Legal

Privacy Policy

Effective Date: April 13, 2026 Version: 1.0

1. Introduction

Julay ("Julay," "we," "us," or "our") operates an AI-powered project management platform accessible at julay.org (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service, and describes the rights you have with respect to that information.

We are committed to protecting your privacy and handling your data with transparency and care. This policy applies to all users of the Service, including visitors to our website, registered account holders, and members of teams that use Julay.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

This policy is written to comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area, the California Consumer Privacy Act (CCPA) for California residents, and applicable United States federal and state privacy laws.

2. Data We Collect

We collect information you provide directly to us, information generated automatically through your use of the Service, and information from third-party sources.

2.1 Information You Provide

  • Account Information: When you register, we collect your full name, email address, and a hashed password. If you sign in via OAuth (Google, GitHub), we receive your name, email address, and profile picture URL from the identity provider.
  • Profile Data: Optional information you add to your profile, such as a job title, organization name, or avatar image.
  • Project and Workspace Data: Task names and descriptions, project titles, comments, file attachments, labels, due dates, assignee assignments, and any other content you create, upload, or share within the Service.
  • Payment Information: If you subscribe to a paid plan, our payment processor (Stripe) collects your billing name, address, and payment card details. We do not store raw card numbers on our servers; we store only a Stripe customer ID and the last four digits of your card for display purposes.
  • Communications: When you contact our support team or send us feedback, we collect the content of those communications along with any metadata you include (e.g., your email address, account ID).

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken, time and duration of sessions, referral URLs, and search queries within the Service.
  • Device and Technical Data: IP address, browser type and version, operating system, device type (desktop/mobile), screen resolution, preferred language, and time zone.
  • Log Data: Server logs, error logs, and performance logs that record interactions with our servers, including timestamps, request methods, response codes, and latency.
  • Cookies and Similar Technologies: Session tokens, preference cookies, and analytics identifiers. See Section 8 and our Cookie Policy for details.

2.3 Information from Third Parties

  • If you connect third-party integrations (e.g., GitHub, Slack, Google Calendar) we receive only the data explicitly authorized by you through the relevant OAuth or API consent flow.
  • We may receive information from referral partners solely for the purpose of crediting your account with any applicable promotional offer.

2.4 Information We Do Not Collect

We do not knowingly collect sensitive personal information such as government-issued ID numbers, financial account numbers (other than through Stripe), biometric data, health information, or precise geolocation data. We also do not knowingly collect personal information from children under the age of 16.

3. How We Use Data

We use the information we collect for the following purposes:

3.1 Providing and Improving the Service

  • Creating and managing your account and workspace.
  • Processing and fulfilling your subscription, including billing and invoicing.
  • Operating, maintaining, and improving the features and functionality of the Service.
  • Diagnosing technical problems and resolving bugs.
  • Conducting internal research and analytics to understand how users interact with the Service and to develop new features.

3.2 Communications

  • Sending transactional emails such as account verification, password resets, subscription confirmations, and payment receipts.
  • Sending product updates, feature announcements, and service-related notices. You may opt out of non-essential communications at any time via your account settings or by using the unsubscribe link in our emails.
  • Responding to your support requests and inquiries.

3.3 Security and Compliance

  • Detecting, investigating, and preventing fraudulent transactions, abuse, and other illegal activity.
  • Enforcing our Terms of Service and other applicable policies.
  • Complying with applicable legal obligations, court orders, and requests from governmental authorities.
  • Protecting the rights, property, and safety of Julay, our users, and the public.

3.4 Legal Bases for Processing (GDPR)

For users in the EEA, we rely on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service — e.g., account management, billing.
  • Legitimate interests (Art. 6(1)(f)): Processing for security, fraud prevention, product improvement, and analytics, where our interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations.
  • Consent (Art. 6(1)(a)): Where we rely on your explicit consent (e.g., optional marketing emails, non-essential cookies), which you may withdraw at any time.

3.5 Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for their independent marketing or advertising purposes. We share data only as described in this policy (e.g., with sub-processors acting on our behalf).

4. AI Feature Processing

Julay offers AI-powered features — including automated project generation, task suggestions, and intelligent summaries — powered by the Claude API provided by Anthropic, PBC ("Anthropic").

4.1 How AI Features Work

When you use an AI feature, the relevant content you provide (such as a project brief, task description, or prompt) is transmitted to Anthropic's API over an encrypted connection. Anthropic processes this content to generate a response, which is then returned to you within the Service.

4.2 No Training on Your Data

Anthropic does not use content submitted to the Claude API through Julay to train or improve its AI models. Your project data and prompts are not retained by Anthropic for model training purposes. This is governed by our data processing agreement with Anthropic and Anthropic's API usage policies.

4.3 Data Transmitted to Anthropic

Only the specific content you submit when using an AI feature is sent to Anthropic. We do not send your entire project history, personal profile, billing information, or account metadata to Anthropic. Anthropic acts as a data processor on our behalf and is contractually required to protect your data.

4.4 Opting Out

AI features in Julay are optional and clearly labeled within the interface. If you do not wish your content to be processed by the Claude API, you may opt out by simply not using the AI-powered features. No personal data is sent to Anthropic unless you explicitly invoke an AI feature.

