Privacy Policy

Effective Date: June 16, 2025

Welcome to the JoyAds Privacy Policy. JoyAds is a website and advertising service operated by Milena Barton ET, a company based in Sofia, Bulgaria. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our website or services. It is intended to apply globally to all users, including our business-to-business (B2B) customers, and to meet the requirements of major data protection laws worldwide (GDPR, UK GDPR, CCPA/CPRA, and other relevant laws). We aim to be transparent and lawful in our processing of personal data in compliance with these frameworks.

By using the JoyAds website or services, you acknowledge that you have read and understood this Privacy Policy. This policy covers visitors to our website and customers using our services. Please note that we do not use any contact forms on our site and we do not send newsletter marketing emails, so we will not collect personal data for those purposes. We only collect personal data that is necessary to provide our services and support to you, as described below.

Data Controller and Contact Information

The “data controller” responsible for your personal data (i.e., the organization determining the purposes and means of processing) is Milena Barton ET registered in Bulgaria. If you have any questions or requests regarding your personal data, you can contact us at:

  • Milena Barton ET (d/b/a JoyAds)
    Business Address: Sofia, Bulgaria (we will provide full registered address upon request)
    Email: privacy@joyads.example

Milena Barton ET is the entity accountable for data protection compliance for JoyAds. You may reach out to us at the above email for any privacy-related inquiries, including exercise of rights or complaints. We are committed to responding to your concerns and resolving any issues. Additionally, individuals in the EU/UK have the right to lodge a complaint with their supervisory data protection authority, and we will cooperate with such authorities as needed.

Personal Data We Collect

  • We limit our collection of personal data to what is relevant and necessary for the purposes described in this policy. The categories of personal data we collect and process include:
    • Billing and Payment Information (Stripe): If you purchase services or subscriptions from JoyAds, we collect billing details to process payments. This includes your name, email, company name, and payment information. Payments are handled through Stripe, our secure payment processor. Stripe may collect your payment card details and billing address on our behalf. We do not store full credit card numbers on our systems; Stripe processes payments in compliance with PCI-DSS security standards. Personal data used for billing is necessary to perform our contract with you and to comply with financial record-keeping laws.
    • Account and Communication Data (Brevo/Sendinblue): When you create a JoyAds account or communicate with us, we collect your name, business email, and any contact information you provide. We use Brevo (formerly Sendinblue) as our email service provider to send service-related communications, such as account activation emails, transaction receipts, important service updates, or support responses. These emails are not marketing newsletters, but rather essential communications to operate the service (for example, an email confirming your purchase or notifying you of important changes). We will only send you such communications as necessary to perform our services or upon your request, in line with applicable law. We do not send unsolicited marketing emails and you will not receive a newsletter from us.
    • Analytics Data (Google Analytics): When you visit our website, we use Google Analytics (GA) to gather anonymized analytics information about how visitors use our site. This may include data such as your IP address (which Google may anonymize in EU territories), browser type, device identifiers, pages visited, and time spent on the site. This information helps us understand user engagement and improve our website’s functionality. Google Analytics works through cookies or similar tracking technologies (discussed below under Cookies). The data collected through Google Analytics is typically aggregated and does not directly identify you. We have configured Google Analytics with privacy in mind (e.g. IP anonymization and limited data retention) to comply with EU requirements. We only use analytics data with your consent (where required) and for our legitimate interest in understanding and improving our services.
    • Advertising & Tracking Data (Pixels from Google, Meta, TikTok, Microsoft): We use marketing and remarketing tools to reach people who may be interested in JoyAds. This means our website includes tracking pixels or tags from third-party advertising platforms, specifically:
      • Google Ads (including YouTube) – Google’s remarketing pixel may track if you visited our site so we can show you JoyAds promotions on other websites.
      • Meta Pixel (Facebook/Instagram) – Allows us to show JoyAds ads on Facebook/Instagram to people who visited our site or to measure ad conversions.
      • TikTok Pixel – Allows JoyAds to advertise on TikTok to site visitors or measure conversions.
      • Microsoft Advertising (Bing UET) – Microsoft’s Universal Event Tracking tag helps us show ads on Bing or LinkedIn to our site visitors.
      These pixels collect data such as cookie IDs, device/browser information, and your site browsing behavior (e.g., pages viewed, actions taken) for the purpose of ad targeting and analytics. The data collected by these third-party tools may be combined with your profile on those platforms if you are a user. We do not receive personal identifiers like your name from these pixels, but we may receive aggregate reports about ad campaign performance (for example, how many users visited our signup page after clicking an ad). We rely on user consent where required (e.g., in the EU/UK, we will not activate non-essential ad tracking cookies without your consent). You can control these trackers via our cookie consent banner (see Cookies section), and you can opt out of targeted advertising as described in the Your Rights section (for “Do Not Sell/Share” requests under CCPA, see below).
    • Customer Support and Ticket Data (ClickUp): If you contact us for support or interact with our customer support ticketing system, we will collect the information you provide in your request. This could include your contact information (like email or phone), and the content of your inquiry or any attachments. We use ClickUp as our internal ticket and project management tool to track support issues. When you email us or otherwise create a support ticket, the details are logged in ClickUp so our team can assist you. This may result in storage of your name, email, and any other personal data you disclose in the support conversation. We only use this information to provide customer support and improve our services. Please avoid sharing sensitive personal information in support tickets unless necessary. Support correspondence is retained as described in the Retention section and is kept confidential within our support team.
    • No Contact Forms or Newsletters: As mentioned, our site does not have a general “Contact Us” web form, and we do not collect data for newsletter subscriptions or marketing mailouts. Therefore, we do not collect personal data for those purposes. If in the future we introduce new features that collect personal data (such as a contact form or newsletter), we will update this Privacy Policy accordingly and obtain any necessary consents.
    We collect personal data either directly from you (for example, information you enter during account registration or payment) or through your use of our site (through cookies and tracking tools). If we ever obtain personal data from third-party sources, we will ensure we have a lawful basis to use it and will inform you as required (for instance, if a business partner provided your contact details, we would let you know). However, in general, you provide most of the personal data we process, or it is collected automatically through your interaction with our site.

