Joqiva Privacy Policy

2 June 2026

This Privacy Policy explains how Joqiva collects, uses, stores, shares and protects personal data. It applies to Joqiva websites, web applications, customer-facing quote and invoice pages, documented interfaces, communications and related services, features and support that we provide (together, the "Service"). Joqiva is a business-to-business SaaS product for sole traders, trades, service businesses and small companies. Joqiva customers use the Service for business purposes. End Customers may be consumers, homeowners, tenants, payers, quote recipients, invoice recipients or other individuals who interact with a Joqiva customer through customer-facing pages.

Joqiva is operated by FOP Mykola Marchuk Mykolaiovych, an individual entrepreneur registered in Ukraine, trading as Joqiva. Joqiva's current legal entity details, trading name, website, country of establishment, establishment address, correspondence address, registration information, tax status, contact details, privacy contact and UK/EU representative details are maintained in the Legal Notice. For privacy questions, rights requests, data protection complaints or international transfer information, use the privacy contact listed in the Legal Notice. Joqiva's UK and EU GDPR Article 27 representative details are stated in the Legal Notice.

Joqiva is operated by FOP Mykola Marchuk Mykolaiovych, an individual entrepreneur registered in Ukraine, trading as Joqiva. For the purposes of Article 27 UK GDPR, Joqiva has appointed Euverify Ltd (UK) as its UK representative. UK representative: Euverify Ltd (UK) 3rd Floor 86-90 Paul Street London EC2A 4NE United Kingdom Email: gdpr@euverify.com For the purposes of Article 27 EU GDPR, Joqiva has appointed Euverify Ltd (Ireland) as its EU representative for EEA individuals where EU GDPR applies. EU representative: Euverify Ltd (Ireland) Unit 3D North Point House North Point Business Park New Mallow Road Cork T23 AT2P Ireland Email: gdpr@euverify.com People in the UK, people in the EEA where EU GDPR applies, the UK Information Commissioner's Office and EU supervisory authorities may contact our representatives about UK GDPR or EU GDPR matters using the Euverify secure request and verification portal: https://gdpr.euverify.com/verify/280fd1c9-68eb-438f-a2cd-92302bb9129e You may also contact Joqiva directly at privacy@joqiva.co.uk. Our UK and EU representatives are appointed for Article 27 contact purposes only. They are not Joqiva's data protection officer, UK branch, EU branch, registered office, establishment, controller or processor.

The Joqiva operator, Mr Mykola Mykolaiovych Marchuk, is registered with the UK Information Commissioner's Office as a data protection fee payer. ICO registration reference: ZC164109 Date registered: 02 June 2026 Registration expires: 01 June 2027 This registration is not an ICO endorsement, approval or certification of Joqiva.

This Privacy Policy explains how Joqiva processes personal data where Joqiva acts as an independent controller. This includes personal data we process for: (a) account registration; (b) login and account administration; (c) subscription billing; (d) support; (e) website and Service operation; (f) customer-facing page operation; (g) service communications; (h) product administration; (i) security monitoring; (j) abuse and fraud prevention; (k) legal compliance; (l) business administration; (m) waitlist and marketing communications; (n) cookie consent and preferences; (o) internal product analytics and usage metrics; (p) limited service analytics; (q) affiliate attribution; and (r) partner programme administration. This Privacy Policy also explains how Joqiva handles personal data contained in customer, enquiry, job, quote, invoice, file, email, payment report, reminder, audit log and workspace data where Joqiva normally acts as a processor on behalf of a Joqiva customer. Where Joqiva acts as processor, the Joqiva Data Processing Agreement also applies. This Privacy Policy does not replace any privacy notice that a Joqiva customer must provide to its own End Customers, staff, suppliers or contacts where that customer acts as controller.

3.1 Joqiva as controller Joqiva acts as an independent controller when we decide why and how personal data is processed for our own purposes. This includes account data, billing administration data, support data, website visitor data, security logs, legal records, cookie consent records, service communications, internal product analytics and Joqiva business administration data. 3.2 Joqiva customer as controller For customer, enquiry, job, quote, invoice, file, email, payment report, reminder and workspace data that a Joqiva customer submits to or generates through the Service, the Joqiva customer is normally the controller. This means the Joqiva customer is responsible for deciding why and how that personal data is processed. 3.3 Joqiva as processor Where Joqiva processes Customer Personal Data on behalf of a Joqiva customer, Joqiva normally acts as processor. That processing is governed by the Joqiva Data Processing Agreement and the Joqiva customer's documented instructions. 3.4 If you are an End Customer If you are a customer, prospective customer, quote recipient, invoice recipient, payer or contact of a business using Joqiva, that business is normally the controller of your personal data. For example, if you receive a quote page, invoice page, reminder or customer-facing link from a service business using Joqiva, that business decides why your data is used. You should contact that business first if you have questions about its use of your personal data or if you want to exercise your data protection rights in relation to quote, invoice, job or payment workflow data. Joqiva may still process limited personal data about you as an independent controller where necessary for security, abuse prevention, legal compliance, website operation, service protection or legal claims. 3.5 Same data, different roles In some cases, the same item of personal data may be processed for different purposes. For example, Joqiva may process customer workflow data as processor for the Joqiva customer, while also processing limited technical, security or legal records as controller where necessary to operate, secure, protect or defend the Service.

