Privacy Policy

Joylo Limited |Effective

Joylo helps founders and teams take applications from idea to production by combining AI code generation with certified human engineers. Doing that well requires your trust, and trust starts with being clear about data. This policy explains what we collect, how we use it, who can see it, and the rights you have. We have written it in plain English, because a privacy policy you cannot understand protects nobody.

The short version

  • You own your projects. Your prompts, your code, and your applications belong to you.
  • Humans never look at your project unless you ask. Expert Assist engineers access your code only when you trigger an engagement, and only for that engagement.
  • Your data is not for sale. We do not sell personal data and we do not run ads.
  • You can choose where your data lives. Hosting defaults to AWS in the United States. EU hosting is available on request, and enterprise deployments are pinned to the region you choose, including your own cloud.
  • AI providers cannot train on your content. Our agreements with model providers do not permit your content to be used to train their general-purpose models.
  • Your code is portable. You can export your project and take it with you at any time.

1. Who We Are

Joylo Limited ("Joylo", "we", "us", "our") is a private company limited by shares incorporated in Ireland, registered with the Companies Registration Office under company number 818120, with its registered office at 6 Fern Road, Sandyford Business Park, Dublin 18, D18 FP98, Ireland.

We operate joylo.ai and related applications and services (the "Platform"). For the personal data described in this policy, Joylo Limited is the data controller under the EU General Data Protection Regulation ("GDPR") and the Irish Data Protection Act 2018. Our supervisory authority is the Irish Data Protection Commission.

For anything in this policy, contact privacy@joylo.ai.

2. What This Policy Covers

Joylo plays two different roles depending on whose data is involved:

The dataWho is responsible
Your account, projects, billing, and use of the PlatformJoylo is the controller. This policy applies.
Personal data of your applications’ end usersYou are the controller. Joylo processes this data on your behalf as a processor under our Data Processing Addendum.

If you deploy applications that collect personal data from your own users, you are responsible for providing your own privacy notice, establishing a lawful basis, and complying with the data protection laws that apply to you. Our Data Processing Addendum sets out how we handle that data as your processor. Request a copy at privacy@joylo.ai.

This policy does not apply to third-party services you choose to connect to your applications. Their own policies govern their processing.

3. The Data We Collect

CategoryExamplesSource
Account dataName, email address, hashed password, workspace and notification settingsYou
Project ContentPrompts, chat history with the AI, generated code, files you upload, configurations, deployment settingsYou and the Platform
Billing dataPlan, credit purchases, credit consumption, invoices, VAT details. Card payments are handled by our payment processor. We never store full card numbers.You and our payment processor
Usage and log dataIP address, browser and device information, pages and features used, credit metering events, timestamps, error and diagnostic logsAutomatic
Support dataSupport tickets, emails, Expert Assist requests and related correspondenceYou
Marketing dataEmail address and preferences, if you subscribe to updatesYou

The Platform is not designed for special category data such as health records or biometric identifiers. Please do not include it in your Project Content. Section 2 explains your responsibilities for personal data inside applications you build.

4. How We Use Your Data and Why It Is Lawful

Under the GDPR we need a legal basis for everything we do with your personal data. Here is each purpose and its basis:

PurposeLegal basis (GDPR Art. 6)
Providing the Platform: building, deploying, and hosting your applications, metering credits, and managing your accountPerformance of a contract
Processing payments, invoices, and subscription changesPerformance of a contract
Delivering Expert Assist and Co-Build engagements you requestPerformance of a contract
Securing the Platform: preventing fraud, abuse, and unauthorised accessLegitimate interests
Improving the Platform, including the AI Confidence Score, using de-identified and aggregated dataLegitimate interests
Sending service communications about your account, billing, security, or changes to the PlatformPerformance of a contract and legal obligation
Sending marketing communicationsConsent, which you can withdraw at any time
Meeting legal obligations, including tax, accounting, and lawful requests from authoritiesLegal obligation

Where we rely on legitimate interests, we balance those interests against your rights and freedoms, and we use de-identified data wherever possible.

5. How AI Processing Works

When you build with Joylo, your prompts and the relevant parts of your Project Content are sent to large language model providers to generate code, plans, and responses. Our primary provider is Anthropic, whose Claude models we access through the Anthropic API. We use OpenAI models for certain planning and agent functions. On enterprise deployments, model inference can run through Amazon Bedrock inside the deployment region instead.

Our agreements with these providers do not permit them to use your prompts or Project Content to train their general-purpose models.

Project files are provided to models as direct context for your specific request. Data stored inside your deployed applications’ production databases is not transmitted to AI providers as part of normal Platform operation.

The AI Confidence Score is an automated assessment of the technical readiness of your build. It flags weaknesses in areas such as deployment, authentication, security, and scaling before you go to production, so you can decide where engineering help is worth it. It informs decisions; it does not make decisions that produce legal or similarly significant effects about you within the meaning of GDPR Article 22.

6. Expert Assist and Human Access

Joylo staff and engineers never access your project automatically. Human access to your Project Content happens in only two situations: when you actively request it, or when it is strictly necessary to investigate a security incident, abuse, or a legal obligation. In the second case, access is logged and limited to what is necessary.

