Privacy Policy
Effective: April 12, 2026
Your privacy matters to us. This Privacy Policy explains how JUG Software Ltda. ("JUG", "we", "us", "our") collects, uses, shares, stores and protects personal data of users ("User", "you") of the JUG platform (the "Platform"), in accordance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).
If you do not agree with this Policy, do not access or use the Platform.
Summary of this Policy
- We collect data you provide directly (account, profile, content) and data generated automatically (session token, operational usage data).
- We use your data to provide the Platform, process payments, send operational notifications and comply with legal obligations. We do not use your data for advertising or targeted marketing.
- We share data only with Stripe (payments) and AWS (infrastructure). We do not sell personal data.
- You have rights over your data under the LGPD, including access, correction, deletion and portability.
1. Data We Collect
1.1 Data you provide
Account and profile information: when you create an account, we collect your name, email address and password (stored only using BCrypt hashing). You may optionally add a profile photo.
Content you add to the Platform: we collect and store all content you create, send or share on the Platform, including projects, goals, steps, tasks, sprints, documents, comments, attachments and timesheet entries. We process this content solely to provide the contracted service.
Workspace information: workspace name, identifier and settings defined by the administrator.
1.2 Data provided by other users
We receive your email address when another User provides it to invite you to a workspace. Similarly, an administrator may provide your information when adding you as a member or billing contact.
1.3 Data collected automatically
Authentication token: when you sign in, a token is generated and stored locally in your browser (localStorage) to keep you signed in. On our servers we store only a cryptographic hash of the token.
Operational usage data: we collect information necessary to run the Platform, such as WebSocket connections for real-time notifications and API requests. We do not collect browsing analytics, tracking cookies, IP addresses for profiling, or behavioral tracking.
1.4 Payment data
Payment data (credit card, banking details) is collected and processed exclusively by Stripe, Inc., which is PCI DSS Level 1 certified. We do not store full card data on our servers. We only retain:
- Stripe customer identifier (stripe_customer_id)
- Stripe subscription identifier (stripe_subscription_id)
- Name and email associated with billing
2. How We Use Your Data
How we use your data depends on how you use the Platform:
To provide and operate the Platform: authenticate you, secure your account, process and display content you create, manage workspace members and permissions, and send operational notifications (invites, task updates, sprint alerts).
To process payments: manage subscriptions, process charges through Stripe, send payment confirmations and billing reminders.
To improve the Platform: identify and fix technical issues, analyze aggregated usage patterns to improve existing features and develop new ones. For improvements we work with aggregated, de-identified information where possible.
For operational communications: send transactional emails about your account, subscription, invites received and relevant Platform updates. We do not send marketing or promotional emails.
To comply with legal obligations: meet tax and regulatory requirements and respond to lawful requests.
3. Legal Bases for Processing (Art. 7, LGPD)
Processing of your personal data is based on the following legal grounds:
| Purpose | Legal basis |
|---|---|
| Provide the Platform, authenticate, process payments | Performance of contract (Art. 7(V)) |
| Acceptance of Terms of Use at registration | Consent (Art. 7(I)) |
| Platform improvements, operational communications, security | Legitimate interest (Art. 7(IX)) |
| Tax and regulatory obligations | Compliance with legal obligation (Art. 7(II)) |
4. How We Share Your Data
4.1 Service providers
| Third party | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | Name, email, billing details |
| Amazon Web Services (AWS) | Hosting, database and file storage | All data (infrastructure) |
These providers act on our instructions and are subject to contractual confidentiality and security obligations.
4.2 Within the workspace
When you use the Platform, certain information about you is shared with other members of the same workspace: your name, avatar, email and all content you create (tasks, comments, documents, etc.). The workspace administrator may view additional information such as roles, permissions and members' timesheet records.
4.3 Legal requirements
We may disclose personal data when necessary to: (a) comply with applicable law, regulation or court order, (b) protect the rights, safety or property of JUG, Users or third parties, or (c) detect and prevent fraud or illegal activity.
4.4 What we do not do
We do not sell, rent or trade personal data. We do not share data with third parties for marketing, advertising or behavioral profiling.
5. Storage and Security
We implement technical and organizational measures to protect your data:
- Infrastructure: data stored on AWS servers in the us-east-1 region (USA), with encryption in transit and at rest
- Passwords: hashed with BCrypt before storage — we cannot access your password in plain text
- Tokens: stored as cryptographic hashes on our servers
- Database: connections protected by TLS/SSL
- Communication: all data exchange between your browser and the Platform is protected by HTTPS
- Files: attachments, avatars and documents are stored in a private S3 bucket with access controlled by IAM policies
While we implement safeguards designed to protect your data, no system is impenetrable. We cannot guarantee absolute security against intrusion by third parties.
6. International Data Transfers
Data is processed and stored in the United States (AWS us-east-1) and may transit through Stripe, Inc. servers in the USA. These transfers are carried out on the basis of Article 33(II) of the LGPD (standard contractual clauses) and are protected by appropriate technical and organizational measures described in section 5.
7. Data Retention
Retention depends on the type of data, purpose and legal requirements:
- Active account: data retained while the account is active
- After subscription cancellation: workspace data retained for 90 days for possible reactivation. After that period, data will be deleted
- Account deletion: personal data removed within 30 days of request, except where retention is required to meet legal obligations
- Shared content: if your account is deactivated, some content you created (e.g. tasks, comments) may remain visible to other workspace members to ensure team continuity
- Tax records: retained for the applicable legal period (5 years under Brazilian tax law)
8. Your Rights (Art. 18, LGPD)
You have the following rights regarding your personal data:
- Confirm whether we process your data
- Access the personal data we hold about you
- Correct incomplete, inaccurate or outdated data
- Request anonymization, blocking or deletion of unnecessary data or data processed in violation of the LGPD
- Request portability of your data to another service provider
- Request information about public and private entities with which we have shared your data
- Withdraw consent at any time, without affecting processing that occurred before withdrawal
- Request deletion of data processed on the basis of consent
How to exercise your rights
You can manage some information directly in your profile and workspace settings. For requests that cannot be completed in the Platform, contact us at privacidade@usejug.com. We will respond within 15 business days.
We may ask for additional information to verify your identity. If we cannot verify your identity, we may be unable to fulfill your request. Some rights may be limited when fulfilling them would reveal information about third parties or when we are legally required to retain data.
Data portability
Upon request, we will provide a copy of your personal data and content under your control in a structured, machine-readable format.
9. Cookies and Local Storage
The Platform does not use tracking, analytics or advertising cookies. We use only browser localStorage to maintain your session (email and authentication token). This storage is strictly necessary for the Platform to function and does not track your behavior across sessions or websites.
10. Children
The Platform is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If we learn that we have collected a minor's data, we will delete it promptly and close the associated account.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will post changes on this page and, if material, notify you by email or through the Platform at least 30 days in advance. The "effective" date at the top reflects the current version. If you disagree with changes, you should stop using the Platform and may request deletion of your data.
12. Data Protection Officer (DPO)
For questions about personal data protection, contact our Data Protection Officer:
JUG Software Ltda.
Email: privacidade@usejug.com
13. National Data Protection Authority (ANPD)
If you believe processing of your personal data violates the LGPD, or if you are not satisfied with our response, you have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD) at www.gov.br/anpd.
Analytics and privacy preferences
We use PostHog (hosted in the EU) to understand how our product is used and improve it. We only collect aggregate usage events (no session recording, no granular clicks, no sensitive personal data). You can opt out at any time.
Anonymous analytics
Helps us see which features are most useful. We never send your raw email or personal data.
Analytics is not configured in this environment.