Privacy Policy for Junovy

1. Introduction & Data Controller

Welcome to Junovy, a Dutch eenmanszaak registered in Amsterdam, The Netherlands under Chamber of Commerce (KvK) number 71813977. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://junovy.com or use our services.

Junovy is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR). Junovy also operates under the registered trade names (handelsnamen) Drake Design Studio (drakedesign.studio), BizDom (bizdom.biz), and bzz.nu. Under Dutch law a handelsnaam is not a legal person; all four brands share Junovy as the legal entity and data controller.

Registered Address: [protected], The Netherlands
KvK Number: 71813977
Privacy Contact: [protected email]

2. Information We Collect

We collect information that you provide directly to us and information automatically collected when you use our website or services.

2.1 Personal Data You Provide

When you use our contact form, sign up for services, or communicate with us, we may collect:

• Full name
• Email address
• Phone number (if provided)
• Company name (if applicable)
• Message content and project details
• Any other information you choose to provide

2.2 Automatically Collected Data

• IP address
• Browser type and version
• Device information
• Pages visited and time spent on pages
• Referring website
• Date and time of visit

2.3 Hosting Client Data

If you use our hosting or infrastructure services, we may also process:

• Server access logs and system logs
• Domain and DNS configuration data
• SSH keys and access credentials (encrypted)
• Backup data as specified in your service agreement
• Technical support communications

2.4 Junovy Business Suite Data

If you use any Junovy Business Suite services (Cloud Storage, Team Chat, Talk, Office, or Sites), we process additional data specific to those services. For detailed information about data collection and retention per service, please see our Service Description.

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Consent (Article 6(1)(a)): When you submit a contact form or subscribe to communications, you provide explicit consent for us to process your data.
• Legitimate Interests (Article 6(1)(f)): To respond to your inquiries, improve our services, maintain website and infrastructure security, and conduct automated malware scanning of uploaded files to protect the platform and all users.
• Contractual Necessity (Article 6(1)(b)): When processing is necessary to fulfill a contract or provide hosting, development, or consulting services you've requested.
• Legal Obligation (Article 6(1)(c)): When required by law (e.g., tax records, accounting).

4. How We Use Your Data

Junovy uses your personal data for the following purposes:

• To respond to your inquiries and provide customer support
• To provide web hosting, DevOps consulting, and application development services
• To manage your hosting infrastructure and maintain service availability
• To deliver Junovy Business Suite services (see Service Description)
• To send you updates about your projects, services, and scheduled maintenance
• To improve our website and user experience
• To send marketing communications (only with your consent)
• To analyze website usage and performance
• To comply with legal obligations and prevent fraud
• To maintain website and infrastructure security and protect against threats
• To perform automated malware scanning of uploaded files to protect the security of the platform and its users (see Section 4a below)

4a. Automated File Scanning

To protect the security and integrity of our platform and all users, we perform automated malware scanning on all files uploaded to Junovy Business Suite services (including Cloud Storage, Team Chat, and Office).

4a.1 What We Scan and How

All uploaded files are scanned using ClamAV, an open-source antivirus engine. Scanning is signature-based only: files are compared against a database of known malware signatures. We do not perform content analysis, classification, or profiling of your files. The scanning process is fully automated with no human review of file contents.

4a.2 Legal Basis

We process this data under the following legal bases:

• Legitimate Interests (Article 6(1)(f) GDPR): Protecting the platform, its infrastructure, and all users from malware and security threats. We have conducted a balancing test and determined that the security interest outweighs the minimal privacy impact, given that only signature matching is performed and no file content is analysed or stored.
• Security Obligation (Article 32 GDPR): As a data processor and controller, we are required to implement appropriate technical measures to ensure a level of security appropriate to the risk. Malware scanning is an essential component of this obligation.

4a.3 What Happens When Malware Is Detected

When a file is identified as containing malware:

• The file is quarantined (prevented from being accessed or downloaded by other users)
• The uploading user is notified by email with the file name and the detected threat type
• Quarantined files are automatically deleted after 30 days unless a successful appeal is made
• A scan log entry is retained for 90 days for security audit purposes, containing the file name, hash, scan result, and timestamp (no file content is stored)

4a.4 False Positive Appeals

If you believe a file has been incorrectly flagged as malware, you may appeal by contacting [protected email] within 30 days of the notification. Please include:

• The file name and the notification you received
• A description of the file and its intended use

We will review the file manually within 5 business days and notify you of the outcome. If the appeal is successful, the file will be restored to your account.

4a.5 Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for our file scanning activities in accordance with Article 35 GDPR. The DPIA is available at DPIA: File Scanning.

5. Cookies & Tracking Technologies

The junovy.com marketing site does not set any cookies or localStorage entries until you interact with the cookie consent banner. The banner offers three choices: Decline All, Manage Preferences (per-category toggles), and Accept All. Your choice is recorded in localStorage under the key junovy_cookie_consent.

If you accept the Functional category, we load our self-hosted Chatwoot live chat widget, which sets one first-party cookie (cw_conversation) to preserve your chat session. If you decline functional cookies, Chatwoot is not loaded at all.

