Last updated: 22 April 2026

Privacy Policy

1. Who we are

Joust Technologies Ltd ("Joust", "we", "us") operates the Joust website and app, including client portal pages that your clients may access via a secure link.

Controller: Joust Technologies Ltd
Contact: contact@withjoust.com
Registered address: [insert registered address]


2. What data we collect

Account data
Name, email address, password (stored as a secure hash), and authentication and session identifiers (managed via Better Auth).

Workspace and business data
Projects, client records, proposal and contract content, invoice details, payment status, reminder settings, and related metadata.

Time tracking data
Time entries including timestamps, duration, project and task associations, and notes.

Client portal data
Information your clients view or submit through a portal link, such as approvals, signatures, and payment actions, tied to a secure portal token.

Payment data
Payment initiation and status data processed via Stripe and TrueLayer. We do not store full card details or bank credentials — these are handled directly by our payment providers.

Usage and device data
Log data including IP address, device and browser information, and product events used for security, reliability, and service improvement.


3. How we use your data

Purpose | Description
Providing the service | Creating accounts, storing your projects and documents, generating proposals, contracts and invoices, and running client portal flows
Payments and billing | Processing subscription payments via Stripe and open banking payment links via TrueLayer
Communications | Sending transactional emails via Resend, such as authentication, invoice reminders, and product notifications
Security | Preventing abuse, investigating suspicious activity, and maintaining audit trails for sensitive actions such as signing, approvals, and payment state changes
Product improvement | Understanding feature adoption and fixing issues, using aggregated usage data

4. Legal bases (UK GDPR / EU GDPR)

  • Contract: to provide the service you sign up for and fulfil our obligations to you.
  • Legitimate interests: security, fraud prevention, service reliability, and product improvement, where these are not overridden by your rights.
  • Consent: for any optional analytics or marketing cookies, which you can control via our cookie banner.
  • Legal obligation: where we are required to retain records for tax, accounting, or regulatory purposes.

5. Subprocessors and data sharing

We use the following third-party providers to operate Joust:

Provider | Purpose | Location
Railway | Cloud hosting and databases | US
Stripe | Subscription payment processing | US / EU
TrueLayer | Open banking payment initiation | UK / EU
Resend | Transactional email delivery | US
Better Auth | Authentication and session management |

We do not sell your data to third parties. We may disclose data where required by law or to protect the rights and safety of Joust, our users, or others.


6. International data transfers

Some of our subprocessors process data outside the UK and EU, primarily in the United States. Where this occurs, we rely on appropriate transfer mechanisms, including the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs), as applicable.


7. Data retention

Data type | Retention period
Active account data | Retained while your account is open
Deleted accounts | Retained for 30 days, then deleted or anonymised
Financial records (invoices, payments) | Retained for 7 years to meet UK tax and accounting obligations
Audit logs and security events | Retained for 12 months
Server logs | Retained for 90 days

8. Security

We take reasonable technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Secure password hashing
  • Access controls and least-privilege principles
  • Audit logging for sensitive actions
  • Regular backups hosted on Railway

No system is completely secure. If you believe your account has been compromised, please contact us immediately at contact@withjoust.com.


9. Your rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you
  • Rectification: ask us to correct inaccurate data
  • Deletion: ask us to delete your data, subject to legal retention obligations
  • Restriction: ask us to restrict processing in certain circumstances
  • Portability: receive your data in a portable format
  • Objection: object to processing based on legitimate interests

To exercise any of these rights, contact us at contact@withjoust.com. We will respond within 30 days.

If you are in the UK, you may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU, you may contact your local supervisory authority.


10. Client data and roles

Joust operates as a platform used by freelancers and agencies ("customers") to manage their own clients. When a customer uploads client data to Joust — such as names, email addresses, or payment details — Joust acts as a data processor on that customer's behalf, and the customer acts as the data controller for that data.

Customers are responsible for providing appropriate privacy notices to their own clients and for ensuring they have a lawful basis to share that data with Joust. If you would like a Data Processing Agreement (DPA), please contact us at contact@withjoust.com.


11. Cookies

For information about how we use cookies and how to manage your preferences, please see our Cookie Policy.


12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or via an in-app notice before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent version.


Joust Technologies Ltd — contact@withjoust.com