Privacy Policy
Last Updated: December 3, 2025
1. Introduction and Scope
POPJAM OÜ (“POPJAM”, “we”, “us” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal data when you use the POPJAM platform and related services (the “Services”), and explains your rights and choices regarding your personal data. We adhere to all applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR (UK GDPR) as applicable, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), Turkey’s Personal Data Protection Law No. 6698 (KVKK), and other relevant U.S. state privacy laws. This policy applies regardless of whether you are located in the EU, U.S., Turkey or elsewhere, and we aim to provide a level of privacy protection consistent with these laws.
Scope: This Privacy Policy applies to personal data processed by POPJAM when you interact with our Services, including data collected through our website (popjam.io), web application, and any other online services under our control where this Policy is posted. It does not apply to any third-party websites or services that we do not control, even if our Services link to them (for example, payment processors or partner platforms have their own privacy policies). Please read this Policy carefully to understand our practices. By using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller and Contact Information
For the purposes of GDPR and similar laws, the “Data Controller” of your personal data is POPJAM OÜ, an Estonian limited company (registry code 17381868). Our registered business address is Sepapaja tn 6, Lasnamäe, Tallinn 15551, Estonia. You can contact us with any questions or requests regarding your personal data at:
- Email: info@popjam.io
- Postal Mail: Attn: Privacy, POPJAM OÜ, Sepapaja 6, 15551 Tallinn, Estonia
If we are required to appoint a local representative or officer under certain laws (for example, a representative in the EU or UK, or a contact person in Turkey), we will provide those details on our website or upon request. As of the last updated date, POPJAM’s core operations are in the EU, and we do not have a legal requirement for an EU representative (since we are established in the EU).
3. Personal Data We Collect
We collect or obtain several categories of personal data in order to provide and improve our Services. The types of personal data we may process include:
- Identity and Account Data: Information that identifies you when you create an account or use our Services. This includes your name, email address, and profile photo (if you choose to upload one). If you register via a third-party OAuth provider like Google or Meta (Facebook), we receive your email and basic profile info from them to set up your account. We also assign user IDs and collect team or organization affiliation if you are using team features.
- Contact Information: If you provide contact details for business purposes or support (such as your phone number, mailing address, or chat handle), we will collect those. This also includes any contact information provided when subscribing to newsletters or filling out forms on our site.
- Credentials: We collect login credentials such as your username and password (stored in encrypted form) if you do not use social login. For OAuth logins, we store tokens necessary to authenticate with your Google or Meta account (these tokens are encrypted at rest).
- User Content and Uploaded Data: The content and data that you (or your organization) input into our platform. This includes:
  - Ad & Campaign Content: Any creatives, images, videos, advertisements, copy text, campaign briefs, or related materials you upload for analysis or storage on our platform.
  - Persona & Audience Data: If you provide any market research data, audience persona information, or datasets for our “Research-Augmented Generation” (RAG) features or for fine-tuning the AI persona models. This could include demographic or psychographic information about target audiences, which might be personal data if it relates to identifiable individuals (e.g., a customer list or survey data).
  - Brand Assets: Your brand’s logos, graphics, style guides, or other assets you upload to your content library on POPJAM.
  - Any feedback or notes: If you annotate content or provide feedback through the platform (such as telling the AI whether an output was relevant or not), those inputs are collected.
  Important: User Content you upload may contain personal data (for example, images of persons or data about individuals). We process such data on your behalf to provide the Service, and our Terms of Use require that you have a lawful basis to upload this information. See Section 6 on Data Sharing and Section 11 on Your Rights for more about how we handle such data and your responsibilities.
- Usage Data (Technical & Behavioral Data): Information about how you access and use our Services. This includes:
  - Technical Information: Your Internet Protocol (IP) address, browser type and version, device type, operating system, device identifiers, language preference, and region/country.
  - Interaction Data: Pages or screens you view on our app or site, features you use, links clicked, the date/time of your visits, the amount of time spent on pages, search queries within the platform, error logs, and other diagnostic information. We also collect data about how you interact with our emails (e.g., whether you open or click links).
  - Behavioral Advertising Data: Through cookies and tracking technologies (described below), we collect data about your browsing behavior on our site for analytics and advertising. This may include events like sign-up or conversion, and information about how you came to our site (referral source, campaign information).
- Third-Party Integrations Data: If you choose to connect third-party accounts or data sources to POPJAM, we will receive information from those sources as needed to provide the service. For example:
  - Google Ads and Meta Ads Data: If you connect your Google Ads account or Meta (Facebook/Instagram) Ads account to POPJAM, we will gain API access to certain data in those accounts. This includes campaign names and settings, ad groups, ads and creatives, budgets, keywords, and performance metrics (impressions, clicks, conversions, etc.). We may also pull conversion data from those platforms. We use this data to display reports to you, generate insights, and allow you to manage campaigns via our interface. Important: We access and use this data only to provide you with services you have requested – such as performance dashboards, AI suggestions based on past performance, or to execute changes you explicitly make through our platform. We comply with Google’s and Meta’s API limited use policies, meaning we do not use data from your ad accounts for any purposes other than to serve you (no sharing with third parties or using it to train broad machine learning models). We also do not transfer your Google Ads data to others except as necessary for security or compliance (e.g., secure cloud storage or if required by law).
  - Analytics from Third Parties: We may receive aggregated audience insights from tools like Google Analytics if enabled, but those are generally not personal data (or are anonymized).
- Payment and Transaction Data: If you subscribe to a paid plan or purchase credits, our third-party payment processor (e.g., Stripe) will collect your payment card information and billing details. POPJAM itself generally does not store full credit card numbers. We do keep records of your transactions such as the products/services purchased, date and amount of the transaction, and limited billing info (e.g., last four digits of your card, card type, billing address) for invoicing, accounting, and to maintain a record of your subscription.
