Privacy Policy
How we collect, use, and protect your personal data — and the rights you have over it.
Last updated 30 May 2026
This Privacy Policy explains how SIA Karto (“Jepex”, “we”, “us”) handles personal data when you use the Jepex website (jepex.app) and the Jepex applications for macOS and iOS. We are the data controller for that processing. You can reach us at privacy@jepex.app, and our full company details are on the Legal Notice page.
What we collect
Account & sign-in
Your email address and a password (stored only in hashed form by our authentication provider — we never see or store it in plain text). If you sign in with Apple or Google, we receive the identifier and basic profile details (such as email and name) that you authorise them to share.
Profile
Your display name, username, bio, avatar image, any links you add to your other profiles, and the camera models you list.
Content you create
The recipes you make (camera settings, descriptions, tags), the photos you attach to them, and your favourites. When you upload a photo we strip embedded location (GPS) and other EXIF metadata on upload, keeping only the camera, lens and exposure details relevant to the recipe.
Subscription & payment
Payments are handled by Stripe. We receive your subscription tier and status and a Stripe customer reference. We never receive or store your full card number. Stripe collects the billing details it needs to take payment and to calculate the correct VAT.
Usage analytics (only with your consent)
If you consent, we collect product-usage events — for example which pages or recipes are viewed and which actions are taken — using PostHog, hosted in the European Union. For signed-in users who opt in, these events are linked to your account so we can understand how the product is used. We do not use session recording.
Waitlist
If you join our waitlist, your email address, used to send you a confirmation and launch updates. These emails are delivered through Resend.
Technical & security data
Your IP address, browser and device information, and server logs — processed by our hosting and content-delivery provider (Cloudflare) to deliver and protect the service — together with the cookies described below.
Why we use it & legal bases
Under the EU General Data Protection Regulation (GDPR), we rely on:
- Performance of a contract — to create and run your account, provide the apps and website, and process your subscription.
- Consent — for usage analytics, affiliate cookies, and waitlist/marketing emails. You can withdraw consent at any time.
- Legitimate interests — to keep the service secure, prevent fraud and abuse, and understand aggregate usage, balanced against your rights and freedoms.
- Legal obligation — to keep invoices and accounting records as required by Latvian law.
Cookies & analytics
We use a small number of cookies and similar technologies:
- Strictly necessary — session cookies that keep you
signed in (for example
sb_access_tokenandsb_refresh_token, which are HttpOnly). These are required for the site to work and do not need consent. - Analytics (consent) — PostHog cookies, set only after you accept. Data is hosted in the EU.
- Affiliate (consent) — Rewardful cookies, set only after you accept, used to credit referrals from our affiliates.
You control non-essential cookies through the consent banner shown on your first visit, which you can change at any time. Signed-in users can also manage analytics in their Account settings.
Content that is public
Published recipes and public profiles are public by design. Your display name, username, bio, avatar, links, camera list, and any photos you attach to published recipes are visible to anyone and can be indexed by search engines. Please don’t include anything in them you wouldn’t want to be public.
Who we share data with
We share data only with service providers who process it on our behalf, each under a data processing agreement. We do not sell your personal data.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, photo storage | EU (Ireland) |
| PostHog | Product usage analytics (consent) | EU |
| Stripe | Payments and subscription billing | EU / US |
| Cloudflare | Hosting, content delivery, security | Global edge |
| Resend | Waitlist and transactional email | US |
| Rewardful | Affiliate referral attribution (consent) | US |
| Apple, Google | Sign in with Apple / Google | Global |
We may also disclose data where required by law, or to protect our rights, our users, or the public.
International transfers
Your core data — account, content, and analytics — is stored in the European Union (Supabase in Ireland; PostHog in the EU). Some providers (Stripe, Cloudflare, Resend, Apple, Google) may process data outside the EU, including in the United States, under appropriate safeguards such as the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
How long we keep it
- Account & profile — while your account is active, and deleted within about 30 days of a deletion request (residual copies in backups are purged on their normal cycle).
- Invoices & accounting records — about 5 years, as required by Latvian law.
- Analytics — about 14 months.
- Waitlist — until you unsubscribe.
Your rights
If you are in the EU/EEA, you have the right to access your data, correct it, delete it, restrict or object to processing, receive it in a portable format, and withdraw consent at any time. To exercise any of these, email privacy@jepex.app — we respond within one month.
You can request deletion of your account at any time by emailing privacy@jepex.app, and directly in the app where that option is available. You also have the right to complain to a data protection supervisory authority (see section 12).
Children
Jepex is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@jepex.app and we will delete it.
Security
We protect your data with encryption in transit (HTTPS), hashed passwords, row-level access controls in our database, stripping of photo location metadata, and access limited to what is needed to run the service. No method of transmission or storage is completely secure, but we take reasonable measures to protect your data.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the “last updated” date above, and we will notify you of material changes in the app or by email.
Contact & authorities
For any privacy question or request, contact privacy@jepex.app.
- EU / Latvia — our lead supervisory authority is the Data State Inspectorate of Latvia (Datu valsts inspekcija), dvi.gov.lv. You may also complain to the authority in your own EU country.
- United Kingdom — you may complain to the Information Commissioner’s Office (ICO), ico.org.uk.
- California — you have the right to know, delete, and correct your personal information, and to opt out of its “sale” or “sharing”. We do not sell or share your personal information. We will not discriminate against you for exercising these rights.
- Canada — you have rights under PIPEDA and may contact the Office of the Privacy Commissioner of Canada, priv.gc.ca.
- Brazil — you have rights under the LGPD and may contact the National Data Protection Authority (ANPD), gov.br/anpd.