General
This Privacy Policy ("Policy") describes how we collect and use your personal data in connection with the Journify Website and Services (as defined below). The terms "Journify", "we", "us", or "our" refer to the relevant Journify entity, as explained below.
Scope
This Policy applies to the Journify website (https://www.journify.io — the "Website") and service offerings available via the Website (collectively — the "Services"). The Services, together with our Website, are referred to as the "Platform".
This Privacy Policy does not constitute, create, or form part of any contract or warranty between you and Journify. It is provided for informational purposes under applicable privacy laws. Please check the Journify Terms of Service for the meaning of defined words not explicitly defined here.
Who is responsible for your data
For the purposes of applicable data protection laws, including the GDPR and the Saudi Personal Data Protection Law ("PDPL"), the relevant Journify entity acting as data controller may be one of the following:
| Name | Address | Contact |
|---|---|---|
| Journify Inc | 2716 Walnut Blvd, Walnut Creek, CA 94596, Delaware, USA | privacy@journify.io |
| Journify.io FZ-LLC | Dubai Internet City, Building 17, Office 151, UAE | |
| Journify Company | 3141 Anass Ibn Malik, Al Malqa District, Riyadh 13521, Kingdom of Saudi Arabia |
Each such entity may act as a data controller when you visit our Website or use our Services. Where any such entity processes personal data on behalf of a client, it acts as a data processor.
Failure to provide personal data
Please read this Privacy Policy and our Terms carefully before using the Services. If you do not agree with the Terms of Service, you should not use the Services.
If we are required by law to collect personal data, or if it is necessary to process your requests or fulfill a contract with you, and you do not provide the requested data, we may be unable to carry out your instructions or meet our contractual obligations. In such cases we may need to terminate our engagement, but we will inform you of this at the time.
If you have any questions about how we protect or use your data, please email us at privacy@journify.io.
Key terms and definitions
- Personal data — any information relating to an identified or identifiable natural person ("Data subject").
- Processing — any operation performed on personal data, whether or not by automated means, such as collection, storage, use, disclosure, or destruction.
- Data controller — the natural or legal person that determines the purposes and means of processing personal data.
- Data processor — a natural or legal person that processes personal data on behalf of the controller.
- You — any Visitor, Client, Partner, Lead, or Client's end user interacting with the Platform.
- Services — all features, tools, and functionalities provided through the Platform, including data activation, ingestion, advertising platform integration, and analytics.
- Cookies — text files stored on a visitor's computer or mobile device by a website's server.
Sources of personal data
When acting as a controller
- Directly from you — when you register an account, fill in forms, contact support, book a call, or exercise data subject rights.
- Automatically through your use — via cookies and tracking technologies when you use our website or platform.
- Third-party sources — from publicly available sources and third-party data providers for identifying companies and enriching business information.
When acting as a processor
- Through client use of our services — data collected via SDKs and plugins installed on customers' websites, mobile apps, or e-commerce stores, as well as data imported through offline files (e.g., CSV uploads).
- Other sources — depending on the customer's use case, other sources may be connected through the platform.
Why we process your data
As a data controller
- Account management & authentication — to register, facilitate, and manage your account and ensure authentication.
- Billing & invoicing — to manage subscriptions and process payments via third-party payment providers.
- Client testimonials — to collect, display, and share client feedback, including photos, for promotional purposes.
- Communication — to contact you about service matters, security, payment processing, or policy changes.
- Compliance with legal requirements — to comply with legal obligations, including responding to lawful requests from authorities.
- Cookies & tracking technologies — to ensure proper platform functioning and, where applicable and based on consent, support marketing activities.
- Defending or resolving legal claims — to defend our rights and resolve disputes including litigation and regulatory inquiries.
- Marketing & advertising — to contact Leads and Clients via email, phone, LinkedIn, and newsletters about our services.
- Sales call recording — to record sales calls for quality assurance, training, and maintaining accurate records.
- Partnership and collaboration — to contact and establish collaboration with technology and business partners.
- Platform analytics and development — to understand interactions with our service and optimize engagement and performance.
- Security maintenance & performance — to ensure platform security, access control, and continuity.
- Client support — to respond to queries, provide customer service, and implement your rights under GDPR and applicable laws.
When acting as a processor under client instructions
- Data source configuration — to enable clients to configure and connect their data sources.
- Data ingestion and processing — to collect and process personal data from configured sources including SDKs, plugins, and offline data.
- Data forwarding to destinations — to forward processed personal data to advertising and marketing platforms for campaign measurement and optimization.
- Tracking and event identification — to track events and behaviors of clients' end users across websites, apps, and e-commerce stores.
- Behavioral data analysis — to process and analyze behavioral data for campaign optimization including match rates, targeting, and ROAS metrics.
No sale of personal data
We do not sell personal data under any circumstances. Personal information collected is used solely for the purposes described in this policy and in accordance with applicable data protection laws. Any sharing of personal data with third parties occurs only where necessary to provide our services, comply with legal obligations, or with your explicit consent.
