Privacy Policy

1. Scope

1.1 Commitment to Independence: Jullow is 100% independently owned and operated with no outside investors or board of directors. This will always be reflected in how Jullow collects and handles user data.

1.2 This Privacy Policy applies to all websites, applications, and services that are part of the Jullow ecosystem — including any current or future product operated under the Jullow brand. If the project's legal structure changes, this policy will be updated accordingly.

1.3 This policy works together with the Jullow Terms of Service and Cookie Policy. Where a specific Jullow app has additional privacy terms, those apply on top of this policy and never replace it. Some Jullow apps may collect additional information depending on their features. Any such data collection will always be explained in that app's own Privacy Policy, which applies in addition to this Privacy Policy.

2. My Jullow & Jullow ID — what is collected and why

My Jullow is the central account hub for the Jullow ecosystem, accessible as a standalone app and at account.jullow.com. A single Jullow ID connects users to all Jullow apps and services.

Required at signup:

• Display name — the name chosen to show publicly. Not required to be a legal name.
• Unique username — the public identifier, visible to other users across the ecosystem.
• Email address — used for account verification and important security notices.
• Phone number (with country code) — required for verification and to help keep accounts unique and secure.
• Password — stored securely using hashing. Jullow never sees or stores plain-text passwords.
• Date of birth (DD/MM/YYYY) — to confirm the user is 16 years or older. Accounts for persons under 16 are not permitted.
• Country — for basic account setup and security purposes.

Other data collected:

Preferences — personal settings such as language, avatar choices, and any other preferences configured across the Services.

Device and session data — collected to keep accounts secure and to power the active sessions feature in My Jullow:

• Device model (e.g. Samsung Galaxy A15 5G, iPhone 15) — stored server-side and visible only to the user in My Jullow to identify and manage active sessions.
• Device type (phone / tablet / desktop)
• OS and version (e.g. Android 14, iOS 18)
• App version (e.g. AniTreasure 1.2.0)
• Browser type and version (collected on Jullow websites only, e.g. Chrome 120)
• Login timestamps

Service metadata — minimal logs retained for troubleshooting and security purposes.

Jullow does not collect sensitive special-category data (such as health information, race, religion, or sexual orientation) as part of a Jullow ID or My Jullow account. Where a specific Jullow app optionally invites users to provide such information to enhance its features, this is always voluntary, never shared with other apps, and governed by that app's own privacy terms in addition to this policy.

3. Legal basis for processing

Jullow is committed to processing personal data lawfully. Under GDPR, every piece of data collected must have a clear legal basis. The table below sets this out simply and transparently.

Where Jullow relies on legitimate interests, it has assessed that the use of the data is necessary, proportionate, and does not override user rights.

4. How data is used

Jullow uses personal data only for clear, limited purposes:

• Create and manage Jullow IDs and sessions.
• Verify accounts and prevent duplicate or fraudulent accounts.
• Keep the Services secure and detect suspicious activity using device and session data.
• Display active sessions in My Jullow so users can manage and sign out of them.
• Remember preferences and display public avatars and usernames.
• Send account-related messages such as verification codes and security notices.

Jullow does not use data for advertising, marketing profiling, or any purpose beyond what is described in this policy. Jullow does not sell personal data to third parties under any circumstances.

5. Visibility & privacy across the ecosystem

Public (visible to other users across Jullow apps): Aija avatar, unique username, and display name.

Private (visible only to the user and Jullow for operational purposes): phone number, email address, country, device and session data.

Active sessions (visible only to the user in My Jullow): device model, device type, OS version, app version, browser type, and login timestamps for each active session.

Comments and posts: where Jullow apps include commenting or posting features, content may be public or private depending on the user's choice and the app's design. Public content is visible to all users of that app. Private content is accessible only to the user who created it unless they choose to share it.

Private messages: private messaging features are built around end-to-end encryption principles so that message content remains inaccessible to Jullow. Only the sender and recipient can access message content. See Section 6 for more details.

6. Messaging & end-to-end encryption

End-to-end encryption (E2EE) is a foundational design principle across all messaging features in the Jullow ecosystem. Messages are encrypted on the sender's device and are designed to be decrypted only by the recipient's device. Jullow is designed so that private message content remains inaccessible to Jullow's servers.

Where a specific Jullow app introduces messaging features, those features will be built around this E2EE principle as a baseline requirement. This is a commitment that applies across the entire Jullow ecosystem, not just individual apps.