When you trigger Expert Assist or purchase a Co-Build plan, certified Joylo engineers deliver the work. They access your project, code, and related content solely to complete the engagement you requested, are bound by confidentiality obligations, and lose access when the engagement ends.

Our engineering team works from Ireland, India, and Kenya. Where an engineer outside the European Economic Area accesses your data, the transfer safeguards in Section 8 apply.

We keep a record of each engagement, including the issue found, the fix applied, and the outcome. We retain these records in de-identified form to improve the reliability of the Platform and the accuracy of the Confidence Score.

7. Who We Share Data With

We share personal data only with providers who help us run the Platform, under contracts that restrict how they may use it. We never sell personal data and we never share it for advertising. Our current providers:

ProviderPurposeLocation
Amazon Web ServicesCloud hosting and storage; model inference through Amazon Bedrock on enterprise deploymentsUnited States by default; EU and enterprise regions available
NeonManaged application databasesFollows your hosting region; United States by default
AnthropicAI code generationUnited States
OpenAIAI planning and agent functionsUnited States
StripePayment processingEuropean Union and United States
Analytics, support, and email toolsProduct measurement, customer support, and service communicationsEuropean Union and United States

We update this list as our providers change, and material changes are reflected in an updated version of this policy. We may also disclose personal data where required by law, to enforce our terms, to protect the rights or safety of Joylo, our users, or others, or as part of a corporate transaction such as an investment, financing, or acquisition, in which case we will notify you where required.

8. International Transfers

Where your data is hosted depends on your plan:

  • Standard plans are hosted with Amazon Web Services in the United States (Northern Virginia) by default. If you want your account hosted in the European Union, contact support and we will transfer your account to our EU region.
  • Enterprise deployments are pinned to the region you choose, either in a dedicated environment or in your own cloud account, so application data does not leave that region.

Some processing happens outside the European Economic Area: our default United States hosting, AI providers, and our payment processor. Our engineering team works from Ireland, India, and Kenya, so an engagement you request may also involve access from outside the EEA. Wherever that happens, we protect EEA and UK personal data with European Commission Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, and additional contractual and technical safeguards.

9. How Long We Keep Data

DataRetention
Account dataWhile your account is active, then deleted within 30 days of account closure or a verified deletion request
Project ContentWhile your account is active, then deleted within 30 days of account closure; residual copies are purged from backups within 90 days
Usage and log dataUp to 90 days for operational logs; up to 12 months for security logs
Billing and transaction records6 years, as required by Irish tax and company law
Support correspondence24 months after the ticket is closed
Engagement records (Expert Assist, Co-Build)De-identified after the engagement ends; de-identified records are no longer personal data and may be retained
Marketing dataUntil you unsubscribe or withdraw consent

10. How We Protect Your Data

Our safeguards include:

  • Encryption of data in transit and at rest
  • Role-based access controls and the principle of least privilege
  • Isolated environments for each project
  • Data residency options, including EU hosting on request and region-pinned enterprise deployment
  • Logging and monitoring of access to production systems
  • Confidentiality obligations for all staff and engineers
  • Due diligence and contractual safeguards for every provider listed in Section 7

We continue to invest in our security programme, including work toward independent certification. If a personal data breach occurs that puts your rights at risk, we will notify the Data Protection Commission within 72 hours where required and tell you without undue delay.

One request from us: never place passwords, API keys, or other secrets in prompts or in code you share publicly.

11. Your Rights

If you are in the European Economic Area or the United Kingdom, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Receive your data in a structured, commonly used, machine-readable format (portability)
  • Object to processing based on legitimate interests, and to direct marketing at any time
  • Withdraw consent at any time, without affecting processing that already happened
  • Not be subject to solely automated decisions with legal or similarly significant effects, which we do not carry out

To exercise any right, email privacy@joylo.ai. We will verify your identity and respond within one month. If a request is complex and we need more time, we will tell you why and respond within three months at the latest.

You can also complain to the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (www.dataprotection.ie), or to your local supervisory authority. We would appreciate the chance to resolve your concern first.

If you are outside the EEA and the UK, we extend the same core commitments: you can access, correct, and delete your personal data, and opt out of marketing at any time, subject to the laws that apply where you live.

12. Cookies

We use cookies and similar technologies in three ways: strictly necessary cookies that make the Platform work, such as sign-in and security; analytics cookies that help us understand how the Platform is used; and marketing cookies that measure our campaigns. Strictly necessary cookies do not require consent. Analytics and marketing cookies are set only with your consent where the law requires it, and you can change your choices at any time through the cookie settings on our website or your browser controls.

13. Children

The Platform is for people aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact privacy@joylo.ai and we will delete it.

14. Changes to This Policy

We will update this policy as the Platform and the law evolve. The effective date at the top always shows the current version. For material changes, we will give you at least 30 days’ notice by email or through the Platform before they take effect.

15. Contact Us

Joylo Limited

Registered in Ireland, CRO 818120
6 Fern Road, Sandyford Business Park, Dublin 18, D18 FP98, Ireland

privacy@joylo.ai