Types of personal data & legal basis for processing
Below are the categories of personal data we may collect and process:
- Account data — first name, last name, email address, automatically assigned Client ID.
- Aggregated analytics — statistical information about website and platform usage, page views, feature usage, performance metrics.
- Authentication data — passwords (stored in hashed format).
- Compliance information — data subject consent records, DSAR records, tax records, accounting data.
- Contact information — name, email address, phone number, LinkedIn contact information.
- Financial data — billing information.
- Legal and administrative records — correspondence related to disputes, claim details, court documentation.
- Marketing data — corporate email address.
- Media content — photographs, images, video and audio recordings of sales calls, feedback.
- Support communications data — subject line, request type, message content, and relevant attached files.
- Technical data — IP address, country code, device information, browser type and settings, cookie identifiers, logs.
- Clients' personal data — tracking data of clients' end users such as event data, user traits, offline data, behavioral data, cookies, IP addresses, and device information.
| # | Purpose | Data type | Subjects | Legal basis |
|---|---|---|---|---|
| 1. | Account onboarding, management & authentication | Account data, Authentication data | Clients | Article 6 (1) (b) GDPR (contract performance) |
| 2. | Billing & invoicing | Account data, Financial data | Clients | Article 6 (1) (b) GDPR (contract performance), Article 6 (1) (c) GDPR (legal obligation) |
| 3. | Client testimonials | Media content | Clients | Article 6 (1) (a) GDPR (consent) |
| 4. | Communication (service- and business related) | Contact information | Clients, Visitors, Partners | Article 6 (1) (b) GDPR (contract performance), Article 6 (1) (f) GDPR (legitimate interests) |
| 5. | Compliance with legal and regulatory requirements | Compliance information | Clients | Article 6 (1) (c) GDPR (legal obligation) |
| 6. | Cookies & other tracking technologies implementation | Technical data | Visitors, Clients | Strictly necessary: Article 6 (1) (b) and (f) GDPR; Marketing/Analytics: Article 6 (1) (a) GDPR |
| 7. | Defending or resolving legal claims | Compliance information, Contact information, Legal and administrative records, Support communications data | Clients, Visitors, Partners, Leads | Article 6 (1) (f) GDPR (legitimate interests), Article 6 (1) (c) GDPR (legal obligations) |
| 8. | Marketing & advertising | Marketing data | Leads, Clients | Article 6 (1) (a) GDPR (consent); for outbound leads sourced without consent, Article 6 (1) (f) |
| 9. | Sales call recording and quality assurance | Media content (e.g. call recordings) | Leads, Clients | Article 6 (1) (a) GDPR (consent) |
| 10. | Partnership and collaboration | Contact information | Partners | Article 6 (1) (f) GDPR (legitimate interests) |
| 11. | Platform analytics and development | Aggregated analytics | Clients, Visitors | Article 6 (1) (a) GDPR (consent), Article 6 (1) (f) GDPR (legitimate interests) |
| 12. | Security maintenance & performance | Technical data | Clients, Visitors | Article 6 (1) (f) GDPR (legitimate interests) |
| 13. | Client support | Account data, Contact information, Support communications data | Clients, Visitors, Partners, Leads | Article 6 (1) (b) GDPR (contract performance), Article 6 (1) (f) GDPR (legitimate interests) |
| 14. | Data source configuration, ingestion, forwarding to advertising platforms, tracking and event identification | Clients' end user personal data | Clients' end users | Legal basis established by the data controller |
Automated decisions
Under Article 22 of the GDPR, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.
Journify does not make any decisions based solely on automated processing, including profiling, which produces legal effects concerning data subjects.
International data transfers
Journify is a global business. We may transfer personal data to countries other than the one in which you reside. To offer our Service, we need to transfer your personal data to the United States, which is not considered to provide an adequate level of protection under EU data protection legislation.
Under data protection laws, we can only transfer your personal data outside the EEA where the European Commission has issued an adequacy decision, or where there are appropriate technical and organizational safeguards in place together with enforceable rights and effective legal remedies. In all cases, we implement Standard Contractual Clauses as adopted by the European Commission.
Please contact us if you want further information on the specific mechanism used when transferring your personal data out of the EEA.
Data retention practices
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with applicable legal, accounting, or reporting obligations. In determining appropriate retention periods, we consider the nature, scope, and sensitivity of the personal data, the potential risk of harm, and applicable legal requirements.
Where Journify acts as a data controller, personal data is retained for the duration necessary to provide the services and for a limited period thereafter, in line with applicable legal and regulatory requirements.
Where Journify acts as a data processor, personal data is retained in accordance with the client's documented instructions. Journify does not store client end-user data on its systems — personal data is processed in transit (including routing and transformation) and transmitted to third-party destinations designated by the client without being retained by Journify.
Information security
We maintain appropriate security procedures and technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, disclosure, alteration, or use. Our information-security program is mapped to SOC 2 Type 2 controls audited annually.
Updating personal data
If any personal data you have provided to us changes, or if you become aware we hold inaccurate personal data about you, please let us know at privacy@journify.io. We will not be responsible for any losses arising from inaccurate, inauthentic, deficient, or incomplete personal data that you provide to us.