7. My Jullow — managing accounts and sessions

My Jullow is where users manage their entire Jullow presence, accessible as a standalone app and at account.jullow.com:

• View and edit profile (display name, username, email, phone, country, preferences).
• Change password at any time.
• View all active sessions across connected apps and sign out of any individual session remotely.
• Emergency sign-off: sign out of all connected apps at once if account compromise is suspected.
• Connect or disconnect apps. Disconnecting an app causes the app-specific data linked to the account to be deleted after a 30-day grace period. Reconnecting within 30 days restores the connection and data.
• Export data: download a machine-readable copy of personal data in JSON format directly from My Jullow. Requests are fulfilled within 30 days.
• Delete Jullow ID: triggers a 30-day recovery window. Upon requesting deletion, Jullow will send a confirmation to the registered email address including the exact date the recovery window expires. After 30 days, personal data is permanently deleted from active systems.

After the 30-day recovery window has passed, account restoration is permanently impossible. Jullow cannot recover accounts or data after this point under any circumstances.

Jullow's liability for data loss following a confirmed deletion request is limited to the extent permitted by applicable law.

8. Reporting, blocking & moderation

Where Jullow apps include social or community features, users can report other users, comments, posts, avatars, or display names for abuse, spam, impersonation, or policy violations. Reports may use limited metadata such as timestamps and account IDs to support moderation. Jullow does not intentionally access private message content as part of this process.

Users may block other users to prevent further interactions. Blocking may apply across connected Jullow services where supported.

Jullow may suspend or permanently remove accounts that violate the Jullow Terms of Service. For more information see the Terms of Service.

9. Cookies & tracking

Jullow uses only essential cookies on its websites — session cookies and language preference cookies. Jullow does not use analytics, advertising, or tracking cookies anywhere in the Jullow ecosystem. For full details see the Cookie Policy.

10. Third-party providers & data processors

Jullow may use third-party service providers such as hosting and email delivery to operate the Services. These providers act as data processors on Jullow's behalf — meaning they may only process data to provide their service to Jullow and for no other purpose.

Jullow selects providers that are GDPR-compliant and privacy-first. Data shared with any provider is limited to what is strictly necessary to provide the Services.

Some content embedded from third parties (for example, videos) may be subject to that third party's own privacy practices. Please refer to their privacy policy for details.

11. International transfers

Jullow selects providers that are GDPR-compliant and privacy-first. Where any provider processes data outside the European Economic Area (EEA), Jullow ensures that appropriate safeguards are in place — such as Standard Contractual Clauses approved by the European Commission — before using their services. Jullow aims to work with providers that meet these standards whenever possible.

If there are questions about where data is processed, see Section 18.

12. Data retention & deletion

Active accounts: data is retained for as long as the account exists.

Deleted accounts: after deletion, data is kept for up to 30 days for recovery purposes. After 30 days it is permanently deleted from active systems and removed from backups within 90 days.

Security logs and session metadata: retained for a limited period to support security and troubleshooting, then deleted.

13. Your rights

The following rights apply to all Jullow users globally, regardless of location. Jullow applies these standards universally because privacy is considered a fundamental right, not a regional privilege.

Through My Jullow users can:

• View account data.
• Edit information (display name, username, email, phone, country, preferences).
• Change password at any time.
• Manage and sign out of active sessions remotely.
• Export a machine-readable copy of personal data in JSON format directly from My Jullow.
• Delete account (subject to the 30-day recovery window).

If an action cannot be performed in the app, users may contact Jullow for assistance. Identity will be verified before acting on any request — through an active My Jullow session for in-app requests, or via a verification code sent to the registered email address for requests made outside the app. Jullow aims to respond within 30 days. If no response is received within 30 days, the matter may be escalated to the Hellenic Data Protection Authority (HDPA).

Users also have the right to lodge a complaint with the HDPA at any time if they believe their personal data is being processed unlawfully. The HDPA can be reached at www.dpa.gr.

14. Age & children

Users must be 16 years or older to create a Jullow ID. A full date of birth (DD/MM/YYYY) is required at signup to verify eligibility. If data belonging to a person under 16 is discovered, it will be deleted as soon as reasonably possible.

15. Security

Jullow takes reasonable technical and organisational measures to protect personal data, including hashed passwords, end-to-end encryption principles for all messaging, encryption in transit, and secure backups. However, no system is completely secure. By using the Services users acknowledge that absolute security cannot be guaranteed. Jullow is not liable for security breaches directly caused by third-party providers where Jullow has exercised reasonable care in selecting and configuring such providers.

16. Data breaches

If Jullow becomes aware of a personal data breach that is likely to result in a risk to users' rights and freedoms, it will act in accordance with applicable law and notify affected users and relevant authorities where required and practicable.

17. Changes to this policy

Jullow may update this policy as the Services evolve. The revised policy will be posted with a new effective date on this page. Where appropriate, users will be notified via My Jullow or the email address associated with their account. Users are encouraged to check this page periodically.

18. Contact

For questions about this policy, data, or to request assistance: info@jullow.com

19. Legal disclaimer

This policy describes current Jullow practices and is not legal advice. For legal certainty about compliance or liability, consult a qualified attorney. To the maximum extent permitted by law, the Services are provided as-is without warranties of any kind.