Privacy Policy

1.1 Account Information

When you create an account, we collect:

• Username
• Email address
• Password (stored in encrypted/hashed form using bcrypt)
• Profile image (optional)

1.2 Payment and Billing Information

When you subscribe to paid plans, we collect through Stripe:

• Payment method details (processed and stored by Stripe)
• Billing address
• Transaction history
• Stripe Customer ID

We do not directly store your full credit card numbers. All payment information is processed and securely stored by Stripe in accordance with PCI DSS standards.

1.3 Website and Content Data

When you create websites on our platform, we collect:

• Website content (text, images, videos, files)
• Website configuration and settings
• Page layouts and design choices
• Custom fonts and styling
• SEO metadata and keywords
• Domain information

1.4 E-commerce Data

If you use our e-commerce features, we collect:

• Inventory items (names, descriptions, SKUs, pricing, images)
• Orders and transaction records
• Customer information you collect through your websites
• Quotes and invoices you create
• Electronic signatures from quote acceptances

1.5 User Acquisition Data

We automatically collect data about how you found our service:

• Referrer URL (the page that linked you to us)
• UTM parameters (campaign, source, medium, content, term)
• Landing page
• Acquisition channel
• Referral codes (if applicable)

1.6 Usage Data

We automatically collect information about your use of the Service:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and features used
• Timestamps of access
• Clickstream data
• Error logs

1.7 Communication Data

We collect data from your communications:

• Contact form submissions (name, email, phone number, message, uploaded files)
• Phone numbers provided for SMS/text messaging
• SMS consent status and timestamps
• Support requests
• Email correspondence
• Feedback and surveys

1.8 Connected Account Data

If you connect third-party accounts, we collect:

• Social media OAuth tokens (Facebook, Instagram, X/Twitter)
• Connected account identifiers and usernames
• Access tokens required to post on your behalf
• Scheduled post content and settings

When you connect your Facebook Page and/or Instagram Business or Creator account, we may access the following data through Meta's APIs:

• Profile information: Page/account name, username, profile picture, follower and following counts, and media count
• Content publishing: We create and publish posts (including images and captions) to your connected accounts on your behalf
• Insights and analytics: Account-level metrics such as impressions, reach, and follower counts to help you understand your audience performance
• Comments: We read and display comments on your posts to help you manage engagement
• Messages: We access Instagram direct message conversations to enable you to manage communications from within our platform
• Media: We access your published media to display it within our management interface

You can disconnect your Facebook or Instagram account at any time from the Social Poster settings in your website dashboard. Disconnecting will revoke our access to your account data and stop any scheduled posts. You may also revoke access directly from your Facebook Settings or Instagram Settings.

1.9 Kanban/Workflow Data

If you use our Kanban boards, we collect:

• Board structures and configurations
• Card content and custom fields
• Card movements and history
• Watchers and assignments
• Automation rules and triggers

1.10 Team and Sub-User Data

If you add team members, we collect:

• Sub-user names and email addresses
• Role assignments and permissions
• Activity and access logs

2.1 To Provide the Service

• Create and manage your account
• Process subscriptions and payments
• Host and publish your websites
• Manage your domains and DNS
• Store and serve your content
• Enable e-commerce functionality
• Send transactional emails (quotes, invoices, contact form submissions)
• Provide customer support

2.2 To Improve and Develop the Service

• Analyze usage patterns and trends
• Identify and fix bugs and errors
• Develop new features and functionality
• Optimize performance and user experience
• Conduct research and analytics

2.3 To Communicate with You

• Send account-related notifications
• Provide customer support
• Send service updates and announcements
• Deliver marketing communications (with your consent)
• Respond to your inquiries

2.4 To Ensure Security and Compliance

• Authenticate users and prevent fraud
• Detect and prevent abuse or violations
• Comply with legal obligations
• Enforce our Terms of Service
• Protect our rights and property

2.5 For Content Moderation

• Scan uploaded images for inappropriate content using AWS Rekognition
• Identify and block prohibited content
• Enforce our content policies

2.6 For AI Features

• Generate AI-powered content suggestions
• Create website blueprints and SEO content
• Generate AI images for websites and social media posts
• Process text requests through OpenAI's services
• Process image generation requests through OpenAI (DALL-E) and Google (Gemini) services

2.7 SMS/Text Messaging

JellyMachine provides SMS/text messaging capabilities that allow businesses using our platform to communicate with their customers. If you provide your phone number and consent to receive SMS messages through a form on a website built with JellyMachine:

• We collect your phone number and record your opt-in consent along with a timestamp
• Your phone number is used solely to send SMS/text messages related to your inquiry or the services of the business whose form you submitted
• Message frequency varies depending on the nature of your interaction with the business
• Message and data rates may apply depending on your mobile carrier and plan
• You can opt out of SMS messages at any time by replying STOP to any message, or by visiting jellymachine.com/sms/unsubscribe
• You can reply HELP to any message for assistance
• SMS consent is not required as a condition of purchasing any goods or services
• We do not sell, rent, or share your phone number or SMS consent data with third parties for their marketing purposes
• Phone numbers and SMS consent records are retained as long as the business account that collected them remains active, or until you opt out

For questions about SMS messaging, contact us at support@jellymachine.com.

