Privacy Policy
Last updated: April 23, 2026
In case of any conflict between this English version and the Dutch version, the Dutch version prevails.
1. Data controller
JetUp, registered at Kanaalkade 57, 1811 LS Alkmaar, Nederland. Chamber of Commerce no. 81581513. VAT no. NL862145831B01. Privacy questions? Email hello@jetup.nl.
2. GDPR compliance
JetUp processes personal data in accordance with the General Data Protection Regulation (GDPR). We have signed Data Processing Agreements (DPAs) with all our sub-processors, including Anthropic, OpenAI, Supabase, Stripe and Vercel. These agreements ensure your data is processed according to European privacy standards.
3. Data we process
- Account: name, email, company name, hashed password.
- Payment: via Stripe - we never receive card details, only a reference and billing address.
- Content: anything you create or upload - chats, prompts, images, leads, business profiles.
- Usage: API calls, credit usage, error logs for support and billing.
4. Encryption and security
We take the security of your data seriously and apply multiple layers of encryption:
- Encryption in transit: all connections use TLS/SSL (HTTPS). Data is always encrypted between your browser, our servers, and sub-processors.
- Encryption at rest: the database is encrypted with AES-256 (via Supabase). Even with physical access to servers, data is unreadable without decryption keys.
- Application-level encryption: sensitive fields such as SMTP passwords and API keys are additionally encrypted with AES-256-GCM before storage. The encryption key lives exclusively in our secured server environment, not in the database itself.
- Passwords: user passwords are stored hashed via bcrypt (Supabase Auth). We cannot view your password.
- Multi-tenant isolation: Row-Level Security (RLS) at database level ensures each customer can only access their own data. Even in case of an application error, data cannot leak between customers.
5. Where data is stored
Your account, content and metadata are stored exclusively on EU servers:
- Supabase (database + file storage) - eu-west-1, Ireland. SOC2 Type II certified, AES-256 at rest.
- Vercel (application hosting) - EU edge (arn1). No data storage, processing only.
- Stripe (payments) - Ireland. PCI-DSS Level 1 certified. We never receive your full card details.
6. AI model providers and data minimization
For AI functionality (chat, image, video) we send prompts and uploads to US-based providers. We apply data minimization: only the strictly necessary business context is sent. Personal lead data (names, emails, phone numbers of your customers) is never sent to AI providers.
- Anthropic (Claude) - United States. API data is not used for model training. Data is retained for a maximum of 30 days for abuse detection, then automatically deleted. DPA signed.
- OpenAI (GPT, Whisper) - United States. API data is not used for training (since March 2023). Retention maximum 30 days for abuse monitoring. DPA signed.
- Replicate (Flux, Kling, Wan, Hailuo) - United States. Processes images and video. No storage after processing. DPA signed.
- Apify (web scraping) - Czechia/United States. Processes only publicly available web data, no customer data.
- DataForSEO (search volumes, SERP) - United States. Anonymous search queries only, no personal data.
Why 30-day retention at AI providers? Anthropic and OpenAI temporarily retain API requests (maximum 30 days) exclusively to detect and prevent abuse (e.g. generation of illegal content). After this period, data is automatically and permanently deleted. Data is never used to train their models.
Your use of AI features in JetUp is a deliberate choice. Non-AI features (lead management, team management, billing) process data exclusively on EU servers.
7. Google user data (Gmail, Google Ads)
When you connect your Gmail or Google Ads account in JetUp via Google OAuth, JetUp gains access to specific Google data. The following describes which data, for what purpose, and how we comply with the Google API Services User Data Policy including the Limited Use requirements.
7.1 Which OAuth scopes do we request?
- userinfo.email + userinfo.profile + openid — basic identification (name, email) to display the connected account in JetUp.
- gmail.readonly — read incoming emails (only those you explicitly let the Reply Mail agent process).
- gmail.send — send draft replies after your explicit approval in the JetUp dashboard.
- gmail.modify — create / update / delete drafts in your Gmail drafts folder.
- adwords — read Google Ads campaign data for performance reporting, AND modify campaign settings (e.g. pause, adjust budget) after your explicit approval in the JetUp dashboard.
7.2 What do we use this data for?
Solely to deliver the user-facing features you have actively enabled:
- Gmail content is sent to our AI models only to generate a draft reply that lands in your Gmail drafts folder.
