March 18, 2020
Thank you for using Jumbo! Here we describe how we might collect, use and handle your personal data when you use our privacy and security services.
But first, we want to highlight two major principles that drive our day-to-day decisions:
Whatever your choices are with regards to your activity with Jumbo, we will never EVER sell your personal data.
As a privacy company, we want your privacy and your use of Jumbo to be fully transparent and understandable. Therefore, we have made a summary of all the services Jumbo provides you, and how every service impacts your personal data.
Please find hereunder more information on the processing of personal data made by Jumbo – 2121 Atelier Inc.
Title 1 – Jumbo Features you may use
Section 1. Privacy & Security Services in the Jumbo App
Jumbo App is a mobile application available on iOS and Android who helps you manage your online privacy and security.
Every step of the way, you are the one controlling and deciding how to manage your personal data and privacy settings related to the accounts you link to the Jumbo App. The Jumbo App will never change anything in your accounts without your prior authorization. Consequently, we are only processing your data because you have consented to it and/or because we are performing a service you have requested from us.
(i) Change of the privacy settings of your online accounts
We offer you the possibility to scan some of your online accounts through the Jumbo App to suggest privacy changes to your account settings. You can choose what online account you want to scan through the Jumbo App.
To inform you of the changes we suggest, we will ask you to log into your account through the Jumbo App, using your username and password. The authentication of your account will be made in your phone during the whole process. We do not store any of this personal data in the Jumbo Cloud.
(ii) Saving of your password
We might offer you to save your password for some online services to avoid having to log in, every time you use the Jumbo App. If you chose to do so. your password will be stored within the Jumbo App in your phone. If you do not wish for your password to be stored in your phone, please do not use the features that allow such storing of password within the Jumbo App. To delete your passwords, please disconnect the Jumbo App.
If you decide to transfer some of your personal content, the transfer of such personal content will be made directly from your account to the storage space you have selected. This can be the Jumbo App or a third-party storage space selected.
If you decide to store your personal content in the Jumbo App, your personal content will be stored in your phone. We do not have access to your personal content, and it is not stored in Jumbo Cloud.
If you want to delete your personal content, please delete the Jumbo App.
If you chose to verify if your email address was in a data breach, the email address you indicate will be transmitted from the Jumbo App, to haveibeenpwned.com through Jumbo Cloud. This means that your email address will be on Jumbo Cloud for less than one second, and then transferred to haveibeenpwned.com. We never look at your email address nor store it. We use the cloud computing of Microsoft for Jumbo Cloud, and our servers are hosted by Cloudfare (more information on Cloudfare here). For more information about the use of your email address by haveibeenpwned.com, please see here.
If you chose to register your phone number within the “FTC do-not call registry” through the Jumbo App, your phone number will be sent to the “FTC do-not call registry” through your phone. We only have access to the last 4-digit of your phone to confirm your registration with the FTC. For more information about the use of your phone number by the FTC, please see here.
When you chose to use the Privacy Requests functionality to delete some of your personal data, or to opt-out from some services, you are mandating Jumbo to act as your privacy agent. We will only act as your privacy agent towards the services you have selected in the Jumbo App and for the privacy requests (access, opt-out, deletion) you have chosen in the Jumbo App.
We ask you for your name to complete the mandate for exercise of privacy rights, and for your email address to confirm the authentication ID of the account you want to delete. We also use your email address to send you the mandate for your review and signature.
We might also collect your advertising ID (IDFA/AAID) directly in your phone, if you chose to make privacy requests related to such advertising ID.
The mandate is sent to you by Docusign which is a certifier of electronic signature. For more information about the use of your email address by Docusign, please see here.
By signing the mandate you agree that Jumbo will process your personal data to make the privacy requests you have selected and notably that your name, email, privacy requests and signed mandate will be sent to the service providers you have selected in the Jumbo App. We use Helpscout to send these emails. For more information about the use of your personal information by Helpscout, please see here.
Once the privacy requests have been processed, upon expiration of a period of six months during which you have not used the privacy request feature, we will delete your personal data and your mandate from our archives.
B. Your rights
How to access, rectify, or delete your personal data?
Except for Privacy Requests, Jumbo does not access or store any of your personal data.
Therefore, you can access rectify, or delete the accounts you have managed through the Jumbo App and/or the data you have stored within the Jumbo App at any time directly in the Jumbo App.
If you want to delete any data stored in the Jumbo App, you need to delete the Jumbo App from your phone.
You can access, rectify, or delete your privacy requests at any time, by sending an email to [email protected]
If you are not able to do any of this, you want help doing so or have any related questions, please send an email to [email protected].
For more information about your use of the Jumbo App, please consult our TOS.
We may send you updates about the Jumbo App by sending you push notifications through the Jumbo App if you have given us your prior approval to do so.
To send you push notifications, we store and use a serial number which was generated by Apple and/or Google, depending of the version of the Jumbo App you are using, best known as a “token”, which is unique to your use of the Jumbo App in your phone.
We cannot identify you nor localize you through this token but we can send you messages. This is why we have a strict security policy when collecting, storing and using your token.
