Privacy Policy
Last updated: March 2026
1. Introduction
Joy ("we", "us", "our") is a SaaS project management tool that uses AI to help break down projects into actionable tasks. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.
By using Joy, you agree to the collection and use of information in accordance with this policy.
2. Data We Collect
2.1 Account Information (via OAuth)
When you sign in using Google, GitHub, or Microsoft, we receive and store:
- Full name, first name, and surname
- Email address
- Profile picture URL (avatar)
- OAuth provider identity (e.g., "google", "github", "microsoft")
2.2 User-Generated Content
Data you create while using Joy:
- Project details (name, features, target audience, requirements)
- AI-generated questions and your answers
- AI-generated summaries and project breakdowns (task trees)
- Decision block selections
2.3 API Keys & Integration Credentials
If you provide your own API keys or integration credentials:
- AI provider API keys (OpenAI, Google AI, Anthropic, OpenRouter) — stored encrypted at rest
- Jira domain, email, and API token — stored encrypted at rest
2.4 Usage & Billing Data
- AI usage logs: model used, input/output token counts, operation type, cost estimate, duration
- Subscription status, plan details, billing period dates
- Token balance (for one-time token purchases)
2.5 User Preferences
- Theme settings (dark/light mode, color palette)
- Default AI model selection
- System API key usage preference
3. How We Use Your Data
- Authentication: To identify you and manage your session
- Service delivery: To provide project management and AI features
- Billing: To manage subscriptions, track usage, and process payments
- AI processing: To send your project content to AI providers for generating breakdowns, summaries, and answers
- Personalization: To apply your theme and model preferences
- Integration: To export data to Jira on your request
4. Third-Party Data Sharing
We share data with the following third-party services as necessary to provide the service:
| Service | Data Shared | Purpose |
|---|---|---|
| Google, GitHub, Microsoft (OAuth) | Authentication tokens | User sign-in |
| Polar | Email, payment information | Subscription billing & payment processing |
| OpenAI, Google AI, Anthropic, OpenRouter | Project content (sent to AI prompts) | AI-powered project analysis & generation |
| Atlassian (Jira) | Project breakdown content (on user request) | Issue export to Jira |
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
5. Cookies
Joy uses only strictly necessary cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| | Session authentication | 7 days |
| | Post-login redirect (temporary) | 5 minutes |
| | OAuth state management | Session only |
All cookies are set with HttpOnly, Secure, and SameSite flags. We do not use analytics, advertising, or tracking cookies.
We also use browser localStorage to persist your theme preferences (dark/light mode, color palette, font scale) and cookie notice dismissal. This data stays on your device and is not sent to our servers.
6. Data Storage & Security
- All data is stored in a PostgreSQL database on our servers
- Sessions are stored in Redis with automatic expiration
- API keys and integration credentials are encrypted at rest using AES-256
- Session cookies are cryptographically signed to prevent tampering
- All production traffic is encrypted via HTTPS (TLS)
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all associated data (profile, projects, usage logs, API keys, subscriptions) is permanently deleted from our systems.
Session data expires automatically after 7 days of inactivity.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Delete your account and all associated data via Settings
- Portability: Export your data in a machine-readable format via Settings
- Restriction: Request restriction of processing
- Objection: Object to processing of your data
To exercise these rights, use the self-service options in your account Settings or contact us at the email address below.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your own. When data is sent to third-party AI providers (OpenAI, Google, Anthropic) or payment processors (Polar), it may be processed in the United States or other jurisdictions. These transfers are necessary to provide the service.
10. Children's Privacy
Joy is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions or concerns about this Privacy Policy or your data, please contact us at:
privacy@joy-app.com