Privacy Policy
How we collect, use, and protect your personal data, and the rights you have over it.
Last updated 15 June 2026 · Version 2026-06-15
This Privacy Policy explains how SIA Karto (“Jepex”, “we”, “us”) handles personal data when you use the Jepex website (jepex.app) and the Jepex applications for macOS and iOS. We are the data controller for that processing. You can reach us at privacy@jepex.app, and our full company details are on the Legal Notice page.
What we collect
Account & sign-in
Your email address. We sign you in with a one-time code sent to that address. There is no password, and none is stored. If you sign in with Apple or Google, we receive the identifier and basic profile details (such as email and name) that you authorise them to share.
Profile
Your display name, username, bio, avatar image, any links you add to your other profiles, and the camera models you list.
Content you create
The recipes you make (camera settings, descriptions, tags), the photos you attach to them, and your favourites. When you upload a photo we remove all embedded metadata (EXIF, including GPS location) from the image file before it is stored. The shot details relevant to the recipe (camera make and model, lens, focal length, aperture, shutter speed and ISO) may be read from the photo at upload and saved as part of the recipe; like the rest of the recipe, they are public if you publish it.
The photo library you browse and edit in the apps stays on your device. We do not upload it. Only the photos you choose to attach to a recipe are uploaded. When you match a photo against recipes, the photo is analysed on your device or in your browser and is never sent to our servers.
Subscription & payment
Payments are handled by Stripe. We receive your subscription tier and status and a Stripe customer reference. If you subscribe through an app store (Apple App Store or Google Play, where available), the store processes your payment instead, and we receive your subscription status through RevenueCat, our subscription-management provider for app-store purchases. In no case do we receive or store your full card number. Stripe collects the billing details it needs to take payment and to calculate the correct VAT.
Usage analytics
We use analytics at two levels:
- Anonymous, aggregate measurement: we count overall traffic, such as page views and which pages are popular, using cookieless, privacy-first web analytics (Cloudflare). It sets no cookies, builds no profile, and cannot single you out. Because of that it runs for all visitors, including in the EU, under our legitimate interest in understanding how the site is used; your IP address and browser type are processed only transiently to produce the aggregate counts.
- Identified product analytics: more detailed
product-usage events (which recipes or features are used) and app diagnostics
such as crash and error events, using PostHog, hosted in the European Union and
linked to you. Whether we ask first depends on where you are:
- Regions that require opt-in consent (such as the EU/EEA, the United Kingdom and Switzerland): this runs only if you opt in, and stays off otherwise. Signed-in users are asked through a short in-product prompt and can change the choice in Account settings; it is never on by default.
- Everywhere else: it may run by default, and you can opt out at any time through the “Cookie settings” link in the footer or, when signed in, in your Account settings.
We determine your region from your IP address at the time of your visit. For signed-in users, the identified-analytics choice is stored with your account and applies on web and in the apps, and an explicit opt-out is never overridden by a regional default. We do not use session recording.
Waitlist
If you join our waitlist, your email address, used to send you a confirmation and launch updates. These emails are delivered through Resend.
Technical & security data
Your IP address, browser and device information, and server logs, processed by our hosting and content-delivery provider (Cloudflare) to deliver and protect the service, including when the apps check for updates, together with the cookies described below. To apply plan limits we also count certain actions against your account (for example, how many photo matches a free plan has used).
Terms-acceptance records
When you accept our Terms of Service or this Privacy Policy (when you create your account, and again after any material update) we record which document and version you accepted, the date and time, and the method of acceptance, together with the IP address and browser/device (user-agent) information of the request, so that we can demonstrate which terms applied to your account.
Why we use it & legal bases
Under the EU General Data Protection Regulation (GDPR), we rely on:
- Performance of a contract: to create and run your account, provide the apps and website, process your subscription, and apply plan limits.
- Consent: for usage analytics and affiliate cookies in regions that require opt-in consent, and for waitlist/marketing emails everywhere. You can withdraw consent at any time.
- Legitimate interests: to keep the service secure, prevent fraud and abuse, measure anonymous aggregate traffic (cookieless, for all visitors), and understand how the product is used at an identified level (in regions where opt-in consent is not required, with an opt-out available at any time), balanced against your rights and freedoms, and to keep the terms-acceptance records described above for the establishment and defence of legal claims.
- Legal obligation: to keep invoices and accounting records as required by Latvian law.