Use of Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate our website, analyze usage, and facilitate advertising. When you first visit JoyAds, you will see a cookie consent banner (managed by Cookiebot) that allows you to opt-in or opt-out of certain categories of cookies. We classify cookies into the following categories:

  • Essential Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually set in response to actions you make, such as logging in, setting your privacy preferences, or filling out forms (if applicable). Essential cookies do not require consent under most laws. For example, if our service has a login session cookie or a cookie to remember items in a cart (for future e-commerce features), those would be essential. We also consider the Cookiebot consent cookie as essential – this cookie remembers your cookie preferences so that the site knows what you have consented to. The Cookiebot consent cookie (CookieConsent) is a first-party cookie that stores an encrypted key of your consent state and is designed to persist for up to 12 months so you won’t be asked to reconfirm your choices on every visit (unless it expires or you clear cookies).
  • Analytics Cookies: These cookies collect information about how visitors use our site, so that we can measure and improve its performance. We use Google Analytics for this purpose. Analytics cookies allow us to recognize and count the number of visitors and see how visitors move around the site. All data collected via analytics cookies is aggregated and anonymized; we do not use analytics to identify individual users. We will only set analytics cookies if you give us consent via the cookie banner (in regions where consent is required). You can withdraw consent at any time by adjusting your cookie settings (see “Your Choices” below). By default, we have configured Google Analytics with a limited data retention period (e.g., user-level data is retained for 14 months and then automatically deleted) in line with privacy best practices.
  • Marketing Cookies (Advertising Pixels): Marketing or targeting cookies are set by our advertising partners (Google, Meta, TikTok, Microsoft) via the tracking pixels embedded on our site. These cookies and trackers record your visit to our site and your interaction with our content, which allows us to advertise to you on other platforms and measure the effectiveness of our ads. For example, if the Meta Pixel is allowed, it may place a cookie that enables Facebook to recognize you visited our site and later show you a JoyAds advertisement in your Facebook feed. Similarly, the Google Ads tag may record a “conversion” if you sign up after clicking one of our Google ads. Marketing cookies typically uniquely identify your browser and device. We will only load these trackers with your consent (where required by law, such as under EU ePrivacy rules). If you do not consent, these pixels will remain inactive. You can manage your consent choices at any time through our Cookiebot banner (click the “Cookie Settings” link on our site footer or banner to adjust your preferences).
  • Cookiebot Consent Management: We utilize Cookiebot (a consent management platform by Cybot A/S) to display our cookie consent banner and store your preferences. Cookiebot helps ensure that no non-essential cookies are set unless you have given consent, as required by GDPR and similar laws. Cookiebot will record a log of consents given by users (including the consent ID, date/time, and anonymized IP address) to demonstrate compliance. This consent log data is stored securely by Cookiebot (in an EU data center) and is accessible to us if we need to prove that a user consented to cookies. The information stored by Cookiebot is limited to what is necessary for consent compliance, and all IP addresses in the log are anonymized. We plan to implement Cookiebot fully to manage cookie consent globally and keep it updated with evolving legal requirements. In the meantime, we operate under the intent to comply with cookie consent rules: no unnecessary cookies without consent, clear information about cookies, and a mechanism to change preferences.

Your Choices: On your first visit, you can choose which cookie categories to accept or reject (except strictly necessary cookies which are always active). If you wish to change your choice later, you can do so by revisiting the cookie settings (if available on the site) or by clearing your cookies and reloading the site to get the consent banner again. Additionally, most web browsers allow you to control cookies through settings (you can block or delete cookies). However, blocking all cookies (especially essential ones) might impair site functionality. For interest-based advertising, you can also use industry opt-out tools such as the NAI or DAA opt-out pages for U.S. users, or YourOnlineChoices for EU users, which can help manage many advertising cookies across websites.