We may collect and process the following categories of personal data. 4.1 Account and user data This may include: (a) name; (b) email address; (c) phone number; (d) authentication credentials or security information; (e) account identifiers; (f) user role; (g) workspace permissions; (h) login activity; (i) account status; (j) profile information; (k) workspace invitations; (l) authentication events; and (m) user preferences. 4.2 Business and workspace administration data This may include: (a) business name; (b) trading name; (c) business address; (d) business contact details; (e) VAT or tax details where provided; (f) plan information; (g) workspace settings; (h) user roles and permissions; (i) subscription status; (j) billing contact details; (k) business operating preferences; and (l) customer-facing display settings. 4.3 Billing and subscription data This may include: (a) billing contact name; (b) billing email; (c) billing address; (d) business name; (e) VAT or tax details; (f) subscription plan; (g) trial status; (h) renewal status; (i) Joqiva subscription invoices or receipts; (j) payment attempts; (k) payment status; (l) billing events; (m) safe billing-provider identifiers; (n) payment method references provided by the billing provider; (o) tax or VAT metadata; and (p) related accounting records. Joqiva does not store full payment card numbers, CVC codes or raw card data. Joqiva subscription billing is separate from payments that End Customers make to Joqiva customers. Where a billing provider or merchant of record processes subscription payments, that provider may process billing, payment, tax, anti-fraud and support information under its own privacy terms and legal obligations. Details of current billing providers are made available at checkout, in billing documentation, in the Refund Policy or on the Subprocessors page where applicable. Billing providers are not used for customer invoice bank-transfer payment tracking. Joqiva does not process, collect, hold, transfer, settle or control End Customer invoice payments. End Customers pay the Joqiva customer directly by bank transfer. 4.4 Support and communication data This may include: (a) support requests; (b) support messages; (c) email communications; (d) call notes; (e) screenshots; (f) attachments; (g) technical details submitted in support requests; (h) issue history; (i) feedback; (j) survey responses; and (k) complaint records. You should not send passwords, full payment card numbers, unnecessary special category data, unnecessary identity documents or irrelevant sensitive information in support requests. 4.5 Website, app and device data This may include: (a) IP address; (b) browser and device information; (c) operating system information; (d) application version where applicable; (e) referring pages; (f) pages or screens visited; (g) timestamps; (h) session information; (i) approximate location inferred from IP address; (j) cookie identifiers where used; (k) consent preferences; (l) diagnostics where used; and (m) technical request logs. 4.6 Security and abuse prevention data This may include: (a) IP addresses; (b) login and authentication events; (c) failed login attempts; (d) account recovery events; (e) suspicious activity indicators; (f) usage-limit and abuse-prevention events; (g) audit logs; (h) access logs; (i) integration and operational logs; (j) error logs; (k) fraud or abuse indicators; and (l) incident investigation records. 4.7 Marketing and waitlist data This may include: (a) name; (b) email address; (c) business name; (d) role; (e) industry; (f) location; (g) product interest; (h) communication preferences; (i) waitlist status; (j) marketing consent status; (k) unsubscribe status; and (l) engagement with marketing communications where lawfully tracked. Where account access is not open to everyone, Joqiva may collect your email address through waitlist or access request forms so we can contact you when access is available. 4.8 Affiliate attribution and partner programme data If you apply to become a Joqiva partner, use a partner link, refer a potential customer, or are attributed through the Joqiva Partner Programme, Joqiva may process limited affiliate attribution data and partner programme administration data. This may include: (a) partner name or business name; (b) partner contact details; (c) partner website, profile or channel information; (d) partner programme application data; (e) affiliate click or reference identifiers; (f) campaign or source information; (g) conversion references; (h) conversion status; (i) amount and currency for eligible Joqiva subscription payments; (j) plan group; (k) commission status; (l) commission validation information; (m) fraud-prevention information; and (n) timestamps. Joqiva may use an affiliate network or partner programme provider to help administer the Partner Programme. Details of current partner programme providers are listed in the Subprocessors page or Partner Terms where applicable. Affiliate commission applies only to eligible Joqiva subscription payments after validation and approval. Customer invoice payments are not commissionable and are not processed through Joqiva, subscription billing providers or affiliate networks. 