We sometimes conduct surveys within the Jumbo App to get feedback on our products and services. When conducting such surveys, we might collect anonymous information such as country or age range to understand demographics of our userbase. On some rare occasion, we give you the possibility to provide us your email address on an opt-in basis if you want the opportunity to chat with a team member or if you want to receive updates regarding the Jumbo App. In such event, we only process your email address for the purpose provided for in the survey, and for as long as strictly necessary. We do not sell it or transfer it to any third party.
You can opt-out from any further communication, rectify, and/or erase your email address directly in any received communication, or by sending us an email to [email protected]
You can subscribe to our newsletter at any time by given us your email address in the Jumbo App or on our dedicated websites. We only send the newsletter to you for the informational purposes you have chosen when you subscribed. You can opt-out whenever you want by clicking the opt-out link directly in the newsletter or by sending us an email to : [email protected]. We use Mailchimp to send you our newsletter, for more information, please see here.
The Jumbo App sends analytics data to our analytics providers: Segment and Amplitude. We do not track or store any personal information in our analytics. Instead, we ask Apple/Google to generate a unique deviceID which we use as a unique token for analytics purposes. Our analytics are 100% anonymous and only contains information about your usage of the Jumbo Privacy App, device and country. For more information about Segment and Amplitude, please see here.
When you navigate on our websites available at the following URL addresses: www.jumboprivacy.com and blog.jumboprivacy.com, they send us anonymous statistics that allow us to track the number of visitors and information on the device screen size. For such analytics, we use Simple Analytics, for more information see here.
We do not have any other cookies on our websites (such as tracking or advertising cookies).
TITLE 2: Sub-Processors
Third party services Jumbo relies on, and what data they might store about you
We only share your personal data with the services we rely on, if strictly necessary to provide you with our privacy and security services.
Where we need to share your personal data with our third-party services, we have chosen them with a lot of care, to make sure they take privacy as seriously as we do and that they only use your personal data for the purposes we have instructed them to do. We might also have executed data processing agreement with them to regulate how such service providers use your personal data. This data processing agreement was implemented thanks to the GDPR. In the event where such service providers are limiting their data processing agreements to European users, we are negotiating to extend such protection to all our users wherever located.
We have decided to use Help Scout as our helpdesk service provider Therefore, if you email [email protected], Help Scout will receive and keep a copy of your IP address, and your name if it sent as part of the headers of the email protocol. We have setup Help Scout so that it deletes automatically all emails from their servers 30 days after they are received.
We also use Help Scout to manage your privacy requests. If you use this functionality, Help Scout will receive your privacy request and process the privacy request email which is sent to the service providers you have selected in the Jumbo App. They will store your first name, last name, country of residence, email address, signed mandate and privacy request. HelpScout only stores your personal data as long as we process your privacy requests. Once we have completed your privacy requests, your personal data will be deleted within three months following such completion, from Help Scout.
For more information about how Help Scout processes your data, please visit https://www.helpscout.com/company/legal/privacy/. You can also consult the data processing agreement signed with Help Scout, available here: https://www.helpscout.com/company/legal/dpa/
Section 2. Jumbo Cloud: Microsoft Cloud, Azure
We choose the products we use very carefully, and our email servers (that we are using for [email protected] for example) are powered by Microsoft Cloud. Microsoft Cloud has a very strong reputation to respect privacy. If you email [email protected], Microsoft servers will receive and keep a copy of your IP address, and your name if your name is sent as part of the headers of the email protocol. Contrary to what we have set up for Help Scout, we will keep your emails for as long as it is necessary for replying to your request and then for as long as necessary, if required to, for evidence purposes. For more information about how Microsoft processes your data, please visit https://privacy.microsoft.com/. You can also find more information about the data processing agreement signed with Microsoft here: https://docs.microsoft.com/en-us/legal/gdpr
Section 3. Apple
Apple hosts our Jumbo iOS app. Apple provides Jumbo with analytics: this feature is called App Analytics. Apple does not provides Jumbo with information that would personally identify you. You can turn off this feature completely within your iPhone settings, also. For more information about how Apple processes your data, please visit https://www.apple.com/legal/privacy/
Section 4. Google Play Console
Android hosts our Android app. Google provides Jumbo with anonymous analytics with regards to your use of our app (country, device): this feature is called Google Play Console. Google does not provide Jumbo with information that would personally identify you. You can turn off this feature completely, also. For more information about how Google processes your data, please visit https://policies.google.com/privacy
Section 5. Cloudflare
We use Cloudflare as our DNS provider for our app and our websites. Cloudflare has a solid privacy reputation. Cloudflare says they will log your IP address for less than 24 hours. To the best of our knowledge, we haven’t found a way to access, from the Cloudflare dashboard, these logs. For more information about how Cloudfare processes your data, please visit: www.cloudflare.com/privacypolicy/.
Section 6. Github Pages
The websites www.jumboprivacy.com and blog.jumboprivacy.com are hosted by Github, via their feature Github Pages. Jumbo has configured Cloudflare as a proxy between you and the Github servers, in order to avoid your IP address being sent to Github. Github never get any personal data. We do not use any cookies on our websites that will store any personal data.
