Privacy Policy
Last updated: April 2026
The short version
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone. Ever.
- We don't run ads or ad-tracking. No third-party advertising networks. No cross-site tracking. No behavioral profiling.
- Your members' data is yours. We process it only to operate the service. We don't contact your members, mine their data, or use it for our own marketing.
- Payment data stays with the payment processor. We store only reference IDs from Stripe and PayPal. Credit card numbers never touch our servers.
- You can leave anytime and take everything. Full data export, no lock-in, no penalties.
- Self-hosted means self-hosted. If you run Joinery on your own server, your data never passes through ours.
This policy explains how Joinery (operated by Joinery, Inc., a Delaware corporation) collects, uses, and protects data. It covers three groups of people:
- Customers — organizations and individuals who sign up for a Joinery account
- Members — the people whose data customers store in Joinery
- Visitors — people browsing getjoinery.com
1. What we collect and why
From customers (you, the account holder)
- Account information — name, email address, organization name. We need this to create and manage your account.
- Billing information — payment is processed entirely by Stripe or PayPal. We store only their reference IDs (customer ID, subscription ID, transaction ID). We never receive, transmit, or store credit card numbers, CVVs, or bank account details.
- Support communications — emails or messages you send us. We keep these to provide support and improve the product.
From your members
When you use hosted Joinery, the member data you store — names, emails, event registrations, payment history, custom fields, and anything else you collect — is processed on our servers. We act as a data processor on your behalf. You are the data controller and determine what data to collect from your members and how to use it.
We access member data only to operate the service (storing it, displaying it to you, running features you've enabled). We do not use member data for our own marketing, analytics, advertising, or any other purpose.
From visitors to getjoinery.com
- Server logs — IP address, browser type, pages visited, referring URL, and timestamp. This is standard web server operation. Logs are used for security monitoring and are not shared with third parties.
- Cookies — we use session cookies for authentication (keeping you logged in). We do not use third-party advertising cookies or cross-site tracking cookies.
2. How we use your data
- To operate the service — storing your data, running features, processing payments through Stripe/PayPal, sending emails through your Mailgun account.
- To improve the platform — we may analyze aggregate, non-identifying usage patterns (which features are used, page load times, error rates) to improve Joinery. This is never used to identify, profile, or target individual users.
- To communicate with you — account notifications, service updates, and responses to your support requests. We don't send marketing email unless you opt in.
- To maintain security — monitoring for abuse, unauthorized access, and system integrity.
3. What we never do
These aren't aspirational. They are commitments.
- We do not sell personal data to anyone, for any reason.
- We do not share data with advertising networks.
- We do not run behavioral advertising or retargeting.
- We do not build profiles of your members for our own use.
- We do not use cross-site or cross-device tracking.
- We do not contact your members directly for any marketing purpose.
- We do not monetize your data. Our revenue comes from subscriptions, services, and referral partnerships — never from your data.
- We do not voluntarily disclose your data to law enforcement or government agencies. We comply with valid legal process (subpoenas, court orders, warrants) as required by law, but we do not volunteer information beyond what is legally compelled. If permitted by law, we will notify you before disclosing your data in response to legal process.
4. Third-party services and integrations
Joinery follows a bring-your-own-keys model for third-party integrations. Rather than routing your data through our accounts with these services, you connect your own accounts directly. This means your data flows between your Joinery instance and your service provider — we don't aggregate it, and we don't have access to your third-party accounts.
Available integrations include:
- Payment processing — Stripe and PayPal, using your own merchant accounts. Payment data (card numbers, bank details) is handled entirely by your payment processor. Joinery stores only reference IDs.
- Email delivery — Mailgun (API) or any SMTP provider, using your own account credentials. Email content and recipient addresses pass through your email provider for delivery.
- Mailing list sync — Mailchimp, using your own API key. Syncs subscriber data between Joinery and your Mailchimp account.
- Bot protection — hCaptcha or Google reCAPTCHA, using your own site keys. Protects forms from automated submissions.
- Scheduling — Acuity Scheduling and Calendly, using your own API credentials. Manages appointment booking and calendar integration.
Each integration is optional and activated only when you provide your own API keys. Your relationship with each service is governed by that service's own terms and privacy policy. We do not receive commissions, referral fees, or data from these services.
