Privacy Policy
Joylo Limited |Effective
Joylo helps founders and teams take applications from idea to production by combining AI code generation with certified human engineers. Doing that well requires your trust, and trust starts with being clear about data. This policy explains what we collect, how we use it, who can see it, and the rights you have. We have written it in plain English, because a privacy policy you cannot understand protects nobody.
The short version
- You own your projects. Your prompts, your code, and your applications belong to you.
- Humans never look at your project unless you ask. Expert Assist engineers access your code only when you trigger an engagement, and only for that engagement.
- Your data is not for sale. We do not sell personal data and we do not run ads.
- You can choose where your data lives. Hosting defaults to AWS in the United States. EU hosting is available on request, and enterprise deployments are pinned to the region you choose, including your own cloud.
- AI providers cannot train on your content. Our agreements with model providers do not permit your content to be used to train their general-purpose models.
- Your code is portable. You can export your project and take it with you at any time.
1. Who We Are
Joylo Limited ("Joylo", "we", "us", "our") is a private company limited by shares incorporated in Ireland, registered with the Companies Registration Office under company number 818120, with its registered office at 6 Fern Road, Sandyford Business Park, Dublin 18, D18 FP98, Ireland.
We operate joylo.ai and related applications and services (the "Platform"). For the personal data described in this policy, Joylo Limited is the data controller under the EU General Data Protection Regulation ("GDPR") and the Irish Data Protection Act 2018. Our supervisory authority is the Irish Data Protection Commission.
For anything in this policy, contact privacy@joylo.ai.
2. What This Policy Covers
Joylo plays two different roles depending on whose data is involved:
| The data | Who is responsible |
|---|---|
| Your account, projects, billing, and use of the Platform | Joylo is the controller. This policy applies. |
| Personal data of your applications’ end users | You are the controller. Joylo processes this data on your behalf as a processor under our Data Processing Addendum. |
If you deploy applications that collect personal data from your own users, you are responsible for providing your own privacy notice, establishing a lawful basis, and complying with the data protection laws that apply to you. Our Data Processing Addendum sets out how we handle that data as your processor. Request a copy at privacy@joylo.ai.
This policy does not apply to third-party services you choose to connect to your applications. Their own policies govern their processing.
3. The Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, hashed password, workspace and notification settings | You |
| Project Content | Prompts, chat history with the AI, generated code, files you upload, configurations, deployment settings | You and the Platform |
| Billing data | Plan, credit purchases, credit consumption, invoices, VAT details. Card payments are handled by our payment processor. We never store full card numbers. | You and our payment processor |
| Usage and log data | IP address, browser and device information, pages and features used, credit metering events, timestamps, error and diagnostic logs | Automatic |
| Support data | Support tickets, emails, Expert Assist requests and related correspondence | You |
| Marketing data | Email address and preferences, if you subscribe to updates | You |
The Platform is not designed for special category data such as health records or biometric identifiers. Please do not include it in your Project Content. Section 2 explains your responsibilities for personal data inside applications you build.
4. How We Use Your Data and Why It Is Lawful
Under the GDPR we need a legal basis for everything we do with your personal data. Here is each purpose and its basis:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Platform: building, deploying, and hosting your applications, metering credits, and managing your account | Performance of a contract |
| Processing payments, invoices, and subscription changes | Performance of a contract |
| Delivering Expert Assist and Co-Build engagements you request | Performance of a contract |
| Securing the Platform: preventing fraud, abuse, and unauthorised access | Legitimate interests |
| Improving the Platform, including the AI Confidence Score, using de-identified and aggregated data | Legitimate interests |
| Sending service communications about your account, billing, security, or changes to the Platform | Performance of a contract and legal obligation |
| Sending marketing communications | Consent, which you can withdraw at any time |
| Meeting legal obligations, including tax, accounting, and lawful requests from authorities | Legal obligation |
Where we rely on legitimate interests, we balance those interests against your rights and freedoms, and we use de-identified data wherever possible.
5. How AI Processing Works
When you build with Joylo, your prompts and the relevant parts of your Project Content are sent to large language model providers to generate code, plans, and responses. Our primary provider is Anthropic, whose Claude models we access through the Anthropic API. We use OpenAI models for certain planning and agent functions. On enterprise deployments, model inference can run through Amazon Bedrock inside the deployment region instead.
Our agreements with these providers do not permit them to use your prompts or Project Content to train their general-purpose models.
Project files are provided to models as direct context for your specific request. Data stored inside your deployed applications’ production databases is not transmitted to AI providers as part of normal Platform operation.
The AI Confidence Score is an automated assessment of the technical readiness of your build. It flags weaknesses in areas such as deployment, authentication, security, and scaling before you go to production, so you can decide where engineering help is worth it. It informs decisions; it does not make decisions that produce legal or similarly significant effects about you within the meaning of GDPR Article 22.
6. Expert Assist and Human Access
Joylo staff and engineers never access your project automatically. Human access to your Project Content happens in only two situations: when you actively request it, or when it is strictly necessary to investigate a security incident, abuse, or a legal obligation. In the second case, access is logged and limited to what is necessary.
