This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. By visiting www.journoportfolio.com (the Site) you accept and consent to the practices described in this policy. Journo Portfolio Ltd (we/us/the Company) is committed to protecting and respecting your privacy.
By choice, we also voluntarily extend all the rights that GDPR offers to EU citizens to our users outside of the EU.
- We will never sell or share your data with third parties except for when required by law or when used to provide our services. For example, our support system or hosting providers.
- We never track you for advertising purposes. No ad-platform trackers are installed on our site. We use Google Analytics to monitor how the site is used and to improve our services.
- You have the right to request to see all the data we have on your or have it permanently deleted at any time by deleting your account. You also have other rights set-out below.
- We store all data within the EU. Some third-party services we use to store data in the US, but all comply with GDPR.
- We take data privacy and security very seriously and have a range of policies to minimise risks to your data. We use industry-standard security practices to secure our servers.
How we obtain consent
- Information we collect
We may collect and process the following data about you:
- Information you give us. You may give us information about you by filling in forms on the Site or by corresponding with us by e-mail. This includes information you provide when you register to use the Site and our Services. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph, amongst other information.
- Information we collect about you. With regard to each of your visits to the Site we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the Site (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, analytics providers, search information providers) and may receive information about you from them.
GDPR requires us to have a clear legal basis for collecting data on our users, this is set out below. As our service revolves around publicly displaying data you provide us with we have labelled each data type as private or public.
- Private data: is data only visible to yourself and our staff.
- Public data: is data visible to anyone via your portfolio and is, therefore, a far lower security risk. You should not add data that you do not wish to be public to your portfolio.
Why we collect/process it
Where we obtain it
Private unless displayed on portfolio
We need these to identify your account and provide secure access to it.
Provided by you during the sign-up process.
This is content you want to have displayed on your portfolio. We store in order to provide our service and serve it on your portfolio.
You add this content in the dashboard.
This is content you want to have displayed on your portfolio. We store in order to provide our service and serve it on your portfolio.
You add this content in the dashboard.
We store various settings that you configure about your portfolio, such as what fonts you have set.
We auto-populate your account with default settings, when you make changes in the dashboard these settings are updated.
We need these to charge you for our services. We do not store payment details directly, but instead use large secure payment gateways: Stripe and PayPal.
When you pay for a service these details are provided by you and transmitted directly to the payment gateway over a secure HTTPS connection.
We are legally required to identify who we are providing services to and where they are based in order charge the correct taxes and provide an invoice.
When you pay for services you provide this to us. Address details are also provided to us the payment gateway we use (Stripe, PayPal) which are obtained based on your card details.
We are legally required to confirm your location for tax reasons. This also allows us to keep a legal record of where the payment was authorised in case of fraud.
We obtain this from the details of your connection to our website.
We store your device type, OS, browser and browser version.
These are used to help identify bugs when you have an issue and for aggregated monitoring and analytics to improve our services.
We store basic statistics such as how many articles you have, when you last logged in and when you created your account.
These are used to provide you with stats, and carry out aggregated monitoring and analytics to improve our services.
- Our consent for privacy is separate from other terms and conditions.
- Consent requires a positive opt-in with an unticked opt-in checkbox.
- Third-party organisations who will rely on this consent are listed on this page.
We are exploring ways in which we can remove consent as a precondition of our service and offer more granular controls.
- We keep records of what you consent to and when you consented.
We do not employ targeting cookies for the purposes of advertising. We do not use Google, Facebook, Twitter or any other third-party advertising network to track your usage of the site.
- Strictly necessary cookies. These are cookies that are required for the operation of the Site. They include, by way of general example, cookies that enable you to log into secure areas of the Site, use a shopping cart or make use of e-billing services.
- Analytical/performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around the Site when they are using it. This helps us to improve the way the Site works by, for example, ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to the Site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to access all or parts of our Site.
Intercom, Stripe, PayPal and Braintree
- Our Site uses Google (Universal) Analytics, a web analytics service provided by Google, Inc. (www.google.com). Google Analytics uses methods that allow you to analyse the use of the site, such as "cookies", text files that are stored on your computer. The generated information about your use of this website is generally transferred to a Google server and stored there.
- By activating the IP anonymity on this website, the IP address is shortened before transmission within the Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there. The anonymised IP address provided by Google Analytics from your browser will not be merged with other Google data.
