Privacy Policy | JustAutomateIt

Privacy Policy Overview

Effective Date: 14 January 2026

Last Updated: 14 January 2026

Welcome to the Privacy Policy of JUST AUTOMATE IT LTD ("JAI", "we", "us", or "our"). We are committed to protecting your privacy and being transparent about how we collect, use, and safeguard your personal information.

This Privacy Policy explains how we handle your data when you:

Visit our website at just-automate-it.org (the "Website")
Use the JAI Platform at jai-dash.app and your dedicated subdomain (the "Platform")
Interact with our Services, including consultancy and support

Data Controller:

JUST AUTOMATE IT LTD

27 Lower Aston Hall Lane

Deeside, Clwyd

CH5 3EX

United Kingdom

Email: support@just-automate-it.org

Our Commitment:

We operate in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are dedicated to protecting your privacy and safeguarding your personal information through industry-standard security measures and transparent data practices.

Information We Collect

We collect only the information necessary to provide and improve our Services. We practice data minimization and do not collect unnecessary personal information.

Website Visitors (just-automate-it.org)

Information You Provide:

Contact Forms: Name, email address, company name, phone number (optional), and message content when you submit inquiries
Newsletter Signups: Email address and name (if provided)
Trial Signup: Email address for 5-day trial access

Information Collected Automatically:

Analytics Data: Pages visited, time on site, referral source, device type, browser type, and IP address (via Google Analytics or similar)
Cookies: Session cookies for functionality; analytics cookies for usage tracking (see Cookie Policy)

Platform Users (jai-dash.app)

Account Information:

Registration Data: Full name, email address, company name, and password (hashed)
Authentication Data: Auth0 user ID, login timestamps, and authentication method (email/password or social login)
Billing Information: Payment details processed by Stripe (we do not store full credit card numbers)
Subscription Details: Plan type, billing cycle, subscription status, and payment history

Platform Usage Data:

Dashboard Configurations: Saved dashboards, custom visualizations, and user preferences
Query History: Natural language queries submitted to the JIA Assistant and conversation logs
API Credentials: Encrypted API keys for AI providers (OpenAI, Anthropic, etc.) and data source integrations
Usage Metrics: API call logs, cost tracking data, response times, and error logs for billing and optimization
Prompt Library: Saved prompts, templates, and custom agent configurations

Important - Your Business Data:

The JAI Platform is designed with data minimization principles. We process your business data via API calls in real-time but do not persistently store your raw business data (e.g., sales figures, customer records, financial data). Data is processed temporarily to generate insights, then discarded.

Information from Third Parties

Social Authentication:

If you sign in using Google, LinkedIn, or Microsoft, we receive:

Name, email address, and profile picture
We do not access your contacts, messages, or other account data

Subprocessors:

We receive limited data from trusted service providers:

Auth0: Authentication and identity management
Stripe: Payment processing and billing information
Supabase: Database hosting (your data is stored in your isolated environment)
n8n: Workflow automation metadata

Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

Contract: To provide the Services you've subscribed to or requested
Legitimate Interests: To improve our Services, prevent fraud, and ensure security
Consent: For marketing communications (you can withdraw consent anytime)
Legal Obligation: To comply with tax, accounting, and regulatory requirements

How We Use Your Information

We use your personal information only for legitimate purposes related to providing and improving our Services.

Platform Operation and Service Delivery

Account Management: Create and manage your user account, authenticate logins, and provide access to your dedicated environment
Subscription Management: Process payments, manage billing cycles, and handle subscription changes or cancellations
Service Delivery: Enable the JIA Assistant, process your queries through specialized agents, and generate dashboards and visualizations
Cost Tracking: Monitor API usage, calculate real-time AI provider costs, and provide transparent billing reports
Customer Support: Respond to your inquiries, provide technical assistance, and troubleshoot issues

Service Improvement and Analytics

Platform Optimization: Analyze usage patterns to improve response times, agent accuracy, and user experience
Product Development: Identify feature requests, prioritize improvements, and develop new capabilities
Performance Monitoring: Track system uptime, error rates, and performance metrics to maintain service quality
Security: Detect and prevent fraudulent activity, unauthorized access, and security threats

Communication

Transactional Emails: Send account confirmations, password resets, billing notifications, and service updates
Product Updates: Notify you of new features, improvements, and important changes (if you've opted in)
Marketing Communications: Send newsletters, case studies, and promotional content (only with your explicit consent - you can opt out anytime)

Legal and Compliance

Legal Obligations: Comply with tax, accounting, and regulatory requirements (e.g., retaining invoices for 7 years)
Dispute Resolution: Respond to legal claims, enforce our Terms of Service, and protect our rights
Regulatory Compliance: Meet GDPR, UK data protection, and financial regulations

Data We Do NOT Use

We never:

Sell or rent your personal information to third parties
Use your business data processed via APIs for any purpose other than providing insights to you
Share your data with advertisers or data brokers
Train AI models on your proprietary data without explicit consent
Use your data for purposes unrelated to the Services

GDPR Compliance and Commitment

JUST AUTOMATE IT LTD operates in full compliance with:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)

Our GDPR Commitments

Data Protection Principles:

We ensure your data is:

Lawful, Fair, and Transparent: Processed with clear legal basis and transparent practices
Purpose Limited: Collected for specific, explicit purposes only
Data Minimized: Limited to what is necessary for our Services
Accurate: Kept up to date; you can request corrections anytime
Storage Limited: Retained only as long as necessary
Secure: Protected by appropriate technical and organizational measures
Accountable: We maintain records of our processing activities and can demonstrate compliance

Your Rights Under UK GDPR:

You have the right to:

Access your personal data (Subject Access Request)
Rectify inaccurate or incomplete data
Erase your data ("right to be forgotten") in certain circumstances
Restrict processing of your data
Data portability (receive your data in a machine-readable format)
Object to processing based on legitimate interests
Withdraw consent for marketing communications
Lodge a complaint with the Information Commissioner's Office (ICO)

Data Processing Agreement

For Platform users, we act as a data processor for business data you process through the Platform. You (the customer) are the data controller.

