Privacy Policy

Effective: January 1, 2026 | Last updated: January 1, 2026

1. Controller Information

JD Software Labs ("we," "us," or "our") is the data controller responsible for your personal data.

Company: JD Software Labs
Website: jdsoftwarelabs.com
Privacy Contact: [email protected]
Location: Mexico

Controller vs. Processor

When you use our Service to process your end-users' data (e.g., WhatsApp conversations), we act as a data processor on your behalf, and you are the data controller for that data.

2. Scope of This Policy

This Privacy Policy applies to:

Our website at jdsoftwarelabs.com
The JD Software Labs dashboard and platform
Any other services that link to this policy

This policy does not apply to third-party services integrated with our platform (WhatsApp, Google, OpenAI, etc.), which have their own privacy policies.

3. Personal Data We Collect

We collect personal data in the following categories:

3.1 Account and Administrative Data

When you create an account or contact us:

Name and email address
Organization name
Password (encrypted)
Account preferences and settings
Support communications

3.2 Google Calendar Integration

If you enable Google Calendar integration:

OAuth tokens for calendar access
Calendar event data (titles, times, attendees) as needed for scheduling features
Your Google email address for authentication

Limited Use Disclosure

Our use of Google Calendar data complies with Google's Limited Use Requirements. We only access calendar data to provide scheduling features and do not use it for advertising or unrelated purposes.

3.3 WhatsApp / Meta Platform Data

Through your WhatsApp Business integration:

Phone numbers of end-users who message your chatbot
Message content (text, media references)
Conversation timestamps and metadata
WhatsApp Business Account identifiers

This data is processed to provide chatbot functionality and is stored according to your retention settings.

3.4 Billing and Payment Data

For paid subscriptions:

Billing contact name and address
Payment method details (processed by Stripe; we do not store full card numbers)
Transaction history and invoices

3.5 Technical and Usage Data

Automatically collected when you use our Service:

IP address and approximate location
Browser type, device information, and operating system
Pages visited and features used
Referral source and session duration
Cookies and similar tracking technologies

4. Legal Bases for Processing (GDPR)

We process personal data under the following legal bases:

Contract Performance: Processing necessary to provide the Service you requested (account management, chatbot functionality)
Legitimate Interests: Analytics, security, fraud prevention, and service improvement, balanced against your rights
Consent: Marketing communications, optional integrations (e.g., Google Calendar), and cookies where required
Legal Obligation: Tax records, legal compliance, and responding to lawful requests

You can withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy:

Account Data: Retained while your account is active, plus 30 days after deletion request to allow recovery
Conversation Data: Retained according to your configured retention settings (default: 90 days), or until you delete it
Billing Records: Retained for 7 years as required by tax laws
Technical Logs: Retained for up to 12 months for security and debugging purposes

Configurable Retention

You can configure conversation data retention periods in your dashboard settings. Contact support for custom retention requirements.

6. Data Sharing and Processors

We share personal data with the following categories of recipients:

AI Providers: OpenAI, Google (Gemini), and/or Anthropic process conversation content to generate chatbot responses, based on your configuration
Infrastructure: Hetzner (Germany/EU) for hosting and data storage
Payment Processing: Stripe for subscription billing
Analytics: We may use privacy-focused analytics tools
Legal Requirements: Authorities when required by law or legal process

We do not sell your personal data. We require all processors to maintain appropriate security measures and process data only as instructed.

7. International Transfers

Your data may be transferred internationally:

Primary Storage: Our servers are located in Germany (EU), within Hetzner's data centers
AI Processing: Depending on your configuration, conversation data may be sent to AI providers in the United States (OpenAI, Anthropic, Google)
Safeguards: For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and/or adequacy decisions where applicable

EU Data Storage

Core platform data is stored in the EU. AI processing locations depend on which provider you configure for your chatbots.

8. Your Rights

Depending on your location, you may have the following rights:

Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Receive your data in a structured, machine-readable format
Restriction: Limit how we process your data
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law).

Verification

We may need to verify your identity before processing rights requests to protect your data.

9. Security Measures

We implement appropriate technical and organizational measures to protect your data:

Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Role-based access, strong authentication requirements
Infrastructure Security: Firewalls, intrusion detection, regular security audits
Secure Development: Code reviews, vulnerability scanning, dependency updates
Incident Response: Documented procedures for detecting, reporting, and responding to data breaches

While we strive to protect your data, no system is 100% secure. Please notify us immediately if you suspect unauthorized access to your account.

10. Children

Our Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time:

Material Changes: We will notify you via email or dashboard notice at least 30 days before material changes take effect
Minor Changes: Non-material updates may be made with notice on our website
Review: We encourage you to review this policy periodically

Continued use of the Service after changes take effect constitutes acceptance of the updated policy. Contact [email protected] with any questions.