4.9 Customer-facing page interaction data If you interact with a Joqiva customer-facing quote page or invoice page, we may process: (a) name; (b) email address; (c) phone number; (d) IP address; (e) timestamps; (f) technical information about the device or browser used; (g) page interaction records; (h) quote view records; (i) quote acceptance or decline records; (j) quote question records; (k) invoice view records; (l) document download records; (m) "I've paid" confirmations; (n) payment-related comments; (o) uploaded payment evidence; (p) customer-facing page access information; and (q) related audit history. Most of this data is processed by Joqiva as processor for the Joqiva customer. Joqiva may also process limited technical and security data as controller where necessary to operate, secure and protect the Service, prevent abuse, comply with law or handle legal claims. 4.10 Customer workspace data Joqiva customers may submit or generate personal data in workspaces, including: (a) customer names; (b) customer contact details; (c) service addresses; (d) job descriptions; (e) job notes; (f) quote details; (g) invoice details; (h) invoice items; (i) quote items; (j) payment status; (k) payment reports; (l) payment workflow records; (m) quote acceptances; (n) document view records; (o) files; (p) PDFs; (q) email content; (r) email attachments; (s) payment proof files; (t) audit logs; (u) integration and operational event records; (v) operational task records; (w) bank transfer instructions; and (x) other information submitted by the Joqiva customer or its End Customers. Joqiva normally processes this data as processor on behalf of the Joqiva customer. 4.11 Bank transfer instruction data Joqiva customers may enter bank transfer instructions into the Service so they can be displayed on quotes, invoices, customer-facing pages, reminders and PDFs. This may include: (a) account name; (b) sort code; (c) account number; (d) IBAN, where used; (e) payment reference; (f) payment terms; and (g) payment instructions. If these details identify a sole trader or individual, they may be personal data. Joqiva does not collect, hold, transfer, settle or control money owed by End Customers to Joqiva customers. End Customers pay directly into the Joqiva customer's bank account. 4.12 AI-assisted processing data If AI-assisted features are enabled, Joqiva may process content submitted to the Service to help create draft suggestions or extracted fields. This may include: (a) inbound email content; (b) message content; (c) attachments; (d) customer names; (e) contact details; (f) job descriptions; (g) enquiry details; (h) extracted draft fields; (i) reviewed or validated AI-assisted output; (j) usage and operational metadata; and (k) error or operational logs. AI-assisted features create drafts only. They do not create final jobs, final quotes, final invoices, final customer communications or final business decisions. Further information is available in the AI Processing Notice. 4.13 Product analytics and usage data Joqiva may process limited product analytics and usage data to understand how the Service is used, improve reliability and usability, manage trials and subscriptions, understand feature usage, monitor usage limits and improve customer experience. This may include: (a) safe account, user or workspace identifiers; (b) event names; (c) feature names; (d) entity types; (e) plan or subscription status; (f) usage counts; (g) usage limits; (h) route or page groups; (i) event results; (j) timestamps; and (k) limited operational metadata. Where analytics uses cookies, browser storage or similar storage/access technologies, Joqiva will obtain consent where required unless an exemption applies under applicable law. Joqiva does not intentionally send customer quote or invoice content, payment proof content, bank details, payment instructions, AI raw input or output, email bodies, customer names, customer email addresses, customer phone numbers, SMS delivery metadata, credentials, secrets, provider message payloads or full URLs containing access information to analytics providers. Aggregated or anonymised analytics may be used to understand, operate, secure and improve the Service. Pseudonymised analytics data may still be personal data where an individual can be identified directly or indirectly.