A Data Processing Agreement (DPA) is available upon request for Enterprise customers and can be reviewed at just-automate-it.org/dpa.

International Data Transfers

Your data is primarily stored and processed within the UK and European Economic Area (EEA). Where we use subprocessors outside the UK/EEA (e.g., some AI providers), we ensure:

Adequacy decisions are in place, or
Standard Contractual Clauses (SCCs) are implemented, or
The provider has appropriate safeguards (e.g., Privacy Shield successor frameworks)

AI Provider Data Transfers:

When you use AI providers (OpenAI, Anthropic), data is sent to their APIs. You should review their privacy policies:

OpenAI: Based in USA (uses SCCs for EU data)
Anthropic: Based in USA (uses SCCs for EU data)

You control which AI providers to use by providing your own API keys.

Regular Compliance Reviews

We conduct:

Annual privacy policy reviews and updates
Quarterly security audits and vulnerability assessments
Regular staff training on data protection and GDPR compliance
Data Protection Impact Assessments (DPIAs) for high-risk processing activities

Your Privacy Rights

Under UK GDPR and the Data Protection Act 2018, you have comprehensive rights regarding your personal data.

Right to Access (Subject Access Request)

You have the right to request a copy of all personal data we hold about you.

How to Request:

Email support@just-automate-it.org with "Subject Access Request" in the subject line
We will respond within 30 days (may be extended by 2 months for complex requests)
No fee unless the request is manifestly unfounded or excessive

What You'll Receive:

All personal data we hold about you
The purposes of processing
Categories of data and recipients
Retention periods
Your rights and how to exercise them

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

How to Request:

Update your profile directly in the Platform (Account Settings)
Email support@just-automate-it.org for data you cannot update yourself
We will correct inaccuracies within 30 days

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances:

The data is no longer necessary for the purposes it was collected
You withdraw consent (where consent was the legal basis)
You object to processing based on legitimate interests
The data was unlawfully processed
Legal obligations require erasure

How to Request:

Cancel your account via the Platform (Account Settings → Cancel Subscription)
Email support@just-automate-it.org to request immediate deletion
We will delete your data within 30 days of account closure

Exceptions:

We may retain certain data where we have a legal obligation (e.g., financial records for 7 years for tax purposes).

Right to Restrict Processing

You can request that we limit how we use your data while:

Verifying the accuracy of your data
Determining the legitimacy of our processing
You need the data for legal claims, but we no longer need it

Right to Data Portability

You can request your data in a structured, machine-readable format (e.g., JSON, CSV) to transfer to another service.

Available for:

Account information
Dashboard configurations
Saved queries and conversation history
Prompt library entries

How to Request:

Email support@just-automate-it.org
We will provide the export within 14 days

Right to Object

You can object to:

Marketing Communications: Opt out via the unsubscribe link in any email or email support@just-automate-it.org
Processing Based on Legitimate Interests: We will cease processing unless we have compelling legitimate grounds

Right to Withdraw Consent

Where we process your data based on consent, you can withdraw it at any time.

How to Withdraw:

Marketing Emails: Click the unsubscribe link in any email
Platform Consent: Email support@just-automate-it.org

Withdrawing consent does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

If you believe we have not handled your data correctly, you can lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

How to Exercise Your Rights

Email: support@just-automate-it.org

Subject Line: Include the specific right you wish to exercise (e.g., "Subject Access Request")

Response Time: We will respond within 30 days

Verification: We may request proof of identity to protect your data from unauthorized access

Contact Us

For privacy-related questions, to exercise your data rights, or to lodge a complaint, please contact us:

JUST AUTOMATE IT LTD

27 Lower Aston Hall Lane

Deeside, Clwyd

CH5 3EX

United Kingdom

Email: support@just-automate-it.org

Website: https://just-automate-it.org

Response Times:

General inquiries: Within 2 business days
Data rights requests: Within 30 days
Urgent security matters: Within 24 hours

Data Protection Officer (DPO):

For complex data protection inquiries, you may contact our Data Protection Officer at: support@just-automate-it.org (mark "Attention: DPO" in subject line)

UK Supervisory Authority:

If you are not satisfied with our response, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Email: casework@ico.org.uk

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Data Security and Protection Measures

We implement industry-standard technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction.

Technical Security Measures

Encryption:

Data in Transit: TLS 1.3 encryption for all data transmitted between your browser and our servers
Data at Rest: AES-256 encryption for all data stored in databases
API Keys: Encrypted storage of your AI provider credentials and data source API keys

Access Controls:

Authentication: Multi-factor authentication (MFA) available via Auth0
Role-Based Access Control (RBAC): Granular permissions for team members
Least Privilege Principle: Users and systems are granted minimum necessary access
Session Management: Automatic logout after inactivity; secure session tokens

Infrastructure Security:

Tenant Isolation: Each customer has a dedicated, isolated Supabase environment
Firewall Protection: Network-level security to prevent unauthorized access
DDoS Protection: Mitigation of distributed denial-of-service attacks
Regular Security Patching: Timely updates to all systems and dependencies

Monitoring and Logging:

Audit Logs: Comprehensive logging of access, changes, and security events
Intrusion Detection: Real-time monitoring for suspicious activity
Anomaly Detection: Automated alerts for unusual access patterns

Organizational Security Measures

Staff Training:

Mandatory data protection and security training for all employees
Regular updates on GDPR, phishing awareness, and security best practices
Confidentiality agreements for all staff and contractors

