Privacy Policy
Last Updated: May 28, 2026
This Privacy Policy describes how JellyMachine ("we," "us," "our," or the "Company") collects, uses, discloses, and protects your personal information when you use our website builder platform and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Username
- Email address
- Password (stored in encrypted/hashed form using bcrypt)
- Profile image (optional)
1.2 Payment and Billing Information
When you subscribe to paid plans, we collect through Stripe:
- Payment method details (processed and stored by Stripe)
- Billing address
- Transaction history
- Stripe Customer ID
We do not directly store your full credit card numbers. All payment information is processed and securely stored by Stripe in accordance with PCI DSS standards.
1.3 Website and Content Data
When you create websites on our platform, we collect:
- Website content (text, images, videos, files)
- Website configuration and settings
- Page layouts and design choices
- Custom fonts and styling
- SEO metadata and keywords
- Domain information
1.4 E-commerce Data
If you use our e-commerce features, we collect:
- Inventory items (names, descriptions, SKUs, pricing, images)
- Orders and transaction records
- Customer information you collect through your websites
- Quotes and invoices you create
- Electronic signatures from quote acceptances
1.5 User Acquisition Data
We automatically collect data about how you found our service:
- Referrer URL (the page that linked you to us)
- UTM parameters (campaign, source, medium, content, term)
- Landing page
- Acquisition channel
- Referral codes (if applicable)
1.6 Usage Data
We automatically collect information about your use of the Service:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Timestamps of access
- Clickstream data
- Error logs
1.7 Communication Data
We collect data from your communications:
- Contact form submissions (name, email, phone number, message, uploaded files)
- Phone numbers provided for SMS/text messaging
- SMS consent status and timestamps
- Support requests
- Email correspondence
- Feedback and surveys
1.8 Connected Account Data
If you connect third-party accounts, we collect:
- Social media OAuth tokens (Facebook, Instagram, X/Twitter)
- Connected account identifiers and usernames
- Access tokens required to post on your behalf
- Scheduled post content and settings
When you connect your Facebook Page and/or Instagram Business or Creator account, we may access the following data through Meta's APIs:
- Profile information: Page/account name, username, profile picture, follower and following counts, and media count
- Content publishing: We create and publish posts (including images and captions) to your connected accounts on your behalf
- Insights and analytics: Account-level metrics such as impressions, reach, and follower counts to help you understand your audience performance
- Comments: We read and display comments on your posts to help you manage engagement
- Messages: We access Instagram direct message conversations to enable you to manage communications from within our platform
- Media: We access your published media to display it within our management interface
You can disconnect your Facebook or Instagram account at any time from the Social Poster settings in your website dashboard. Disconnecting will revoke our access to your account data and stop any scheduled posts. You may also revoke access directly from your Facebook Settings or Instagram Settings.
1.9 Kanban/Workflow Data
If you use our Kanban boards, we collect:
- Board structures and configurations
- Card content and custom fields
- Card movements and history
- Watchers and assignments
- Automation rules and triggers
1.10 Team and Sub-User Data
If you add team members, we collect:
- Sub-user names and email addresses
- Role assignments and permissions
- Activity and access logs
2. How We Use Your Information
2.1 To Provide the Service
- Create and manage your account
- Process subscriptions and payments
- Host and publish your websites
- Manage your domains and DNS
- Store and serve your content
- Enable e-commerce functionality
- Send transactional emails (quotes, invoices, contact form submissions)
- Provide customer support
2.2 To Improve and Develop the Service
- Analyze usage patterns and trends
- Identify and fix bugs and errors
- Develop new features and functionality
- Optimize performance and user experience
- Conduct research and analytics
2.3 To Communicate with You
- Send account-related notifications
- Provide customer support
- Send service updates and announcements
- Deliver marketing communications (with your consent)
- Respond to your inquiries
2.4 To Ensure Security and Compliance
- Authenticate users and prevent fraud
- Detect and prevent abuse or violations
- Comply with legal obligations
- Enforce our Terms of Service
- Protect our rights and property
2.5 For Content Moderation
- Scan uploaded images for inappropriate content using AWS Rekognition
- Identify and block prohibited content
- Enforce our content policies
2.6 For AI Features
- Generate AI-powered content suggestions
- Create website blueprints and SEO content
- Generate AI images for websites and social media posts
- Process text requests through OpenAI's services
- Process image generation requests through OpenAI (DALL-E) and Google (Gemini) services
In accordance with applicable transparency requirements (including Article 50 of the EU AI Act), AI-generated content produced through the Service is identified as such where required by law. You remain solely responsible for reviewing AI-generated content before publishing and for ensuring it does not infringe third-party rights or mislead end users.
