This Privacy Policy describes how JUMP ON, a French single-member limited liability company (EURL), operating the Joely.io platform ("Joely", "we", "us", "our"), collects, uses, stores and shares personal data when you use our customer support platform. This policy is drafted to comply with Regulation (EU) 2016/679 (the "GDPR") and the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 modifiée, "Loi Informatique et Libertés").
1. Data Controller
The data controller responsible for the processing of your personal data is:
- Company: JUMP ON (EURL, single-member limited liability company under French law)
- Registered office: 17 rue de Toulouse, 51100 Reims, France
- SIREN: 983 062 100 (RCS Reims)
- VAT number: FR58983062100
- Manager (Gérant): Hugo Cressent
- Contact: contact@joely.io
For any question regarding the processing of your personal data, or to exercise your rights, you may contact us at the email address above. JUMP ON has not designated a Data Protection Officer (DPO) as it is not legally required for our processing activities, but the contact email above is the single point of contact for all privacy matters.
2. Scope and Roles
Joely is a multi-tenant customer support platform. Depending on the context, JUMP ON acts as:
- Data controller for personal data we collect from account holders (project owners, staff members, administrators) for the purpose of providing, securing and billing the Joely service.
- Data processor on behalf of project owners (our customers) for the support tickets, messages, attachments and end-customer data they upload or generate through the platform. In that case, the project owner is the data controller and our processing is governed by a Data Processing Agreement (DPA) that is incorporated by reference into our Terms of Service.
If you are an end-customer interacting with a Joely portal operated by a project owner, the project owner is the controller of your data and you should contact them first for any right-related request.
3. Information We Collect
We collect information that you provide directly to us, information generated by your use of the service, and information received from third-party providers you choose to connect.
3.1 Account Information
- Email address, display name and avatar
- Authentication identifiers from your chosen OAuth provider (Cfx.re, Google, Discord, GitHub)
- Encrypted password (only when using email/password registration)
- Organization, team membership and role assignments
- User preferences (language, notification settings, current project)
3.2 Support Ticket and Message Data
- Support ticket content, including messages, internal notes and mentions
- File attachments uploaded to tickets
- Ticket metadata (status, priority, timestamps, assignments, audit trail)
- Customer satisfaction (CSAT) survey responses
3.3 Third-Party Integration Data
- Tebex: store API credentials (encrypted at rest), transaction IDs, purchase history and customer order metadata used for order verification
- Discord: Discord user ID, username and avatar for authentication, notifications and DM delivery
- GitHub: OAuth tokens, repository identifiers and issue references when linked
- Cfx.re (FiveM forum): forum user ID, username and (when explicitly granted by the user) an encrypted Cfx.re API key used to query the user's purchases
3.4 Billing Data
- Subscription plan, billing cycle, plan history and invoices
- Stripe Customer ID and subscription identifiers (no card data is ever stored on our servers; payment details are handled exclusively by Stripe)
- Country and approximate region (derived from IP) to determine currency and applicable VAT
- VAT number when provided for B2B billing
3.5 Technical and Usage Data
- IP address, user agent, device and browser information
- Access timestamps and session identifiers (authentication access tokens with a 30-day expiry, capped at 10 concurrent sessions per user)
- Server logs and security events (failed login attempts, rate-limit hits)
- Feature usage and product analytics events
- Application errors, performance traces and stack traces
3.6 AI Processing Data
When AI features are enabled by the project owner, the following content may be sent to our AI sub-processor (OpenAI) to generate response suggestions or analyses:
- Ticket subject, description and message history
- Customer-facing knowledge base entries configured by the project
- Tebex package metadata (when "Package Scope" is enabled)
4. Purposes and Legal Bases for Processing
Pursuant to Article 6 of the GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): creating and managing your account, delivering the support platform, processing tickets, providing third-party integrations, billing paid subscriptions and providing customer support.
- Legitimate interests (Art. 6(1)(f)): securing the platform against fraud and abuse, monitoring service availability via error tracking, measuring product usage in aggregate to improve features, and defending our rights in case of dispute. You can object to processing based on legitimate interests at any time.
- Consent (Art. 6(1)(a)): enabling AI features, sending non-essential marketing communications (if any), and any optional analytics that go beyond strictly necessary measurement. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
- Compliance with a legal obligation (Art. 6(1)(c)): retaining accounting and invoicing records for the legal retention period (10 years under French Commercial Code Art. L.123-22), responding to law enforcement requests, fulfilling VAT obligations.
5. Sub-Processors and Third-Party Recipients
We rely on the following sub-processors to operate the service. All sub-processors are bound by a data processing agreement (DPA) that requires GDPR-compliant safeguards. Transfers to providers located outside the European Economic Area (EEA) are protected either by the EU-US Data Privacy Framework (DPF) or by Standard Contractual Clauses (SCCs) approved by the European Commission.