- Google Ads data is used for performance reporting, spend monitoring and AI-driven optimization suggestions (e.g. budget adjustments, pausing under-performing ads). Changes are applied only after your explicit approval in the dashboard.
7.3 Limited Use Disclosure
JetUp's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements:
- We use Google user data only to provide or improve user-facing features that you have actively enabled within JetUp.
- We do not transfer Google user data to third parties, except to the strictly necessary sub-processors (Anthropic / OpenAI for AI processing, Nango for token storage) under signed data processing agreements.
- We do not use Google user data for advertising.
- We do not use Google user data to train, fine-tune or improve any AI models. Anthropic and OpenAI guarantee in their API DPAs that API data is not used for training.
- No humans read Google user data, except: (a) with your explicit permission, (b) for security investigation upon suspicious activity, (c) to comply with applicable law, (d) for anonymized aggregates.
7.4 Where are your Google tokens stored?
OAuth access and refresh tokens are stored encrypted at Nango (our OAuth provider, EU region). We only retain a reference ID. The actual mail or calendar content is not permanently stored — it is processed only in-memory to generate a draft. The AI-generated draft itself is retained for a maximum of 30 days for the approval flow, after which it is automatically deleted.
7.5 Revoking access
You can revoke JetUp's access to your Google account at any time via:
- Inside JetUp: /integrations → click the Google connection → "Disconnect".
- At Google: Google Account → Security → Third-party apps → JetUp → Remove access.
After revoking, we delete all tokens and metadata linked to your Google account from our systems within 24 hours.
8. Microsoft user data (Outlook)
When you connect your Outlook account via Microsoft OAuth, JetUp gains access to Microsoft Graph API. We apply the same Limited Use principles as for Google.
- Scopes: Mail.Read (read unread mail), Mail.Send (send after explicit approval), Mail.ReadWrite (manage drafts), offline_access (token refresh), User.Read (basic profile).
- Purpose: identical to Gmail — Reply Mail agent reads mails, generates drafts, sends after your approval.
- No advertising, no training, no transfer beyond strictly necessary sub-processors.
- Token storage: encrypted at Nango (EU region). Mail content not permanently stored.
- Revoke access: via JetUp /integrations or Microsoft Account → App access. Tokens removed within 24 hours.
9. Other OAuth services (Slack, Discord, Monday, WordPress, WooCommerce, Missive)
JetUp also supports OAuth connections to Slack, Discord, Monday.com, WordPress, WooCommerce and Missive. The same principles apply for all:
- Scopes: minimal and purpose-bound — only what the JetUp feature requires (e.g. Slack: chat:write + channels:read; WordPress: publish posts; Missive: create/read drafts).
- Purpose: solely the user-facing feature you actively enable (post notifications, publish blog, manage mail conversations).
- No training, no advertising, no transfer.
- Token storage: encrypted at Nango (EU region) or as basic-auth credentials encrypted in our EU database (AES-256-GCM).
- Revoke access: via JetUp /integrations or via the service's account management. Tokens removed within 24 hours of revocation.
Per service you can see in the JetUp dashboard exactly which scopes are active and when the connection was made.
10. Cookies
We only use strictly functional cookies (session, language preference). No tracking, advertising or analytics cookies. Therefore, no cookie banner is required.
11. Retention
- Active subscription: data is retained for the duration of your subscription.
- After cancellation: 30-day recovery period, then all content is permanently deleted.
- Invoices: 7 years per Dutch tax law.
- AI providers: maximum 30 days after processing (see section 6).
12. Your GDPR rights
Under the GDPR you have the following rights:
- Access: request a complete overview of your stored data.
- Rectification: have incorrect data corrected.
- Erasure: have all your data permanently deleted ("right to be forgotten").
- Restriction: restrict the processing of your data.
- Portability: receive your data in a machine-readable format.
- Objection: object to certain processing activities.
Send a request to hello@jetup.nl. We respond within 30 days. Identification may be required to process your request.
13. Data breaches
In the unlikely event of a data breach, we will report it to the Dutch Data Protection Authority within 72 hours per Article 33 GDPR. Affected customers will be notified directly via email.
14. Complaints
Not satisfied? You can file a complaint with the Dutch Data Protection Authority.
15. Changes
We may update this policy. Material changes are announced 30 days in advance via email to account holders. The most recent version is always available on this page.