Children's privacy
Journify does not knowingly collect any personal data from persons under the age of 18 years old unless instructed by our clients.
Your rights and choices
Under the GDPR, you have the following rights in relation to your personal data, subject to certain conditions and limitations:
- Right of access — to obtain confirmation as to whether we process your personal data and, if so, to request access to such data and information about how it is processed.
- Right to rectification — to request the correction of inaccurate or incomplete personal data concerning you.
- Right to erasure — to request the deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful. This right is not absolute and may be subject to legal obligations.
- Right to restriction of processing — to request that we limit the processing of your personal data in certain circumstances.
- Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller.
- Right to object — to object to the processing of your personal data where such processing is based on legitimate interests, including for direct marketing purposes.
- Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making — to not be subject to a decision based solely on automated processing which produces legal effects concerning you.
- Right to lodge a complaint — to lodge a complaint with a competent supervisory authority if you believe processing infringes applicable data protection laws.
To exercise any of these rights, contact us at privacy@journify.io. We may need to verify your identity before processing your request. If you are a client's end user, please contact the client directly as they are the data controller for your personal data.
Updates to this Privacy Policy
We reserve the right to update and change this Policy to reflect any changes to the way in which we process your personal data or changing legal requirements. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. You are advised to review this Privacy Policy periodically for any changes.
Contact information
We welcome your comments or questions about this Policy. You may contact us at:
- Email — privacy@journify.io
- United States — 2716 Walnut Blvd, Walnut Creek, CA 94596, Delaware
- Kingdom of Saudi Arabia — 3141 Anass Ibn Malik, Al Malqa District, Riyadh 13521
- United Arab Emirates — FZ-LLC, Dubai Internet City, Building 17, Office 151
Questions about your data?
Our privacy team answers within two business days. For urgent matters — security incidents or regulator requests — use the escalation line and we'll page someone on-call.
Addendum for Saudi Arabia (PDPL)
This Addendum supplements the Journify Privacy Policy and applies exclusively to personal data of individuals located in or residents of the Kingdom of Saudi Arabia ("KSA"). It sets out additional rights, obligations, and protections required under the Saudi Personal Data Protection Law ("PDPL"), Royal Decree No. M/19 (16 September 2021) and its Implementing Regulations. In the event of a conflict between this Addendum and the main Policy, this Addendum prevails with respect to Saudi data subjects.
Controller and Supervisory Authority
For the purposes of the PDPL, Journify Company, registered at 3141 Anass Ibn Malik, Al Malqa District, Riyadh 13521, Kingdom of Saudi Arabia, is the Data Controller for personal data collected from individuals located in the KSA.
The competent supervisory authority in Saudi Arabia is the Saudi Data and Artificial Intelligence Authority ("SDAIA"), reachable at https://sdaia.gov.sa. Clients in KSA may direct complaints or enquiries to SDAIA.
Legal basis and consent
- Consent (Article 5 PDPL) — where the data subject has given explicit, informed, and specific consent prior to processing.
- Contractual necessity (Article 6 PDPL) — where processing is necessary to perform a contract to which the data subject is a party.
- Legal obligation (Article 6 PDPL) — where processing is necessary to comply with a legal obligation imposed on Journify under Saudi law.
- Legitimate interests (Article 6 PDPL) — where processing is necessary for the purposes of legitimate interests pursued by Journify, except where overridden by the interests or rights of the data subject.
Age of consent
In accordance with the PDPL and applicable age of majority in KSA, Journify will not knowingly collect or process personal data from individuals under the age of thirteen (13) years in Saudi Arabia without verifiable parental or guardian consent.
International transfers
Journify transfers personal data outside the KSA to the United States and other jurisdictions. Such transfers are subject to PDPL safeguards: we only transfer data for permitted purposes, ensure the data importer is in a jurisdiction offering adequate protection, adhere to data minimization, and execute appropriate data transfer agreements including standard contractual clauses. Saudi data subjects may request information about specific safeguards by contacting privacy@journify.io.
Security and breach notification
In addition to the security measures described above, Journify implements controls appropriate to the sensitivity of Saudi personal data, including pseudonymisation and encryption at rest and in transit, periodic DPIAs for high-risk activities, and contractual data protection obligations on all sub-processors.
In the event of a personal data breach affecting Saudi data subjects, Journify shall: notify SDAIA within seventy-two (72) hours of becoming aware; notify affected data subjects without undue delay where the breach is likely to result in harm; and maintain a record of all breaches and remedial action taken.
Marketing and direct communications
Journify shall not contact Saudi data subjects for direct marketing purposes without prior and specific consent under Article 26 of the PDPL, except where a prior business relationship exists and the communication relates to a similar product or service. Every marketing communication shall include a clear mechanism for opting out.
Contact and complaints (PDPL)
- Registered address — Journify Company, 3141 Anass Ibn Malik, Al Malqa District, Riyadh 13521, Kingdom of Saudi Arabia.
- Privacy support — privacy@journify.io
- Supervisory authority — SDAIA — https://sdaia.gov.sa