vøiddo
jsonyo · privacy

privacy policy.

local json validator + formatter + JMESPath queries.

← back to jsonyo

this is the privacy policy for jsonyo — extracts inline JSON / JSON-LD from the current tab — pure browser, zero round-trips. the policy applies to the chrome / firefox / edge extension, the optional account on scrb.voiddo.com if you upgrade to a paid tier, and any data exchanged between them.

vøiddo is the data controller. you can reach us at support@voiddo.com for any privacy question.

last updated 2026-04-27 · v1.1 · effective immediately

1. what we collect (and what we do not)

we list every category of data we touch. if it is not in this table, we do not have it.

data categorypurposeretention
view preferencesto remember whether you last viewed schemas as raw JSON or as a flattened table.until uninstall.

what we do not collect:

  • the JSON content found on the page (parsed in your browser, never transmitted)
  • the URL of the page you scan
  • any analytics on usage

2. browser permissions explained

chrome web store flags every permission your extension requests. here is what each one of ours actually does:

  • storage — remember your preferred view mode (raw vs table) and which schemas you collapsed last time.
  • activeTab — scan the active tab for inline <script type="application/ld+json"> blocks and any other inline JSON. only when you click the popup.
  • scripting — inject the scanner only when you ask it to.

summary: jsonyo runs entirely in your browser. nothing is sent anywhere. there is no server-side component.

3. how your data flows

most processing happens entirely on your device. when data must leave your device (paid features only), we describe the exact flow:

  1. you click a button in the extension.
  2. the extension sends the minimum required payload over HTTPS (TLS 1.3) to our API at scrb.voiddo.com.
  3. our API authenticates your license key, applies the rate limit, and forwards paid feature requests to our hosted analysis service where needed. billing requests are handled by Paddle as merchant of record.
  4. the hosted service returns its response to our API.
  5. our API returns the response to your extension.
  6. we keep an entry in the usage log: timestamp, license key id, endpoint, response code, token count for billing. we do not log the request body or the response body.

4. cookies

the extension itself sets no cookies. our website (scrb.voiddo.com and extensions.voiddo.com) uses two cookies, both strictly necessary:

  • session — an httpOnly + Secure session cookie that keeps you logged in to your paid-plan dashboard. expires when you log out or after 30 days of inactivity.
  • csrf — an httpOnly + Secure CSRF protection token. expires with the session.

paddle's checkout iframe sets its own cookies for the duration of the transaction; paddle deletes them when the checkout closes.

we do not set analytics, advertising, or behavioural cookies. we do not use cookie banners because we do not need consent for strictly-necessary cookies (GDPR recital 30).

5. legal basis for processing (GDPR Art. 6)

we process your personal data only when at least one of these legal bases applies:

  • contract performance — for paid users, we process your billing email + license key because you have entered into a contract for the paid plan. without this data we could not validate your license or send you a receipt.
  • legitimate interest — we keep aggregated, non-identifiable usage logs (count of API calls per day, error rates) to operate the service. you can object to this processing at any time.
  • legal obligation — we keep transaction records for the period required by tax law in our jurisdiction (typically 7 years).
  • consent — for any optional feature that goes beyond the above, we ask explicitly. example: opt-in desktop notifications.

6. sub-processors

we use a small number of infrastructure services to operate the extension and the optional paid plan. each one processes only the data strictly required for its function. all are contractually bound by data-processing agreements where applicable.

processorpurposeregion
Paddle.com Market Limitedmerchant of record for paid plans — receives your billing email, country, payment instrument, issues invoices, handles VAT/sales tax, processes refunds. paddle privacy policy.UK / EU / US
vøiddo owned SMTP mailertransactional email delivery (license keys, password resets, alerts, and important policy changes). it runs through our owned mail server; no third-party email API is used for the normal transactional path.EU
OVH / DigitalOcean (hosting)virtual private server in Europe hosting our API endpoints. processes API requests in transit; logs are kept 14 days then rotated.EU

we do not use Google Analytics, Meta pixel, Hotjar, or any other behavioural-tracking service.

7. international data transfers

our hosting is in the european union. some hosted-analysis infrastructure may be located in the united states; transactional email runs through our owned SMTP stack. when we transfer your personal data outside the EU/UK, we rely on the European Commission's Standard Contractual Clauses (SCC) as the legal mechanism, supplemented by technical safeguards: TLS 1.3 in transit, AES-256 at rest, and strict access controls. we have completed a transfer impact assessment for each sub-processor and consider the risk acceptable given the limited scope of data shared.

if you would like a copy of our SCCs or the transfer impact assessment summary, email support@voiddo.com.

8. security measures

  • all traffic to our APIs uses TLS 1.3.
  • credentials (license keys, password hashes) are stored using bcrypt with cost factor 12 or higher.
  • API access requires a per-user license key with rate limiting (per-day, per-minute) to prevent abuse.
  • servers are patched within 7 days of upstream security advisories; critical CVEs patched within 24h.
  • operational logs are stripped of personally identifiable information before persistence.
  • backups are encrypted and stored in a separate region from production data.
  • multi-factor authentication is enforced on every account that can access production infrastructure.
  • we have an internal incident response procedure; in the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33.

9. your rights under GDPR / UK GDPR / CCPA

if you are in the european economic area, the united kingdom, switzerland, or california (and many other places that have copied these frameworks), you have the following rights regarding your personal data:

  • right of access — you can ask for a copy of any personal data we hold about you.
  • right to rectification — you can ask us to correct inaccurate personal data.
  • right to erasure (“right to be forgotten”) — you can ask us to delete your personal data; if you uninstall the extension, this happens automatically for the local data, and emailing support@voiddo.com gets the server-side data (license key + billing email) erased within 14 days.
  • right to data portability — you can ask for your data in a machine-readable format (we provide JSON).
  • right to restrict processing — you can ask us to stop processing your data while we resolve a complaint.
  • right to object — you can object to our processing on the basis of legitimate interest.
  • right to withdraw consent — where we rely on your consent, you can withdraw it at any time.
  • right not to be subject to automated decision-making — we do not use your data for automated decisions with legal effect.
  • right to lodge a complaint — with your local data protection authority. for EU users, that is the supervisory authority of your country of residence; for UK users, it's the ICO.

california residents (CCPA) additionally have the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising these rights. we do not sell personal information; “do not sell” requests therefore have no operational effect, but you can still email us to confirm.

to exercise any of these rights, email support@voiddo.com with a subject line that includes the right you want to exercise. we respond within 30 days (typically within 5 business days).

10. children's privacy

jsonyo is not directed at children under 13 (under 16 in some EU jurisdictions). we do not knowingly collect personal data from children. if you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it without delay.

11. changes to this policy

we may update this privacy policy from time to time — usually because we have added a feature that processes a new kind of data, or because a sub-processor has changed. when we do:

  • we update the last updated timestamp at the top of this page.
  • we publish the previous version in our change log.
  • if the change is material (we start collecting a new category of data, or we add a new sub-processor), we email all paid users at least 14 days before the change takes effect.
  • continued use of the extension after the change takes effect constitutes acceptance.

12. contact

privacy questions, data subject requests, complaints: support@voiddo.com. response within 5 business days; full GDPR-deadline 30 days.

last updated 2026-04-27 · v1.1 · vøiddo studio · remote / Israel