The junovy.com marketing site does not use analytics cookies, marketing cookies, advertising cookies, or any third-party tracking technology. Authenticated product subdomains (Junovy Cloud, Chat, Talk, Office, Sites, Money) set their own application cookies required for login and session management; see the Cookie Declaration for the full breakdown.

You can change your choice at any time by clearing your browser storage for junovy.com and reloading the page — the consent banner will reappear.

6. Data Sharing & Third Parties

We do not sell your personal data. We share information only with carefully selected third-party processors who assist in operating our services, all of whom are required to comply with GDPR and maintain appropriate security measures.

6.1 Third-Party Data Processors

The following organisations process personal data on our behalf:

• Hetzner Online GmbH (Gunzenhausen, Germany) — Cloud infrastructure and primary authoritative DNS hosting. All core service data is stored on Hetzner servers within the EU. A Data Processing Agreement is in place under Article 28 GDPR.
• BunnyWay d.o.o. (Bunny.net) (Ljubljana, Slovenia) — Secondary authoritative DNS, operated as a backup to our primary DNS provider. Processes DNS query metadata only; no account or service data is shared. A Data Processing Agreement is in place under Article 28 GDPR.
• OVHcloud SAS (Roubaix, France) — AI inference for Juno AI Assistant. User prompts are sent to OVHcloud AI Endpoints for processing and are not stored after the response is returned. All processing occurs within the EU. A Data Processing Agreement is in place under Article 28 GDPR.
• Mailjet SAS (Sinch Group) (Paris, France) — Transactional email delivery (account notifications, password resets, service communications). Processes recipient email addresses and message content. A Data Processing Agreement is in place under Article 28 GDPR.
• Internet Security Research Group (ISRG) (San Francisco, USA) — Issues SSL/TLS certificates via Let's Encrypt. Processes domain names only; no personal data is shared.

6.2 Self-Hosted Services

Collabora Online (used for document editing in Junovy Office) and Chatwoot (the live chat widget served from ask.junovy.com) are both self-hosted on Junovy infrastructure. They do not receive or store data independently of Junovy and are not third-party data processors. Chatwoot is only loaded on junovy.com after you affirmatively accept cookies; see Section 5 and the Cookie Declaration for details.

For a detailed breakdown of processors per service, see our Service Description.

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses
• Adequacy decisions by the European Commission
• Data processing agreements with GDPR-compliant providers

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Contact Form Submissions: Retained for 2 years after last contact, unless a business relationship is established.
• Client Project Data: Retained for the duration of the project plus 7 years for legal and accounting purposes.
• Hosting Service Data: Retained for the duration of the service agreement plus 30 days, unless longer retention is required for backups or legal purposes.
• Server Logs: Retained for 90 days for security and troubleshooting purposes.
• Email Correspondence: Retained for 3 years after last communication.
• Analytics Data: Anonymized after 14 months.
• Malware Scan Logs: Scan metadata (file name, hash, result, timestamp) is retained for 90 days. Quarantined files are deleted after 30 days unless a successful appeal is made.
• Junovy Business Suite Data: Retention varies by service. See our Service Description for details.

9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

• Right of Access (Article 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing (Article 18): Request that we limit how we use your data.
• Right to Data Portability (Article 20): Request your data in a structured, machine-readable format.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, please contact us at [protected email] . We will respond to your request within 30 days.

For a plain-language explanation of your rights, see Your Rights.

10. Data Security & Privacy by Design

Privacy by design and by default (Article 25 GDPR) is built into Junovy from the ground up. Concretely, this means we host all personal data inside the European Union, we use no third-party analytics, advertising, or tracking vendors of any kind on our marketing site, and consent-gated services (such as our Chatwoot live chat) are loaded only after affirmative user action. These choices are architectural: they cannot be toggled off, and they apply to every user automatically.

We also implement the technical and organisational measures required by Article 32 GDPR, including:

• TLS 1.2+ encryption for all traffic to and from Junovy services.
• Secure server infrastructure with regular security updates.
• Access controls and authentication mechanisms, including role-based access control and least-privilege principles for staff access.
• Encrypted storage for sensitive credentials, managed via HashiCorp Vault.
• Automated malware scanning of all uploaded files (see Section 4a).
• Automatic dependency scanning and regular security updates.
• Encrypted backups stored in EU-based object storage.
• Strict network segmentation between marketing, product, and administrative systems.
• A documented incident response plan.

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Data Breach Notification

If a personal data breach occurs, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly and without undue delay, in plain language and with a description of the likely consequences and the measures we are taking, in accordance with Article 34 GDPR.

If you believe you have found a security vulnerability in any Junovy service, please report it to [protected email] . We appreciate responsible disclosure and will acknowledge your report within one business day.

11a. Data Protection Officer (Article 37 GDPR)

Junovy is a small Dutch business and is not required to appoint a Data Protection Officer under Article 37 GDPR: we do not carry out large-scale systematic monitoring of individuals, nor do we process special categories of personal data on a large scale. All privacy questions, data subject requests, and breach reports should be sent to the privacy contact above, which is handled directly by the person responsible for Junovy.

12. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately, and we will delete the information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Junovy
[protected]
The Netherlands

KvK: 71813977
Privacy Inquiries: [protected email]
General Contact: Contact Form
All Privacy Documents: Privacy Center

Back to Home