- You can prevent Google's processing of the data (including your IP address) generated by the cookie and your use of the website, as well as the processing of this data by Google, by downloading and installing the browser plug-in available under the following link : Http://tools.google.com/dlpage/gaoptout?hl=en
- Alternatively to the browser plug-in, you can click this link to prevent Google Analytics from being tracked on this site in the future. An opt-out cookie is stored on your terminal. If you delete your cookies, you must click the link again.
- From time to time, we may undertake several data behaviour analytics and usage may be tracked in third-party analytics systems like other than just Google Analytics, including HotJar and Amplitude for the improvement of our Site and Services.
Uses made of the information
- Our Site uses Intercom as a support service and Stripe, PayPal and Braintree for billing all of our Services. These services are provided by the companies Intercom R&D Unlimited Company, Stripe, Inc. and PayPal Holdings, Inc. (together, the ‘Providers’)
- When you visit our Site, your browser connects directly to the servers of Intercom, Stripe, PayPal and Braintree. The providers get the information that your browser has called up the corresponding page of our website, even if you do not have a profile or are not logged in at the moment. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider and stored there. If you are logged in to one of the services, the vendors can directly assign their website to your profile on Stripe, Intercom, PayPal or Braintree. The information is also stored in the social network and show it to your contacts.
- For the purpose and scope of the data collection and the further processing and use of the data by these providers, as well as your rights and setting options for the protection of your privacy, please refer to the data protection guidelines of the providers.
Disclosure of your information
- We may use information held about you in the following ways:
- Information you give to us. We may use this information:
- to carry out our obligations to provide you with our Services;
- to provide you with information about other services we offer that are similar to those that you have already inquired about or about other services we may provide in the future;
- to notify you about changes to our service;
- to ensure that content from the Site is presented in the most effective manner for you and for your computer.
- Information we collect about you. We will use this information:
- to administer the Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve the Site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep the Site safe and secure;
- to make suggestions and recommendations to you and other users of the Site about goods or services that may interest you or them.
- To email customers as part of having an account including their password resets, security info and other important notices about their portfolio and our Services.
- Information we receive from other sources. We may combine this information with information you give to us and the information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
We do not sell or otherwise share your data with any third parties for them to use for their own purposes.We do not track users for advertising purposes.We do use a number of tools to provide our services these services are sent some data:
- We may share your personal information with any member of our group, which means any subsidiaries, any ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
- We may disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- If the Company or substantially all of its assets are acquired by a third-party, in which case personal data held by it about its customers will be one of the transferred assets; and
As a data controller we have ensured that third-party services we use comply with GDPR:
Where we store your personal data
|External service||Data transferred/collected||Reason for use|
|IntercomData stored in the US||Transferred:|
Your plan and basic billing history
Emails/messages sent to us
Collected by them:
Your browser details and OS
Details on your usage of our site
|Intercom allows us to provide quick and effective support but allowing you to message us from our site, and providing a single place for us to manage support issues. The data it collects and is sent is to aid us in identifying issues when you have them.|
|Google AnalyticsData stored in the US and EU||Collected by them:|
Analytics on your usage of our site
|Google Analytics is used to provide aggregated monitoring and analytics of our website to helps us improve our service. We do not use this data for any advertising purposes.|
|GsuiteData stored in the US and EU||
Emails sent to us
||Gsuite provides our @journoportfolio.com email accounts.|
|QboxmailData stored within the EU||
Qboxmail host the email accounts we provide as an add-on service for Pro users. If you do not have a Pro account with an email account this does not apply to you. |
|XeroData stored in the US||Transferred:|
Xero is our accounting software. We only transfer your name and billing address into their software to allow us to keep accounting records as is our legal obligation.|
|Digital OceanData stored in the EU||
All non-media data
Digital Ocean provide our servers which include those that host our databases. These databases store all user-uploaded data except file uploads and are protected by industry-standard protections.
|Amazon AWSData stored in the EU||
All user-uploaded media files and images
We use Amazon's AWS S3 storage service to store all user-uploaded files. All uploaded files are for display on portfolios and are therefore all are publicly accessible.
- All information you provide to us is stored on our servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
- Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Data security, transfers and breaches
Right to be informed
We respect your right to be informed about what data we collect on you and why, and who we share that data with. This data is all included on this page.
Right of access
You have the right to obtain:
- Confirmation that your data is being processed
- Access to your personal data that we have
As we host account data online we assume that if you have an account your data is being processed.