We may collect personal data from: (a) you directly; (b) Joqiva customers; (c) workspace owners and administrators; (d) invited users; (e) End Customers interacting with customer-facing pages; (f) emails sent to or through Joqiva; (g) support requests; (h) subscription billing providers where used; (i) service providers used to operate the Service; (j) third-party platforms where applicable; (k) cookies and similar technologies; (l) analytics or monitoring tools where used; (m) public business sources where relevant to lawful B2B communications; (n) affiliate networks, partner links and partner programme applications where used; and (o) legal, security, fraud-prevention or compliance sources where necessary. Where we obtain personal data from a source other than the individual it relates to, we provide privacy information where required by applicable law, taking account of the nature of the processing, the reasonable expectations of the individual and whether Joqiva acts as controller or processor. If you provide personal data about another person, you must have the right to do so and must provide any privacy notice required by applicable law.

We rely on different lawful bases depending on the purpose of processing. 6.1 To provide the Service Purpose: To create accounts, authenticate users, provide workspaces, operate the app, provide access to features, manage subscriptions, provide customer-facing pages and deliver the Service. Personal data: Account data, user data, workspace administration data, login data, app data, subscription data and technical data. Lawful basis: Contract, where processing is necessary to enter into or perform a contract with you as an individual, sole trader or business user. Legitimate interests, where processing is necessary to operate and administer a B2B SaaS service for a business customer, including where the user acts for a business or organisation. 6.2 To manage SaaS subscriptions and billing Purpose: To manage trials, subscriptions, renewals, invoices, payment attempts, billing events, cancellations, downgrades and Read-Only Mode. Personal data: Billing contact details, business details, plan information, invoices, payment status, billing events and safe billing-provider identifiers for Joqiva subscriptions. Lawful basis: Contract, where applicable. Legal obligation, where records must be kept for tax, accounting or compliance purposes. Legitimate interests in managing billing, payment recovery, subscription administration and financial administration. 6.3 To provide support Purpose: To respond to support requests, troubleshoot issues, investigate bugs, communicate with users and improve support quality. Personal data: Contact details, support messages, screenshots, attachments, workspace identifiers, technical logs and issue history. Lawful basis: Contract, where support is part of the Service. Legitimate interests in supporting users, troubleshooting issues and improving the Service. 6.4 To send service communications Purpose: To send account messages, security notices, product notices, billing notices, trial notices, subscription notices, legal updates, operational messages and support communications. Personal data: Name, email address, account information, workspace role, subscription status and communication history. Lawful basis: Contract, where communications are needed to provide or administer the Service. Legal obligation for required notices. Legitimate interests in operating and administering the Service. 6.5 To secure and protect the Service Purpose: To authenticate users, prevent unauthorised access, detect abuse, investigate incidents, maintain audit records, apply security and abuse-prevention controls, and protect Joqiva, customers, End Customers and third parties. Personal data: IP addresses, login events, audit logs, access logs, device or browser information, security events and technical logs. Lawful basis: Legitimate interests in security, fraud prevention, abuse prevention and service protection. Legal obligation where security or breach-related processing is required by law. 6.6 To operate websites, apps and documented interfaces Purpose: To deliver website pages, app functionality, documented interfaces, customer-facing pages, redirects, waitlist pages and technical infrastructure. Personal data: IP address, browser data, device data, app data, page request data, session information, interface request data and technical logs. Lawful basis: Contract, where the processing is necessary to provide the Service. Legitimate interests in operating websites, apps and documented interfaces. 6.7 To use cookies and similar technologies Purpose: To run the site and Service, keep sessions secure, remember preferences, store cookie consent choices, protect against abuse, measure performance where permitted, use analytics cookies or similar storage where consent has been given, use limited low-risk or exempt storage/access technologies where permitted by law, and support marketing or advertising where selected, configured and permitted. Personal data: Cookie identifiers, device or browser information, consent preferences, route or page groups, analytics event metadata, page events and usage data. Lawful basis: Consent, where required for non-essential cookies, analytics cookies, similar storage/access technologies, marketing technologies or advertising technologies. Legitimate interests, where technologies are strictly necessary, lawfully exempt, or where limited analytics or operational measurement is permitted without consent under applicable law. More information is available in the Cookie Policy. 6.8 To send marketing or waitlist communications Purpose: To send product updates, launch updates, waitlist emails, business communications, offers and information about Joqiva. Personal data: Name, email address, business name, role, product interest, communication preferences and engagement data. Lawful basis: Consent, where required. Legitimate interests in B2B marketing and communicating with business contacts, where lawful and balanced against individual rights. Soft opt-in where it applies under electronic communications law. For corporate subscribers, B2B marketing may be sent without PECR consent where lawful, but Joqiva must not disguise its identity and must provide a valid opt-out address. For sole traders and some partnerships, Joqiva will use consent or soft opt-in where required. You can unsubscribe from marketing emails at any time. 6.9 To improve the Service and understand product usage Purpose: To understand usage, improve features, fix bugs, improve workflows, analyse performance, understand trial conversion, monitor plan and usage boundaries, and make the Service more useful for small service businesses. Personal data: Product usage data, safe internal product analytics events, usage counters, feedback, support history, technical logs, aggregated statistics and anonymised information. Lawful basis: Legitimate interests in improving, securing and administering the Service, including internal product analytics and limited operational measurement where appropriate. Consent, where improvement activity relies on non-essential cookies, analytics cookies, similar storage/access technologies, marketing technologies or tracking that requires consent. 6.10 To comply with law and protect legal rights Purpose: To comply with legal obligations, maintain records, respond to lawful requests, handle complaints, enforce terms, resolve disputes and protect legal rights. Personal data: Account data, billing records, support records, complaint records, security logs, legal correspondence, audit logs and relevant workspace records. Lawful basis: Legal obligation. Legitimate interests in legal compliance, dispute resolution and protection of rights. 6.11 To process Customer Personal Data as processor Purpose: To process customer, job, quote, invoice, file, email, payment report, reminder and workspace data on behalf of Joqiva customers. Lawful basis: The Joqiva customer is responsible for identifying the lawful basis where it acts as controller. Joqiva processes this data as processor under the DPA and the Joqiva customer's documented instructions. 6.12 To provide AI-assisted features Purpose: To help create draft suggestions, classifications, summaries or extracted fields from submitted emails, messages, attachments or related content. Personal data: Submitted content, inbound email content, attachments, customer contact details, job details, extracted draft fields, reviewed or validated AI-assisted output, usage metadata and operational logs. Lawful basis: Where Joqiva acts as processor, the Joqiva customer is responsible for the lawful basis and Joqiva processes under the DPA and documented instructions. Where Joqiva processes limited technical, security or operational AI metadata as controller, Joqiva relies on legitimate interests in providing, securing, monitoring and improving the Service.

