Privacy Policy
Last updated: 2025-10-01
1. Introduction
This Privacy Policy explains how JoinxUs ("we," "us," "our") collects, uses, shares, and protects information when you use our websites, applications, APIs, and services (the "Service").
We are a SaaS platform enabling organizations to run partner/promoter programs with proof-based conversions and payout workflows. We strive to collect only what we need to deliver and improve the Service.
2. Who We Are; Roles
- Controller. For our website, account administration, and marketing activities, JoinxUs is the data controller.
- Processor. For Customer Data submitted by Orgs into the Service (e.g., campaign, promoter, and conversion data), JoinxUs acts as a processor on behalf of the Org (the controller). We process such data per the Org's instructions and our data processing addendum (DPA) where applicable.
- Contact: hello@joinx.us.
3. Information We Collect
- Account & Org Data: name, email, password (hashed), role/permissions, Org information, billing admin details.
- Campaign & Promoter Data: campaign settings, commission rules/caps, promoter profiles, payout preferences (via Stripe Connect).
- Conversion & Proof Data: records of outcomes, timestamps, metadata, attached proof (e.g., text, images, PDFs), review statuses and audit logs.
- Payment Data: processed by Stripe. We do not store raw card or bank details.
- Usage & Device Data: logs, IP address, browser/user-agent, device identifiers, app events, and diagnostics.
- Support & Communications: messages, emails, feedback, and survey responses.
4. Sources of Information
We collect information directly from users, from Orgs acting as controllers, automatically through the Service, and from service providers (e.g., Stripe) necessary to operate the Service.
5. How We Use Information
- Provide, maintain, and secure the Service, including authentication, RBAC, audit logging, and fraud prevention.
- Process conversions, approvals, commission calculations, and payout readiness.
- Operate billing and subscriptions (via Stripe Billing) and promoter payouts (via Stripe Connect).
- Provide support, respond to inquiries, and improve reliability and user experience.
- Analyze product usage in aggregate to improve features and performance.
- Send transactional communications (e.g., system notices, security alerts). With consent or as permitted, send product updates or marketing.
- Comply with legal obligations and enforce our Terms.
6. Legal Bases (EEA/UK)
Where GDPR/UK GDPR applies, we rely on: (a) performance of a contract; (b) legitimate interests (e.g., Service security, product improvement); (c) consent where required (e.g., certain marketing cookies); and (d) compliance with legal obligations.
7. Sharing of Information
- Service Providers & Sub-Processors: infrastructure (Google Cloud/Firebase), payments (Stripe), analytics/support tools. They process data under agreements consistent with this Policy.
- Within an Org: data is shared with users according to Org roles and permissions.
- Legal & Safety: to comply with law, enforce agreements, or protect rights, safety, and security.
- Business Transfers: in connection with a merger, acquisition, or asset sale.
- We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined by certain state privacy laws, unless explicitly stated and offered with an opt-out.
8. Cookies & Similar Technologies
- Essential: authentication, session, security.
- Analytics: product usage to improve reliability and UX.
You can control cookies in your browser. Blocking essential cookies may break core features. See our Cookie Policy for details.
9. Data Retention
We retain data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Orgs may configure retention or request deletion where available. Some logs and backups may persist for a limited period.
10. Security
We employ measures appropriate for a SaaS provider, including TLS in transit, encryption at rest, RBAC, audit logs, least-privilege access, and backups. No system is perfectly secure; you are responsible for safeguarding credentials and securing any systems that receive data via webhooks or exports. See Security for more.
11. International Data Transfers
We may transfer personal data internationally, including to the United States. Where required, we use appropriate safeguards such as Standard Contractual Clauses. By using the Service, you understand your data may be processed in countries with different laws than your own.
12. Your Rights
- EEA/UK/Swiss Residents: rights to access, rectification, erasure, restriction, objection, and data portability, and to withdraw consent where applicable.
- California and certain US States: rights to know, access, correct, delete, and, where applicable, opt out of sale/share or certain profiling. We do not sell personal information.
- Requests should be sent to hello@joinx.us. We may verify your identity and coordinate with the relevant Org if we act as processor.
13. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child provided personal information, contact us to request deletion.
14. Data Subject Requests; DPA; Sub-Processors
For controller-level requests (e.g., a promoter asks to delete data), we will route the request to the relevant Org where we act as processor. For a DPA or list of sub-processors, contact hello@joinx.us.
15. Changes to This Policy
We may update this Policy periodically. We will notify you of material changes via the Service or email. Continued use after changes take effect means you accept the updated Policy.
16. Contact Us
Questions or requests: hello@joinx.us.