Legal Bases for Processing Personal Data

We process personal data only when we have a valid legal basis to do so under applicable data protection laws. Depending on the context, one or more of the following legal grounds may apply:

  • Performance of a Contract: When we collect and use personal data to provide you with our services, process your orders, or respond to your requests, we do so because it is necessary to fulfill our contract with you or to take steps at your request before entering into a contract. For example, we need to process your name, email, and payment information to register your account and accept payments – this is contractual necessity. Likewise, if you are a customer, we use your contact information to send service communications (e.g., an email about a system update) as part of delivering the service you signed up for.
  • Consent: We rely on consent for certain types of data processing, particularly regarding cookies and similar tracking technologies that are not strictly necessary. For instance, before setting analytics or marketing cookies on your device, we will ask for your consent via the cookie banner (as required by GDPR/ePrivacy rules). Similarly, if we ever want to send marketing emails to you (which we currently do not), we would obtain your prior consent as required. Where we process personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will stop the specific processing going forward (for example, if you withdraw consent to marketing cookies, we will stop collecting data via those cookies on future visits).
  • Legitimate Interests: In some cases, we process personal data because it is in our legitimate interests (or those of a third party) to do so, and these interests are not overridden by your data protection rights. We only rely on legitimate interests after careful consideration of the potential impact on individuals. Our legitimate interests may include:
    • Improving and Securing our Services: We may use certain analytics data to understand how our product is used and to improve user experience. We also may process data to detect fraud or security incidents and to keep our platform secure (e.g., monitoring for suspicious logins).
    • B2B Marketing to Corporate Contacts: If you are a representative of a company that could benefit from JoyAds, we might reach out to you in a business-to-business context (for example, if you provided your contact at an industry event, or if we make direct sales calls to business contacts). We will always do so in compliance with direct marketing laws, and provide an opt-out in any such communication. (Currently, we do not maintain a marketing email list, so this would be limited to individual outreach.)
    • Enforcing Our Rights: We may process personal data as needed to enforce our Terms of Service, to pursue or defend against legal claims, and to prevent misuse of our services.
    When we rely on legitimate interest, we ensure that we consider and balance any potential impact on you and your rights. You have the right to object to processing based on our legitimate interests in certain cases (see Your Rights below).
  • Legal Obligation: We also process personal data where necessary for compliance with a legal obligation to which we are subject. For example, financial and tax laws in Bulgaria require us to keep records of transactions (invoices, payments) for a certain period (often several years). To meet these obligations, we will retain billing records including personal data like names on invoices. We may also have to disclose personal information if required by lawful requests from public authorities (such as complying with a court order or government regulation) – in such cases we only provide what is necessary and permitted by law.

In summary, the main legal bases we use are contract, consent, legitimate interests, and legal obligations. We indicate in the relevant sections of this policy which basis typically applies to each type of processing. If you have questions about the specific legal basis for any processing of your personal data, feel free to contact us.

Third-Party Processors and Data Sharing

JoyAds uses several trusted third-party service providers (processors) to operate our business. These third parties process personal data on our behalf for specific purposes, as described below. We have signed Data Processing Agreements (DPAs) with these providers as required by GDPR, and we have ensured that they implement appropriate data protection measures. We do not sell your personal information to anyone, and we do not share data with third parties for their own independent marketing purposes. However, we do share data with the following categories of recipients as necessary to run JoyAds:

  • Stripe, Inc. (Payment Processor)
    • Purpose of Processing: We use Stripe to process credit card payments and manage subscriptions/billing. Stripe collects payment details (card numbers, billing info) on our behalf and helps manage invoices and the customer portal for billing.
    • Location & Data Transfer Safeguards: Stripe has entities in the EU (Stripe Payments Europe, Ltd.) and the US. Personal data may be transferred to the United States for processing. Stripe participates in the EU-U.S. Data Privacy Framework and UK Extension (privacyshield.gov), which means it is certified to receive EU/UK personal data under approved conditions. Stripe also employs Standard Contractual Clauses for data transfers where appropriate.
  • Google LLC (Analytics and Ads)
    • Purpose of Processing: Google Analytics collects site usage data as described above. Google Ads/DoubleClick cookies enable advertising and conversion tracking.
    • Location & Data Transfer Safeguards: Google’s servers for these services are primarily in the United States and globally. Google LLC is certified under the EU-U.S. Data Privacy Framework (including the UK extension) (policies.google.com), committing to comply with EU privacy principles for transferred data. Google also offers EU Standard Contractual Clauses in its terms for relevant services (policies.google.com). Data may be stored in or accessed from the U.S.; Google applies safeguards and has pledged to protect data in line with EU requirements.
  • Meta Platforms, Inc. (Facebook/Instagram)
    • Purpose of Processing: The Meta Pixel on our site sends pseudonymous data (like cookie identifiers and events) to Meta to facilitate our ads on Facebook and Instagram. No direct identifiers like your name or email are shared via the pixel.
    • Location & Data Transfer Safeguards: Meta Platforms, Inc. (USA) may receive data from the Meta Pixel. As of September 2023, Meta relies on the EU-U.S. Data Privacy Framework for transferring data (including Meta Business Tools data) from the EU to the US (about.fb.com). Meta is certified under the DPF, and also had SCCs in place prior to the new framework. These measures are meant to ensure any European personal data transferred to Meta in the US is adequately protected.
  • Microsoft Corporation (Advertising via Bing Ads)
    • Purpose of Processing: We use Microsoft’s Universal Event Tracking (UET) tag for Bing Ads, which collects data on our site to help us advertise via Microsoft’s network (including Bing search ads or LinkedIn ads).
    • Location & Data Transfer Safeguards: Microsoft is a U.S.-based company. Microsoft Corporation and its U.S. subsidiaries are certified under the EU-U.S. Data Privacy Framework (microsoft.com) and also implement the UK and Swiss extensions. Microsoft will process any transferred data in compliance with these frameworks and/or SCCs. Data from the UET tag may be stored on Microsoft’s servers in the U.S. and is protected via DPF certification and contractual safeguards.
  • TikTok (TikTok Technology Ltd. and affiliates)
    • Purpose of Processing: The TikTok Pixel on our site sends pseudonymous information to TikTok’s advertising platform, allowing us to measure ad performance on TikTok and reach relevant audiences.
    • Location & Data Transfer Safeguards: TikTok’s main operations relevant to the EU are in Ireland (TikTok Technology Ltd.), but data may be accessed by TikTok’s groups in non-EU countries (e.g., US, Singapore, potentially China) for storage or maintenance. TikTok does not fall under the EU-U.S. DPF (as TikTok is not a U.S.-owned company); instead, TikTok relies on Standard Contractual Clauses for transfers of personal data out of the EEA (tiktok.com). However, regulators have scrutinized TikTok’s transfers to ensure compliance. We only use the TikTok pixel with your consent, and TikTok is obligated to protect EU data under the SCCs (and other measures) when it is transferred internationally.
  • Brevo (Sendinblue SAS) (Email Delivery)
    • Purpose of Processing: Brevo (formerly Sendinblue) is our email delivery service for transactional/service emails. We upload your email address and name to Brevo in order to send you account-related emails (e.g., confirming your account or notifying you of service alerts). Brevo acts as an email processor.
    • Location & Data Transfer Safeguards: Brevo is a company based in France (EU). By default, personal data we store in Brevo (such as your email contact details and email content) is hosted on servers within the European Union. Brevo is fully compliant with GDPR requirements (help.brevo.com). There are no routine transfers of EU user data outside the EU by Brevo. (If Brevo were to engage sub-processors outside the EU, they would use SCCs, but at present our understanding is your data stays within EU infrastructure.)
  • ClickUp, Inc. (Support Ticketing)
    • Purpose of Processing: We use ClickUp’s cloud software to track and manage customer support issues and internal tasks. When you email us or otherwise create a support ticket, the information is stored in ClickUp so our team can collaborate to resolve your issue.
    • Location & Data Transfer Safeguards: ClickUp is a U.S.-based service, and data submitted to our ClickUp workspace (which may include your name, email, and support correspondence) might be stored on servers in the United States. ClickUp is hosted on Amazon Web Services (help.clickup.com) and is committed to GDPR compliance (they offer a Data Protection Addendum and utilize Standard Contractual Clauses for EU data transfers). This means your support data is protected by contractual safeguards when transferred to the U.S. for processing.
  • Cookiebot (Cybot A/S) (Consent Management)
    • Purpose of Processing: Cookiebot provides the cookie consent banner and related compliance services on our site. It collects consent choices from users and logs proof of consent as required by law (support.cookiebot.com). It may also scan our site for cookies to generate a cookie declaration.
    • Location & Data Transfer Safeguards: Cookiebot (by Cybot) is a company based in Denmark (EU). The consent data (e.g., your IP in anonymized form, consent timestamp, and consent preference) is stored on servers within the EU. We do not transfer Cookiebot’s consent log data outside the EU. Cybot/OneTrust (the parent company) ensures that any processing of personal data for the consent management service complies with GDPR and other privacy laws. No personal data is shared by Cookiebot with third parties except as needed for providing the service (and all such data remains within EU jurisdiction).

Other Disclosures: In addition to the processors listed above, we may disclose personal data to other parties in specific circumstances:

  • Legal Requirements: If required by law or a valid legal process (subpoena, court order, or equivalent), we may disclose necessary personal data to government authorities or other parties. We will only do so after verifying the request’s legitimacy and only the minimum data required.
  • Business Transfers: If we undergo a merger, acquisition, or sale of assets, personal data may be transferred to the successor or acquiring entity. We will ensure the receiving party is bound to respect the personal data in a manner consistent with this Privacy Policy, and we will notify you if your data becomes subject to a new privacy policy.
  • Professional Advisors: We may share personal data with our auditors, legal counsel, or other professional advisors if necessary to obtain advice or protect our business interests, but only under duties of confidentiality.