2.7 SMS/Text Messaging
JellyMachine provides SMS/text messaging capabilities that allow businesses using our platform to communicate with their customers. If you provide your phone number and consent to receive SMS messages through a form on a website built with JellyMachine:
- We collect your phone number and record your opt-in consent along with a timestamp
- Your phone number is used solely to send SMS/text messages related to your inquiry or the services of the business whose form you submitted
- Message frequency varies depending on the nature of your interaction with the business
- Message and data rates may apply depending on your mobile carrier and plan
- You can opt out of SMS messages at any time by replying STOP to any message, or by visiting jellymachine.com/sms/unsubscribe
- You can reply HELP to any message for assistance
- SMS consent is not required as a condition of purchasing any goods or services
- We do not sell, rent, or share your phone number or SMS consent data with third parties for their marketing purposes
- Phone numbers and SMS consent records are retained as long as the business account that collected them remains active, or until you opt out
For questions about SMS messaging, contact us at support@jellymachine.com.
3. How We Share Your Information
3.1 Service Providers
We share information with third-party service providers who perform services on our behalf:
- Amazon Web Services (AWS): Hosting, storage (S3), content delivery (CloudFront), email (SES), DNS (Route 53), SSL certificates (ACM), content moderation (Rekognition), serverless functions (Lambda), monitoring (CloudWatch)
- Stripe: Payment processing, subscription management, e-commerce transactions
- OpenAI: AI content generation and image generation (DALL-E)
- Google LLC: Google Analytics 4 (anonymous platform and website usage measurement) and Gemini (AI image generation). Google Analytics is only loaded after you grant analytics consent through our cookie consent banner. Google Signals and ad-personalization features are disabled. IP addresses transmitted to Google Analytics are truncated/anonymized.
- Meta Platforms, Inc.: Facebook Pixel (only loaded after analytics consent is granted)
- Mapbox: Map functionality for websites
- MongoDB, Inc. (MongoDB Atlas): Database hosting and storage
- Twilio (where applicable): SMS/text-message delivery
We maintain Data Processing Agreements (DPAs) and, where required, Standard Contractual Clauses with each of these sub-processors. A full sub-processor list, including processing purpose, appears in Additional Disclosure A below. We will notify customers of new sub-processors in advance where required by GDPR Article 28.
3.2 Social Media Platforms
If you connect social media accounts (Facebook, Instagram, X/Twitter), we share:
- Post content you schedule or publish
- Media files attached to posts (including AI-generated images)
- Captions and hashtags
We also receive data from these platforms (profile information, insights, comments, messages, and media) as described in Section 1.8 to provide our social media management features. This data is used solely to power the Service and is not shared with other third parties.
3.3 Your Customers
If you use e-commerce features:
- Information necessary to fulfill orders
- Quote and invoice details you send to customers
3.4 Legal Requirements
We may disclose information when required:
- To comply with legal process or government requests
- To enforce our Terms of Service
- To protect the rights, property, or safety of JellyMachine, our users, or others
- In connection with investigations of suspected illegal activity
3.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
3.6 With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
3.7 Aggregated or Anonymized Data
We may share aggregated or anonymized data that cannot reasonably be used to identify you for research, analytics, or other purposes.
4. Cookies and Tracking Technologies
4.1 Authentication Cookies
We use essential cookies for authentication:
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| accessToken | Essential | Authentication | 3 hours |
| refreshToken | Essential | Authentication | 24 hours |
These cookies are HTTP-only, secure, and use same-site strict policy. They are necessary for the Service to function and cannot be disabled.