- Support and Communications: If you contact us for support or with inquiries (via email, chat, or phone), we will collect the information you choose to share in those communications (such as your contact details and the content of your message). We may also keep records of our correspondence. If we conduct surveys or you participate in our beta feedback sessions, we will collect any feedback you provide.
- Cookies and Similar Technologies: When you visit our website or use the web app, we use cookies, pixels, and similar tracking technologies to collect some of the data mentioned above (Usage Data and certain Technical Data). Our Cookie Policy (see Section 9 below) provides details on what cookies are used and your choices.
We generally do not seek to collect special categories of personal data (such as data about health, religion, biometric identifiers, etc.) or data about children, since our Services are business-oriented. We ask that you do not upload or submit any sensitive personal data unless it is necessary and you have legal grounds to do so. If you believe any sensitive data has been provided to us improperly, please contact us so we can address it.
4. Purposes and Legal Bases for Processing Personal Data
We process personal data for a variety of business purposes in accordance with different legal bases under the GDPR and other laws. This section explains why we process your data and the legal justification for each purpose. Depending on the context, more than one legal basis may apply simultaneously.
4.1 To Provide the Services (Contractual necessity):
We process data to set up and maintain your account, to provide the features of our platform, and to fulfill our obligations in the Terms of Use. This includes:
- Creating and authenticating your account (using Identity and Account Data, Credentials).
- Providing the core SaaS functionalities: e.g., generating AI-driven ad variants and persona feedback based on your inputs, storing and displaying your content, running simulations, retrieving campaign data from integrated accounts, and delivering analytics dashboards. We use the data you input and generate (User Content, Ad Data, etc.) to perform these services as you direct us to.
- Facilitating communications through the platform (for example, if our platform allows team members to collaborate or leave comments).
- Providing customer support at your request, troubleshooting issues, and answering questions about the Services.
Legal Basis: Processing for the above purposes is generally based on contractual necessity (GDPR Art. 6(1)(b)) – it is required to deliver the Service you have requested under our Terms of Use. If you do not provide the relevant data, we cannot provide the Service. In some cases, legal obligations or legitimate interests may also justify certain processing (see below).
4.2 To Improve and Develop our Services (Legitimate interests):
We continually seek to enhance our platform’s performance, add new features, and make AI models more effective. To do so, we may process data such as:
- Usage Data and analytics: to understand how users interact with our Services, which features are popular, and where improvements or fixes are needed. This helps us identify usability issues, optimize workflows, and guide our product development.
- Aggregated learning: We might use anonymized and aggregated data derived from your content and usage to improve our AI algorithms and models. For example, we may analyze trends across campaigns or general feedback patterns to refine our persona simulation model. Crucially, we do not use any personally identifiable data or any client-specific content to train generalized AI models without permission. Any machine learning training on usage data is either at an aggregated level or within a dedicated model for your use where you have provided data (like fine-tuning an AI on your proprietary data in the Enterprise plan).
- Feedback: If you provide feedback or participate in surveys, we use that to improve our Services and customer experience.
Legal Basis: Our processing of data to improve and develop the Services is based on legitimate interests (GDPR Art. 6(1)(f)). It is in our interest as a business to optimize our products and ensure they remain competitive, and we believe it is also in our users’ interest to receive a better service. We take steps to minimize privacy impact, such as using aggregated or pseudonymous data wherever possible for these purposes. You have the right to object to processing based on legitimate interests (see Section 11 on Your Rights).
4.3 For Marketing and Communications:
- Service and Transactional Communications: We will use your email or other contact info to send you important administrative or transactional messages, such as confirmations of sign-up, billing receipts, subscription renewal notices, security or support notifications, and updates about critical service changes or outages. These are necessary communications for the performance of our contract with you and are not subject to separate consent.
- Product Updates and Offers: We may send existing customers or trial users periodic emails about new features, tips on using the service, newsletters, or events. If you are an existing customer, we might rely on our legitimate interest to inform you about our similar products or services (often called a “soft opt-in” under some laws). We will always provide an easy way to unsubscribe in such emails. For new prospects or where required by law, we will obtain your consent before sending marketing emails.
- Advertising and Retargeting: We may use cookies and third-party advertising networks (like Google or Facebook) to show you ads for POPJAM on other websites (this is a common practice known as retargeting). This involves using cookie data about your visits. Where required by law, we obtain your consent for using advertising cookies. Under US state laws, sharing of certain cookie data with third-party ad networks might be considered a “sale” or “sharing” of personal info; we provide opt-out options as described in Section 12.
Legal Basis: Transactional communications are done as part of our contract with you or legal obligations. Marketing emails to new users are based on consent (GDPR Art. 6(1)(a)), while marketing to existing customers may be based on legitimate interests (GDPR Art. 6(1)(f)), in compliance with ePrivacy rules. For SMS or certain automated calls (if ever used), we would obtain consent as required. Cookie-based advertising is based on consent where required (see Cookie Section 9). In all cases, you can opt out of marketing communications at any time.
4.4 To Ensure Security and Prevent Fraud:
We process certain data to maintain the security of our platform, to detect or prevent fraudulent activity, and to protect both our interests and those of our users. This includes monitoring use of the Services for potential abusive activities (e.g., scraping or unusual access patterns), using automated systems to flag accounts for possible policy violations, and verifying accounts as needed.
Legal Basis: This processing is in our legitimate interests (protection of our business, network, and users) and in some cases might be to comply with legal obligations (GDPR Art. 6(1)(c)), such as obligations to prevent crime.
4.5 To Comply with Legal Obligations:
We will process personal data where necessary to comply with our legal obligations under applicable laws. For example:
- Keeping proper business records and financial records for tax and accounting (which may include transaction histories with personal data).
- Responding to lawful requests by public authorities, courts, or regulators (which might involve processing and disclosing personal data as required by law or legal process).
- Complying with data protection laws (e.g., handling opt-out signals, honoring your privacy rights requests, and documenting our compliance efforts).