Although we are legally allowed to charge a fee to provide you with this information we do not charge for this.
We will provide you with an export of your data within one month of receiving the request, as legally required to do so.
To request these please email firstname.lastname@example.org
Right to rectification and data quality
You have the right to have your personal data rectified if it is inaccurate or incomplete.
You can easily update all of your account data on the dashboard by logging in to your account. Alternatively, if you email email@example.com we will update your account for you.
Right to erasure including retention and disposal
You have the right to be forgotten and can request the erasure of personal data at any time.
To do this either delete your account at under 'Account' in the dashboard or email us at firstname.lastname@example.org.
We will not delete data that we are legally obligated to store, for example, your name and address from VAT invoices that we have issued. All other data will be deleted permanently.
To minimise the risks of data-loss or in case you change your mind, your data will not be deleted until at least 2 weeks after you delete your account and at most 4 weeks after.
Right to restrict processing
You have a right to block or restrict the processing of your personal data.
As we host your data online and consider this 'processing', you can restrict processing by deleting your account as set out above.
Right of data portability
The right to data portability allows you to obtain and reuse your personal data for their own purposes across different services.
This can be easily done by copying data from the dashboard to an alternative service of your choice, or by requesting access to all the data we have on your account and using that.
Right to object
You have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and processing for purposes of scientific/historical research and statistics.
You also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling).
Rights related to automated decision making including profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention via 'profiling'.
We do not carry out any profiling or automated decisions that could fall into this category.
We have a detailed Information Security policy that sets out our approach to information security, the technical and organisational measures that we implement and the roles and responsibilities staff have in relation to keeping information secure.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
All data is processed directly by us in the EU. Some of our third-party services host data in the US and comply with the conditions for transfer set out in Chapter V of the GDPR.
The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In the event of a breach, we will take immediate actions to mitigate access to the compromised data and secure our systems. We will notify the ICO and notify any of our users that have been affected as soon as practically possible.
We will maintain records of all data breaches.
Data Protection Policy
We have an internal Data Protection Policy that sets out how we approach data protection and the responsibilities for implementing the policy and monitoring compliance.
It is approved by management, published and communicated to all staff. We review and update the policy at planned intervals or when required to ensure it remains relevant.
We understand that having a clear understanding of existing and potential threats, vulnerabilities and impacts are key to minimising information risks. To that purpose, we regularly review new threats and mitigate existing risks.
Our Data Protection Officer is a senior staff member and responsible for managing information risks and coordinating procedures put in place to mitigate them as well as for logging and risk assessing information assets.
If and when we identify new information risks we take immediate action to reduce and mitigate risks to an appropriate level.
Data Protection by Design
A key aspect of GDPR is implementing 'Data Protection by Design', that is, implementing appropriate technical and organisational measures to enact considered and integrated data protection into our processing activities.
This involves only collecting data that is necessary, minimising access points, ensuring transparency in what we do with the data and a range of common practices such as pseudonymisation and transparency measures.
Data Protection Impact Assessments (DPIA)
We are legally required to always carry out a DPIA if we plan to:
- Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
- Process special category data or criminal offence data on a large scale.
- Systematically monitor a publicly accessible place on a large scale.
- Use new or untested technologies or systems.
- Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
- Carry out profiling on a large scale.
- Process biometric or genetic data.
- Combine, compare or match data from multiple sources.
- Process personal data without providing a privacy notice directly to the individual.
- Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
- Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
- Process personal data which could result in a risk of physical harm in the event of a security breach.
As we do not currently, or intend to in the future, carry out any of the above we have not carried out a DPIA to date. We will carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.
Data Protection Officers
We have a dedicated Data Protection Officer to help you with any requests you have about your data. Your query will be passed to our Data Protection Officer if you contact us through our Chat, or by emailing email@example.com.
All key personnel and staff with access to customer data are aware of and trained in the requirements of GDPR and keeping our customers' data secure.
- For the purpose of the Data Protection Act 1998 (the Act), the data controller is Journo Portfolio Limited. We are registered in England and Wales under company number 10554685. Our registered office address is 9 Perseverance Works, Kingsland Road, London, United Kingdom, E2 8DD and our email address is firstname.lastname@example.org.
- As we are a UK limited company, Journo Portfolio Limited is registered with the ICO as required by law.
Questions or concerns?
Chat with us if you have any questions about how these legal documents, or email us at email@example.com.