When you trigger Expert Assist or purchase a Co-Build plan, certified Joylo engineers deliver the work. They access your project, code, and related content solely to complete the engagement you requested, are bound by confidentiality obligations, and lose access when the engagement ends.
Our engineering team works from Ireland, India, and Kenya. Where an engineer outside the European Economic Area accesses your data, the transfer safeguards in Section 8 apply.
We keep a record of each engagement, including the issue found, the fix applied, and the outcome. We retain these records in de-identified form to improve the reliability of the Platform and the accuracy of the Confidence Score.
7. Who We Share Data With
We share personal data only with providers who help us run the Platform, under contracts that restrict how they may use it. We never sell personal data and we never share it for advertising. Our current providers:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting and storage; model inference through Amazon Bedrock on enterprise deployments | United States by default; EU and enterprise regions available |
| Neon | Managed application databases | Follows your hosting region; United States by default |
| Anthropic | AI code generation | United States |
| OpenAI | AI planning and agent functions | United States |
| Stripe | Payment processing | European Union and United States |
| Analytics, support, and email tools | Product measurement, customer support, and service communications | European Union and United States |
We update this list as our providers change, and material changes are reflected in an updated version of this policy. We may also disclose personal data where required by law, to enforce our terms, to protect the rights or safety of Joylo, our users, or others, or as part of a corporate transaction such as an investment, financing, or acquisition, in which case we will notify you where required.
8. International Transfers
Where your data is hosted depends on your plan:
- Standard plans are hosted with Amazon Web Services in the United States (Northern Virginia) by default. If you want your account hosted in the European Union, contact support and we will transfer your account to our EU region.
- Enterprise deployments are pinned to the region you choose, either in a dedicated environment or in your own cloud account, so application data does not leave that region.
Some processing happens outside the European Economic Area: our default United States hosting, AI providers, and our payment processor. Our engineering team works from Ireland, India, and Kenya, so an engagement you request may also involve access from outside the EEA. Wherever that happens, we protect EEA and UK personal data with European Commission Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, and additional contractual and technical safeguards.
9. How Long We Keep Data
| Data | Retention |
|---|---|
| Account data | While your account is active, then deleted within 30 days of account closure or a verified deletion request |
| Project Content | While your account is active, then deleted within 30 days of account closure; residual copies are purged from backups within 90 days |
| Usage and log data | Up to 90 days for operational logs; up to 12 months for security logs |
| Billing and transaction records | 6 years, as required by Irish tax and company law |
| Support correspondence | 24 months after the ticket is closed |
| Engagement records (Expert Assist, Co-Build) | De-identified after the engagement ends; de-identified records are no longer personal data and may be retained |
| Marketing data | Until you unsubscribe or withdraw consent |
10. How We Protect Your Data
Our safeguards include:
- Encryption of data in transit and at rest
- Role-based access controls and the principle of least privilege
- Isolated environments for each project
- Data residency options, including EU hosting on request and region-pinned enterprise deployment
- Logging and monitoring of access to production systems
- Confidentiality obligations for all staff and engineers
- Due diligence and contractual safeguards for every provider listed in Section 7
We continue to invest in our security programme, including work toward independent certification. If a personal data breach occurs that puts your rights at risk, we will notify the Data Protection Commission within 72 hours where required and tell you without undue delay.
One request from us: never place passwords, API keys, or other secrets in prompts or in code you share publicly.
11. Your Rights
If you are in the European Economic Area or the United Kingdom, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Receive your data in a structured, commonly used, machine-readable format (portability)
- Object to processing based on legitimate interests, and to direct marketing at any time
- Withdraw consent at any time, without affecting processing that already happened
- Not be subject to solely automated decisions with legal or similarly significant effects, which we do not carry out
To exercise any right, email privacy@joylo.ai. We will verify your identity and respond within one month. If a request is complex and we need more time, we will tell you why and respond within three months at the latest.
You can also complain to the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (www.dataprotection.ie), or to your local supervisory authority. We would appreciate the chance to resolve your concern first.
If you are outside the EEA and the UK, we extend the same core commitments: you can access, correct, and delete your personal data, and opt out of marketing at any time, subject to the laws that apply where you live.
12. Cookies
We use cookies and similar technologies in three ways: strictly necessary cookies that make the Platform work, such as sign-in and security; analytics cookies that help us understand how the Platform is used; and marketing cookies that measure our campaigns. Strictly necessary cookies do not require consent. Analytics and marketing cookies are set only with your consent where the law requires it, and you can change your choices at any time through the cookie settings on our website or your browser controls.
13. Children
The Platform is for people aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact privacy@joylo.ai and we will delete it.
14. Changes to This Policy
We will update this policy as the Platform and the law evolve. The effective date at the top always shows the current version. For material changes, we will give you at least 30 days’ notice by email or through the Platform before they take effect.
15. Contact Us
Joylo Limited
Registered in Ireland, CRO 818120
6 Fern Road, Sandyford Business Park, Dublin 18, D18 FP98, Ireland