Legal Basis: GDPR Art. 6(1)(c) – compliance with a legal obligation. When we must retain or disclose certain data for legal reasons, we do so based on this necessity.
4.6 Other Purposes (with Consent):
If we ever need to process your personal data for a purpose that is not covered by the above bases, we will seek your consent. For instance, if we wish to use your name and photo in a public testimonial or case study on our website, we would ask for your explicit consent. You have the right to withdraw your consent at any time, and we will honor that (note that withdrawal does not affect the lawfulness of processing that occurred before withdrawal).
5. Data Sharing and Disclosures to Third Parties
We share personal data with third parties only in the ways described in this Policy, and we do not sell your personal information for monetary consideration. However, as noted below, certain uses of analytics and advertising partners may be considered a “sale” or “share” under US law, and you have rights to opt out (see Section 12 for California/US rights). Here are the categories of recipients with whom we may share data and why:
- Authorized Service Providers (Processors): We use third-party companies to help us operate and support the Services. These include:
  - Cloud Hosting and Infrastructure: Providers such as Google Cloud Platform (data centers in the EU, e.g., Finland) and Supabase (hosted on AWS in Sweden) for storing databases and servicing our application.
  - Deployment and Development Tools: Services like Vercel (hosting our web frontend in EU regions). These providers process data (including possibly personal data in your content) only on our instructions and for the purposes of storing or delivering our software to you.
  - AI Inference and Integration Providers: We integrate with specialized AI services to provide certain features. Our policy is to use EU-based AI providers where possible and to prevent client-provided personal data from being processed by non-EU models. For example, we may use Google Vertex AI in Finland for some AI processing. We also have optional integrations with globally operated AI APIs like OpenAI, Anthropic, Perplexity, Nebius AI, or Ideogram. According to our internal rules, no personal data or user-uploaded proprietary content is sent to those global AI services unless it’s exempted from privacy risk (e.g., only non-personal prompts are used). These AI providers might process some data to fulfill your requests (e.g., generating an image or text), but they are contractually bound not to use your data for any purpose other than delivering the result to us. We have Data Processing Agreements or equivalent terms (including Standard Contractual Clauses where needed) in place with such sub-processors.
  - Payment Processors: e.g., Stripe, for secure processing of payments. They will process your payment details under strict PCI-DSS standards.
  - Analytics Providers: We use tools like Google Analytics (with IP anonymization) to collect Usage Data on our website. These tools act as our data processors in analyzing how our site is used. Google may act as a controller for some data for its own purposes – we have configured Google Analytics to limit data sharing and we honor “do not track” or cookie consent choices.
  - Customer Support and CRM: Tools we use for customer communications (e.g., an email service provider for sending newsletters or a customer support ticketing system) will necessarily process your contact info and messages. They are bound by confidentiality and use restrictions.
  All these service providers are vetted for strong security and privacy practices, and they are bound by contracts (Data Processing Agreements) to process personal data only for our specified purposes and to provide adequate protection (GDPR Art. 28 compliant). They do not have any independent right to use your personal data except as needed to assist us.
- Team Accounts and Collaborators: If your account is part of an organization or team on POPJAM, certain data will be shared with other users in your team by design. For example, team members may see each other’s work email, name, and any content contributed to the shared workspace. Similarly, if you invite an external collaborator to view a report or creative, you consent to the sharing of the relevant data with that person. These are disclosures you control through the platform’s sharing settings.
- Analytics and Advertising Partners: As described in the Cookie and Marketing sections, we allow certain third-party tracking technologies on our site (with consent where required). Companies like Google (for analytics, Tag Manager, and Ads) and Meta (Facebook Pixel) may receive Technical and Behavioral Data about visitors to our site. We use these to understand site traffic and to run marketing campaigns (e.g., showing ads to people who have visited our site). The data shared may include cookie identifiers, IP address, and events like page visits or conversions. We configure these tools not to collect sensitive data (and we do not knowingly send them any user-uploaded content data). However, under CCPA/CPRA, this kind of data sharing for “cross-context behavioral advertising” may be considered a “sale” or “sharing” of personal info. California residents have the right to opt out of this, which they can do by rejecting non-essential cookies or using the opt-out mechanisms provided (see Section 12). We do not use this data to identify you by name – it’s mainly used to target ads by aggregated audience segments.
- Business Transfers: If POPJAM is involved in a merger, acquisition, financing due diligence, restructuring, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be disclosed or transferred to a successor or affiliate of POPJAM as part of that transaction. In such cases, we will ensure the acquiring entity is bound to respect the personal data in a manner consistent with this Privacy Policy (or you will be given notice and a chance to opt out of the transfer if required by law).
- Legal Compliance and Protection: We may disclose personal data to third parties (such as courts, law enforcement, or government agencies) if we have a good-faith belief that such disclosure is necessary to:
  - Comply with any applicable law, regulation, legal process, or enforceable governmental request. For example, responding to a subpoena or court order.
  - Enforce our Terms of Use, investigate, or defend against legal claims or allegations.
  - Detect, prevent, or otherwise address illegal or suspected illegal activities (such as fraud, security breaches, or technical issues).
  - Protect against harm to the rights, property, or safety of POPJAM, our users, or the public as required or permitted by law. This may include exchanging information with other companies and organizations for cybersecurity and fraud protection.
In all cases of sharing, we seek to share the minimum amount of information necessary to fulfill the purpose. We do not sell mailing lists or personal details to data brokers. We do not share your content or data with third parties for them to use for their own advertising or machine learning training. Any third-party recipients of your data will be bound to protect that data in accordance with applicable laws and, where they act as our processor, with our instructions and this Policy.
6. International Data Transfers
POPJAM is headquartered in Estonia (in the European Economic Area), and our primary data storage and processing occurs in the European Union. We follow an “EU-First” data residency policy: all primary client data and personal data we collect are stored on secure servers located in the EU (Finland, Sweden, and Germany). This means if you are a user from outside the EEA (e.g., the US or Turkey), your personal data will be transferred to and stored in the EU.
