Privacy Policy
Last updated: February 11, 2025
This Privacy Policy describes how Joinways SAS collects, uses, stores and protects your personal data when you use our Service. It applies to all users of the Service, whether free or paid.
1. Data Collected, Purposes and Legal Basis
| Data | Purpose | Legal basis | Required |
|---|---|---|---|
| Name, email, password | Account creation and management | Contract | Yes |
| Created content (events, quotes, contacts) | Service provision | Contract | Yes |
| Billing data | Payments and accounting | Contract + Legal obligation | Yes |
| IP, browser, logs | Security and fraud prevention | Legitimate interest | Yes |
| Usage data | Service improvement | Legitimate interest | No |
| Email (marketing) | Newsletters and communications | Consent | No |
Note: Data marked as required is necessary for the provision of the service. Their absence may prevent full use of the platform.
2. Recipients and Sub-processors
We do not sell your data.
We only share your data with sub-processors necessary for the provision of the Service. Here are the main categories:
| Category | Provider | Location | Safeguards |
|---|---|---|---|
| Hosting / Database | Supabase (AWS) | EU (Frankfurt) | DPF + SCCs |
| CDN / Frontend | Vercel | USA / Global | DPF + SCCs |
| Payments | Stripe | USA / Ireland | DPF + SCCs |
| Electronic signature | SignatureAPI | USA | DPF + SCCs |
| Transactional emails | Resend | USA | DPF + SCCs |
| AI / Automated processing | OpenAI / Anthropic | USA | DPF + SCCs + DPA |
Note: This list is updated regularly. Sub-processors are selected for their GDPR compliance and are bound by data processing agreements (DPA).
2.1 International Transfers
Some of our sub-processors are located outside the European Union, particularly in the United States. These transfers are governed by:
- Data Privacy Framework (DPF): For transfers to the United States
- Standard Contractual Clauses (SCCs): For other third countries
These safeguards ensure an adequate level of protection for your data in accordance with the GDPR.
Full list of sub-processors available upon request: [email protected]
3. Retention Period
- Account data: duration of contract + 3 years
- Invoices: 10 years (legal obligation)
- User content: duration of contract + 30 days for export
- Connection logs: 1 year
4. Your Rights
GDPR (EU)
- Right of access: Obtain a copy of your personal data
- Right to rectification: Correct inaccurate data
- Right to erasure: Request the deletion of your data
- Right to data portability: Retrieve your data in a structured format
- Right to object: Object to processing on legitimate grounds
- Right to restriction: Restrict processing in certain cases
- Right to withdraw consent: At any time for consent-based processing
CCPA (California)
- Right to know: Know what data is collected and how it is used
- Right to deletion: Request the deletion of your data
- Right to opt-out: Opt out of the sale of data (not applicable: we do not sell your data)
- Right to non-discrimination: You will not be discriminated against for exercising your rights
Exercise your rights:
Send your request by email to [email protected] specifying your identity and the right you wish to exercise.
Response time: We will respond within a maximum of 30 days (1 month for GDPR, 45 days for CCPA in case of complexity).
Identity verification: For your security, we may ask for identification to verify your identity before processing your request.
5. Complaints
You may file a complaint with the CNIL (France) or the data protection authority in your country.
6. Security
TLS/AES-256 encryption, MFA authentication, access controls, encrypted backups. In case of a breach, notification within 72 hours.
7. Cookies
See our Cookie Policy.
8. Minors
Service reserved for professionals aged 18 and over. We do not knowingly collect data from minors.
9. Automated Decisions
We do not use automated decision-making that has legal effects on you.
10. Modifications
We may modify this privacy policy to reflect changes in our practices or for legal or regulatory reasons.
In case of a substantial modification, we will notify you by email at the address associated with your account with at least 30 days' notice. The last updated date is indicated at the top of this page.
Continued use: Your continued use of the service after notification of the modifications constitutes acceptance of the new privacy policy.