Purpose: To review partner applications, attribute referred Joqiva subscriptions, validate conversions, prevent fraud and administer commission approval. Personal data: Partner programme application data, partner contact details, affiliate click or reference identifiers, campaign or source data, conversion references, conversion status, amount and currency for eligible Joqiva subscription payments, plan group, commission status, commission validation information and fraud-prevention information. Lawful basis: Contract, where processing is necessary to administer partner programme terms with a partner. Legitimate interests in operating a B2B affiliate programme, validating commission, preventing fraud, avoiding duplicate or self-referral commissions and maintaining accurate business records. Legal obligation, where records must be kept for tax, accounting or compliance purposes. Consent, where a cookie or similar technology is used for affiliate attribution and consent is required.

Where we rely on legitimate interests, our interests may include: (a) operating a B2B SaaS service; (b) providing account administration; (c) securing the Service; (d) preventing abuse and fraud; (e) supporting users; (f) improving product reliability; (g) managing billing and subscriptions; (h) communicating with business users; (i) keeping appropriate business records; (j) enforcing our Terms of Service; (k) protecting legal rights; (l) maintaining audit history; (m) investigating incidents; (n) developing and improving Joqiva; (o) understanding product usage and trial conversion; (p) managing plan, entitlement and usage boundaries; (q) operating the Joqiva Partner Programme; (r) validating affiliate commission; and (s) preventing partner programme fraud, duplicate commissions and self-referrals. When we rely on legitimate interests, we consider whether our interests are overridden by the rights and freedoms of the individuals whose personal data is processed. We do not rely on legitimate interests where consent is required under PECR or other applicable law for cookies, similar technologies or direct marketing.

Some personal data is needed to provide the Service. If you do not provide account, authentication, workspace, billing or technical data that is necessary for the Service, we may not be able to create an account, provide access, operate a workspace, process a subscription, provide support or comply with legal obligations. Marketing and waitlist communications are optional. Non-essential cookies and similar technologies are optional where consent is required. Where Joqiva processes Customer Personal Data as processor, the Joqiva customer is responsible for deciding what personal data is necessary for its own business use case and for giving appropriate notices to End Customers, staff, suppliers and contacts.

Joqiva is not designed for systematic processing of special category data or criminal offence data. Special category data includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, sex life or sexual orientation. Criminal offence data is subject to additional restrictions under UK data protection law. Joqiva customers should not submit criminal offence data unless they have identified a lawful basis, any required additional condition and an appropriate business need. Joqiva customers and users should not submit special category data, criminal offence data, children's data, passwords, full payment card details, unnecessary identity documents or confidential third-party information unless it is necessary, lawful and appropriate for their business use case. If special category data or criminal offence data is incidentally submitted into the Service, Joqiva will process it according to the relevant customer instructions, the DPA and applicable law, unless Joqiva must process it for security, legal claims, compliance or another lawful controller purpose.

Joqiva is a business-to-business service and is not intended for children. Users must be at least 18 years old. Joqiva customers should not intentionally submit children's personal data unless it is lawful, necessary and appropriate for their business use case. If Joqiva becomes aware that the Service is likely to be accessed by children in a way that requires additional safeguards, Joqiva will assess and update its privacy and product safeguards where required by applicable law.

Joqiva may include AI-assisted features that help create draft suggestions, classifications, summaries or extracted fields from emails, messages, attachments or other content submitted to the Service. AI-assisted features create drafts or suggestions only. AI-assisted features do not create final jobs, final quotes, final invoices, final customer communications or final business decisions. Users must review, correct and approve AI-assisted output before using it in their business. AI-assisted processing is handled through Joqiva systems and approved service providers listed in the AI Processing Notice and Subprocessors page where applicable. Joqiva may process source content, reviewed or validated output, usage metadata, status information, validation information and operational logs where needed to provide, secure, monitor and audit the feature. Joqiva will not enable an AI service provider for Customer Personal Data unless relevant data protection terms, transfer safeguards and public disclosures are in place. Joqiva does not use AI-assisted features to make solely automated decisions about individuals that have legal or similarly significant effects. Further information is available in the AI Processing Notice.

Joqiva may process inbound emails, outbound emails, forwarded emails, parsed emails, attachments, reminders, customer-facing quote link SMS delivery attempts, delivery events, bounces and related email or SMS metadata. This may include: (a) sender and recipient email addresses; (b) sender and recipient names; (c) recipient phone numbers; (d) subject lines; (e) email body content; (f) SMS message content required to deliver a customer-facing quote link; (g) attachments; (h) quote or invoice links; (i) customer-facing page links; (j) email and SMS delivery events; (k) SMS delivery status metadata; (l) bounce events; (m) open and click events where configured and lawful; (n) IP addresses; (o) timestamps; (p) message identifiers; and (q) related technical metadata. Email addresses may be used to send customer-facing quote links by email. Phone numbers may be used to send customer-facing quote links by SMS where SMS delivery is selected and available. Manual copy-link sharing is initiated by the workspace user outside automated provider delivery. SMS delivery metadata may be processed for delivery attempts, status tracking, troubleshooting, audit and security. SMS delivery is an attempted communication and may not always succeed. Most email and SMS content processed for customer workflow is processed by Joqiva as processor for the Joqiva customer. Joqiva may also process limited email, SMS and technical data as controller for security, abuse prevention, service operation and legal compliance. Approved communications providers handle email and SMS delivery where those features are enabled. Current provider information is maintained at Subprocessors page. Open and click tracking is disabled by default. If Joqiva later enables open or click tracking, Joqiva will update relevant privacy information and obtain consent where required before using it.