However, in providing our Services globally, international data transfers will occur:
- Within the Company: Our team may access personal data from locations outside the EU (for example, we have presence in Sweden and Turkey as noted, and possibly team members or support staff in other countries). Regardless of location, our team members are trained on data protection and are bound by confidentiality. When accessing EU data from outside, they do so via secure connections.
- To Our Service Providers: Some of our third-party processors are based outside the EU or have global infrastructure. For instance, while our default storage is EU, some backup systems or support tools might involve servers in the United States or other countries. Additionally, certain AI providers or optional services (like an AI image generation feature by a US-based provider) may process data outside the EU. We only use providers in countries that the European Commission has deemed to have an adequate level of data protection, or we rely on approved transfer mechanisms as described next.
- Optional Features: As mentioned, if you use optional features that involve non-EU services (for example, opting to generate an image via a US-based AI), some data (likely not personal data, but e.g. an image prompt) might be processed by that service in the US. In such cases, we ensure no personally identifying or client-confidential data is included, or we obtain your consent if needed.
Safeguards for International Transfers: Whenever we transfer personal data out of the EEA to a country that the EU has not determined to have adequate data protection laws (such as the USA), we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- Standard Contractual Clauses (SCCs): We have signed the European Commission’s SCCs with relevant service providers to contractually require that your personal data receives an equivalent level of protection, regardless of where it is processed. These clauses impose data protection obligations on the recipient and give individuals rights to enforce those obligations.
- EU-U.S. Data Privacy Framework: Where applicable, we may rely on the new EU-U.S. Data Privacy Framework or the UK Extension / Swiss-U.S. framework for transfers to certified U.S. entities. For example, if a U.S.-based service provider is certified under the DPF, we may rely on that certification as a transfer mechanism.
- Explicit Consent or Derogations: In some cases, we may ask for your explicit consent to transfer data to a third country if no other transfer mechanism is available and the specific transfer is not repetitive or mass. You have the right to withdraw such consent at any time. Additionally, in rare instances we might rely on a GDPR derogation (e.g., transfer necessary for performance of a contract with you, or for establishment of legal claims) if applicable.
We will provide further information on the specific safeguards for a given transfer upon request. Our aim is to ensure that your personal data stays protected to the standards of European law even when accessible outside Europe.
Note for Users in Turkey: Your personal data may be transferred to European countries or other jurisdictions from Turkey, for the purposes described. Turkey’s KVKK allows cross-border data transfers if certain conditions are met, including adequate protection or explicit consent of the data subject. As Estonia/EU may not be on any “white list” of KVKK at this time, we rely on mechanisms like the EU’s adequate framework and your acceptance of this Privacy Policy (which includes consenting to necessary international transfers) to process your data. We also have put in place contract clauses mirroring KVKK’s requirements with our processors. By using POPJAM, you acknowledge the transfer of your data to our servers in the EU (and limited processing in other countries as described), and that we take measures to protect your data in line with this Policy and applicable law. If you have any concerns about cross-border transfer, please contact us.
Client Responsibility: If you are a business client uploading personal data of third parties (e.g., customer lists) from outside the EU, it is your responsibility as the data controller to ensure you have the right to transfer that data to us in Estonia/EU. This may mean, for example, obtaining consent from individuals in Turkey for transferring their data abroad, if required by KVKK. We are happy to assist by providing details of our safeguards, but we cannot verify the lawfulness of the data you send us – that remains your duty.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Policy, and to comply with legal obligations. Retention periods may vary depending on the type of data and the purposes of processing. Here are some key retention practices:
- Account Information: We keep your account data (like your name, email, login credentials, and profile info) for as long as your account is active. If you delete your account or it is terminated, we will delete or anonymize your personal data within a reasonable period after account closure, typically within 30 days, except as noted below for certain data we may keep longer.
- User Content: Content you upload or create on the platform (ads, images, etc.) is stored for your use. If you delete specific content from your account, we will remove it from active use promptly. Residual copies may remain in backups for a short duration but will be overwritten according to our backup retention cycle. If your account is deleted, all User Content is scheduled for deletion shortly after (unless required for legal reasons). We may retain anonymized derivatives (e.g., aggregated analytics that are not identifiable to you).
- Ad Performance Data from Integrations: Data fetched from your Google/Meta ad accounts is updated continuously and older performance data may be retained for historical reporting. If you disconnect an integration or delete your account, any stored ad performance data will be deleted from our systems after a short grace period (unless it has been aggregated into non-identifiable statistics). We abide by Google’s policies in deleting user data from our servers when no longer needed.
- Transactional Records: We retain billing and payment records, invoices, and transactional history as required for accounting and tax purposes – generally for at least 7 years or as mandated by law in Estonia. These records may include personal data (like name, company, and billing address on invoices) because we need a record of transactions.
- Communications: If you contacted support or we had email correspondence, we may retain those communications for a period of time (typically 2 years) to refer back to previous issues or for training purposes. If you unsubscribe from marketing emails, we will keep your email on a suppression list to ensure we honor your opt-out.
- Web Analytics Data: Data collected via Google Analytics and similar tools is typically retained for 14 months (default setting) or a duration we configure to analyze trends. It is aggregated, and in some cases, you can delete it by clearing cookies.
- Cookie Data: Cookies have varying lifespans. For example, analytics cookies might persist for 13 months unless cleared (in line with French CNIL guidance). Advertising cookies may last as set by the third party (often 3-6 months). See Section 9 for specific cookie retention.
- Legal Holds: If we are under a legal obligation to retain data (for example, a litigation hold or a government order), or if data is needed to resolve disputes, enforce our agreements, or detect/prevent fraud or abuse, we will retain the necessary data for as long as required. This may mean retaining some data beyond normal retention periods until the issue is resolved.
After the retention period expires, we will securely delete or anonymize the personal data. When we anonymize data, we remove identifying information so that it can no longer be associated with an individual, and such anonymized data may be retained indefinitely without further notice to you.
