GDPR Compliance

Last Updated: January 2025

1. Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, across the European Union (EU) and European Economic Area (EEA). This regulation strengthens the protection of personal data and gives individuals greater control over their personal information.

Jestimate is committed to full compliance with GDPR and other applicable data protection laws. This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

2. Legal Basis for Processing Personal Data

Under GDPR, we must have a legal basis for processing your personal data. We process your data based on the following legal grounds:

2.1 Contract Performance

We process your data to provide our services under our terms of service agreement:

  • Creating and managing your account
  • Providing estimation and retrospective tools
  • Enabling real-time collaboration features
  • Processing payments and managing subscriptions
  • Providing customer support

2.2 Legitimate Interest

We process data for our legitimate business interests, provided these do not override your fundamental rights:

  • Improving our services and user experience
  • Preventing fraud and ensuring security
  • Analyzing usage patterns for service optimization
  • Communicating important service updates

2.3 Consent

We process certain data based on your explicit consent:

  • Marketing communications (where applicable)
  • Non-essential cookies and tracking
  • Optional profile information
  • Third-party integrations

2.4 Legal Obligation

We may process data to comply with legal requirements:

  • Tax and accounting obligations
  • Regulatory compliance
  • Legal proceedings and investigations
  • Data retention requirements

3. Your GDPR Rights

As a data subject under GDPR, you have several important rights regarding your personal data:

Right to Access

You have the right to request confirmation of whether we process your personal data and, where we do, access to the personal data and specific information about the processing.

Right to Rectification

You have the right to have inaccurate personal data rectified and incomplete personal data completed.

Right to Erasure (Right to be Forgotten)

You have the right to have your personal data erased in specific circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to restrict the processing of your personal data in specific circumstances, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

Right to Object

You have the right to object to the processing of your personal data in specific circumstances, particularly for direct marketing purposes.

Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

4. How to Exercise Your GDPR Rights

4.1 Making a Request

To exercise any of your GDPR rights, you can contact us using the following methods:

  • Email: contact@jestimate.app
  • Support Portal: Through your account settings
  • Postal Address: Available upon request

4.2 Information Required

To process your request efficiently, please provide:

  • Your full name and email address
  • Specific right(s) you wish to exercise
  • Details of your request
  • Any relevant context or additional information

4.3 Response Timeline

We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of any extension and the reasons for it.

4.4 Verification

We may need to verify your identity before processing your request to ensure the security of your personal data. This may involve asking you to provide additional information or documentation.

5. Data Processing Details

5.1 Categories of Personal Data

We process the following categories of personal data:

  • Identity Data: Name, email address, display name
  • Contact Data: Email address, billing address
  • Technical Data: IP address, browser type, device information
  • Usage Data: How you use our services, feature preferences
  • Content Data: Estimation votes, retrospective items, chat messages
  • Financial Data: Payment information (processed by Stripe)

5.2 Data Sources

We collect personal data from the following sources:

  • Directly from you: When you create an account, use our services, or contact us
  • Automatically: Through cookies and similar technologies
  • Third parties: OAuth providers (Google, GitHub), payment processors

5.3 Data Recipients

We may share your personal data with:

  • Service Providers: Supabase (database), Stripe (payments), hosting providers
  • Legal Authorities: When required by law or to protect our rights
  • Business Partners: Only with your explicit consent

6. Data Retention and Deletion

6.1 Retention Periods

We retain your personal data for the following periods:

  • Active Accounts: For the duration of your account activity
  • Canceled Accounts: According to your subscription plan's retention policy
  • Legal Requirements: As required by applicable laws and regulations
  • Anonymized Data: Indefinitely for statistical and analytical purposes

6.2 Deletion Process

When you request deletion of your data:

  • We will permanently delete your personal data within 30 days
  • Some data may be retained longer for legal compliance
  • We will confirm deletion in writing
  • Backup copies will be deleted within 90 days

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for such transfers:

7.1 Safeguards

  • Standard Contractual Clauses: Approved by the European Commission
  • Adequacy Decisions: For countries with adequate data protection
  • Binding Corporate Rules: For transfers within our corporate group
  • Certification Schemes: Where applicable and recognized

7.2 Countries of Transfer

Your data may be transferred to the following countries:

  • United States: For hosting and analytics services
  • European Union: For primary data storage and processing
  • Other Countries: As required for service delivery

8. Data Protection Officer

While we are not legally required to appoint a Data Protection Officer (DPO), we have assigned internal privacy responsibilities to ensure GDPR compliance. For privacy-related inquiries, please contact:

Privacy Team

Email: contact@jestimate.app

Response Time: Within 5 business days

9. Data Breach Notification

In the unlikely event of a personal data breach, we have procedures in place to:

  • Detect and assess the breach within 72 hours
  • Notify relevant supervisory authorities where required
  • Inform affected individuals when the breach poses a high risk to their rights
  • Document all breaches and our response actions
  • Implement measures to prevent future breaches

10. Supervisory Authority

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

You can find contact details for EU supervisory authorities through the European Data Protection Board.

11. Contact Us

For GDPR-related inquiries and to exercise your rights, please contact us:

Email: contact@jestimate.app

Response Time: We aim to respond within 5 business days

GDPR Requests: We will respond to GDPR requests within 30 days

Document Version: 1.0

Effective Date: January 2025

Next Review Date: July 2025

GDPR Compliance Status: Fully Compliant