Importantly, we do not share or sell personal information to data brokers or advertisers for their own use. All third parties who process data on our behalf are contractually obligated to use it only for the specified purpose and to implement adequate security. Whenever your personal data is shared with a processor or third party, we remain responsible to ensure your data is handled in line with this Policy and applicable law.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or reporting requirements (commission.europa.eu). In compliance with the principle of storage limitation (commission.europa.eu), we have defined retention periods for different categories of data:

  • Account Information: If you have a JoyAds account, we will retain your account data (such as your name, email, company info, and login credentials) while your account is active. If you choose to delete your account or if your account becomes inactive, we will delete or anonymize your personal data within a reasonable time after account closure. However, we may retain certain data for a further period if necessary for legitimate business purposes such as responding to post-termination inquiries, or as required by law. For example, we may keep a record of account transactions or support history for a certain period after account deletion (typically up to 3-5 years) to have an audit trail in case of disputes or to comply with statute of limitations for legal claims. After such retention period, any remaining personal data will be securely erased or anonymized.
  • Billing and Payment Records: We retain financial transaction records (invoices, billing statements, payment confirmations) for 10 years or more, as required under Bulgarian accounting and tax laws and general EU law (business records are often required to be kept for 10 years) (aidosbg.com). This means your invoice information (which may include your name, business contact, and transaction details) will be kept in our archives for at least ten years from the transaction date. We hold this data to comply with our legal obligations for financial reporting and audits. After the mandatory retention period, we will delete or anonymize these records. Payment card details are not stored by us; they are handled by Stripe. Stripe may have its own retention obligations (e.g., to retain transaction logs for fraud prevention and compliance), but any such retention on Stripe’s side is governed by Stripe’s privacy policy.
  • Support Tickets and Communication: Our support correspondence with you (emails, ticket logs in ClickUp, chat history if any) will be retained as long as necessary to resolve your issue and as needed for quality assurance. Generally, we keep support tickets for up to 2 years after resolution, in case you have follow-up questions and to help us improve our support processes. In some cases, we might keep a support record longer if it is tied to an active customer account (for example, as part of the account history) or if needed for legal reasons (e.g., evidence in a dispute). We regularly review older support records and delete those that are no longer needed.
  • Analytics Data: Data collected via Google Analytics is retained in accordance with the settings we have control over. Currently, we have set Google Analytics to retain user-level and event-level data for 14 months (or the shortest period offered that meets our analysis needs). This means that analytics cookies and identifiers will automatically expire or be deleted after this period (support.cookiebot.com), and only aggregate data (which is not personally identifiable) may be kept beyond that for trend analysis. Google Analytics may periodically purge data as we configured. We do not store raw analytics logs containing personal data beyond the periods provided by Google’s analytics platform.
  • Advertising/Tracking Data: Data collected via third-party advertising cookies/pixels on our site (Google Ads, Meta, TikTok, Microsoft) is largely controlled by those providers. We do not personally hold identifiable “profiles” of individuals for ad targeting; rather, the data is on those platforms. Each platform has its own retention practices (for example, Facebook might retain website custom audience data for a certain number of days). Typically:
    • Google Ads and Bing Ads conversion cookies expire after about 90 days, unless refreshed by a new visit.
    • Meta’s advertising data (via Pixel) is often kept for up to 180 days for tracking website custom audiences.
    • TikTok’s cookie data similarly may persist for several months.
    We ourselves do not see your cookie identifiers. We receive aggregated advertising reports from these platforms. We will utilize the tools provided by these platforms to limit the duration of ad targeting where possible. For example, we might limit how long a visitor remains in a remarketing audience. Additionally, if you opt out of marketing cookies via our site, the pixels will not collect further data on you going forward.
  • Cookie Consent Logs: Records of your consent preferences (stored by Cookiebot) are retained for as long as we are required to demonstrate compliance. According to guidance, proof of consent should not be kept longer than necessary (support.cookiebot.com). Cookiebot currently retains consent logs for 12 months from the date of consent, after which older records are automatically deleted. This 12-month log retention aligns with the period that a consent is considered valid under some regulations before renewal is needed. We may adjust this retention in line with legal requirements or guidance. The consent cookie in your browser will also expire after 12 months (unless you clear it sooner) (support.cookiebot.com), prompting you to give fresh consent.
  • Legal Compliance and Disputes: Notwithstanding the above, we may retain information for longer periods if required to by law (for instance, if a law enforcement authority issues a preservation order or if we need to keep data in connection with a legal dispute). In particular, if we are involved in litigation or an official investigation, we will retain relevant data until the matter is fully resolved and no further appeal is possible, even if that extends beyond the normal retention schedule.

After the expiration of the applicable retention period, we will securely dispose of or anonymize personal data. “Anonymize” means that we remove or irreversibly alter personal identifiers so that the data can no longer be associated with any individual, in which case it is no longer personal data. For example, we may aggregate historical analytics usage data or strip identifying details from old support tickets for statistical purposes.

We continuously review the data we hold and delete what is no longer needed. If you believe we are retaining your personal information longer than necessary, you have the right to request erasure (see Your Rights below), and we will respond in accordance with applicable law.

Your Rights as a Data Subject

We respect the rights that individuals have under privacy and data protection laws. Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

Rights for EU/EEA, UK, and Similar Jurisdictions (GDPR/UK GDPR, etc.): If you are in the European Union, United Kingdom, or a country with similar data protection laws, you have the following rights (subject to the conditions and exceptions defined in applicable law):

Right of Access: You have the right to request confirmation whether we are processing personal data about you, and if so, to request a copy of the data and relevant information about how we use it (cookiebot.com). This allows you to know and verify the lawfulness of our processing.