Specific Retention Period Examples:
- User Account Data: Deleted within 365 days after account termination (often sooner), to accommodate users who might reactivate or for us to conclude any post-termination obligations.
- Cookie Identifiers: 13 months maximum for analytics cookies (per EU guidance), shorter for others as configured.
- Backups: Encrypted backups are generally retained for 30-90 days for disaster recovery, after which they are overwritten or deleted.
- AI Prompt/Output Logs: If we log AI prompts and outputs for debugging or improvement, those logs (with no direct identifiers) might be kept for a few months at most, and personal identifiers are minimized or removed.
If you have specific questions about retention of certain data, you can contact us for more details.
8. Cookie Policy and Tracking Technologies
Like many online platforms, POPJAM uses cookies and similar tracking technologies to provide, personalize, and improve our Services. This section explains how we use these technologies and your choices regarding them.
What Are Cookies: Cookies are small text files placed on your device (computer, smartphone, etc.) when you visit a website. They allow the site to remember your actions or preferences over time. Similar technologies include pixels (small images or scripts that detect when a page is viewed or an email is opened) and local storage objects (which can store data in your browser).
How We Use Cookies: POPJAM uses cookies and tracking for several purposes:
- Necessary Cookies: These are essential for the website or app to function properly. For example, we use cookies to keep you logged in during your session, to remember your preferences (like language or theme), and for load balancing or security purposes. Without these, certain services or features cannot be provided. These cookies do not require consent.
- Functional Cookies: These remember choices you make (such as your region or settings) to provide enhanced, more personalized features. They may be set by us or third-party providers whose services we’ve added to our pages. For instance, if we have a chat support widget, it might set a cookie to recall your last conversation.
- Analytics Cookies: We use these to collect information about how visitors use our website, to count visitors, and to understand usage patterns. For example, we use Google Analytics and Google Tag Manager (GTM) to track page views, referral sources, and interactions on our marketing site. This helps us improve the site and Services. The information collected is aggregated and not intended to identify you personally. Google Analytics may set cookies like _ga which persist for up to 13 months. We have enabled IP anonymization so that Google truncates IP addresses in the EU.
- Advertising and Marketing Cookies: We use these cookies to deliver relevant ads to you and to measure the performance of our ad campaigns. Specifically:
- Google Ads & YouTube: We may use Google Ads cookies to later show you POPJAM ads on Google search or other sites after you visited our site. Google’s cookies (like gcl) help track conversions (e.g., if you signed up after clicking an ad). If we embed YouTube videos, YouTube may set cookies to track video views.
- Meta Pixel (Facebook/Instagram): We have the Meta Pixel on our site. It allows us to show ads on Facebook or Instagram to people who visited our site, and to measure ad results (like if you sign up after seeing a Facebook ad). The Pixel might trigger cookies or use an existing Facebook cookie to identify you.
- These advertising cookies/pixels collect information such as the pages you visited, your actions on our site, and possibly device identifiers. They enable advertising networks to recognize your browser/device and deliver ads based on your interests.
Consent Management: In regions where required (e.g., EU, UK, Turkey), we will present a cookie consent banner or tool when you first visit our site. Non-essential cookies (analytics and advertising) will not be set unless you opt-in. You can choose which categories of cookies to accept or reject via this tool. Your preferences will be remembered (we may set a cookie for that purpose). You can adjust your consent choices at any time by accessing our Cookie Settings link (typically in the website footer).
If you are in California or a U.S. state with similar laws, you can opt out of “sale/sharing” of data by toggling off advertising cookies (which is the mechanism we provide). We respond to browser Global Privacy Control (GPC) signals as an opt-out of sale for California residents, which will turn off advertising cookies by default.
Browser Settings: In addition to our tool, most web browsers allow you to control cookies through their settings. You can usually set your browser to notify you of cookies or automatically refuse them. However, if you disable all cookies, our site may not function properly (especially for login). You can delete cookies that have already been set. For more information on how to manage browser cookies, check out aboutcookies.org or your browser’s help documentation.
Third-Party Tracking: Note that we do not have control over third-party cookies; third-party providers (like Google or Meta) have their own privacy policies. However, we limit their use as described:
- Google’s ability to use and share information collected by Google Analytics about your visits is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can opt-out of Google Analytics by installing a browser add-on provided by Google.
- You can opt-out of interest-based Google ads via Google’s Ad Settings, and opt-out of certain third-party networks via the NAI consumer opt-out or YourAdChoices.
- For Meta, you can adjust your ad preferences in your Facebook settings to control what ads you see.
Do Not Track: Our site currently does respond to “Do Not Track” (DNT) signals in that our cookie consent mechanism would treat such a signal similarly to an opt-out for marketing cookies. However, DNT is not a universally recognized standard, and if you have specific privacy preferences, we recommend using our consent tool or browser controls as described.
9. Data Security Measures
POPJAM takes security seriously. We employ a comprehensive security framework with technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Some of the key security practices we have in place include:
- Encryption: All data transmitted between your browser and our Services is encrypted in transit using TLS (Transport Layer Security, e.g., HTTPS with modern protocols TLS 1.2 or higher). This prevents eavesdropping on data as it moves over the internet. Additionally, personal data (and all sensitive data) is encrypted at rest on our servers and databases. We use strong encryption standards (such as AES-256) to secure data at rest. For example, any access tokens for connected Google or Meta accounts are stored encrypted.
- Access Control: We apply the principle of least privilege and role-based access control for both system processes and our personnel. Only authorized employees or contractors who need access to personal data to perform their job (e.g., technical support or system admins) have such access, and even then, it’s limited to what is necessary. Administrative access to databases and systems is gated behind multi-factor authentication and VPNs. We maintain logs of access to sensitive systems.
