Last Updated: May 28, 2026
This Privacy Policy describes how JellyMachine ("we," "us," "our," or the "Company") collects, uses, discloses, and protects your personal information when you use our website builder platform and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
When you create an account, we collect:
When you subscribe to paid plans, we collect through Stripe:
We do not directly store your full credit card numbers. All payment information is processed and securely stored by Stripe in accordance with PCI DSS standards.
When you create websites on our platform, we collect:
If you use our e-commerce features, we collect:
We automatically collect data about how you found our service:
We automatically collect information about your use of the Service:
We collect data from your communications:
If you connect third-party accounts, we collect:
When you connect your Facebook Page and/or Instagram Business or Creator account, we may access the following data through Meta's APIs:
You can disconnect your Facebook or Instagram account at any time from the Social Poster settings in your website dashboard. Disconnecting will revoke our access to your account data and stop any scheduled posts. You may also revoke access directly from your Facebook Settings or Instagram Settings.
If you use our Kanban boards, we collect:
If you add team members, we collect:
In accordance with applicable transparency requirements (including Article 50 of the EU AI Act), AI-generated content produced through the Service is identified as such where required by law. You remain solely responsible for reviewing AI-generated content before publishing and for ensuring it does not infringe third-party rights or mislead end users.
JellyMachine provides SMS/text messaging capabilities that allow businesses using our platform to communicate with their customers. If you provide your phone number and consent to receive SMS messages through a form on a website built with JellyMachine:
For questions about SMS messaging, contact us at support@jellymachine.com.
We share information with third-party service providers who perform services on our behalf:
We maintain Data Processing Agreements (DPAs) and, where required, Standard Contractual Clauses with each of these sub-processors. A full sub-processor list, including processing purpose, appears in Additional Disclosure A below. We will notify customers of new sub-processors in advance where required by GDPR Article 28.
If you connect social media accounts (Facebook, Instagram, X/Twitter), we share:
We also receive data from these platforms (profile information, insights, comments, messages, and media) as described in Section 1.8 to provide our social media management features. This data is used solely to power the Service and is not shared with other third parties.
If you use e-commerce features:
We may disclose information when required:
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
We may share information with third parties when you explicitly consent to such sharing.
We may share aggregated or anonymized data that cannot reasonably be used to identify you for research, analytics, or other purposes.
We use essential cookies for authentication:
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| accessToken | Essential | Authentication | 3 hours |
| refreshToken | Essential | Authentication | 24 hours |
These cookies are HTTP-only, secure, and use same-site strict policy. They are necessary for the Service to function and cannot be disabled.
On the JellyMachine platform itself (jellymachine.com) we use Google Analytics 4 (GA4) and Meta (Facebook) Pixel to measure how the platform is used. These tools are loaded only after you grant analytics consent through the cookie consent banner (Consent Mode v2 default-deny). We have disabled Google Signals and ad personalization in our GA4 property, and IP addresses are anonymized in transit. When consent is granted, the following may be collected:
_ga, _ga_*) — 13-month expiry_fbp) — 90-day expiryYou can decline analytics at any time through the cookie banner or your browser settings. Declining or withdrawing consent immediately deactivates these scripts. You may also opt out of GA4 specifically by installing the Google Analytics Opt-out Browser Add-on.
If you (as a JellyMachine customer) enable analytics on websites you build, the following data may be collected from your visitors. This data flows through our infrastructure to you and, if you provide a GA4 Measurement ID, to Google:
If you enable analytics or tracking on your websites, you are responsible for:
We do not respond to legacy "Do Not Track" browser signals because there is no industry consensus on
their meaning. However, in accordance with the California Privacy Rights Act (CPRA), we do honor
Global Privacy Control (GPC) signals. When your browser transmits a GPC signal (either via the
Sec-GPC: 1 HTTP header or the navigator.globalPrivacyControl JavaScript
property), we treat it as a binding opt-out of sale and sharing of personal information for analytics and
advertising purposes. Analytics scripts (GA4, Meta Pixel) will not load for that browser session and no
analytics cookies are set.
You can also manage cookies through your browser settings or revoke analytics consent at any time using the cookie preferences link in our site footer.
We retain your account information for as long as your account is active. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
Your website content is retained while your subscription is active. After account termination, content is retained for a reasonable period (typically 30 days) before deletion.
Payment records are retained for 7 years to comply with tax and accounting regulations.
If you use our analytics feature:
Backup copies may be retained for disaster recovery purposes and are deleted in accordance with our backup retention policies.
We may retain information longer if required by law, to resolve disputes, or to enforce our agreements.
We implement industry-standard security measures to protect your information:
We use AWS Rekognition to automatically scan uploaded images for inappropriate content as an additional security and content safety measure.