Right to Rectification: If any of your personal data that we hold is inaccurate or incomplete, you have the right to have it corrected or updated without undue delay.

Right to Erasure: You can ask us to delete or remove your personal data in certain circumstances – for example, if it’s no longer necessary for us to have it, or if you withdraw consent and we have no other legal basis to keep it, or if you object to processing and we have no overriding legitimate ground to continue. This is sometimes known as the “right to be forgotten.” Please note this right is not absolute; sometimes we must retain certain data (see Retention section) to comply with legal obligations or to establish/exercise legal claims (support.cookiebot.com).

Right to Restriction of Processing: You have the right to request that we limit the processing of your personal data in certain scenarios – e.g., while we are verifying the accuracy of data you contested or assessing an objection you made.

Right to Data Portability: You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to request that we transmit it to another controller where technically feasible. This right applies when the processing is based on your consent or a contract and carried out by automated means.

Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests or performance of a task in public interest. If you object, we must stop processing unless we demonstrate compelling legitimate grounds for the processing that override your rights, or if we need to continue processing for the establishment, exercise, or defense of legal claims. Importantly, you have an unconditional right to object to your personal data being used for direct marketing purposes at any time – if we were sending marketing communications or using data for personalized ads, you can opt out and we will honor that. For example, you can opt out of Google/Meta advertising as described in the Cookies section, or contact us to register a general opt-out.

Right to Withdraw Consent: If we rely on your consent for any processing (e.g., for cookies or future newsletter), you have the right to withdraw that consent at any time (ico.org.uk). Once you withdraw consent, we will stop the processing that was based on consent. For instance, if you withdraw consent for marketing emails, we will cease sending them. Withdrawing consent does not affect the lawfulness of processing done before the withdrawal.

Right to Lodge a Complaint: If you believe we have infringed your data protection rights, you have the right to file a complaint with a supervisory authority, especially in the country where you live or work, or where the alleged infringement occurred (ico.org.uk). For EU users, this would be your national Data Protection Authority (DPA). For UK users, it is the Information Commissioner’s Office (ICO). We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so we invite you to contact us with any complaint and we will do our best to resolve it.

Additional Rights for California Residents (CCPA/CPRA): If you are a resident of California, USA, you are protected by the California Consumer Privacy Act (as amended by the California Privacy Rights Act). In addition to the rights above (many of which are similar in spirit), you have the following rights under CCPA/CPRA with respect to personal information (as defined by California law):

Right to Know: You can request that we disclose the specific pieces and categories of personal information we have collected about you in the past 12 months, the categories of sources of that information, the business or commercial purposes for collecting or sharing it, and the categories of third parties with whom we share or sell that information (cookiebot.com). Essentially, this is a right to know what personal data we have about you and how we use and share it.

Right to Delete: You can request that we delete personal information we have collected from you (and direct our service providers to do the same), with certain exceptions (cookiebot.com). For example, if the information is necessary to complete a transaction or comply with a legal obligation, we may decline the deletion request for those specific data elements. Outside of the exceptions, if you request deletion, we will remove your personal information from our records and instruct any service providers to do so as well.

Right to Correct: You can request that we correct inaccurate personal information that we maintain about you. We will take into account the nature of the personal information and the purposes of processing when considering correction, and may request documentation if necessary to verify the accuracy.

Right to Opt-Out of Sale or Sharing: The CCPA gives you the right to opt out of the “sale” of your personal information to third parties, as well as the “sharing” of your personal information for cross-context behavioral advertising (targeted advertising) (cookiebot.com). However, JoyAds does not sell personal information in exchange for money. We also do not share personal information for cross-context advertising in the sense of disclosing identifiable information about you to third-party advertisers. The only “sharing” that might be considered under CPRA is the use of third-party advertising cookies (where a third-party like Google or Meta might use data from our site to improve their advertising services). If you have opted out of marketing cookies via our cookie banner, then no such sharing occurs for you. If we ever engage in any practice that qualifies as a sale or share under CCPA, we will implement a “Do Not Sell or Share My Personal Information” link on our website to facilitate opt-outs. California law also prohibits us from selling personal data of consumers under 16 without affirmative authorization, which we do not do. We treat opt-outs broadly – if you are a California resident and wish to ensure your data is not used for targeted advertising, you can use the cookie controls or contact us to register an opt-out, and we will honor it.

Right to Limit Use of Sensitive Personal Information: CPRA introduces a right to limit the use/disclosure of “sensitive personal information” (SPI) if a business uses it for purposes beyond what is necessary to provide goods or services. JoyAds generally does not collect sensitive personal information as defined by California law (e.g., we do not collect government IDs, full account login credentials, precise geolocation, racial or ethnic origin, health data, etc. – except potentially payment card numbers for transactions, which are handled by Stripe securely for the sole purpose of completing the transaction). In any event, we do not use or disclose sensitive information for inferring characteristics about consumers or for any purpose other than the strictly necessary purposes allowed by law (like processing payments). Therefore, the right to limit SPI use is not applicable to our practices (there is nothing to “limit” beyond what we already do, which is only using such data for its required purpose). If that ever changes, we will provide a clear method for you to exercise this right.
Right of Non-Discrimination: You have the right not to receive discriminatory treatment from us for exercising any of your CCPA rights (cookiebot.com). This means we will not deny you our services, charge you a different price, or provide a lesser quality of service just because you exercised your privacy rights. We do not offer financial incentives in exchange for your data (if we did, we would disclose them and you’d have to opt-in), so there is no scenario of discriminatory pricing.