- Multi-Tenant Data Separation: Our platform is designed with a multi-tenant architecture that logically separates each client’s data from others. Your data is marked with unique identifiers to ensure that when our application retrieves data for you, it cannot retrieve another client’s data. This architectural separation helps prevent data leaks between customers.
- Secure Development Practices: Our development team follows secure coding guidelines. We regularly update dependencies and software libraries to patch security vulnerabilities. We use code reviews and automated scanning tools to detect potential security issues in our codebase.
- Network Security: Our servers are hosted in secure data centers (like Google Cloud and AWS) which implement robust physical security and network security (firewalls, intrusion detection systems). We leverage their security features such as VPC isolation, security groups, and continual monitoring. We also restrict access to production environments—only essential services are running and reachable.
- Monitoring and Incident Response: We continuously monitor our systems for unusual activities, errors, or unauthorized access attempts. This includes using intrusion detection and prevention tools, as well as rate-limiting to mitigate brute force attacks or scraping. We have an incident response plan: if a security incident or data breach is suspected or detected, we will take immediate steps to contain and investigate it, and notify affected users and authorities as required by law.
- Employee Training and Policies: All POPJAM personnel with access to personal data are trained on data protection principles and security best practices. We have internal policies regarding handling of personal data, confidentiality agreements in place, and regular refreshers on privacy/GDPR compliance.
- Third-Party Assurance: When we select service providers, we review their security practices. Many of our key providers (e.g., cloud infrastructure) have certifications like ISO 27001, SOC 2, etc. We also enter into Data Processing Agreements requiring them to maintain appropriate security.
- Penetration Testing: We periodically engage independent security experts to perform penetration tests and security assessments of our platform. Any findings are remediated with high priority. We also encourage responsible disclosure of vulnerabilities via a bug bounty or contact method on our site (if you are a security researcher and find a vulnerability, please let us know).
- Backups and Resilience: We perform regular data backups which are encrypted. We have disaster recovery procedures and redundant systems in place to minimize downtime and data loss in case of hardware failure or other issues. We test our backups and recovery processes periodically to ensure data integrity.
Despite our efforts, no system can be 100% secure. It is important for you as a user to also play a role in keeping your data safe: use a strong, unique password for POPJAM, do not share your login credentials, and notify us immediately if you suspect any unauthorized access to your account. We will notify you and any relevant supervisory authority of a data breach where required by law.
If you have any questions about security on our platform, you can contact us at info@popjam.io. We will be happy to provide more information within reasonable boundaries (disclosing certain details might further risk security).
10. Children’s Privacy
Our Services are not intended for children or anyone under the age of 16 (and in certain jurisdictions, under the age of 13). POPJAM does not knowingly collect or solicit personal data from children under 16. We do not target the platform or any marketing activities toward children. If you are under 16, you are not permitted to use the Services or provide any personal data to us.
In the event that we learn we have collected personal data from a child under the applicable minimum age without verified parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child in violation of this policy, please contact us at info@popjam.io so that we can promptly investigate and address the issue.
Parents or guardians who believe that POPJAM might have collected personal information from their child can also request us to correct or delete it as needed. We will respond to such requests in accordance with applicable laws like the US Children’s Online Privacy Protection Act (COPPA) and similar regulations.
11. Your Rights and Choices
You have certain rights regarding your personal data, which we are committed to honoring. These rights may vary depending on your location and the laws that apply to our processing of your data. Below, we outline the rights generally afforded to individuals under GDPR (which also covers UK and similar jurisdictions), under Turkey’s KVKK, and under U.S. state laws like CCPA/CPRA for California residents. We also explain how you can exercise these rights.
Rights Under GDPR (and Similar Laws like KVKK): If you are in the European Economic Area, UK, Switzerland, Turkey or another jurisdiction with similar rights, you have the following rights concerning your personal data:
- Right of Access: You have the right to request confirmation as to whether we are processing personal data about you, and if so, to request a copy of the personal data we hold about you. This includes details like the purposes of processing, the categories of data, the categories of recipients, and the envisaged storage period. We will provide the first copy of your data free of charge, but may charge a reasonable fee for additional copies if needed.
- Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete personal data we hold about you. For example, if you change your email address or discover errors in your profile information, you can ask us to fix it (and you can often do so directly in your account settings).
- Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. This includes situations such as: the data is no longer necessary for the purposes it was collected; you withdraw consent (if consent was the basis) and no other legal basis exists; you object to processing and we have no overriding legitimate grounds; or if the data was unlawfully processed. Please note this right is not absolute – sometimes we must retain certain data to comply with legal obligations or to establish/exercise legal claims. If you delete your account, as noted, we will delete your data except for what we must keep.
- Right to Restriction of Processing: You have the right to request that we limit the processing of your personal data in certain scenarios. For example, if you contest the accuracy of your data, you can request we restrict processing while we verify the accuracy; or if processing is unlawful but you oppose deletion and prefer restriction instead; or if we no longer need the data but you need it for a legal claim. When processing is restricted, we will store your data but not use it except for legitimate purposes such as with your consent or for legal claims. We will inform you before any lifting of a restriction.
- Right to Data Portability: You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where the processing is based on consent or contract and done by automated means. Where technically feasible, you can request that we send this data directly to another service provider. Essentially, this right allows you to take your data elsewhere if you wish. For example, we can provide you with a JSON or CSV export of your account data upon request.
- Right to Object: You have the right to object, on grounds relating to your particular situation, to processing of your personal data that is based on our legitimate interests (or those of a third party). If you object, we will evaluate whether our compelling legitimate grounds for processing override your interests, rights, and freedoms. If not, we will cease the processing objected to. You also have an unconditional right to object to your data being processed for direct marketing purposes. That means at any time you can ask us to stop using your data to send you marketing communications, and we will do so (as also described in the marketing sections).
- Right not to be Subject to Automated Decision-Making: We do not make any decisions about you that have legal or similarly significant effects solely by automated means without human involvement. If we ever do, you would have the right to contest such decisions or request human review. (Our AI outputs may provide suggestions or automation, but decisions like subscription changes or account restrictions involve human oversight.)