4.2 Analytics on the JellyMachine Platform
On the JellyMachine platform itself (jellymachine.com) we use Google Analytics 4 (GA4) and Meta (Facebook) Pixel to measure how the platform is used. These tools are loaded only after you grant analytics consent through the cookie consent banner (Consent Mode v2 default-deny). We have disabled Google Signals and ad personalization in our GA4 property, and IP addresses are anonymized in transit. When consent is granted, the following may be collected:
- GA4 cookies (e.g.,
_ga,_ga_*) — 13-month expiry - Meta Pixel cookies (e.g.,
_fbp) — 90-day expiry - Truncated IP address, device type, browser, OS, viewport
- Page path, referrer, UTM parameters, timestamps
- Custom events (sign-up, login, site_created, site_published, subscription_started, etc.)
You can decline analytics at any time through the cookie banner or your browser settings. Declining or withdrawing consent immediately deactivates these scripts. You may also opt out of GA4 specifically by installing the Google Analytics Opt-out Browser Add-on.
4.3 Optional Analytics on Customer Websites
If you (as a JellyMachine customer) enable analytics on websites you build, the following data may be collected from your visitors. This data flows through our infrastructure to you and, if you provide a GA4 Measurement ID, to Google:
- Session identifiers
- Visitor identifiers (for returning visitor tracking)
- Pageviews (path, referrer, timestamp)
- Sessions (duration, page count, landing page)
- Device information (type, OS, browser)
- Geographic data (country, region — derived from CDN headers)
- Viewport/screen dimensions
- UTM parameters
- Scroll depth
- Custom events
4.4 Your Responsibility for Visitor Tracking
If you enable analytics or tracking on your websites, you are responsible for:
- Disclosing this in your own privacy policy
- Obtaining any required consents from your visitors
- Complying with applicable privacy laws (GDPR, CCPA, etc.)
4.5 Do Not Track & Global Privacy Control (GPC)
We do not respond to legacy "Do Not Track" browser signals because there is no industry consensus on
their meaning. However, in accordance with the California Privacy Rights Act (CPRA), we do honor
Global Privacy Control (GPC) signals. When your browser transmits a GPC signal (either via the
Sec-GPC: 1 HTTP header or the navigator.globalPrivacyControl JavaScript
property), we treat it as a binding opt-out of sale and sharing of personal information for analytics and
advertising purposes. Analytics scripts (GA4, Meta Pixel) will not load for that browser session and no
analytics cookies are set.
You can also manage cookies through your browser settings or revoke analytics consent at any time using the cookie preferences link in our site footer.
5. Data Retention
5.1 Account Data
We retain your account information for as long as your account is active. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
5.2 Website Content
Your website content is retained while your subscription is active. After account termination, content is retained for a reasonable period (typically 30 days) before deletion.
5.3 Payment Records
Payment records are retained for 7 years to comply with tax and accounting regulations.
5.4 Analytics Data
If you use our analytics feature:
- Raw events: Approximately 180 days (auto-expire)
- Sessions: Approximately 365 days (auto-expire)
5.5 Backup Data
Backup copies may be retained for disaster recovery purposes and are deleted in accordance with our backup retention policies.
5.6 Legal Requirements
We may retain information longer if required by law, to resolve disputes, or to enforce our agreements.
6. Data Security
6.1 Security Measures
We implement industry-standard security measures to protect your information:
- Encryption in transit (HTTPS/TLS)
- Password hashing using bcrypt
- HTTP-only, secure cookies with same-site strict policy
- Two-factor authentication (TOTP) option
- AWS security infrastructure and compliance certifications
- Web Application Firewall (WAF) protection
- Access controls and authentication for all services
- Regular security assessments
6.2 Content Moderation
We use AWS Rekognition to automatically scan uploaded images for inappropriate content as an additional security and content safety measure.
