This Privacy Policy explains how Jo & Ko OÜ ("we", "our", "us") collects, uses, and protects your personal data when you use our website, participate in surveys, or interact with our products and services.
We are based in the European Union (Estonia) and comply fully with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679).
1. Data Controller
Jo & Ko OÜ
Sepapaja 6, Tallinn 15551, Estonia
Email: filippo.pedrazzini@joandko.io
Data Controller: Filippo Pedrazzini
2. What Data We Collect
We may collect the following types of personal data, depending on how you interact with our services:
a. User-Provided Data
- Name and surname (if provided)
- Email address
- Payment details (via Stripe)
- Survey responses and feedback
- Account credentials (email/password via Clerk)
b. Automatically Collected Data
- IP address and device/browser info
- Usage and interaction data (via Plausible, PostHog)
- Error logs (via Sentry)
- Login/session metadata (via Clerk)
- Email activity metadata (via Resend)
- Web behavior (page visits, clicks)
3. Google User Data
- When you sign in with Google, we access basic profile information (such as your name, email address, and profile image) as authorized by you.
- We use this data only to provide login and account functionality.
- We do not share or sell Google user data.
- You can revoke access at any time via your Google Account permissions page.
- Any stored Google user data is deleted within 30 days of account disconnection or deletion.
4. How We Use Your Data
We process your data for the following purposes:
- To authenticate and manage user accounts (via Clerk)
- To provide access to our services and surveys
- To send transactional emails and newsletters (via Resend and Ghost)
- To process payments (via Stripe)
- To analyze website and product usage (via Plausible and PostHog)
- To monitor and fix errors (via Sentry)
- To comply with legal obligations and respond to requests from authorities
5. Legal Basis for Processing
We process your personal data lawfully under the following GDPR legal bases:
- Consent – for analytics, marketing emails, and voluntary survey responses.
- Contractual necessity – to provide services you've requested (e.g. authentication, payments).
- Legal obligations – for tax, accounting, and regulatory compliance.
- Legitimate interests – such as service improvement, security, and performance monitoring (e.g. via Sentry, PostHog).
You can withdraw your consent at any time.
6. Third-Party Services
We use third-party providers to support our services. These providers may process your data on our behalf under strict data protection agreements:
| Service | Purpose | Location | Terms of Service | Privacy Policy |
|---|---|---|---|---|
| DigitalOcean | Hosting infrastructure | EU / US | Terms | Privacy |
| Clerk | User authentication | US | Terms | Privacy |
| Stripe | Payment processing | US / EU | Terms | Privacy |
| Ghost | Newsletter & publishing | EU / US | Terms | Privacy |
| Resend | Transactional emails | US | Terms | Privacy |
| Plausible | Cookie-free web analytics | EU (Germany) | Terms | Privacy |
| PostHog | Product analytics | US / EU (self-hosted) | Terms | Privacy |
| Sentry | Error monitoring | US / EU option | Terms | Privacy |
| Notion | Surveys & embedded forms | US | Terms | Privacy |
Data is transferred outside the EEA only where adequate safeguards are in place (e.g. Standard Contractual Clauses (SCCs)).
7. Cookies and Analytics
We use a privacy-friendly approach to analytics:
- Plausible Analytics: Cookie-free, anonymous tracking.
- PostHog: Used for product feature usage insights.
We use a cookie consent banner to obtain your explicit consent before setting any non-essential cookies or tracking tools.
You can manage your preferences at any time via the "Change Cookie Settings" link in our footer.
8. How Long We Keep Your Data
We retain your data only as long as necessary to:
- Fulfill the purpose for which it was collected
- Comply with legal or contractual obligations
- Resolve disputes and enforce agreements
Typical retention periods:
- Survey and contact data: Up to 12 months
- Payment records: 7 years (for accounting)
- Analytics and session data: Up to 12 months or as configured in the tool
- Newsletter subscriptions: Until you unsubscribe
9. Your Rights Under GDPR
As an EU data subject, you have the following rights:
- Access – Request a copy of your data
- Rectification – Correct incorrect or incomplete data
- Erasure – Ask us to delete your data (“right to be forgotten”)
- Restriction – Ask us to limit processing of your data
- Portability – Receive your data in a machine-readable format
- Object – Object to processing where legitimate interest applies
- Withdraw Consent – At any time, for non-essential processing
To exercise any of these rights, email us at:
📧 filippo.pedrazzini@joandko.io
10. Data Security
We implement appropriate technical and organizational measures to protect your data. These include:
- HTTPS encryption
- Access control and authentication
- Data minimization and anonymization
- Secure third-party agreements and audits
11. International Data Transfers
Where data is transferred outside the EU/EEA (e.g. to the United States), we ensure:
- Standard Contractual Clauses (SCCs) are in place, or
- The provider is part of the EU-U.S. Data Privacy Framework (if applicable)
We only use third-party vendors that demonstrate GDPR compliance.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in technology, services, or legal requirements.
The most recent version will always be available on this page, with the "Last updated" date at the top.
13. Contact
For any privacy-related questions or to exercise your rights, contact:
Filippo Pedrazzini
📧 filippo.pedrazzini@joandko.io
🏢 Jo & Ko OÜ, Sepapaja 6, Tallinn 15551, Estonia