- Right to Withdraw Consent: If we rely on consent to process any personal data, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. For example, you can unsubscribe from our newsletter (withdraw marketing consent) and we will stop sending you emails thereafter.
Specific Rights for Individuals in Turkey (KVKK): The rights under KVKK largely mirror those under GDPR, including: the right to learn whether your personal data is processed; the right to request information if processed; the right to learn the purpose of processing; the right to know third parties to whom data is transferred (domestic or abroad); the right to correction or deletion of personal data under certain conditions; the right to request notification of such correction or deletion to third parties to whom data has been transferred; the right to object to processing that is to the detriment of the person, if analyzed via automated systems; and the right to claim compensation for damages due to unlawful processing. We consider and handle these rights in line with our GDPR practices described above. For example, any valid KVKK deletion request will be honored just as a GDPR erasure request would. Also, as required by KVKK, if you are in Turkey you may submit requests in Turkish, and we will respond in Turkish if preferred.
Rights of California and U.S. Residents (CCPA/CPRA and similar): If you are a resident of California, you have certain additional rights under the CCPA/CPRA (and other U.S. state laws like those in Virginia, Colorado, etc., provide similar rights):
- Right to Know: You can request that we disclose to you the following about the personal information we have collected in the past 12 months: (1) the categories of personal information collected; (2) the categories of sources; (3) the business or commercial purposes for collection, sale, or sharing; (4) the categories of third parties to whom we disclose personal info; (5) the specific pieces of personal information we have collected about you. Much of this is laid out in this Privacy Policy, but you can also request a report.
- Right to Access: Similar to above, you can request a copy of the specific personal information we have about you (this is analogous to the GDPR access right). We will provide this in a portable and, if feasible, readily usable format, which may be JSON or PDF.
- Right to Delete: You can request that we delete personal information we have collected from you, with certain exceptions. Note that under CCPA, we may deny deletion requests if the information is necessary to complete the transaction, provide a service you requested, for security, to fix errors, to exercise free speech or another right, to comply with legal obligations, or other reasons allowed by law. We will inform you if any such exception applies.
- Right to Correct: You can request that we correct inaccurate personal information that we maintain about you. We will take into account the nature of the personal info and purpose of processing and may request documentation to validate the correct data.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information for cross-context behavioral advertising. As noted, POPJAM does not sell your personal info for money. However, we do share some data with third-party analytics and advertising partners which might be considered a “sale” or “sharing” under CPRA’s broad definitions. This mostly pertains to cookie and online identifiers used in advertising. You can exercise this right by using the “Do Not Sell or Share My Personal Information” link on our website (or the cookie banner’s opt-out for advertising cookies). If we detect an opt-out preference signal (like Global Privacy Control) from your browser, we will honor it for that browser by opting out of marketing cookies. Once you opt out, we will not share your data with third-party advertising networks except as allowed by law (e.g., for fraud prevention).
- Right to Limit Use of Sensitive Personal Information: CPRA gives you the right to limit our use of “sensitive personal information” if we use it for purposes beyond what is reasonably expected. POPJAM does not use or disclose sensitive personal info (as defined, e.g., precise geolocation, social security number, etc.) except for providing the services or as required (which are considered expected purposes). Therefore, this right may not be applicable as we don’t use your sensitive data for other purposes. If in the future we do (say, if we collect precise geolocation for a feature), we will update our practices and honor rights to limit.
- Right of No Retaliation (Non-Discrimination): We will not discriminate against you for exercising any of your privacy rights. This means we will not deny you our Services, charge you different prices, or provide a different level of quality just because you exercised your rights. If you are a California resident and you exercise your rights, you will receive the same service and pricing as before (note: the CCPA allows companies to offer financial incentives or different prices related to data, but if we ever do that, it would be clearly explained and subject to opt-in consent).
Exercising Your Rights:
- To exercise any of your rights described above, please contact us via email at privacy@popjam.io or info@popjam.io with the subject line “Data Subject Request” and let us know which right you intend to exercise. You may also send your request by mail to our address listed in Section 2 (Attn: Privacy Request). For certain requests, we may also provide self-service options in your account settings (for example, an account deletion button, or an export data function).
- Verification: For security, we will need to verify your identity before fulfilling a personal data request. For example, if you have an account, we may ask you to send the request from the email associated with your account or to log in to confirm. We may ask for additional info (like confirming a last transaction or profile info) to ensure we are dealing with the correct person. For robust requests (like accessing specific data), the verification will be more stringent. If you are not a registered user, we might ask for information like a recent interaction or email you received to verify. We will only use the information you provide for verification to verify you or to fulfill your request.
- Authorized Agents: If you are a California resident, you can designate an authorized agent to make requests on your behalf. We will require proof of the agent’s authority (e.g., a signed letter) and still may ask you (or the agent) to verify identity directly with us or confirm the agent’s permission.
- Response Time: We aim to respond to requests as soon as possible and at the latest within 30 days for GDPR/KVKK requests. For CCPA requests, we aim for 45 days (with the possibility of a 45-day extension, for which we would notify you). If we need more time or cannot comply with your request (due to an exemption or conflict with law), we will inform you of that in our response.
- No Cost (Generally): We will not charge you a fee for exercising your rights unless the requests are manifestly unfounded or excessive (e.g., repetitive requests). In such rare cases, we may charge a reasonable fee or refuse the request, but we will explain our reasoning.
Complaints: If you believe your rights have been violated or you are not satisfied with our handling of your personal data, you have the right to lodge a complaint with a supervisory authority.
- For EU residents, you can contact your country’s Data Protection Authority (DPA). As POPJAM is based in Estonia, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). Contact details can be found on their website.
- For UK residents, you can complain to the Information Commissioner’s Office (ICO).
- For Turkey, you can lodge a complaint with the Personal Data Protection Authority (KVKK Board) if you disagree with our response to your inquiry or if we do not respond within the legal time.