In the event of a personal data breach, we will:
You are responsible for:
Our Service uses AWS infrastructure, which may process and store data in various locations globally, including the United States.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide adequate data protection, we rely on:
While the EU-US Privacy Shield was invalidated, we ensure adequate protections through alternative transfer mechanisms.
You have the right to:
You have the right to request correction of inaccurate or incomplete personal information.
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing disputes).
You have the right to:
Where processing is based on consent, you have the right to withdraw consent at any time.
To exercise your privacy rights, please:
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
We collect the following categories of personal information:
We will verify your identity before processing requests by matching information you provide with information in our records.
You may designate an authorized agent to make requests on your behalf with proper verification.
We do not sell your personal information as defined under the CCPA/CPRA in exchange for monetary or other valuable consideration. We do not provide your personal information to data brokers or to third parties for their own independent marketing purposes.
We disclose limited information to Google Analytics 4 and Meta Pixel solely for the purpose of measuring how visitors use the JellyMachine platform. The CPRA defines this transmission as "sharing." We have configured these services to disable Google Signals, ad personalization, and cross-context behavioral advertising, and we honor Global Privacy Control (GPC) signals as a binding opt-out (see Section 4.5).
California residents may exercise the right to opt out of any sharing at any time by:
We may offer financial incentives for participation in programs. Terms will be disclosed at enrollment.
JellyMachine is the data controller for personal information collected through the Service.
We process personal information under the following legal bases:
As an EEA, UK, or Swiss resident, you have additional rights:
For GDPR-related inquiries, please contact us at the address in the "Contact Us" section.
You have the right to lodge a complaint with your local data protection supervisory authority.
We maintain Data Processing Agreements with our sub-processors (AWS, Stripe, etc.) as required by GDPR.
The Service is not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children.
If you believe we have collected information from a child, please contact us immediately. We will take steps to delete such information.
Users of our platform who create websites are responsible for their own compliance with children's privacy laws (COPPA, etc.) if their websites target or collect information from children.
The Service integrates with third-party services. Your use of these services is governed by their respective privacy policies:
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites.
Websites you create and publish through our Service may collect information from your visitors. You are responsible for:
We may update this Privacy Policy from time to time. We will notify you of material changes by:
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Your continued use of the Service after changes to this Privacy Policy constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
JellyMachine Privacy Team
privacy@jellymachine.com
www.jellymachine.com
Jelly Machine LLC
5150 W 120th Ave., Suite 100, #1149
Westminster, CO 80020, United States
For data subject access requests, deletion requests, opt-out requests, or any other privacy-related inquiry, please use the email address above. We will verify your identity in accordance with applicable law before processing your request and will respond within the timeframe described in Section 14.2.
We will respond to your inquiries within 30 days, or as required by applicable law.
If you have a complaint about our privacy practices, please contact us first. If you are not satisfied with our response, you may have the right to lodge a complaint with a data protection authority.
We use the following categories of sub-processors to process personal data:
| Category | Provider | Purpose |
|---|---|---|
| Cloud Infrastructure | Amazon Web Services, Inc. | Hosting (EC2/Lambda), storage (S3), compute, security (WAF), CDN (CloudFront) |
| Database | MongoDB, Inc. (MongoDB Atlas) | Managed database hosting |
| Transactional Email | Amazon Web Services (SES) | Account, billing, and notification emails |
| Content Moderation | Amazon Web Services (Rekognition) | Automated scanning of uploaded images for prohibited content |
| Payment Processing | Stripe, Inc. | Subscriptions, e-commerce, billing |
| Analytics | Google LLC (Google Analytics 4) | Platform usage measurement (only after consent; Signals disabled) |
| Advertising Pixel | Meta Platforms, Inc. (Facebook Pixel) | Marketing measurement (only after consent) |
| AI Services | OpenAI, LLC and Google LLC (Gemini) | Content generation, AI image generation |
| Mapping | Mapbox, Inc. | Map components on websites |
| Social Media | Meta Platforms, Inc.; X Corp. | Social media integration (Facebook, Instagram, X/Twitter) |
| SMS Delivery | Amazon Web Services (SNS) / Twilio (where applicable) | SMS/text message delivery on behalf of customers |
| Feature | Data Collected |
|---|---|
| Account Registration | Email, username, password (hashed) |
| Subscriptions | Payment info (via Stripe), billing history |
| Website Builder | Content, layouts, settings, media files |
| E-commerce | Inventory, orders, customer data |
| Analytics | Visitor data, pageviews, sessions |
| Kanban Boards | Cards, workflows, assignments |
| Email Services | Recipient addresses, email content |
| AI Features | Prompts, generated content |
| Social Integration | OAuth tokens, scheduled posts, profile data, insights, comments, messages, media |
| SMS/Text Messaging | Phone numbers, SMS consent status and timestamps, opt-out records |