4.5 Responsibility for AI Outputs

AI-generated content is provided as a tool to assist your work. You remain responsible for reviewing and verifying any AI-generated outputs before acting on them. We do not warrant the accuracy, completeness, or fitness for purpose of any AI-generated content.

5. Sub-Processors

We use the following third-party service providers ("sub-processors") to operate the Service. Each sub-processor is bound by a data processing agreement that limits how they may use your data and requires them to implement appropriate security measures.

Sub-Processor Purpose Data Processed Location
Amazon Web Services (AWS) Cloud infrastructure and hosting All Service data including account, project, and log data United States (primary), EU regions where applicable
MongoDB Atlas (MongoDB, Inc.) Database hosting and management Account data, project data, workspace content United States (AWS infrastructure)
Resend (Resend, Inc.) Transactional email delivery Email address, name, email content United States
Stripe (Stripe, Inc.) Payment processing and subscription management Billing name, address, payment card details, subscription status United States
Anthropic, PBC AI feature processing (Claude API) Content submitted when using AI features only United States

We may update this list as we add or remove sub-processors. We will notify you of material changes to our sub-processor list as described in Section 12.

5.1 International Data Transfers

Our sub-processors are primarily located in the United States. If you are located in the EEA or United Kingdom, your personal data may be transferred to the United States. Where such transfers occur, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), as applicable.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

Data Category Retention Period
Account data (name, email, preferences) Retained until you delete your account. Upon deletion, we remove or anonymize your account data within 30 days, except where retention is required by law.
Project and workspace data (tasks, comments, files) Retained for 90 days after your account is deleted or your subscription expires, then permanently deleted. You may export your data before deletion using our data export tool.
Server and application logs Retained for 30 days, then automatically purged.
Billing records Retained for 7 years as required by applicable tax and accounting regulations.
Support communications Retained for 2 years from the date of last communication.
AI feature input data (transmitted to Anthropic) Not retained by Anthropic for training. Retained by Julay within your project data in accordance with the project data retention schedule above.

Following the applicable retention period, your data is either securely deleted or irreversibly anonymized so that it can no longer be associated with you.

7. Your Rights

Depending on your location, you have specific rights regarding your personal information. We honor these rights for all users regardless of jurisdiction to the extent practicable.

7.1 Rights Under GDPR (EEA and UK Users)

Right of Access Request a copy of the personal data we hold about you (Art. 15 GDPR).
Right to Rectification Request correction of inaccurate or incomplete personal data (Art. 16 GDPR).
Right to Erasure Request deletion of your personal data ("right to be forgotten") (Art. 17 GDPR).
Right to Portability Receive your data in a structured, machine-readable format (Art. 20 GDPR).
Right to Restriction Request that we limit how we process your data in certain circumstances (Art. 18 GDPR).
Right to Object Object to processing based on legitimate interests, including for direct marketing (Art. 21 GDPR).

You also have the right to withdraw consent at any time where we rely on consent as the legal basis for processing. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

If you believe we have not adequately addressed a concern, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or the relevant supervisory authority in your EEA member state).

7.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes. You do not need to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those specified in CPRA.

7.3 How to Exercise Your Rights

You may exercise many rights directly through your account settings, including downloading your data, updating your profile, or deleting your account. For requests that cannot be fulfilled through your account, please contact us at privacy@julay.org. We will respond within 30 days (or within the timeframe required by applicable law) and may ask you to verify your identity before processing your request.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service. A "cookie" is a small text file stored on your device by your browser at the request of a website.

We use the following types of cookies:

  • Strictly Necessary Cookies: Required for the Service to function (e.g., session authentication tokens). These cannot be disabled.
  • Functional Cookies: Remember your preferences (e.g., display settings, language) to enhance your experience.
  • Analytics Cookies: Help us understand how users interact with the Service so we can improve it. We use these only with your consent.

You can manage your cookie preferences at any time through your browser settings or our cookie consent interface. Please note that disabling certain cookies may affect the functionality of the Service.

For full details on the cookies we use, their purpose, and how to control them, please see our Cookie Policy.

9. Data Breach Notification

We maintain technical and organizational security measures designed to protect your personal information against unauthorized access, loss, alteration, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls, regular security assessments, and audit logging.

Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (e.g., the applicable data protection authority) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.
  • Document all breaches internally, including those that do not require external notification.

Breach notifications to affected users will be sent to the email address associated with your account and/or posted as a notice within the Service. We will include information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days. For formal data subject access requests, we will respond within the timeframe required by applicable law (30 days under GDPR; 45 days under CCPA).

11. Governing Law

This Privacy Policy and any disputes relating to it are governed by the laws of the State of Delaware, United States, without regard to conflict of law principles, except to the extent that applicable mandatory privacy laws in your jurisdiction (including the GDPR or CCPA) provide broader protections.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Effective Date" at the top of this page.
  • Send a notification to the email address associated with your account at least 30 days before changes take effect, where practicable.
  • Display a prominent notice within the Service.

We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes to the extent permitted by law. If you do not agree with the revised policy, you may delete your account before the changes take effect.

Prior versions of this policy are available upon request by contacting privacy@julay.org.