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Hostinger International Ltd. | Application hosting, database, SMTP email delivery | EU (Lithuania) | N/A (within EEA) |
| Stripe Payments Europe, Ltd. | Payment processing, subscription billing, invoices | Ireland + USA | DPF + SCCs |
| OpenAI, L.L.C. | AI response suggestions (only when enabled by project owner) | USA | DPF + SCCs |
| PostHog Inc. | Product analytics, session events | USA / EU (depending on instance) | DPF + SCCs |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | USA | DPF + SCCs |
| Cloudflare, Inc. | CDN, DDoS protection, Cfx.re forum proxy worker | USA + global edge | DPF + SCCs |
| IPinfo.io | IP geolocation for currency and VAT detection | USA | SCCs |
| Open Exchange Rates Ltd. | Currency conversion rates | USA / UK (no personal data sent) | SCCs |
| Vatstack | VAT number validation for B2B billing | UK | UK adequacy decision |
| Discord, Inc. | OAuth authentication, notifications, DM delivery (when used) | USA | DPF + SCCs |
| GitHub, Inc. | OAuth authentication and issue linking (when used) | USA | DPF + SCCs |
| Google Ireland Ltd. | Google OAuth authentication (when used) | Ireland | N/A (within EEA) |
| Cfx.re (FiveM) | Cfx.re OAuth, Tebex purchase verification | Outside EEA | SCCs (third-party API) |
Our Commitments
- We never sell your personal data to anyone.
- We never share personal data for third-party advertising purposes.
- We only share the minimum data necessary for each integration to function.
- We will notify you of any change to our list of sub-processors via this page.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area, primarily in the United States. For each such transfer, we rely on one of the following safeguards as required by Articles 44 to 49 of the GDPR:
- The EU-US Data Privacy Framework (DPF) certification of the recipient organization
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Supplementary technical and contractual measures where required
You may request a copy of the relevant transfer mechanism by writing to contact@joely.io.
7. Data Security
We implement appropriate technical and organizational measures (Art. 32 GDPR) to ensure a level of security appropriate to the risk:
- All traffic encrypted in transit using TLS 1.2 or higher
- Sensitive credentials (Tebex API keys, Cfx.re tokens) encrypted at rest using envelope encryption with versioned master keys
- Passwords stored as salted, slow hashes; OAuth state and refresh tokens encrypted
- Access tokens scoped per device with a 30-day expiry and a 10-session cap per user (oldest sessions are auto-revoked)
- Role-based access control with granular per-permission checks for each action
- Internal API endpoints protected by a shared secret and webhook signature verification
- Rate limiting on sensitive endpoints (login, email OTP, invitations)
- Security headers (CSP, HSTS, X-Frame-Options) enforced by middleware
- Continuous error monitoring and intrusion alerting via Sentry
- Regular review of access rights and least-privilege principle for all employees and contractors
8. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:
| Data category | Retention period |
|---|---|
| Active account data | Duration of the account |
| Tickets, messages and attachments | Duration of the project, or until deletion by the project owner |
| Authentication access tokens | 30 days from creation (rolling) |
| Server logs and security events | Up to 12 months (Art. L.34-1 CPCE) |
| Application error events (Sentry) | 90 days |
| Product analytics events (PostHog) | Up to 13 months in identified form, then aggregated |
| Invoices and accounting records | 10 years (Art. L.123-22 Code de commerce) |
| Deleted account residual data | Deleted or anonymized within 30 days, except where legal retention applies |
When you delete your account, we delete or irreversibly anonymize all associated personal data within 30 days, except for records we are legally required to retain (e.g. invoices).
9. Your Rights
Under the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation that we process your data and request a copy of it
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten", Art. 17): request deletion of your data, subject to legal retention obligations
- Right to restriction of processing (Art. 18): ask us to limit processing in certain situations
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): object to processing based on our legitimate interests, including for any direct marketing
- Right to withdraw consent (Art. 7): where processing is based on consent, withdraw it at any time
- Right to define post-mortem instructions (French specific, Art. 85 LIL): set instructions for the fate of your data after your death
- Right not to be subject to automated decision-making (Art. 22): the AI features we offer are decision-support tools and do not produce legal effects without human review
To exercise these rights, contact us at contact@joely.io. We will respond within one month, extendable by two additional months for complex requests. We may ask for proof of identity if there is reasonable doubt.
If you believe we have not adequately addressed your request, you have the right to lodge a complaint with the French data protection authority:
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr
10. Cookies and Similar Technologies
We use a minimal set of cookies and local storage entries necessary to operate the platform:
- Strictly necessary cookies: authentication tokens, session state, CSRF protection, portal context (subdomain), language preference, theme. These are exempt from prior consent under Art. 82 of the French Data Protection Act.
- Measurement cookies (PostHog): product analytics used to understand feature usage. We configure these to comply with the CNIL exemption criteria for audience measurement when possible. Otherwise, your consent is requested via a cookie banner.
- Error tracking (Sentry): session identifiers used to correlate errors. No advertising or cross-site tracking is performed.
We do not use third-party advertising cookies, cross-site tracking technologies, or "fingerprinting" beyond what is strictly required for security.
11. Children
Joely is not intended for users under the age of 15 (the digital consent age in France). We do not knowingly collect personal data from children under 15. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, our sub-processors, or applicable law. For material changes, we will notify you via email or through the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
For any question, request or complaint regarding this Privacy Policy or the processing of your personal data:
JUMP ON (EURL)
17 rue de Toulouse, 51100 Reims, France
Email: contact@joely.io