Access Management:

Background checks for employees with access to customer data
Regular review and revocation of access rights
Segregation of duties for critical operations

Incident Response:

Documented incident response plan
24-hour notification to affected users in case of data breaches
Notification to the ICO within 72 hours of discovering a breach (as required by UK GDPR)

Third-Party Security:

Due diligence on all subprocessors and vendors
Contractual data protection obligations
Regular security assessments of third-party services

Data Backup and Recovery

Automated Backups: Daily backups of all platform data
Redundancy: Geographically distributed backups to prevent data loss
Disaster Recovery: Tested recovery procedures to restore service within 24 hours
Backup Encryption: All backups are encrypted at rest

Limitations

While we implement robust security measures, no system is 100% secure. You are responsible for:

Keeping your login credentials confidential
Using strong, unique passwords
Enabling multi-factor authentication (MFA)
Securing your own devices and networks
Not sharing your API keys or access credentials

Security Reporting

If you discover a security vulnerability, please report it immediately to: support@just-automate-it.org (mark "URGENT: Security Issue" in subject line)

We take security reports seriously and will respond within 24 hours.

Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.

Platform User Data

Active Accounts:

Retained for the duration of your subscription and as long as your account remains active
Updated regularly as you use the Platform

Cancelled Accounts:

Grace Period: Data retained for 30 days after cancellation to allow for data export and potential reactivation
Permanent Deletion: After 30 days, all data is permanently deleted from our systems and backups
Exception: Billing records retained for 7 years to comply with UK tax law (HMRC requirements)

Specific Data Types

Account Information:

Retained while your account is active
Deleted 30 days after account closure

Query and Conversation History:

Retained while your account is active
Deleted 30 days after account closure

API Usage Logs:

Retained for 90 days for billing accuracy and troubleshooting
Aggregated, anonymized data may be retained indefinitely for analytics

Financial Records:

Invoices, payment records, and receipts: Retained for 7 years (HMRC requirement)
Credit card details: Not stored by us; processed and retained by Stripe

Marketing Consent Records:

Retained for 3 years after consent is withdrawn to demonstrate compliance

Support Tickets:

Retained for 2 years to improve service quality
Anonymized after 2 years; identifiable information deleted

Website Visitor Data

Analytics Data:

IP addresses and usage data: Retained for 26 months (Google Analytics default)
Aggregated, anonymized data may be retained indefinitely

Contact Form Submissions:

Retained for 2 years unless you request earlier deletion
Deleted immediately upon request if no ongoing business relationship

Newsletter Subscribers:

Retained until you unsubscribe
Deleted within 30 days of unsubscribing

Legal Holds and Exceptions

We may retain data beyond the standard retention periods if:

Required by law (e.g., court order, regulatory investigation)
Necessary to establish, exercise, or defend legal claims
You have requested data retention for a specific purpose

Data Deletion Process

Soft Deletion:

Data is marked as deleted and removed from production systems
Data remains in backups for 30 days

Hard Deletion:

After 30 days, data is permanently deleted from all backups
Deletion is irreversible and complete
Cryptographic erasure techniques used where applicable

Verification:

Upon request, we can provide confirmation that your data has been deleted.

Requesting Early Deletion

To request deletion of your data before the standard retention period expires:

Email support@just-automate-it.org with "Data Deletion Request" in the subject line
Specify which data you want deleted
We will confirm deletion within 30 days

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, protect, and improve our Services.

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences, authenticate your identity, and analyze usage patterns.

Types of Cookies We Use

Strictly Necessary Cookies (Always Active):

Purpose: Essential for the Platform to function (authentication, session management, security)
Duration: Session cookies (deleted when you close your browser) or up to 30 days
Examples: Login sessions, CSRF protection, load balancing
Legal Basis: Legitimate interest (necessary for service delivery)
Cannot Be Disabled: These cookies are required for the Platform to work

Functional Cookies (Optional):

Purpose: Remember your preferences and settings (language, theme, dashboard layouts)
Duration: Up to 1 year
Examples: User preferences, recently viewed dashboards, UI customizations
Legal Basis: Consent (you can disable these in your browser settings)

Analytics Cookies (Optional):

Purpose: Understand how visitors use our Website and Platform to improve user experience
Duration: Up to 26 months
Examples: Google Analytics (page views, bounce rate, session duration)
Legal Basis: Consent (you can opt out via cookie banner or browser settings)
Third Party: Google Analytics (see Google's privacy policy: policies.google.com/privacy)

We Do NOT Use:

Advertising or marketing cookies
Cross-site tracking cookies
Social media tracking pixels (beyond authentication)

Other Tracking Technologies

Local Storage:

We use browser local storage to cache dashboard configurations and improve performance. This data is stored locally on your device and can be cleared via browser settings.

Web Beacons (Pixel Tags):

Used in emails to track open rates and engagement (only for marketing emails you've consented to receive). You can disable image loading in your email client to block these.

Managing Cookies

Browser Settings:

You can control cookies through your browser settings:

Chrome: Settings → Privacy and Security → Cookies
Firefox: Settings → Privacy & Security → Cookies
Safari: Preferences → Privacy → Cookies
Edge: Settings → Privacy → Cookies

Cookie Consent Banner:

When you first visit our Website, we display a cookie banner allowing you to accept or reject optional cookies.

Opt-Out Tools:

Google Analytics: Install the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout)
Do Not Track: We honor "Do Not Track" browser signals where technically feasible

Impact of Disabling Cookies

Strictly Necessary Cookies:

If you block these, you will not be able to log in or use the Platform.

Functional Cookies:

Your preferences and settings will not be saved between sessions.

Analytics Cookies:

We will not be able to track usage patterns or improve the user experience based on data.