Cookies & analytics
We use a small number of cookies and similar technologies:
- Strictly necessary: session cookies that keep you
signed in (for example
sb_access_tokenandsb_refresh_token, which are HttpOnly). These are required for the site to work and do not need consent. - Analytics: PostHog cookies, for identified product analytics. In regions that require opt-in consent they are set only if you opt in; elsewhere they may be set by default. Data is hosted in the EU. Our aggregate traffic measurement (Cloudflare) is cookieless and stores nothing on your device.
- Affiliate: Rewardful cookies, used to credit referrals from our affiliates, set on the same regional basis as identified analytics.
You can change your analytics choice at any time through the “Cookie settings” link in the footer of every page. For signed-in users the choice is saved to your account and applies on web and in the apps; it can also be changed in Account settings.
Content that is public
Published recipes and public profiles are public by design. Your display name, username, bio, avatar, links, camera list, and any photos you attach to published recipes (together with any camera, lens and exposure details saved with them) are visible to anyone and can be indexed by search engines. We submit published pages for indexing. Please don’t include anything in them you wouldn’t want to be public.
Marketing use of published content. Under the content licence in our Terms of Service, we may feature published recipes and their attached photos in Jepex marketing (on our own channels and on third-party platforms such as Instagram, TikTok, YouTube and X) and we credit you by your display name (or another identifier you have set). The legal basis is the performance of that contract. If you unpublish or delete the content, we stop using it in new marketing, and you can object to a particular use at any time by emailing privacy@jepex.app.
Who we share data with
We share data only with service providers who process it on our behalf, each under a data processing agreement. We do not sell your personal data.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, photo storage | EU (Ireland) |
| PostHog | Product usage analytics (see Cookies & analytics) | EU |
| Stripe | Payments and subscription billing | EU / US |
| RevenueCat | App-store subscription status (where you subscribe via an app store) | US |
| Cloudflare | Hosting, content delivery, security, and cookieless aggregate web analytics | Global edge |
| Resend | Waitlist and transactional email | US |
| Rewardful | Affiliate referral attribution (see Cookies & analytics) | US |
| Apple, Google | Sign in with Apple / Google | Global |
We may also disclose data where required by law, or to protect our rights, our users, or the public.
International transfers
Your core data (account, content, and analytics) is stored in the European Union (Supabase in Ireland; PostHog in the EU). Some providers (Stripe, RevenueCat, Cloudflare, Resend, Apple, Google) may process data outside the EU, including in the United States, under appropriate safeguards such as the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
How long we keep it
- Account & profile: while your account is active, and deleted within about 30 days of a deletion request (residual copies in backups are purged on their normal cycle).
- Invoices & accounting records: about 5 years, as required by Latvian law.
- Terms-acceptance records: while your account exists, plus up to 10 years after it closes, in line with the general limitation period for contract claims under Latvian law.
- Analytics: about 14 months.
- Waitlist: until you unsubscribe.
Your rights
If you are in the EU/EEA, you have the right to access your data, correct it, delete it, restrict or object to processing, receive it in a portable format, and withdraw consent at any time. To exercise any of these, email privacy@jepex.app. We respond within one month (for particularly complex requests the law allows an extension, and we will tell you if we need one).
You can request deletion of your account at any time by emailing privacy@jepex.app, and directly in the app where that option is available. You also have the right to complain to a data protection supervisory authority (see section 12).
Children
Jepex is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@jepex.app and we will delete it.
Security
We protect your data with encryption in transit (HTTPS), passwordless sign-in (one-time email codes, there is no password to steal), row-level access controls in our database, removal of all embedded photo metadata, and access limited to what is needed to run the service. No method of transmission or storage is completely secure, but we take reasonable measures to protect your data.
Changes to this policy
We may update this policy from time to time. Each version carries a version date, shown at the top of this page, and the app records which version you accepted. When we make a material change, we will notify you in the app or by email and ask you to accept the updated policy; for minor changes we will simply post the new version with a revised date.
Contact & authorities
For any privacy question or request, contact privacy@jepex.app.
- EU / Latvia: our lead supervisory authority is the Data State Inspectorate of Latvia (Datu valsts inspekcija), dvi.gov.lv. You may also complain to the authority in your own EU country.
- United Kingdom: you may complain to the Information Commissioner’s Office (ICO), ico.org.uk.
- California: you have the right to know, delete, and correct your personal information, and to opt out of its “sale” or “sharing”. We do not sell or share your personal information. We will not discriminate against you for exercising these rights.
- Canada: you have rights under PIPEDA and may contact the Office of the Privacy Commissioner of Canada, priv.gc.ca.
- Brazil: you have rights under the LGPD and may contact the National Data Protection Authority (ANPD), gov.br/anpd.