Privacy Policy

What Information We Handle

When you create an account and place orders through our platform, we collect information you provide directly to us. This includes your contact details like name and email address, shipping and billing addresses, and your order preferences. We also maintain your order history so you can track past purchases and easily reorder favorites.

Beyond what you directly provide, we automatically collect some technical information to keep our service running smoothly. This includes system usage data that helps us maintain security and improve performance. Under privacy law classifications, this information falls into categories like "identifiers" and "commercial information."

The people whose information we handle include employees and authorized users from organizations using our platform, gift recipients when someone sends branded items as gifts, and administrators who manage their organization's store settings.

How We Use Your Information

We use your information primarily to provide our branded merchandise service. When you place an order, we process your details to handle account management, process payments, and coordinate fulfillment with our suppliers. We also use your information for customer support, system maintenance, and security monitoring.

Sharing with delivery partners: To deliver your orders, we share your name, address, and phone number with logistics service providers like UPS, FedEx, and postal services. These carriers act as service providers on our behalf and are contractually required to protect your information, use it only for delivery purposes, and delete delivery details after completing delivery.

Our legal basis for this processing includes contract performance (fulfilling your orders), legitimate business interests (maintaining security and improving our service), your organization's instructions (when they set up your store), and legal compliance requirements.

Your Privacy Rights

You have control over your information. Depending on your location, you have rights including the ability to access what information we have about you, request corrections to inaccurate information, request deletion of your data, and object to certain types of processing.

For EU residents (GDPR): You have the right to access your personal data, rectify inaccurate information, erase your data (right to be forgotten), restrict processing, data portability, and object to processing based on legitimate interests. You also have the right to withdraw consent and lodge complaints with supervisory authorities.

For California residents (CCPA): You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you. You can request that we delete personal information we've collected from you, correct inaccurate information, and direct us not to sell or share your personal information. We will not discriminate against you for exercising any of these rights.

How to make requests: To exercise your privacy rights, you can email us at lynn@jaapi.store or contact your organization's administrator. We'll respond within 45 days, and if we need additional time, we'll let you know within the first 45 days and explain why.

Security & Protection

We protect your data using industry-standard security measures. All information is encrypted during transmission using TLS 1.3, and sensitive data is encrypted when stored in our databases. We use secure authentication methods, network security protections, and maintain our infrastructure primarily within EU regions.

Our team follows strict access controls with role-based permissions, receives regular data protection training, and we conduct regular security assessments. We also have incident response procedures in place and maintain comprehensive monitoring and logging systems.

Cookies & Tracking

We use cookies and similar technologies to make our service work properly and improve your experience. Essential cookies are necessary for basic functionality like keeping you logged in and maintaining your session. Analytics cookies help us understand how people use our site so we can make improvements.

Third-party services: We work with trusted partners for specific functions. Stripe handles payment processing, our hosting providers (Vercel and AWS) manage our infrastructure primarily in EU regions, and we use services like email delivery and search functionality that may process your data according to their own privacy policies. For a complete list of our service providers and their compliance details, please see our GDPR compliance page.

You can control many cookies through your browser settings, though disabling essential cookies may affect how our service works for you.

Service Providers & International Transfers

We work with carefully selected service providers to deliver our platform. These include Amazon Web Services and Vercel for hosting (primarily in EU regions), Stripe for payments, and various providers for email delivery, search functionality, and monitoring services.

When personal data needs to be transferred outside the European Economic Area, we ensure adequate protection through mechanisms like Standard Contractual Clauses, adequacy decisions where available, and additional technical safeguards as required by law.

How Long We Keep Information

We keep your information only as long as necessary to provide our service and meet legal requirements. We retain your account information while your account is active and your organization continues using our platform. Order history and transaction records are kept for accounting and legal compliance purposes, typically for seven years after the transaction.

System logs are automatically deleted after seven days, and session data expires automatically when you log out or your session times out. When you or your organization decides to stop using our service, we will return your data in a standard format (such as JSON or CSV) upon request, then delete your personal information and provide certification of deletion.

We may retain some anonymized business records for analytics purposes, but these cannot be linked back to you personally.

Security Incidents

If we experience a security incident that affects your personal information, we take it seriously. We'll notify affected customers without undue delay (within 72 hours where feasible) and provide all necessary information to assess the incident.

We'll assist with breach investigation and remediation efforts, document the incident and our response, and implement additional safeguards to prevent similar issues from happening again.

Contact Us

Questions about your privacy? Our Data Protection Officer, Lynn Smeria, handles all privacy matters, security incidents, and compliance questions. You can reach Lynn directly at lynn@jaapi.store.

For general questions about your account or orders, you can also contact your organization's administrator or use the support channels provided through your store.