Third-Party Cookies

We do not allow third-party cookies on our Platform except for:

Auth0: Authentication cookies for social login (Google, LinkedIn, Microsoft)
Stripe: Payment processing cookies (only on payment pages)
Google Analytics: Usage tracking (only with consent)

These third parties have their own privacy policies. We recommend reviewing them:

Updates to Cookie Policy

We may update this Cookie Policy to reflect changes in technology or regulations. The "Last Updated" date at the top of this Privacy Policy indicates when changes were made.

Third-Party Services and Subprocessors

We use trusted third-party service providers ("subprocessors") to help deliver our Services. All subprocessors are carefully vetted and bound by data protection agreements.

Core Subprocessors

These services are essential to the JAI Platform:

Auth0 (Okta, Inc.)

Purpose: User authentication, identity management, and social login
Data Shared: Name, email, authentication tokens, login timestamps
Location: USA (uses Standard Contractual Clauses for UK/EU data)
Privacy Policy: auth0.com/privacy

Supabase (Supabase, Inc.)

Purpose: Database hosting, real-time data sync, and backend infrastructure
Data Shared: All Platform data (stored in your isolated tenant environment)
Location: EU (AWS Frankfurt region for UK/EU customers)
Privacy Policy: supabase.com/privacy

Stripe (Stripe, Inc.)

Purpose: Payment processing, subscription management, and billing
Data Shared: Billing information, payment details, transaction history
Location: USA (certified under EU-US Data Privacy Framework)
Privacy Policy: stripe.com/privacy

n8n (n8n GmbH)

Purpose: Workflow automation and integration orchestration
Data Shared: Workflow metadata, trigger events, execution logs
Location: Germany (EU)
Privacy Policy: n8n.io/legal/privacy

AI Provider Subprocessors (Your Choice)

You control which AI providers to use by providing your own API keys:

OpenAI (OpenAI, L.L.C.)

Purpose: Large language model (GPT-4, GPT-3.5) for natural language processing
Data Shared: Your queries, prompts, and context sent to the API
Location: USA
Privacy Policy: openai.com/privacy
Note: OpenAI does not use API data to train models (as of their Enterprise Terms)

Anthropic (Anthropic PBC)

Purpose: Large language model (Claude) for natural language processing
Data Shared: Your queries, prompts, and context sent to the API
Location: USA
Privacy Policy: anthropic.com/privacy
Note: Anthropic does not use API data to train models (as per their Terms)

Optional Subprocessors

Used only if you integrate with these services:

Google Cloud Platform / Google Analytics

Purpose: Website analytics, hosting (if applicable)
Location: USA (certified under EU-US Data Privacy Framework)
Privacy Policy: policies.google.com/privacy

Email Service Provider (e.g., SendGrid, Mailgun)

Purpose: Transactional emails, password resets, notifications
Location: Varies (typically USA with SCCs)
Privacy Policy: Depends on provider

Data Processing Agreements (DPAs)

All subprocessors have signed Data Processing Agreements with us that:

Limit data use to providing services to us
Require appropriate security measures
Prohibit unauthorized data disclosure
Ensure compliance with UK GDPR
Include Standard Contractual Clauses (SCCs) for non-UK/EU transfers

Changes to Subprocessors

We may add, remove, or replace subprocessors as necessary to improve our Services. For material changes:

We will notify Enterprise customers 30 days in advance
You may object if you have reasonable data protection concerns
If we cannot resolve your concerns, you may terminate your subscription without penalty

Up-to-Date Subprocessor List

For the most current list of subprocessors, visit: just-automate-it.org/subprocessors

Your Responsibility

When you integrate your own tools and data sources (e.g., CRM, databases, third-party APIs), you are responsible for:

Reviewing their privacy policies
Ensuring you have the right to share data with them
Managing your API keys and access credentials securely

We are not responsible for how third-party services you connect process your data.

Children's Privacy

The JAI Platform and our Services are not intended for use by individuals under the age of 18.

Age Restriction

You must be at least 18 years old to:

Create an account on the JAI Platform
Use our Services
Submit forms on our Website

No Knowing Collection of Children's Data

We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age.

If we discover that we have inadvertently collected personal information from a child under 18, we will:

Delete the information immediately
Terminate the associated account
Notify the individual (if contact information is available)

Parental Notice

If you are a parent or guardian and believe your child under 18 has provided personal information to us, please contact us immediately at: support@just-automate-it.org

We will promptly investigate and delete any such information.

Educational Use

For educational institutions that wish to use the JAI Platform for students under 18:

A separate agreement with parental consent provisions is required
Contact us at support@just-automate-it.org to discuss educational licenses

Compliance

Our age restriction policy complies with:

UK GDPR (Age of Consent: 13 for online services, but we set a higher threshold)
Children's Online Privacy Protection Act (COPPA) requirements (for users in the USA)

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes

Material Changes:

For significant changes that affect how we collect, use, or share your personal data, we will:

Notify you by email at least 30 days before the changes take effect
Display a prominent notice on the Website and Platform
Request your consent if required by law

Examples of Material Changes:

Adding new subprocessors or data transfers outside the UK/EU
Expanding data collection or usage purposes
Reducing data protection measures or security controls
Changes to your privacy rights or how to exercise them

Minor Changes:

For non-material changes (e.g., clarifications, formatting, correcting typos), we will:

Update the "Last Updated" date at the top of this Privacy Policy
Not send individual notifications

How to Stay Informed

Review Regularly: The current version is always available at just-automate-it.org/privacy
Version History: Previous versions are available upon request
RSS Feed: Subscribe to our privacy policy updates (if available)

Your Options After Changes

If you disagree with updated terms:

You may stop using the Services
You may cancel your subscription (see Terms of Service for cancellation process)
You may request deletion of your data (see "Your Privacy Rights")

Continuing to use the Services after changes take effect constitutes your acceptance of the updated Privacy Policy.