6.3 Incident Response and Breach Notification
In the event of a personal data breach, we will:
- Investigate and contain the breach without undue delay
- Assess the risk to affected individuals
- Notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required by GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34), and in accordance with applicable U.S. state breach notification laws (including, but not limited to, Cal. Civ. Code § 1798.82, New York Shield Act, and Texas Bus. & Com. Code § 521)
- Take steps to prevent future incidents
6.4 Your Responsibilities
You are responsible for:
- Maintaining the security of your account credentials
- Using strong, unique passwords
- Enabling two-factor authentication
- Protecting any API keys or access tokens
- Reporting any suspected security issues
7. International Data Transfers
7.1 Data Location
Our Service uses AWS infrastructure, which may process and store data in various locations globally, including the United States.
7.2 Transfer Mechanisms
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide adequate data protection, we rely on:
- Standard Contractual Clauses approved by the European Commission
- AWS's compliance with applicable data protection frameworks
- Stripe's compliance with data protection requirements
7.3 Privacy Shield
While the EU-US Privacy Shield was invalidated, we ensure adequate protections through alternative transfer mechanisms.
8. Your Privacy Rights
8.1 Access and Portability
You have the right to:
- Access the personal information we hold about you
- Receive a copy of your data in a portable format
- Request information about how your data is processed
8.2 Correction
You have the right to request correction of inaccurate or incomplete personal information.
8.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing disputes).
8.4 Restriction and Objection
You have the right to:
- Request restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Opt out of marketing communications
8.5 Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time.
8.6 How to Exercise Your Rights
To exercise your privacy rights, please:
- Use the account settings and tools available in the Service
- Contact us at the address provided in the "Contact Us" section
- We will respond to your request within 30 days
9. California Privacy Rights (CCPA)
9.1 California Residents
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
9.2 Categories of Personal Information Collected
We collect the following categories of personal information:
- Identifiers (name, email, username, IP address)
- Commercial information (subscription history, transaction records)
- Internet activity (browsing history, search history, interaction with Service)
- Professional information (if provided for business accounts)
- Inferences (preferences derived from usage patterns)
9.3 Your California Rights
- Right to Know: Request disclosure of personal information collected, used, and shared
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out of Sale/Sharing: We do not sell personal information
- Right to Non-Discrimination: Exercise your rights without discriminatory treatment
- Right to Limit Use of Sensitive Personal Information: Where applicable
9.4 Verification
We will verify your identity before processing requests by matching information you provide with information in our records.
9.5 Authorized Agents
You may designate an authorized agent to make requests on your behalf with proper verification.
9.6 No Sale of Personal Information; Limited Sharing for Analytics
We do not sell your personal information as defined under the CCPA/CPRA in exchange for monetary or other valuable consideration. We do not provide your personal information to data brokers or to third parties for their own independent marketing purposes.
We disclose limited information to Google Analytics 4 and Meta Pixel solely for the purpose of measuring how visitors use the JellyMachine platform. The CPRA defines this transmission as "sharing." We have configured these services to disable Google Signals, ad personalization, and cross-context behavioral advertising, and we honor Global Privacy Control (GPC) signals as a binding opt-out (see Section 4.5).
California residents may exercise the right to opt out of any sharing at any time by:
- Selecting "Decline" on our cookie consent banner
- Enabling Global Privacy Control in their browser
- Emailing privacy@jellymachine.com with the subject "Do Not Sell or Share My Personal Information"
9.7 Financial Incentives
We may offer financial incentives for participation in programs. Terms will be disclosed at enrollment.
10. European Privacy Rights (GDPR)
10.1 Data Controller
JellyMachine is the data controller for personal information collected through the Service.
10.2 Legal Bases for Processing
We process personal information under the following legal bases:
- Contract: Processing necessary to provide the Service and fulfill our agreement
- Legitimate Interests: Processing for our legitimate business interests (security, improvement, analytics)
- Legal Obligation: Processing required to comply with laws
- Consent: Processing based on your explicit consent (marketing, optional features)
10.3 Your GDPR Rights
As an EEA, UK, or Swiss resident, you have additional rights:
- Right of Access (Article 15)
- Right to Rectification (Article 16)
- Right to Erasure (Article 17)
- Right to Restriction of Processing (Article 18)
- Right to Data Portability (Article 20)
- Right to Object (Article 21)
- Rights related to Automated Decision-Making (Article 22)
10.4 Data Protection Officer
For GDPR-related inquiries, please contact us at the address in the "Contact Us" section.