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

• Amazon Web Services (AWS): Hosting, storage (S3), content delivery (CloudFront), email (SES), DNS (Route 53), SSL certificates (ACM), content moderation (Rekognition), serverless functions (Lambda), monitoring (CloudWatch)
• Stripe: Payment processing, subscription management, e-commerce transactions
• OpenAI: AI content generation and image generation (DALL-E)
• Google (Gemini): AI image generation
• Mapbox: Map functionality for websites
• MongoDB: Database services

3.2 Social Media Platforms

If you connect social media accounts (Facebook, Instagram, X/Twitter), we share:

• Post content you schedule or publish
• Media files attached to posts (including AI-generated images)
• Captions and hashtags

We also receive data from these platforms (profile information, insights, comments, messages, and media) as described in Section 1.8 to provide our social media management features. This data is used solely to power the Service and is not shared with other third parties.

3.3 Your Customers

If you use e-commerce features:

• Information necessary to fulfill orders
• Quote and invoice details you send to customers

3.4 Legal Requirements

We may disclose information when required:

• To comply with legal process or government requests
• To enforce our Terms of Service
• To protect the rights, property, or safety of JellyMachine, our users, or others
• In connection with investigations of suspected illegal activity

3.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

3.6 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

3.7 Aggregated or Anonymized Data

We may share aggregated or anonymized data that cannot reasonably be used to identify you for research, analytics, or other purposes.

4.1 Authentication Cookies

We use essential cookies for authentication:

These cookies are HTTP-only, secure, and use same-site strict policy. They are necessary for the Service to function and cannot be disabled.

4.2 Analytics (Optional Feature)

If you enable analytics on your websites, the following data is collected from your website visitors:

• Session identifiers
• Visitor identifiers (for returning visitor tracking)
• Pageviews (path, referrer, timestamp)
• Sessions (duration, page count, landing page)
• Device information (type, OS, browser)
• Geographic data (country, region - derived from CDN headers)
• Viewport/screen dimensions
• UTM parameters
• Scroll depth
• Custom events

4.3 Your Responsibility for Visitor Tracking

If you enable analytics or tracking on your websites, you are responsible for:

• Disclosing this in your own privacy policy
• Obtaining any required consents from your visitors
• Complying with applicable privacy laws (GDPR, CCPA, etc.)

4.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals. However, you can manage cookies through your browser settings.

5.1 Account Data

We retain your account information for as long as your account is active. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

5.2 Website Content

Your website content is retained while your subscription is active. After account termination, content is retained for a reasonable period (typically 30 days) before deletion.

5.3 Payment Records

Payment records are retained for 7 years to comply with tax and accounting regulations.

5.4 Analytics Data

If you use our analytics feature:

• Raw events: Approximately 180 days (auto-expire)
• Sessions: Approximately 365 days (auto-expire)

5.5 Backup Data

Backup copies may be retained for disaster recovery purposes and are deleted in accordance with our backup retention policies.

5.6 Legal Requirements

We may retain information longer if required by law, to resolve disputes, or to enforce our agreements.

6.1 Security Measures

We implement industry-standard security measures to protect your information:

• Encryption in transit (HTTPS/TLS)
• Password hashing using bcrypt
• HTTP-only, secure cookies with same-site strict policy
• Two-factor authentication (TOTP) option
• AWS security infrastructure and compliance certifications
• Web Application Firewall (WAF) protection
• Access controls and authentication for all services
• Regular security assessments

6.2 Content Moderation

We use AWS Rekognition to automatically scan uploaded images for inappropriate content as an additional security and content safety measure.

6.3 Incident Response

In the event of a data breach affecting your personal information, we will:

• Investigate and contain the breach
• Assess the risk to affected individuals
• Notify affected users and relevant authorities as required by law
• Take steps to prevent future incidents

6.4 Your Responsibilities

You are responsible for:

• Maintaining the security of your account credentials
• Using strong, unique passwords
• Enabling two-factor authentication
• Protecting any API keys or access tokens
• Reporting any suspected security issues

7.1 Data Location

Our Service uses AWS infrastructure, which may process and store data in various locations globally, including the United States.

