Privacy Policy

1. Who We Are

JustDeploy is operated by CUPPASOFT LTD (Company No. 16060739), registered in England and Wales at 13 Approach Road, London, SW20 8BA, United Kingdom. We are the data controller for personal information collected through the Service.

2. Information We Collect

Account Information

When you create an account, we collect:

• Email address — used as your username, for one-time verification codes, and for account communications
• Name — displayed in your profile and to team members

We do not collect or store passwords. Sign-in is via a one-time code we email you, or via Google Sign-In.

Google Sign-In

If you sign in with Google, we receive your name and email address from your Google account. We do not access your Google contacts, calendar, or any other Google services. Google Sign-In is subject to Google's Privacy Policy.

Organization and Project Data

When you use the Service, we store:

• Organization names and membership details
• Project names, configurations, and deployment settings
• Build artifacts (your uploaded source code)
• Database contents you create through the Service
• Files uploaded to storage
• API credentials
• Firewall rules and custom domain configurations
• Team invitations

Lead Capture Data

If you use the Lead Capture feature, JustDeploy stores form submissions you collect from your own users (such as visitors to your landing page) on your behalf. This may include name, email, phone number, company information, message content, marketing attribution (UTM parameters, referrer, source), and the IP address and user-agent of the submitter. For this data, JustDeploy acts as a data processor and you act as the data controller. You are responsible for establishing a lawful basis (such as consent), providing your own privacy notice to the individuals submitting the form, and complying with applicable privacy laws.

Payment Information

When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full card number on our servers. We retain only a reference to your Stripe customer account and basic card details (brand, last four digits, expiry) for display purposes.

Automatically Collected Information

• Server logs — HTTP request logs (IP address, request method, URL, status code, user agent) are collected for operational purposes
• IP address — when you use the firewall configuration feature, your public IP may be detected to help you set up access rules

3. What We Do Not Collect

• We do not use tracking or advertising cookies. We use only functional cookies necessary for the Service: a language preference cookie, and (when you arrive through an affiliate or referral link) a 30-day attribution cookie (ref_code) so the referring partner is credited at sign-up.
• We do not use analytics or tracking tools (no Google Analytics, Mixpanel, etc.)
• We do not perform device fingerprinting
• We do not collect geolocation data
• We do not sell or share your personal data with advertisers
• We do not use your code, database contents, or storage files to train AI or machine learning models

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:

• Contract performance — Processing necessary to provide the Service, manage your account, process deployments, and handle payments (Article 6(1)(b))
• Legitimate interests — Processing necessary for security monitoring, fraud prevention, service improvement, and enforcement of our Terms of Service (Article 6(1)(f))
• Legal obligation — Processing required to comply with applicable tax, accounting, and regulatory requirements (Article 6(1)(c))

5. How We Use Your Information

• To provide and maintain the Service
• To authenticate you and manage your account
• To send you account-related communications (e.g., one-time sign-in codes, team invitations)
• To process your deployments and manage your infrastructure
• To process payments and manage your subscription
• To enforce our Terms of Service and protect the security of the Service

6. How We Store and Protect Your Data

Infrastructure

All data is stored on Amazon Web Services (AWS) infrastructure in the United States (US East (N. Virginia) region).

Encryption

• One-time sign-in codes are stored briefly, hashed, and invalidated after use or expiry
• Sensitive credentials are encrypted at rest using AES-256 encryption
• All data in transit is encrypted via HTTPS/TLS

Authentication

We use token-based authentication stored in your browser. Tokens expire automatically.

7. Browser Storage

We store the following in your browser:

• Authentication token — for API authentication (expires automatically)
• User profile — your name and email
• Current organization — the organization you last accessed

This data is cleared when you sign out. You can also clear it manually through your browser settings.

8. Third-Party Services

We use the following third-party services to operate the Service:

• Amazon Web Services (AWS) — Cloud infrastructure including hosting, compute, storage, databases, and email delivery (Amazon SES). Data is processed in the US East (N. Virginia) region. Subject to AWS Privacy Notice.
• Stripe — Payment processing. When you subscribe to a paid plan, your payment information is collected and processed directly by Stripe. Subject to Stripe's Privacy Policy.
• Google Sign-In — Authentication. If you choose to sign in with Google, your name and email are provided by Google. Subject to Google's Privacy Policy.

We may update the list of third-party services from time to time. Material changes will be communicated through the Service or via email.

9. Data Sharing

We do not sell your personal data. We share your information only in these circumstances:

• With team members within your organization (name, email, and role are visible)
• With our infrastructure and service providers as necessary to operate the Service (see Section 8)
• With Stripe for payment processing when you subscribe to a paid plan
• When required by law or to protect the rights and safety of the Service

10. International Data Transfers

Our servers are located in the United States. As a UK-based company, we ensure that transfers of personal data from the UK to the United States are protected by appropriate safeguards in accordance with the UK GDPR, including the use of the UK International Data Transfer Agreement (IDTA) or other approved transfer mechanisms where required. By using the Service, you acknowledge that your data will be transferred to and processed in the United States.

11. Data Retention

• Account data is retained for as long as your account is active
• Build artifacts are retained for the lifetime of the associated project
• Server logs are retained for up to 90 days
• Lead capture submissions are retained for the lifetime of your organization. To delete individual leads or all leads ahead of organization deletion, contact support@justdeploy.ai
• Deleted resources are permanently removed after a reasonable retention period
• Team invitations expire automatically

12. Account Deletion

You may request deletion of your account at any time. Upon account deletion:

• Your personal data (name, email, authentication credentials) will be permanently deleted
• Your membership in all organizations will be removed
• Content associated with organizations you own may be deleted if you are the sole owner
• Some data may be retained where required by law (e.g., billing records for tax purposes)
• Deletion is typically completed within 30 days of the request

To request account deletion, contact us at support@justdeploy.ai or through the account settings in the Service.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.

14. Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your data in a portable format
• Object to or restrict certain processing of your data
• Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at support@justdeploy.ai. We will respond to your request within one month, as required by applicable data protection law.

15. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

17. Contact

If you have questions about this Privacy Policy or how we handle your data, you may contact us at:

• General enquiries: contact@justdeploy.ai
• Data protection requests: support@justdeploy.ai

CUPPASOFT LTD
13 Approach Road, London, SW20 8BA, United Kingdom