Privacy Policy

Last updated: 12 June 2026

TL;DR: JWT Lens does not collect, store, or transmit the tokens you paste. The only data sent to a third party is your IP address, which is logged by our hosting provider (Vercel) and, if ads are enabled, by Google AdSense. No analytics. No tracking pixels. No cookies set by us.

1. Who we are

JWT Lens ("we", "us", "the site") is a single-file web application operated by Sonny ("the operator"). The site is hosted on Vercel, Inc. The site is provided free of charge and does not require registration.

Contact: see the main site.

2. What data we collect

From you, the user: nothing you paste into the tool is collected, stored, logged, or transmitted. All decoding and signature verification happens locally in your browser using JavaScript and the Web Crypto API. You can verify this by opening your browser's DevTools Network tab; the only network request your browser makes is the initial fetch of the HTML file itself.

Automatically: standard HTTP request metadata is logged by our hosting provider (Vercel) for the purpose of serving the site and detecting abuse. This includes your IP address, the user agent string, the requested URL, and the response status. Logs are retained for up to 30 days and are not shared with third parties except as required by law.

Cookies: JWT Lens does not set any cookies. No analytics cookies. No preference cookies. No session cookies.

3. Third-party services

3.1 Google AdSense (only if enabled)

The site may display advertisements served by Google AdSense. AdSense is a third-party ad network operated by Google Ireland Limited. If ads are enabled, the following happens when you load a page with an ad slot:

Google's ad-serving script (https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js) is loaded in your browser.
Google sets or reads cookies (or uses local storage) on your device to deliver and measure ads.
Your IP address, user agent, and a pseudonymous identifier may be transmitted to Google.
Google uses this data to select and serve ads, and to provide aggregated reporting to the site operator.

For users in the European Economic Area, the United Kingdom, and Switzerland, Google serves non-personalized ads by default. Non-personalized ads use contextual information (the page content) rather than your behavioural profile to select ads. You can change your consent choice at any time via Google's ad personalisation settings.

You can opt out of personalised ad measurement by installing the Google Analytics opt-out browser add-on, although JWT Lens does not use Google Analytics.

For more information on how Google uses data from partner sites, see How Google uses information from sites or apps that use our services.

3.2 Vercel (hosting)

JWT Lens is served by Vercel, Inc. Vercel's privacy practices are described in their privacy policy.

4. Legal basis for processing (UK GDPR)

If you are in the UK or EEA, the legal basis for processing your IP address and request metadata is our legitimate interest (UK GDPR Article 6(1)(f)) in operating and securing the site. The legal basis for serving AdSense ads, if enabled, is your consent as collected by Google's consent management platform (TCF v2.2).

5. Your rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the right to:

Access the personal data we hold about you (we hold essentially none — see section 2)
Rectify inaccurate personal data
Request erasure of your personal data
Restrict or object to processing of your personal data
Data portability
Withdraw consent at any time (where processing is based on consent)
Lodge a complaint with the Information Commissioner's Office (ico.org.uk)

6. Children's privacy

JWT Lens is not directed at children under the age of 13, and we do not knowingly collect personal data from children. The site is a technical tool aimed at software developers.

7. International transfers

Data we process may be transferred to and stored in countries outside the UK or EEA, including the United States. Where we rely on third-party services that process data outside the UK, we ensure that appropriate safeguards are in place (such as Standard Contractual Clauses for Google services).

8. Changes to this policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page will reflect any changes. Material changes will be noted in the site footer for at least 30 days.

9. Contact

If you have any questions about this privacy policy or wish to exercise your rights, please open an issue on the project's source repository. The link is in the footer of jwtlens.dev.