Joqiva does not process, collect, hold, transfer, settle or control money owed by End Customers to Joqiva customers. End Customers pay directly into the Joqiva customer's bank account by bank transfer. Joqiva may display bank transfer instructions, record "I've paid" confirmations, record payment reports, record owner confirmation, show overdue invoice status and send reminders. Joqiva subscription billing is different. Joqiva may use a billing provider or merchant of record to process subscription fees payable for access to the Service. That provider may process subscription billing data, billing contact details, business details, tax or VAT information, subscription plan, renewal status, payment attempts, payment status, safe provider identifiers and tax metadata. Joqiva does not store full payment card numbers, CVC codes or raw card data. Joqiva must not use End Customer invoice payment records as evidence of a Joqiva customer's subscription payment.

We use cookies and similar technologies such as local storage, session storage, pixels, SDKs, device identifiers or similar storage/access technologies where applicable. We use these technologies for purposes such as: (a) running the Service; (b) keeping sessions secure; (c) remembering preferences; (d) storing cookie consent choices; (e) protecting against abuse; (f) using analytics cookies or similar storage where consent has been given; (g) using limited low-risk or exempt storage/access technologies where permitted by law; (h) measuring performance where permitted; and (i) marketing or advertising where selected, configured and permitted. Joqiva will not use non-essential cookies, analytics cookies, marketing technologies or advertising technologies before obtaining valid consent where consent is required. Marketing cookies and advertising technologies are not currently used unless the Cookie Policy states otherwise. More information is available in our Cookie Policy. You can change cookie preferences through the Cookie Settings tool where available.

We may share personal data with the following categories of recipients. 15.1 Joqiva customers and workspace users If you interact with a customer-facing quote page, invoice page, reminder or payment workflow, relevant data may be shared with the Joqiva customer that uses the Service. Workspace owners and authorised users may access personal data within their workspace according to their permissions. 15.2 Service providers, subprocessors and third-party recipients We may share personal data with providers that help us operate the Service, including providers for: (a) core service operation; (b) communications; (c) AI-assisted processing, if enabled; (d) service monitoring and reliability; (e) security; (f) support; (g) analytics, if used; (h) subscription billing; (i) affiliate or partner programme administration; and (j) business operations. Where Joqiva processes Customer Personal Data as processor, approved subprocessors are listed at Subprocessors page. Some third-party providers may act as independent controllers for their own legal, tax, anti-fraud, payment, security or compliance purposes. Their own privacy terms may apply to that processing. Provider names, processing locations, transfer safeguards and provider roles are maintained in the Subprocessors page, Cookie Policy, Refund Policy, checkout documentation or Partner Terms where applicable. 15.3 Subscription billing providers We may share billing and subscription data with billing providers or merchants of record to manage Joqiva subscription fees, invoices, payment attempts, payment status, tax calculation, refunds, billing support and related administration. This may include billing contact name, billing email, billing address, business name, VAT or tax details, subscription plan, renewal status, payment attempts, payment status, safe billing-provider identifiers and tax metadata. This does not involve processing End Customer invoice payments. Billing providers are not used for customer invoice bank-transfer payment tracking. 15.4 Affiliate network and partner programme providers Joqiva may use an affiliate network or partner programme provider to administer partner applications, attribution, conversion validation, fraud prevention and commission approval. Joqiva minimises the data shared with partner programme providers. Data shared with partner programme providers may include: (a) conversion reference; (b) affiliate click or reference identifier; (c) amount and currency for an eligible Joqiva subscription payment; (d) plan group; (e) commission status; and (f) fraud-prevention information. Joqiva does not use affiliate networks for customer invoice payments, customer invoice bank-transfer payment tracking, customer invoice contents, workspace business contents or customer-facing quote/invoice data. 15.5 Professional advisers We may share personal data with lawyers, accountants, auditors, insurers and professional advisers where necessary for legal, accounting, audit, insurance, compliance or business purposes. 15.6 Authorities and legal recipients We may share personal data with regulators, courts, law enforcement, public authorities or other third parties where required by law or where necessary to protect rights, safety, security, legal claims or the Service. 15.7 Business transfers If Joqiva is involved in a merger, acquisition, financing, restructuring, sale of assets or transfer of business, personal data may be shared with parties involved in that transaction, subject to appropriate confidentiality and data protection safeguards. 15.8 Third-party platforms If you connect third-party services to Joqiva, those third-party services may process personal data under their own terms and privacy policies.