7.2 Transfer Mechanisms

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide adequate data protection, we rely on:

• Standard Contractual Clauses approved by the European Commission
• AWS's compliance with applicable data protection frameworks
• Stripe's compliance with data protection requirements

7.3 Privacy Shield

While the EU-US Privacy Shield was invalidated, we ensure adequate protections through alternative transfer mechanisms.

8.1 Access and Portability

You have the right to:

• Access the personal information we hold about you
• Receive a copy of your data in a portable format
• Request information about how your data is processed

8.2 Correction

You have the right to request correction of inaccurate or incomplete personal information.

8.3 Deletion

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing disputes).

8.4 Restriction and Objection

You have the right to:

• Request restriction of processing in certain circumstances
• Object to processing based on legitimate interests
• Opt out of marketing communications

8.5 Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

8.6 How to Exercise Your Rights

To exercise your privacy rights, please:

• Use the account settings and tools available in the Service
• Contact us at the address provided in the "Contact Us" section
• We will respond to your request within 30 days

9.1 California Residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

9.2 Categories of Personal Information Collected

We collect the following categories of personal information:

• Identifiers (name, email, username, IP address)
• Commercial information (subscription history, transaction records)
• Internet activity (browsing history, search history, interaction with Service)
• Professional information (if provided for business accounts)
• Inferences (preferences derived from usage patterns)

9.3 Your California Rights

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt Out of Sale/Sharing: We do not sell personal information
• Right to Non-Discrimination: Exercise your rights without discriminatory treatment
• Right to Limit Use of Sensitive Personal Information: Where applicable

9.4 Verification

We will verify your identity before processing requests by matching information you provide with information in our records.

9.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf with proper verification.

9.6 No Sale of Personal Information

We do not sell your personal information as defined under the CCPA.

9.7 Financial Incentives

We may offer financial incentives for participation in programs. Terms will be disclosed at enrollment.

10.1 Data Controller

JellyMachine is the data controller for personal information collected through the Service.

10.2 Legal Bases for Processing

We process personal information under the following legal bases:

• Contract: Processing necessary to provide the Service and fulfill our agreement
• Legitimate Interests: Processing for our legitimate business interests (security, improvement, analytics)
• Legal Obligation: Processing required to comply with laws
• Consent: Processing based on your explicit consent (marketing, optional features)

10.3 Your GDPR Rights

As an EEA, UK, or Swiss resident, you have additional rights:

• Right of Access (Article 15)
• Right to Rectification (Article 16)
• Right to Erasure (Article 17)
• Right to Restriction of Processing (Article 18)
• Right to Data Portability (Article 20)
• Right to Object (Article 21)
• Rights related to Automated Decision-Making (Article 22)

10.4 Data Protection Officer

For GDPR-related inquiries, please contact us at the address in the "Contact Us" section.

10.5 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority.

10.6 Data Processing Agreements

We maintain Data Processing Agreements with our sub-processors (AWS, Stripe, etc.) as required by GDPR.

11.1 Age Restrictions

The Service is not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children.

11.2 Parental Rights

If you believe we have collected information from a child, please contact us immediately. We will take steps to delete such information.

11.3 User Websites

Users of our platform who create websites are responsible for their own compliance with children's privacy laws (COPPA, etc.) if their websites target or collect information from children.

12.1 Third-Party Integrations

The Service integrates with third-party services. Your use of these services is governed by their respective privacy policies:

• Stripe
• AWS
• OpenAI
• Google (Gemini)
• Mapbox
• Facebook/Meta
• Instagram
• X (Twitter)

12.2 Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites.

12.3 Your Websites

Websites you create and publish through our Service may collect information from your visitors. You are responsible for:

• Creating and displaying appropriate privacy policies
• Obtaining necessary consents
• Complying with applicable privacy laws

13.1 Updates

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on the Service
• Updating the "Last Updated" date
• Sending an email notification for significant changes

13.2 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13.3 Continued Use

Your continued use of the Service after changes to this Privacy Policy constitutes acceptance of the updated policy.

14.1 Questions and Requests

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

14.2 Response Time

We will respond to your inquiries within 30 days, or as required by applicable law.

14.3 Complaints

If you have a complaint about our privacy practices, please contact us first. If you are not satisfied with our response, you may have the right to lodge a complaint with a data protection authority.

A. Data Sub-Processors

We use the following categories of sub-processors to process personal data:

B. Data Collected by Feature