10.5 Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority.
10.6 Data Processing Agreements
We maintain Data Processing Agreements with our sub-processors (AWS, Stripe, etc.) as required by GDPR.
11. Children's Privacy
11.1 Age Restrictions
The Service is not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children.
11.2 Parental Rights
If you believe we have collected information from a child, please contact us immediately. We will take steps to delete such information.
11.3 User Websites
Users of our platform who create websites are responsible for their own compliance with children's privacy laws (COPPA, etc.) if their websites target or collect information from children.
12. Third-Party Services
12.1 Third-Party Integrations
The Service integrates with third-party services. Your use of these services is governed by their respective privacy policies:
12.2 Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites.
12.3 Your Websites
Websites you create and publish through our Service may collect information from your visitors. You are responsible for:
- Creating and displaying appropriate privacy policies
- Obtaining necessary consents
- Complying with applicable privacy laws
13. Changes to This Privacy Policy
13.1 Updates
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on the Service
- Updating the "Last Updated" date
- Sending an email notification for significant changes
13.2 Review
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13.3 Continued Use
Your continued use of the Service after changes to this Privacy Policy constitutes acceptance of the updated policy.
14. Contact Us
14.1 Questions and Requests
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
JellyMachine Privacy Team
privacy@jellymachine.com
www.jellymachine.com
Jelly Machine LLC
5150 W 120th Ave., Suite 100, #1149
Westminster, CO 80020, United States
For data subject access requests, deletion requests, opt-out requests, or any other privacy-related inquiry, please use the email address above. We will verify your identity in accordance with applicable law before processing your request and will respond within the timeframe described in Section 14.2.
14.2 Response Time
We will respond to your inquiries within 30 days, or as required by applicable law.
14.3 Complaints
If you have a complaint about our privacy practices, please contact us first. If you are not satisfied with our response, you may have the right to lodge a complaint with a data protection authority.
Additional Disclosures
A. Data Sub-Processors
We use the following categories of sub-processors to process personal data:
| Category | Provider | Purpose |
|---|---|---|
| Cloud Infrastructure | Amazon Web Services, Inc. | Hosting (EC2/Lambda), storage (S3), compute, security (WAF), CDN (CloudFront) |
| Database | MongoDB, Inc. (MongoDB Atlas) | Managed database hosting |
| Transactional Email | Amazon Web Services (SES) | Account, billing, and notification emails |
| Content Moderation | Amazon Web Services (Rekognition) | Automated scanning of uploaded images for prohibited content |
| Payment Processing | Stripe, Inc. | Subscriptions, e-commerce, billing |
| Analytics | Google LLC (Google Analytics 4) | Platform usage measurement (only after consent; Signals disabled) |
| Advertising Pixel | Meta Platforms, Inc. (Facebook Pixel) | Marketing measurement (only after consent) |
| AI Services | OpenAI, LLC and Google LLC (Gemini) | Content generation, AI image generation |
| Mapping | Mapbox, Inc. | Map components on websites |
| Social Media | Meta Platforms, Inc.; X Corp. | Social media integration (Facebook, Instagram, X/Twitter) |
| SMS Delivery | Amazon Web Services (SNS) / Twilio (where applicable) | SMS/text message delivery on behalf of customers |
B. Data Collected by Feature
| Feature | Data Collected |
|---|---|
| Account Registration | Email, username, password (hashed) |
| Subscriptions | Payment info (via Stripe), billing history |
| Website Builder | Content, layouts, settings, media files |
| E-commerce | Inventory, orders, customer data |
| Analytics | Visitor data, pageviews, sessions |
| Kanban Boards | Cards, workflows, assignments |
| Email Services | Recipient addresses, email content |
| AI Features | Prompts, generated content |
| Social Integration | OAuth tokens, scheduled posts, profile data, insights, comments, messages, media |
| SMS/Text Messaging | Phone numbers, SMS consent status and timestamps, opt-out records |