GDPR Compliance

Data protection and privacy compliance documentation

GDPR Compliance Summary

Jaapi cares about privacy and actively protects your personal data. We maintain GDPR compliance through technical and organizational measures to protect personal data and respect privacy rights.

Data Location: Primarily EU (Frankfurt)
Legal Basis: Contract performance, legitimate interest
Access Control: Password/SSO protection
Last Updated: December 29, 2025

Data Processing Overview

This section explains what personal information we handle and why we're legally allowed to process it. Under GDPR, we must have a valid legal reason (called a "legal basis") for everything we do with your data.

Data We Process

  • Account Data: Name, email, role
  • Shipping Data: Delivery addresses
  • Billing Data: Invoicing addresses, direct debit details
  • Order Data: Purchase history, preferences
  • Usage Data: System logs, analytics

Legal Basis

  • Contract Performance: Order processing, account management
  • Legitimate Interest: Analytics, fraud prevention, system security
  • Consent: Marketing communications (where applicable)

Data Storage & Security

We store your data primarily within the European Union to ensure a high level of privacy protection. For customer support (Pylon) and team communication (Slack), data is stored in the US under EU Standard Contractual Clauses (SCCs), the Article 46 GDPR safeguard for transfers of personal data outside the EU/EEA.

Data Location

Primary data is stored in EU regions; the two US-hosted services are covered by SCCs:

  • Primary Database: AWS Frankfurt
  • CDN Assets: Hetzner Falkenstein
  • Backups: EU regions only
  • Support Tickets: US (Pylon, with EU SCCs)
  • Team Communication: US (Slack, with EU SCCs)

Security Measures

  • TLS 1.3 encryption in transit
  • Database encryption at rest
  • HTTPS-only application
  • Role-based access controls
  • Secure UUID session tokens
  • Audit logging of admin actions

Data Subject Rights

GDPR gives you specific rights over your personal data. These aren't just promises - they're legal rights that we must honor. You can exercise any of these rights at any time, and we'll respond within one month.

Contact us at lynn@jaapi.store to exercise these rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Data Portability: Receive data in a machine-readable format
  • Object: Object to processing based on legitimate interest
  • Restrict Processing: Limit how we process your data

Data Retention

We don't keep your data forever. We only retain information as long as necessary for the service you're using, plus any legal requirements (like tax records). Once data is no longer needed, we delete it permanently.

Account Data

Retained for the duration of the service relationship. Hard deletion is available on request.

Order Data

Retained for the service period plus the statutory retention period for tax and accounting records (7+ years). Anonymized where possible.

System Logs

Automatically deleted after 30 days.

Session Data

Sessions expire automatically; the expiry interval is set in the database schema.

Third-Party Processors

We work with trusted partners to provide our service - for example, AWS hosts our databases and Stripe processes payments. All these partners are carefully vetted and must meet the same GDPR standards we do. Your data stays protected even when these partners help us serve you.

Infrastructure and Service Processors

Processor    Purpose                              Location                              Certifications / Compliance
AWS          Database hosting                     Frankfurt, Germany (eu-central-1)     GDPR-compliant, ISO 27001, SOC 2
Juni         Business banking, expense management Sweden (EU)                           GDPR-compliant, ISO 27001, PCI DSS
MailerSend   Email delivery services              Belgium (EU region)                   GDPR-compliant, Data Privacy Framework
Pylon        Customer support ticketing           US (EU Standard Contractual Clauses)  GDPR-compliant, SOC 2 Type 2, ISO 27001
Slack        Team communication                   US (EU Standard Contractual Clauses)  GDPR-compliant, SOC 2 Type 2, ISO 27001
Stripe       Payment processing                   Ireland (EU)                          PCI DSS, GDPR-compliant, SOC 2
Vercel       Application hosting and deployment   Frankfurt, Germany (eu-central-1)     GDPR-compliant, SOC 2 Type 2, ISO 27001

Fulfillment Partners

Jaapi uses specialized on-demand production partners to manufacture and ship orders. These partners receive only the minimal data required for order fulfillment (recipient name, shipping address, product specifications) and operate as data processors under Article 28 GDPR with appropriate Data Processing Agreements in place.

Since our fulfillment partner relationships are commercially confidential, we provide this information upon request rather than publishing it publicly. To obtain our current list of fulfillment partners, please contact lynn@jaapi.store. We ask that supplier identities be treated as confidential business information.

Sub-processor Changes: Jaapi maintains general authorization to engage and change sub-processors as needed to provide our service. Customers may request current sub-processor information at any time and may object to the use of a sub-processor on reasonable data protection grounds.

Contact & Compliance

We take data protection seriously and have dedicated resources to ensure compliance. If you have questions about your privacy rights or concerns about how we handle data, we're here to help.

Data Protection Officer

For privacy-related questions or to exercise your data subject rights:

Lynn Smeria
lynn@jaapi.store

Incident Reporting

We maintain automated monitoring and breach-response procedures. As required by Article 33 GDPR, we notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and under Article 34 we inform affected data subjects where the breach is likely to result in a high risk to them. Incidents are tracked and documented in compliance with GDPR requirements.

Audit Rights: Customers may request documentation of our security controls and conduct audits with reasonable advance notice, limited to one inspection per calendar year during normal business hours.