Section 7. Haveibeenpwned.com
Section 8. Mailchimp
We may send you our newsletter if you have agreed to receive it. For that, we use Mailchimp as our newsletter service provider. Mailchimp provides that it will only process your personal data to provide us with their emailing tools. Your email address will be automatically deleted from Mailchimp if you decide to opt-out from any communication. We do not keep email addresses for marketing purposes for more than a year following the last sent communication. For more information about how Mailchimp processes your data, please visit: https://mailchimp.com/legal/privacy/. You can consult the data processing agreement signed with Mailchimp here https://mailchimp.com/legal/data-processing-addendum/#3._Sub-processing.
Section 9. Simple Analytics
Section 10. Typeform & Survey Monkey
We conduct surveys using Typeform or Survey Monkey. They provide that they will only process your personal data to provide us with their survey tools. We transfer the answers of the survey to our cloud services and delete them from Typeform/Survey Monkey within a week following the end of such survey. For more information about how Typeform processes your data, please visit https://admin.typeform.com/to/dwk6gt, how Survey Monkey processes your data, please visit: https://www.surveymonkey.com/mp/legal/privacy-policy/. You can also find more information about the data processing agreement signed with Typeform here: https://admin.typeform.com/to/dwk6gt and with Survey Monkey here: https://help.surveymonkey.com/articles/en_US/kb/SurveyMonkey-Data-Transfers-and-EU-Laws
Section 11. Docusign
We use Docusign to send you a mandate to sign for you to authorize Jumbo to act as your privacy agent for your privacy requests. We have executed a data protection agreement with Docusign, which is our sub-processor, under which Docusign notably guarantees to us not to share your personal data with any third parties that do not strictly need to process your personal data to provide us with their services.
For more information about how Docusign processes your data, please visit: https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature/attachment-data-protection.
Section 12. Freelancers
From time to time, we may use freelancers based in the USA or Europe to help us for specific tasks notably to our support team. These freelancers might process personal data belonging to you under our strict instructions. We chose very carefully the freelancers that work with us, and they all sign a data protection agreement containing security requirements to ensure the safety of your personal data before starting working for Jumbo.
For more information, please contact us.
TITLE 3 - Other information about your data
Section 1. Personal Data transfers EU/UK/Swiss-USA
Since 2121 Atelier Inc is located in the USA, we might transfer some of your personal information from the European Union, the United Kingdom or Switzerland, to the USA. We comply and have self-certified with the EU/UK-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the European Economic Area, the United Kingdom and Switzerland to the United States. You can check our certification here: Privacy Shield Certification.
As described in the Privacy Shield Principles, Jumbo is responsible for personal data that it receives and subsequently transfers to third parties. If third parties that process personal data for us do so in a manner that does not comply with the Privacy Shield Principles, we are responsible for such failure, unless we prove that we are not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Jumbo commits to resolve complaints about our collection or use of your personal information. EU, British and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Jumbo Privacy by email at [email protected].
Jumbo has further committed to refer unresolved Privacy Shield complaints to ICRD-AAA, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://go.adr.org/privacyshield.html for more information or to file a complaint. The services of ICRD-AAA are provided at no cost to you.
As further explained in the Privacy Shield Principles, binding arbitration before a Privacy Shield Panel will also be made available to you in order to address residual complaints not resolved by any other means. Jumbo is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission
Section 2. Extraordinary disclosures
We may be obligated to disclose your personal data if we determine that such disclosure is reasonably necessary and required:
(a) to comply with applicable laws or judicial orders;
We will always keep in mind that your data should be protected therefore we will always fight unjustified requests and be transparent about them.
If Jumbo or its business or assets are acquired by, or merged into, another company, that company will possess any personal data in our possession at such time and will assume our rights and obligations under this Policy.
Section 3. Security of data
We take security very seriously and therefore have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk linked to our processing of all data as described hereabove. To implement such measures, we have taken into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for your rights and freedoms as natural persons.
Section 4. CCPA
Even though the CCPA does not apply to Jumbo’s activity, we have provided you with all necessary information as provided under the CCPA:
TITLE 4 – Your Rights
On a general basis, you can access, rectify, or delete your personal data directly through the Jumbo Privacy App, or through the service providers we are relying on as described above.
If you are unable to complete your requests through the Jumbo Privacy App or such services, you can send a detailed message explaining your request to us at : [email protected]vacy.com or to 2121 Atelier Inc, 20 Jay Street, Brooklyn, New York, USA.
Section 3. Liability and Disclaimers
Section 4. Contact Us
If you are a European citizen, in addition to 2121 Atelier Inc, you can contact our European Representative, 1862 Avocats, mandated for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union by sending a detailed message to [email protected] or 1862 Avocats, Zoé Vilain, 24 rue de Penthièvre, 75008 Paris, France.
We also want to inform you that you are entitled to lodge any complaint with regards to privacy matters in relation with our activity to your local data supervisory authority. As our EU representant is in France, any complaint will be transferred to the French supervisory authority which is the CNIL.
Thanks for reading!
Chief Privacy Officer