Privacy Policy
1. Scope
This Privacy Policy governs the Company's collection, use, disclosure, and retention of Personal Information across the Company's institutional and consumer surfaces, including jilsovereign.com, retail.jilsovereign.com, office.jilsovereign.com, admin.jilsovereign.com, getjil.com, wallet.jilsovereign.com, the Company's mobile applications, and any application programming interfaces and supporting infrastructure operated under any of those domains (collectively, the "Services"). For Protected Health Information processed on behalf of a Covered Entity customer, the controlling instrument is the Business Associate Agreement signed with that customer; this Privacy Policy is supplemental and subordinate to that Agreement to the extent of any conflict.
2. The Company's Role
The Company is, depending on context, either a "Controller," a "Service Provider," a "Processor," a "Business Associate," or a "Custodian" of records. The Company's role with respect to a particular dataset is as follows:
| Data Category | Company Role | Notes |
|---|---|---|
| Customer Protected Health Information processed under a Business Associate Agreement | Business Associate / Processor | