage inventory and browser controls.
Export your cloud data
Signed-in users can export cloud records with:
```http
GET /api/privacy/export
```
The export includes:
- Account identifier and email.
- Saved diagrams.
- Saved workspaces, files, queries, and share records.
- Feedback reports submitted by the account.
- A data inventory describing local browser records, cloud records, and processors.
Local browser-only data is not included because it never reaches JSONFiddle cloud storage.
Delete your cloud data
Signed-in users can delete cloud records with:
```http
POST /api/privacy/delete
Content-Type: application/json

{
  "confirm": "DELETE_MY_CLOUD_DATA"
}
```
This removes saved workspaces, workspace share snapshots, legacy diagrams, and feedback reports for the signed-in account.
To also request account deletion, include:
```json
{
  "confirm": "DELETE_MY_CLOUD_DATA",
  "includeAccount": true
}
```
Account deletion requires server admin configuration in the deployed environment.
Share snapshot retention
Workspace share links are explicit snapshots. Revoking a link clears the stored snapshot content and marks the link revoked. Expired share snapshots are also eligible for cleanup by the private retention function.
Legacy diagram shares remain supported for compatibility, but new secure workspace shares should be preferred.
Server-side tools
Most editor exploration happens in the browser. Some tools, such as type generation, intentionally use server-side API routes. Those routes enforce validation and size limits, but you should not submit secrets or production-only payloads to server-side utilities.