For hosted Joinery, our servers are hosted in the United States. Your data is stored on infrastructure we manage directly.
We do not use third-party analytics services (like Google Analytics) that track individual users across sites. Any analytics we run are first-party and aggregate.
5. Cookies and tracking
We use cookies only for essential functionality:
- Session cookies — these keep you logged in. They are HttpOnly (not accessible to JavaScript), set with SameSite=Lax (which restricts when they are sent on cross-site requests), and marked Secure (HTTPS only). They expire when your session ends or after a reasonable inactivity period.
- CSRF tokens — these prevent cross-site request forgery attacks on forms. They are a security measure, not a tracking mechanism.
We do not use persistent tracking cookies, third-party cookies, pixel trackers, fingerprinting, or any other mechanism designed to follow you across websites.
6. Your members' data
This is important enough to say directly: your members' data belongs to you and your members, not to us.
- We process member data solely to provide the service you're paying for.
- We do not access member accounts or data unless you request it for support purposes.
- We do not use member data for our own analytics, marketing, machine learning, or product development.
- We do not share member data with any third party except as necessary to operate the service (Stripe for payments, Mailgun for email delivery via your own account).
- Your members can contact you to exercise their data rights. As the data controller, you decide how to respond. We provide the tools (data export, deletion) to help you comply.
7. Self-hosted instances
If you run Joinery on your own server (under the PolyForm Noncommercial license or a commercial license), your data stays on your infrastructure. We have no access to it, no telemetry, and no connection to your instance unless you initiate one (for example, checking for updates).
Self-hosted Joinery does not phone home. We do not collect usage data, crash reports, or any other information from self-hosted installations.
Your privacy obligations to your own members are your responsibility when self-hosting. We recommend publishing your own privacy policy for your site.
8. Data retention and deletion
While your account is active
We retain your data for as long as your account is active and you're using the service. You can export your data at any time through the admin interface or API.
When you cancel
When you cancel your account:
- Your data remains available for 30 days after cancellation so you can export anything you need or reactivate if you change your mind.
- After 30 days, we delete your data from our active systems — your organization data, your members' data, uploaded files, and configuration.
- Backups containing your data are purged within 60 days of deletion from active systems.
- If you want your data deleted immediately without the 30-day grace period, contact us and we'll process it within 14 days.
What we may retain
After deletion, we may retain:
- Basic account records (organization name, account holder email, billing history) as required for tax, legal, and accounting obligations.
- Aggregate, non-identifying usage statistics that cannot be traced back to you or your members.
We do not retain member data after your account is deleted.
9. Security
We protect your data with the following measures:
- All database queries use parameterized prepared statements (no SQL injection paths).
- All user-generated content is escaped on output (XSS prevention).
- Passwords are hashed with Argon2id.
- Sessions use HttpOnly, SameSite, and Secure cookie flags.
- HTTPS is enforced for all connections.
- The source code is available for inspection — you don't have to trust a black box.
No system is perfectly secure. If we discover a data breach affecting your account, we will notify you promptly with details of what happened and what we're doing about it.
10. Your rights
Depending on where you are, you may have specific legal rights regarding your personal data:
All customers
- Access — you can view and export all your data at any time through the admin interface or API.
- Correction — you can update your information at any time.
- Deletion — you can request deletion of your account and data. See "Data retention and deletion" above.
- Portability — you can export your data in standard formats. We do not charge for data export.
European Economic Area (GDPR)
If you are in the EEA, you have additional rights under the General Data Protection Regulation, including the right to restrict processing, object to processing, and lodge a complaint with your local data protection authority. Our legal basis for processing is contractual necessity (we need your data to provide the service you signed up for) and legitimate interest (security monitoring, platform improvement).
California (CCPA/CPRA)
If you are a California resident: we do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. You have the right to know what data we collect, request deletion, and opt out of sale — though there is nothing to opt out of, because we don't sell.
11. Children's privacy
Joinery is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify active customers by email before the changes take effect. We will not reduce your privacy protections without giving you notice and the opportunity to export your data and leave.
13. Contact
Questions about this policy or your data:
Joinery, Inc. is a Delaware corporation.