Questions About Changes

If you have questions about a specific change or how it affects you, contact us at: support@just-automate-it.org

Effective Date of This Policy: 14 January 2026

Last Reviewed: 14 January 2026

Next Scheduled Review: 14 January 2027

Privacy Policy Overview

Effective Date: 14 January 2026

Last Updated: 14 January 2026

This Privacy Policy explains how we handle your data when you:

Visit our website at just-automate-it.org (the "Website")
Use the JAI Platform at jai-dash.app and your dedicated subdomain (the "Platform")
Interact with our Services, including consultancy and support

Data Controller:

JUST AUTOMATE IT LTD

27 Lower Aston Hall Lane

Deeside, Clwyd

CH5 3EX

United Kingdom

Email: support@just-automate-it.org

Our Commitment:

Information We Collect

We collect only the information necessary to provide and improve our Services. We practice data minimization and do not collect unnecessary personal information.

Website Visitors (just-automate-it.org)

Information You Provide:

Contact Forms: Name, email address, company name, phone number (optional), and message content when you submit inquiries
Newsletter Signups: Email address and name (if provided)
Trial Signup: Email address for 5-day trial access

Information Collected Automatically:

Analytics Data: Pages visited, time on site, referral source, device type, browser type, and IP address (via Google Analytics or similar)
Cookies: Session cookies for functionality; analytics cookies for usage tracking (see Cookie Policy)

Platform Users (jai-dash.app)

Account Information:

Registration Data: Full name, email address, company name, and password (hashed)
Authentication Data: Auth0 user ID, login timestamps, and authentication method (email/password or social login)
Billing Information: Payment details processed by Stripe (we do not store full credit card numbers)
Subscription Details: Plan type, billing cycle, subscription status, and payment history

Platform Usage Data:

Dashboard Configurations: Saved dashboards, custom visualizations, and user preferences
Query History: Natural language queries submitted to the JIA Assistant and conversation logs
API Credentials: Encrypted API keys for AI providers (OpenAI, Anthropic, etc.) and data source integrations
Usage Metrics: API call logs, cost tracking data, response times, and error logs for billing and optimization
Prompt Library: Saved prompts, templates, and custom agent configurations

Important - Your Business Data:

Information from Third Parties

Social Authentication:

If you sign in using Google, LinkedIn, or Microsoft, we receive:

Name, email address, and profile picture
We do not access your contacts, messages, or other account data

Subprocessors:

We receive limited data from trusted service providers:

Auth0: Authentication and identity management
Stripe: Payment processing and billing information
Supabase: Database hosting (your data is stored in your isolated environment)
n8n: Workflow automation metadata

Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

Contract: To provide the Services you've subscribed to or requested
Legitimate Interests: To improve our Services, prevent fraud, and ensure security
Consent: For marketing communications (you can withdraw consent anytime)
Legal Obligation: To comply with tax, accounting, and regulatory requirements

How We Use Your Information

We use your personal information only for legitimate purposes related to providing and improving our Services.

Platform Operation and Service Delivery

Account Management: Create and manage your user account, authenticate logins, and provide access to your dedicated environment
Subscription Management: Process payments, manage billing cycles, and handle subscription changes or cancellations
Service Delivery: Enable the JIA Assistant, process your queries through specialized agents, and generate dashboards and visualizations
Cost Tracking: Monitor API usage, calculate real-time AI provider costs, and provide transparent billing reports
Customer Support: Respond to your inquiries, provide technical assistance, and troubleshoot issues

Service Improvement and Analytics

Platform Optimization: Analyze usage patterns to improve response times, agent accuracy, and user experience
Product Development: Identify feature requests, prioritize improvements, and develop new capabilities
Performance Monitoring: Track system uptime, error rates, and performance metrics to maintain service quality
Security: Detect and prevent fraudulent activity, unauthorized access, and security threats

Communication

Transactional Emails: Send account confirmations, password resets, billing notifications, and service updates
Product Updates: Notify you of new features, improvements, and important changes (if you've opted in)
Marketing Communications: Send newsletters, case studies, and promotional content (only with your explicit consent - you can opt out anytime)

Legal and Compliance

Legal Obligations: Comply with tax, accounting, and regulatory requirements (e.g., retaining invoices for 7 years)
Dispute Resolution: Respond to legal claims, enforce our Terms of Service, and protect our rights
Regulatory Compliance: Meet GDPR, UK data protection, and financial regulations

Data We Do NOT Use

We never:

Sell or rent your personal information to third parties
Use your business data processed via APIs for any purpose other than providing insights to you
Share your data with advertisers or data brokers
Train AI models on your proprietary data without explicit consent
Use your data for purposes unrelated to the Services

GDPR Compliance and Commitment

JUST AUTOMATE IT LTD operates in full compliance with:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)

Our GDPR Commitments

Data Protection Principles:

We ensure your data is:

Lawful, Fair, and Transparent: Processed with clear legal basis and transparent practices
Purpose Limited: Collected for specific, explicit purposes only
Data Minimized: Limited to what is necessary for our Services
Accurate: Kept up to date; you can request corrections anytime
Storage Limited: Retained only as long as necessary
Secure: Protected by appropriate technical and organizational measures
Accountable: We maintain records of our processing activities and can demonstrate compliance

Your Rights Under UK GDPR:

You have the right to:

Access your personal data (Subject Access Request)
Rectify inaccurate or incomplete data
Erase your data ("right to be forgotten") in certain circumstances
Restrict processing of your data
Data portability (receive your data in a machine-readable format)
Object to processing based on legitimate interests
Withdraw consent for marketing communications
Lodge a complaint with the Information Commissioner's Office (ICO)

Data Processing Agreement

For Platform users, we act as a data processor for business data you process through the Platform. You (the customer) are the data controller.