Joqiva provides a UK-first SaaS service. Personal data may be processed, stored, accessed or supported from the United Kingdom, Joqiva operating locations, approved provider locations and other countries where Joqiva or its service providers operate. Where required by applicable data protection law, we use appropriate transfer mechanisms for international transfers. These may include: (a) adequacy arrangements where applicable; (b) UK transfer terms or addenda; (c) standard contractual clauses where applicable; (d) approved certification, rules or equivalent safeguards where applicable; (e) transfer risk assessments or equivalent assessments; (f) supplementary technical, contractual or organisational measures; or (g) another lawful transfer mechanism or exception available under applicable law. Where no UK adequacy regulation applies, Joqiva will not rely on adequacy alone and will use another lawful transfer mechanism or exception where required. For Customer Personal Data processed by Joqiva as processor, international transfer details are set out in the DPA and the Subprocessors page. You can contact us using the privacy contact listed in the Legal Notice if you want more information about international transfer safeguards. Joqiva's UK/EU representative information, where required, is maintained in the Legal Notice.

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention depends on the type of data, the purpose of processing, workspace status, legal requirements, security needs, dispute risk and customer instructions where Joqiva acts as processor. 17.1 Account and user data Account and user data is generally kept while the account or workspace is active or in Read-Only Mode. After a valid account deletion request, we will delete or anonymise relevant account data within 90 days where legally and technically possible, except for records that must or may be kept longer. 17.2 Customer, job, quote and invoice data Customer, job, quote and invoice data is generally kept while the workspace is active or in Read-Only Mode. Inactive or Read-Only Mode workspaces are not automatically deleted solely because a trial or subscription has ended. 17.3 Deletion requests After a valid deletion request for an account or workspace, we will delete or anonymise relevant data within 90 days where legally and technically possible. We may retain records that must or may be kept longer for legal, tax, accounting, audit, dispute, security, fraud prevention, compliance or legitimate business purposes. 17.4 Standard retention periods The following standard retention periods may apply: (a) customer, job, quote and invoice data: kept while the workspace is active or in Read-Only Mode; (b) invoices, invoice items, quotes, payments, payment reports, quote acceptances and audit-relevant business history: 6 years where retained as part of workspace history, accounting, audit or legal records; (c) VAT/accounting-relevant records: 6 years; (d) files, PDFs and payment proofs: kept with the corresponding workspace, job or document data; (e) email messages and inbound emails: kept with the corresponding workspace or job data; (f) email events and delivery logs: up to 24 months; (g) SMS delivery status metadata: up to 24 months; (h) integration and operational event logs: up to 24 months; (i) operational task records: up to 24 months; (j) audit logs: 6 years for audit-relevant history; (k) SaaS billing events and billing records: 6 years; (l) partner programme application, affiliate attribution and commission validation records: kept for as long as reasonably necessary to administer the partner programme, validate or reject commission, prevent fraud, handle disputes and meet accounting, tax or compliance obligations; (m) document view records: kept with the corresponding workspace, quote, invoice or audit history where needed for security, audit, support or legal reasons; (n) exports: up to 30 days; (o) backups: up to 90 days; (p) inactive or Read-Only Mode workspaces: not automatically deleted solely because the trial or subscription has ended; and (q) deleted or cancelled accounts: deleted or anonymised within 90 days except for legal, tax, accounting, audit, dispute, security, fraud prevention and compliance records. 17.5 Support records Support records are generally kept for up to 24 months after the support matter is closed, unless a longer period is needed for legal, security, audit, dispute or service improvement purposes. 17.6 Marketing and waitlist records Marketing and waitlist records are kept until you unsubscribe, withdraw consent, ask us to delete them, or we decide they are no longer needed. We may keep a suppression record to make sure we do not send you marketing after you unsubscribe. 17.7 Cookie consent records Cookie consent and preference records may be kept for up to 24 months after your last consent choice or for another period required to demonstrate compliance. 17.8 Security records Security logs and abuse prevention records may be kept for up to 24 months, unless a longer period is needed for security, investigation, legal claims, fraud prevention or compliance. 17.9 Product analytics and usage records Product analytics and usage records are generally kept for up to 24 months unless a shorter period is configured or a longer period is reasonably needed for security, fraud prevention, billing, legal claims or compliance. Analytics records are limited to approved event metadata and, where analytics cookies or similar storage are accepted, pseudonymous visitor or session identifiers. Aggregated or anonymised analytics may be kept for longer where it no longer identifies individuals. 17.10 Affiliate attribution and partner programme records Partner programme application records, affiliate click or reference identifiers, conversion references, conversion status, commission validation information and fraud-prevention information may be kept for as long as reasonably necessary to administer the programme, validate or reject commission, prevent fraud, handle partner disputes and keep accounting, tax or compliance records. Where records are needed for accounting, tax, audit, dispute or legal purposes, they may be kept for up to 6 years after the relevant transaction, relationship or dispute ends, unless a longer period is required or permitted by law. 17.11 Complaints and rights requests Data protection complaints, rights requests and related correspondence may be kept for up to 6 years where needed to show compliance, handle disputes or protect legal rights. 17.12 Backups Backups may be retained for up to 90 days. Backup deletion may occur on the next scheduled backup deletion cycle. Backup data may be isolated, protected and not used for ordinary Service purposes before deletion. 17.13 Longer retention Retention periods may be longer where required or permitted by law, court order, regulator, dispute, investigation, security incident, fraud prevention need or legal claim.