To exercise any of your rights, please contact us at privacy@joyads.example. We may need to verify your identity to process certain requests (especially for access/know and deletion requests under CCPA, we might ask for information to match against our records). For California residents, you may also designate an authorized agent to make requests on your behalf, in which case we will need proof of the agent’s authorization and may still verify your identity directly. We will respond to your request within the timeframe required by law (for example, GDPR mandates one month, CCPA mandates 45 days, with possible extension in certain cases). We will confirm receipt of your request and keep you updated on its status. Please note that some rights may overlap or differ slightly depending on the law, but we aim to ensure that all users, regardless of location, have appropriate control over their personal data. Even if you are not in one of the jurisdictions listed, you can still contact us to request access or deletion of your data, and we will try to accommodate if feasible and not inconsistent with legal obligations. Our goal is to handle personal data in a transparent and fair manner, consistent with the rights outlined above for everyone.

International Data Transfers

JoyAds is based in the European Union (Bulgaria), but we utilize services and infrastructure that may be located in other countries. When you access JoyAds or when we collect personal data, that data may be transferred, stored, or processed outside of your home country, including in the United States. In particular, many of our third-party processors (Stripe, Google, Meta, Microsoft, ClickUp) are U.S.-based companies. If you are located in the EU, UK, or other regions with data transfer restrictions, we take steps to ensure that your personal data is afforded an adequate level of protection when it is transferred internationally.

EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF): Several of our U.S. service providers have self-certified under the new Data Privacy Framework program, which was recognized by the European Commission in 2023 as providing adequate protection for personal data transferred from the EU to participating U.S. companies. Notably:

  • Google, Microsoft, and Stripe are all active participants in the EU-U.S. DPF (and the associated UK Extension and Swiss-U.S. DPF) as of 2023/2024 (policies.google.com, microsoft.com, privacyshield.gov). This means these companies have committed to comply with specific privacy principles for EU data and are under the enforcement authority of the U.S. Federal Trade Commission. For example, Google’s certification covers Google Analytics and Google Ads data transfers (policies.google.com), and Microsoft’s certification covers its U.S. subsidiaries including those providing Bing Ads services (microsoft.com). By relying on these certified frameworks, we can legally transfer personal data to these providers in the U.S. with confidence that they will protect it in line with EU/UK standards.
  • Meta (Facebook/Instagram): Meta has also certified under the EU-U.S. Data Privacy Framework, and as of Sept 7, 2023, Meta relies on the DPF for transfers of Facebook user data and Meta Business Tools data (which includes data from the Meta Pixel) from the EU to the U.S. (about.fb.com). This resolves the uncertainty that existed around Facebook’s EU data transfers and means that JoyAds’ use of the Meta Pixel is covered under Meta’s DPF compliance, ensuring an approved safeguard is in place.
  • We will monitor the status of the Data Privacy Framework and maintain reliance on it for these providers as long as it remains a valid mechanism. We also commit to only use U.S. processors who either are certified under DPF or provide another valid transfer mechanism.

Standard Contractual Clauses (SCCs): For transfers to countries that are not covered by an adequacy decision (or to service providers who are not part of DPF), we use the European Commission’s Standard Contractual Clauses as the primary legal mechanism (policies.google.com). These are standardized contractual terms that bind the recipient of the data to protect it according to EU privacy standards (policies.google.com). All our relevant vendor contracts include the SCCs where applicable. For instance:

  • Our contract with ClickUp for support tickets includes SCCs, since data may be stored in the U.S.
  • TikTok is a special case due to its data flows potentially reaching outside even the U.S. – TikTok’s EU entity uses SCCs to allow data to be accessed by its corporate group (including in Singapore and even China) (tiktok.com). We only use the TikTok pixel with your consent, and we understand TikTok is working on localized data centers for Europe (“Project Clover”). In the meantime, SCCs plus additional measures are in place. We will evaluate any regulatory developments (e.g., the recent EU DPA decisions regarding TikTok) and act accordingly to ensure compliance.
  • If we ever transfer personal data to any other third party or our own corporate affiliates in a country without EU adequacy, we will implement SCCs or another valid transfer basis (such as Binding Corporate Rules if we ever use those, or other derogations allowed by Article 49 GDPR if appropriate in a one-off situation).

UK and Switzerland: Transfers from the United Kingdom are handled similarly. The UK government has recognized the new EU-U.S. DPF with a UK extension, so U.S. companies who have extended their certification to the UK cover UK data. For SCCs, the UK requires an addendum or tailored version, which we have in place with our vendors when needed. Transfers from Switzerland also follow either the Swiss-U.S. DPF (for those certified) or SCCs adapted for Switzerland.