A Data Processing Agreement (DPA) is available upon request for Enterprise customers and can be reviewed at just-automate-it.org/dpa.

International Data Transfers

Your data is primarily stored and processed within the UK and European Economic Area (EEA). Where we use subprocessors outside the UK/EEA (e.g., some AI providers), we ensure:

Adequacy decisions are in place, or
Standard Contractual Clauses (SCCs) are implemented, or
The provider has appropriate safeguards (e.g., Privacy Shield successor frameworks)

AI Provider Data Transfers:

When you use AI providers (OpenAI, Anthropic), data is sent to their APIs. You should review their privacy policies:

OpenAI: Based in USA (uses SCCs for EU data)
Anthropic: Based in USA (uses SCCs for EU data)

You control which AI providers to use by providing your own API keys.

Regular Compliance Reviews

We conduct:

Annual privacy policy reviews and updates
Quarterly security audits and vulnerability assessments
Regular staff training on data protection and GDPR compliance
Data Protection Impact Assessments (DPIAs) for high-risk processing activities

Your Privacy Rights

Under UK GDPR and the Data Protection Act 2018, you have comprehensive rights regarding your personal data.

Right to Access (Subject Access Request)

You have the right to request a copy of all personal data we hold about you.

How to Request:

Email support@just-automate-it.org with "Subject Access Request" in the subject line
We will respond within 30 days (may be extended by 2 months for complex requests)
No fee unless the request is manifestly unfounded or excessive

What You'll Receive:

All personal data we hold about you
The purposes of processing
Categories of data and recipients
Retention periods
Your rights and how to exercise them

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

How to Request:

Update your profile directly in the Platform (Account Settings)
Email support@just-automate-it.org for data you cannot update yourself
We will correct inaccuracies within 30 days

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances:

The data is no longer necessary for the purposes it was collected
You withdraw consent (where consent was the legal basis)
You object to processing based on legitimate interests
The data was unlawfully processed
Legal obligations require erasure

How to Request:

Cancel your account via the Platform (Account Settings → Cancel Subscription)
Email support@just-automate-it.org to request immediate deletion
We will delete your data within 30 days of account closure

Exceptions:

We may retain certain data where we have a legal obligation (e.g., financial records for 7 years for tax purposes).

Right to Restrict Processing

You can request that we limit how we use your data while:

Verifying the accuracy of your data
Determining the legitimacy of our processing
You need the data for legal claims, but we no longer need it

Right to Data Portability

You can request your data in a structured, machine-readable format (e.g., JSON, CSV) to transfer to another service.

Available for:

Account information
Dashboard configurations
Saved queries and conversation history
Prompt library entries

How to Request:

Email support@just-automate-it.org
We will provide the export within 14 days

Right to Object

You can object to:

Marketing Communications: Opt out via the unsubscribe link in any email or email support@just-automate-it.org
Processing Based on Legitimate Interests: We will cease processing unless we have compelling legitimate grounds

Right to Withdraw Consent

Where we process your data based on consent, you can withdraw it at any time.

How to Withdraw:

Marketing Emails: Click the unsubscribe link in any email
Platform Consent: Email support@just-automate-it.org

Withdrawing consent does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

If you believe we have not handled your data correctly, you can lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

How to Exercise Your Rights

Email: support@just-automate-it.org

Subject Line: Include the specific right you wish to exercise (e.g., "Subject Access Request")

Response Time: We will respond within 30 days

Verification: We may request proof of identity to protect your data from unauthorized access

Contact Us

For privacy-related questions, to exercise your data rights, or to lodge a complaint, please contact us:

JUST AUTOMATE IT LTD

27 Lower Aston Hall Lane

Deeside, Clwyd

CH5 3EX

United Kingdom

Email: support@just-automate-it.org

Website: https://just-automate-it.org

Response Times:

General inquiries: Within 2 business days
Data rights requests: Within 30 days
Urgent security matters: Within 24 hours

Data Protection Officer (DPO):

For complex data protection inquiries, you may contact our Data Protection Officer at: support@just-automate-it.org (mark "Attention: DPO" in subject line)

UK Supervisory Authority:

If you are not satisfied with our response, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Email: casework@ico.org.uk

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Data Security and Protection Measures

We implement industry-standard technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction.

Technical Security Measures

Encryption:

Data in Transit: TLS 1.3 encryption for all data transmitted between your browser and our servers
Data at Rest: AES-256 encryption for all data stored in databases
API Keys: Encrypted storage of your AI provider credentials and data source API keys

Access Controls:

Authentication: Multi-factor authentication (MFA) available via Auth0
Role-Based Access Control (RBAC): Granular permissions for team members
Least Privilege Principle: Users and systems are granted minimum necessary access
Session Management: Automatic logout after inactivity; secure session tokens

Infrastructure Security:

Tenant Isolation: Each customer has a dedicated, isolated Supabase environment
Firewall Protection: Network-level security to prevent unauthorized access
DDoS Protection: Mitigation of distributed denial-of-service attacks
Regular Security Patching: Timely updates to all systems and dependencies

Monitoring and Logging:

Audit Logs: Comprehensive logging of access, changes, and security events
Intrusion Detection: Real-time monitoring for suspicious activity
Anomaly Detection: Automated alerts for unusual access patterns

Organizational Security Measures

Staff Training:

Mandatory data protection and security training for all employees
Regular updates on GDPR, phishing awareness, and security best practices
Confidentiality agreements for all staff and contractors

Access Management:

Background checks for employees with access to customer data
Regular review and revocation of access rights
Segregation of duties for critical operations

Incident Response:

Documented incident response plan
24-hour notification to affected users in case of data breaches
Notification to the ICO within 72 hours of discovering a breach (as required by UK GDPR)

Third-Party Security:

Due diligence on all subprocessors and vendors
Contractual data protection obligations
Regular security assessments of third-party services

Data Backup and Recovery

Automated Backups: Daily backups of all platform data
Redundancy: Geographically distributed backups to prevent data loss
Disaster Recovery: Tested recovery procedures to restore service within 24 hours
Backup Encryption: All backups are encrypted at rest

Limitations

While we implement robust security measures, no system is 100% secure. You are responsible for:

Keeping your login credentials confidential
Using strong, unique passwords
Enabling multi-factor authentication (MFA)
Securing your own devices and networks
Not sharing your API keys or access credentials

Security Reporting

If you discover a security vulnerability, please report it immediately to: support@just-automate-it.org (mark "URGENT: Security Issue" in subject line)

We take security reports seriously and will respond within 24 hours.

Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.

Platform User Data

Active Accounts:

Retained for the duration of your subscription and as long as your account remains active
Updated regularly as you use the Platform

Cancelled Accounts:

Grace Period: Data retained for 30 days after cancellation to allow for data export and potential reactivation
Permanent Deletion: After 30 days, all data is permanently deleted from our systems and backups
Exception: Billing records retained for 7 years to comply with UK tax law (HMRC requirements)

Specific Data Types

Account Information:

Retained while your account is active
Deleted 30 days after account closure

Query and Conversation History:

Retained while your account is active
Deleted 30 days after account closure

API Usage Logs:

Retained for 90 days for billing accuracy and troubleshooting
Aggregated, anonymized data may be retained indefinitely for analytics

Financial Records:

Invoices, payment records, and receipts: Retained for 7 years (HMRC requirement)
Credit card details: Not stored by us; processed and retained by Stripe

Marketing Consent Records:

Retained for 3 years after consent is withdrawn to demonstrate compliance

Support Tickets:

Retained for 2 years to improve service quality
Anonymized after 2 years; identifiable information deleted

Website Visitor Data

Analytics Data:

IP addresses and usage data: Retained for 26 months (Google Analytics default)
Aggregated, anonymized data may be retained indefinitely

Contact Form Submissions:

Retained for 2 years unless you request earlier deletion
Deleted immediately upon request if no ongoing business relationship

Newsletter Subscribers:

Retained until you unsubscribe
Deleted within 30 days of unsubscribing

Legal Holds and Exceptions

We may retain data beyond the standard retention periods if:

Required by law (e.g., court order, regulatory investigation)
Necessary to establish, exercise, or defend legal claims
You have requested data retention for a specific purpose

Data Deletion Process

Soft Deletion:

Data is marked as deleted and removed from production systems
Data remains in backups for 30 days

Hard Deletion:

After 30 days, data is permanently deleted from all backups
Deletion is irreversible and complete
Cryptographic erasure techniques used where applicable

Verification:

Upon request, we can provide confirmation that your data has been deleted.

Requesting Early Deletion

To request deletion of your data before the standard retention period expires:

Email support@just-automate-it.org with "Data Deletion Request" in the subject line
Specify which data you want deleted
We will confirm deletion within 30 days

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, protect, and improve our Services.

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences, authenticate your identity, and analyze usage patterns.

Types of Cookies We Use

Strictly Necessary Cookies (Always Active):

Purpose: Essential for the Platform to function (authentication, session management, security)
Duration: Session cookies (deleted when you close your browser) or up to 30 days
Examples: Login sessions, CSRF protection, load balancing
Legal Basis: Legitimate interest (necessary for service delivery)
Cannot Be Disabled: These cookies are required for the Platform to work

Functional Cookies (Optional):

Purpose: Remember your preferences and settings (language, theme, dashboard layouts)
Duration: Up to 1 year
Examples: User preferences, recently viewed dashboards, UI customizations
Legal Basis: Consent (you can disable these in your browser settings)

Analytics Cookies (Optional):

Purpose: Understand how visitors use our Website and Platform to improve user experience
Duration: Up to 26 months
Examples: Google Analytics (page views, bounce rate, session duration)
Legal Basis: Consent (you can opt out via cookie banner or browser settings)
Third Party: Google Analytics (see Google's privacy policy: policies.google.com/privacy)

We Do NOT Use:

Advertising or marketing cookies
Cross-site tracking cookies
Social media tracking pixels (beyond authentication)

Other Tracking Technologies

Local Storage:

We use browser local storage to cache dashboard configurations and improve performance. This data is stored locally on your device and can be cleared via browser settings.

Web Beacons (Pixel Tags):

Used in emails to track open rates and engagement (only for marketing emails you've consented to receive). You can disable image loading in your email client to block these.

Managing Cookies

Browser Settings:

You can control cookies through your browser settings:

Chrome: Settings → Privacy and Security → Cookies
Firefox: Settings → Privacy & Security → Cookies
Safari: Preferences → Privacy → Cookies
Edge: Settings → Privacy → Cookies

Cookie Consent Banner:

When you first visit our Website, we display a cookie banner allowing you to accept or reject optional cookies.

Opt-Out Tools:

Google Analytics: Install the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout)
Do Not Track: We honor "Do Not Track" browser signals where technically feasible

Impact of Disabling Cookies

Strictly Necessary Cookies:

If you block these, you will not be able to log in or use the Platform.

Functional Cookies:

Your preferences and settings will not be saved between sessions.

Analytics Cookies:

We will not be able to track usage patterns or improve the user experience based on data.

Third-Party Cookies

We do not allow third-party cookies on our Platform except for:

Auth0: Authentication cookies for social login (Google, LinkedIn, Microsoft)
Stripe: Payment processing cookies (only on payment pages)
Google Analytics: Usage tracking (only with consent)

These third parties have their own privacy policies. We recommend reviewing them:

Updates to Cookie Policy

We may update this Cookie Policy to reflect changes in technology or regulations. The "Last Updated" date at the top of this Privacy Policy indicates when changes were made.