We use reasonable technical and organisational measures designed to protect personal data. Our security measures may include access controls, authentication controls, role-based permissions, customer-environment separation, logging, monitoring, abuse-prevention measures, backup and recovery measures, secure credential handling, provider security controls and malware-prevention measures where appropriate. No online service can be guaranteed to be completely secure. You are responsible for keeping your own login details, devices, email accounts, API credentials, workspace permissions, customer-facing links and bank transfer details secure. You should tell us promptly if you suspect unauthorised access, account compromise, credential compromise, unauthorised changes to bank details, unauthorised changes to payment instructions or a security incident affecting your workspace.

Depending on the circumstances and applicable law, you may have the following rights: (a) the right to be informed about how your personal data is used; (b) the right of access to your personal data; (c) the right to rectification of inaccurate or incomplete personal data; (d) the right to erasure of personal data in certain circumstances; (e) the right to restriction of processing in certain circumstances; (f) the right to data portability in certain circumstances; (g) the right to object to processing in certain circumstances; (h) the right to withdraw consent where processing is based on consent; (i) rights related to automated decision-making and profiling; and (j) the right to lodge a complaint with a supervisory authority. These rights are not absolute and may depend on the lawful basis, the type of personal data and the reason for processing. To exercise your rights, use the privacy contact listed in the Legal Notice. We may need to verify your identity before responding. We will respond to rights requests without undue delay and within the time required by applicable law. Where permitted by law, we may ask for additional information to verify your identity or clarify the request, and the response period may pause while we wait for that information. If your request relates to Customer Personal Data processed by Joqiva on behalf of a Joqiva customer, we may refer your request to that customer or act on that customer's instructions. If you are an End Customer and your request relates to quote, invoice, job, payment workflow or customer data controlled by a Joqiva customer, you should contact that Joqiva customer first.

You have the right to object to processing based on legitimate interests in certain circumstances. You always have the right to object to direct marketing. You can opt out of marketing emails by using the unsubscribe link in the email or by using the privacy contact listed in the Legal Notice. If you object to security, legal compliance, service operation or billing-related processing, we may need to continue processing where we have compelling legitimate grounds or legal obligations. If your objection relates to Customer Personal Data processed by Joqiva as processor, we may refer the objection to the relevant Joqiva customer or act on that customer's instructions.

Where we rely on consent, you can withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal. You can withdraw cookie consent through the Cookie Settings tool where available. Withdrawing or rejecting analytics cookies or similar storage stops Joqiva from using consent-based analytics cookies or storage for analytics measurement. It does not necessarily stop strictly necessary processing, security processing, or limited analytics or operational measurement that is permitted without consent under applicable law. You can withdraw marketing consent by using unsubscribe links or contacting us. Consent must be as easy to withdraw as it is to give where applicable law requires this.

Joqiva does not use personal data to make decisions about individuals that are solely automated and have legal or similarly significant effects. AI-assisted features create drafts, suggestions or extracted fields only. A Joqiva user must review and approve AI-assisted output before using it in their business. If Joqiva later introduces automated decision-making that has legal or similarly significant effects, we will update this Privacy Policy, provide the information required by applicable law, and implement required safeguards before using it.

If you have a concern about how Joqiva uses your personal data, please contact us first using the privacy contact listed in the Legal Notice. Please include "Data protection complaint" in the subject line where possible. We will acknowledge receipt of your data protection complaint within 30 days. We will take appropriate steps to investigate and respond without undue delay. We will tell you the outcome of your complaint without undue delay. If your complaint relates to Customer Personal Data processed by Joqiva on behalf of a Joqiva customer, we may refer the complaint to that customer or handle it in cooperation with that customer. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or any successor supervisory authority.

The Service may link to third-party websites, apps or services. Third-party services are not controlled by Joqiva and may process personal data under their own privacy policies. This Privacy Policy does not apply to third-party websites, apps or services.

If you connect third-party services to Joqiva, those third-party services may process personal data under their own terms and privacy policies. This Privacy Policy does not apply to third-party websites, apps or services.

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, such as by updating this page, sending an email, showing an in-app notice or posting a website notice. The updated Privacy Policy applies from the effective date shown at the top of the page. If we plan to use personal data for a new purpose that is materially different from the purposes described in this Privacy Policy, we will update our privacy information and communicate the change where required before starting that new processing.

For privacy questions, rights requests, data protection complaints or international transfer information, use the contact details maintained in the Legal Notice. The current privacy contact and legal contact are listed in the Legal Notice.