Other Regions: We strive to apply appropriate safeguards no matter where data is moving. For example, if we were to transfer data to a processor in a country like India or Canada, we would first check if that country has an adequacy decision (Canada’s commercial sector is adequate for EU; India is not). If not adequate, we’d use SCCs or similar. We also consider local laws and whether they may impinge on privacy; if needed, we conduct transfer impact assessments to evaluate risks (as recommended by EU authorities, especially after the Schrems II ruling).

Whenever we rely on SCCs, we also ensure that the recipients provide additional security measures like encryption in transit and at rest, access controls, and commitments to challenge unlawful government access requests. Our U.S. providers, for instance, have stated that they will notify us (or the data subject) if they receive government requests for data, unless legally prohibited, and they publish transparency reports.

In summary, we ensure that international data transfers are protected by one or more of the following: (i) adequacy decision (such as the EU-U.S. DPF), (ii) Standard Contractual Clauses (policies.google.com), (iii) Binding Corporate Rules (if applicable), or (iv) an Article 49 GDPR exception if expressly relevant (e.g., explicit consent or necessity for contract in a pinch). Our goal is that no matter where your data is processed, it will receive a level of protection equivalent to that in your home jurisdiction. If you have questions about cross-border data transfers or want to obtain a copy of the SCCs we have in place, you can contact us via the email provided. (Note: Some parts of SCC documents may be redacted for confidentiality, but we will provide as much information as possible.)

Data Security Measures

We take the security of your personal data very seriously. Milena Barton ET has implemented a variety of technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, and destruction (gdpr-info.eu). These measures are designed to provide a level of security appropriate to the risk of our data processing activities (gdpr-info.eu). Key security practices we employ include:

  • Encryption: All communications between your browser and our website are protected by HTTPS encryption (TLS). This means that any personal data you submit (for example, when logging in or entering payment details on Stripe’s form) is encrypted in transit, so it cannot be easily intercepted. Our servers and third-party providers also encrypt data at rest where applicable. For instance, Stripe will tokenize and encrypt credit card information. We encourage strong encryption as a safeguard as recognized by GDPR (gdpr-info.eu).
  • Access Control and Authentication: Personal data stored in our systems (or in third-party systems we use) is accessible only by authorized personnel who need access to perform their duties. JoyAds staff accounts are protected by strong passwords and, where possible, multi-factor authentication. We limit access rights following the principle of least privilege – each employee or contractor only gets the minimum access necessary for their role (for example, our support agents can see your account info to help you, but they cannot download all user data wholesale). Administrative access to our databases and backend is tightly controlled.
  • Secure Infrastructure: We host our application and data on reputable cloud providers that maintain high security standards (such as data centers certified under ISO 27001, SOC 2, etc.). For example, ClickUp is hosted on AWS which provides robust physical and network security (help.clickup.com). We apply security patches and updates promptly to protect against vulnerabilities. Our servers are firewall-protected and monitored.
  • Activity Logging and Monitoring: We log administrative access and significant actions in our systems, and we monitor for suspicious activities. This helps us detect unauthorized attempts to access data or unusual behavior patterns. If an anomaly is detected (such as multiple failed login attempts or data being extracted in bulk unexpectedly), we investigate and respond as needed (including suspending accounts or blocking IPs that may be malicious).
  • Employee Training and Policies: We train our team on data protection best practices and confidentiality. All team members are bound by confidentiality agreements. We have internal policies in place for handling personal data safely and for responding to potential security incidents. We also designate specific staff responsible for security and privacy compliance, ensuring accountability within the organization (ico.org.uk).
  • Testing and Assessments: We periodically review our security measures and update them in light of new risks or technological developments. This may include vulnerability scanning, penetration testing by third parties, or reviewing our procedures. We also ensure that our third-party processors maintain robust security; through our DPAs we require them to adhere to strict standards (for example, Brevo’s and Stripe’s security programs are outlined in their documentation, and we rely on those commitments; help.brevo.com).

Despite all these precautions, no system can be 100% secure. However, we strive to reduce risk as much as possible. In the unlikely event of a data breach that affects your personal data, we will follow applicable laws in notifying users and authorities. For instance, under GDPR we would notify the relevant supervisory authority within 72 hours of becoming aware of a serious personal data breach, and we would inform affected individuals without undue delay when required by law. Our breach response plan ensures timely action to contain and investigate any incident.

We also encourage you to play a role in keeping your data secure. Please use a strong, unique password for your JoyAds account, do not share your login credentials, and notify us immediately if you suspect any unauthorized access to your account or personal data.

Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify you by appropriate means – for example, by posting a prominent notice on our website or by emailing registered users (for major changes that materially affect your rights). We indicate the effective date of the Privacy Policy at the end of this document.

Your continued use of JoyAds after any update to this Policy will signify your acceptance of the changes, to the extent permitted by law. However, if the changes require your consent (for example, if we plan to process your data for a new purpose that requires consent), we will obtain that consent separately.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Prior versions of the Policy may be archived and available upon request for your reference.

If you have any questions or concerns about changes to the Privacy Policy, please contact us at info@joyads.agancy.