Third-Party Services and Subprocessors

We use trusted third-party service providers ("subprocessors") to help deliver our Services. All subprocessors are carefully vetted and bound by data protection agreements.

Core Subprocessors

These services are essential to the JAI Platform:

Auth0 (Okta, Inc.)

Purpose: User authentication, identity management, and social login
Data Shared: Name, email, authentication tokens, login timestamps
Location: USA (uses Standard Contractual Clauses for UK/EU data)
Privacy Policy: auth0.com/privacy

Supabase (Supabase, Inc.)

Purpose: Database hosting, real-time data sync, and backend infrastructure
Data Shared: All Platform data (stored in your isolated tenant environment)
Location: EU (AWS Frankfurt region for UK/EU customers)
Privacy Policy: supabase.com/privacy

Stripe (Stripe, Inc.)

Purpose: Payment processing, subscription management, and billing
Data Shared: Billing information, payment details, transaction history
Location: USA (certified under EU-US Data Privacy Framework)
Privacy Policy: stripe.com/privacy

n8n (n8n GmbH)

Purpose: Workflow automation and integration orchestration
Data Shared: Workflow metadata, trigger events, execution logs
Location: Germany (EU)
Privacy Policy: n8n.io/legal/privacy

AI Provider Subprocessors (Your Choice)

You control which AI providers to use by providing your own API keys:

OpenAI (OpenAI, L.L.C.)

Purpose: Large language model (GPT-4, GPT-3.5) for natural language processing
Data Shared: Your queries, prompts, and context sent to the API
Location: USA
Privacy Policy: openai.com/privacy
Note: OpenAI does not use API data to train models (as of their Enterprise Terms)

Anthropic (Anthropic PBC)

Purpose: Large language model (Claude) for natural language processing
Data Shared: Your queries, prompts, and context sent to the API
Location: USA
Privacy Policy: anthropic.com/privacy
Note: Anthropic does not use API data to train models (as per their Terms)

Optional Subprocessors

Used only if you integrate with these services:

Google Cloud Platform / Google Analytics

Purpose: Website analytics, hosting (if applicable)
Location: USA (certified under EU-US Data Privacy Framework)
Privacy Policy: policies.google.com/privacy

Email Service Provider (e.g., SendGrid, Mailgun)

Purpose: Transactional emails, password resets, notifications
Location: Varies (typically USA with SCCs)
Privacy Policy: Depends on provider

Data Processing Agreements (DPAs)

All subprocessors have signed Data Processing Agreements with us that:

Limit data use to providing services to us
Require appropriate security measures
Prohibit unauthorized data disclosure
Ensure compliance with UK GDPR
Include Standard Contractual Clauses (SCCs) for non-UK/EU transfers

Changes to Subprocessors

We may add, remove, or replace subprocessors as necessary to improve our Services. For material changes:

We will notify Enterprise customers 30 days in advance
You may object if you have reasonable data protection concerns
If we cannot resolve your concerns, you may terminate your subscription without penalty

Up-to-Date Subprocessor List

For the most current list of subprocessors, visit: just-automate-it.org/subprocessors

Your Responsibility

When you integrate your own tools and data sources (e.g., CRM, databases, third-party APIs), you are responsible for:

Reviewing their privacy policies
Ensuring you have the right to share data with them
Managing your API keys and access credentials securely

We are not responsible for how third-party services you connect process your data.

Children's Privacy

The JAI Platform and our Services are not intended for use by individuals under the age of 18.

Age Restriction

You must be at least 18 years old to:

Create an account on the JAI Platform
Use our Services
Submit forms on our Website

No Knowing Collection of Children's Data

We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age.

If we discover that we have inadvertently collected personal information from a child under 18, we will:

Delete the information immediately
Terminate the associated account
Notify the individual (if contact information is available)

Parental Notice

If you are a parent or guardian and believe your child under 18 has provided personal information to us, please contact us immediately at: support@just-automate-it.org

We will promptly investigate and delete any such information.

Educational Use

For educational institutions that wish to use the JAI Platform for students under 18:

A separate agreement with parental consent provisions is required
Contact us at support@just-automate-it.org to discuss educational licenses

Compliance

Our age restriction policy complies with:

UK GDPR (Age of Consent: 13 for online services, but we set a higher threshold)
Children's Online Privacy Protection Act (COPPA) requirements (for users in the USA)

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes

Material Changes:

For significant changes that affect how we collect, use, or share your personal data, we will:

Notify you by email at least 30 days before the changes take effect
Display a prominent notice on the Website and Platform
Request your consent if required by law

Examples of Material Changes:

Adding new subprocessors or data transfers outside the UK/EU
Expanding data collection or usage purposes
Reducing data protection measures or security controls
Changes to your privacy rights or how to exercise them

Minor Changes:

For non-material changes (e.g., clarifications, formatting, correcting typos), we will:

Update the "Last Updated" date at the top of this Privacy Policy
Not send individual notifications

How to Stay Informed

Review Regularly: The current version is always available at just-automate-it.org/privacy
Version History: Previous versions are available upon request
RSS Feed: Subscribe to our privacy policy updates (if available)

Your Options After Changes

If you disagree with updated terms:

You may stop using the Services
You may cancel your subscription (see Terms of Service for cancellation process)
You may request deletion of your data (see "Your Privacy Rights")

Continuing to use the Services after changes take effect constitutes your acceptance of the updated Privacy Policy.

Questions About Changes

If you have questions about a specific change or how it affects you, contact us at: support@just-automate-it.org

Effective Date of This Policy: 14 January 2026

Last Reviewed: 14 January 2026

Next Scheduled Review: 14 January 2027