Privacy Policy
Last updated: 11 May 2026
xbrl2json ("we", "us", "our") operates the xbrl2json.co.uk website and related services. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the choices you have regarding your information.
1. Information we collect
1.1 Account information
When you register for an account we collect your email address and optional display name. If you subscribe to a paid plan we also store a Stripe customer identifier so we can manage your subscription; we do not store payment-card details ourselves.
1.2 Uploaded documents
When you upload an XBRL or iXBRL file, the document is stored on our servers so it can be scanned for malware (via ClamAV) and sent to our conversion service for parsing. Free-tier uploads are automatically purged after processing. Paid-tier uploads are retained for the period defined by your plan and are then permanently deleted in accordance with our data-retention schedule (see section 5).
1.3 Conversion results
The structured JSON output produced from your documents is stored alongside the original upload. The same retention rules apply.
1.4 Usage and technical data
We automatically collect:
- IP address and browser user-agent string
- Pages visited and features used
- Timestamps of your last activity (last-seen date)
- Server-side error logs (which never intentionally include document content)
This data is used for security monitoring, abuse prevention, and service improvement. Logs are retained for a maximum of 7 days on disk.
1.5 Cookies
We use essential cookies only — these are strictly necessary for authentication, session management, and anti-forgery protection. We do not use advertising or third-party tracking cookies.
2. Why we process your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the conversion service and manage your account | Performance of a contract |
| Process payments via Stripe | Performance of a contract |
| Scan uploads for malware | Legitimate interest (security) |
| Send transactional emails (confirmations, password resets) | Performance of a contract |
| Respond to Contact Us enquiries | Legitimate interest |
| Server logging and abuse prevention | Legitimate interest (security) |
3. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email address, subscription plan |
| PlanetIntelligence Arelle API | XBRL-to-JSON conversion | Uploaded document content (transmitted over TLS) |
| Seq (self-hosted) | Centralised structured logging | Server logs (IP address, user ID, error details) |
We do not sell or share your personal data with any other third parties.
4. Data security
- All traffic is encrypted with TLS.
- Uploaded files are scanned with ClamAV before processing.
- Passwords are hashed using ASP.NET Core Identity's default algorithms.
- Sensitive configuration values (database credentials, API keys, SMTP passwords) are stored in environment variables, never in source code or config files.
- Each tenant's data is isolated by organisation-scoped queries.
5. Data retention
- Free-tier uploads — purged automatically after processing completes.
- Paid-tier uploads & results — retained for the duration of your subscription, then permanently deleted after a 30-day grace period following cancellation or expiry.
- Account data — retained while your account is active. If you delete your account, personal data is removed within 30 days.
- Server logs — rotated daily and retained for up to 7 days.
6. Your rights
Under the UK GDPR and the Data Protection Act 2018 you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to certain processing
- Data portability — receive your data in a structured, machine-readable format
To exercise any of these rights, please contact us. We will respond within 30 days.
7. Children's privacy
Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the website or by email. Your continued use of the service after such changes constitutes acceptance of the updated policy.
9. Contact
If you have any questions about this Privacy Policy or how we handle your data, please reach us via the Contact Us page.