- For California, you can contact the California Attorney General’s office or the California Privacy Protection Agency for concerns.
Of course, we would appreciate the chance to address your concerns directly first. We encourage you to reach out to us with any issues, and we will do our best to resolve them to your satisfaction.
12. Additional Disclosures for California Residents (CCPA)
(This section is intended to comply with the California Consumer Privacy Act as amended by CPRA, and it summarizes the categories of personal information we collect and disclose, in CCPA terms.)
Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information (as defined by CCPA) from California consumers, with examples of each:
- Identifiers: Real name, email address, IP address, account username, and unique identifiers like cookie IDs. (We do not collect government IDs).
- Customer Records Information: If you are an individual consumer, the only pieces here might be your name, and payment information (through our payment processor) – e.g., billing address. We do not collect social security, medical, or financial information beyond what’s needed for transactions.
- Protected Classifications: We do not actively collect sensitive characteristics like race, gender, date of birth in our registration. Any such data would only exist if you voluntarily provided it in content (which is not expected for our service). Our personas might have demographic attributes but those are simulated and not tied to a real person.
- Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing histories. This includes your subscription plan, credit purchases, and transaction history on POPJAM.
- Internet or Other Electronic Network Activity: Yes, as described, we collect browsing activity on our site and platform: usage logs, pages visited, time stamps, clicks, and interactions with our Services.
- Geolocation Data: We infer general location (country, city) from IP address. We do not track precise geolocation (like GPS).
- Sensory Information: We do not collect audio, electronic, visual, thermal, or similar sensory info. (If you participated in a user research video call, that’s outside the scope of automated collection and would be voluntary).
- Professional or Employment Information: If you sign up with a business email or give us your company name and role, we have that information. We don’t collect your entire employment history.
- Education Information: Not collected (unless you provided it by chance in a feedback form, which we wouldn’t specifically use).
- Inferences: We may draw inferences from usage data to create a profile about a user’s preferences or behavior on our Service (e.g., that you may be interested in certain features). But we do not profile you in a way that produces legal effects.
Categories of Sources: We collect personal information from you directly (through forms you fill or data you input), automatically through your interaction with our Services (cookies, logs), and from third-party sources at your direction (like Google Ads API when you link accounts). We do not purchase personal data from data brokers.
Business or Commercial Purposes for Collection: These align with the purposes outlined in Section 4: providing the service, analytics and improvements, marketing, security, and legal compliance. We do not collect personal information for additional purposes beyond those.
Categories of Third Parties with Whom We Disclosed Personal Info: We have disclosed (as defined by CCPA, meaning shared for a business purpose) personal information in these categories to the following types of third parties in the last 12 months:
- Identifiers – to service providers (hosting, payment, analytics, etc.), and to advertising partners (cookie IDs to Google/Meta).
- Customer Records (basic info, transactions) – to payment processors, and possibly to cloud storage for backup.
- Commercial Info (transactions) – to our payment processor and accounting software.
- Internet/Network Activity – to analytics providers (Google Analytics), and to marketing partners (Facebook Pixel, etc.) for advertising measurement.
- Geolocation (IP-based) – to analytics and security services (e.g., Cloudflare if used for security, Google Analytics).
- Professional Info (if any provided) – not really disclosed except maybe through our CRM or support tools if integrated with email.
Sale or Sharing of Personal Information: POPJAM does not sell personal information for money. We also do not share personal information for cross-context advertising except as described with cookies. In the past 12 months, we have shared (as defined by CPRA) identifiers and internet/network activity with third-party advertising networks (Google, Meta) via cookies and pixels, which could be considered a “sharing” for behavioral advertising. Specifically, a Facebook Pixel or Google Ads cookie might be considered sharing your online identifier and site visit behavior to show you ads. We have not knowingly sold or shared the personal information of consumers under 16 years of age.
Your CCPA Rights: As detailed in Section 11, California residents have the right to know, access, correct, delete, and opt-out of sale/sharing of their personal info, as well as to non-discrimination. Section 11 explains how to exercise those rights (email us at privacy@popjam.io, use our cookie consent tools for opt-out, etc.). We will verify and respond to requests as described.
Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes that California law would permit a consumer to limit. Any sensitive data (like a login password, or precise location if we ever had it) is only used to provide the Service.
Retention: See Section 7 for our retention practices. We keep different categories of personal information for different lengths of time. For CCPA’s requirement, generally we keep personal info for as long as you have an account or as needed to provide services, and then as required by law or our internal policies (like 7 years for transaction info). The exact period will depend on the nature of the info and the purposes we described.
Financial Incentives: We do not offer programs that provide a price or service difference in exchange for personal information (for example, we have no loyalty program or discount for data). If we ever introduce any, we will update this section and provide terms, including how the value of data is calculated as required by law.
For more information or any questions about these disclosures, you can contact us at privacy@popjam.io.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will notify users as appropriate: by updating the “Last Updated” date at the top of this Policy, and in some cases we may provide additional notice (such as a notice on our website or an email notification for significant changes).
Your Responsibility to Review Updates: We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal data we collect. If you continue to use the Services after an updated Privacy Policy has been posted, it indicates that you have read and understood the current version of the Policy.
If we make a material change to the way we collect or use personal data that affects previously collected data (for example, if we decide to use data for a new purpose that you did not originally agree to), we will seek your consent where required by law.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please do not hesitate to contact us:
- Email: info@popjam.io
- Postal Mail: POPJAM OÜ – Privacy, Sepapaja tn 6, Lasnamäe linnaosa, Tallinn 15551, Estonia
- Website: You may also contact us through any web forms or support chat available on our site.
We will respond to your inquiries as promptly as possible, and in any event, within any timeframes required by applicable law. Your privacy is important to us, and we welcome your feedback. Thank you for trusting POPJAM with your marketing innovation and for reviewing our Terms and Privacy Policy.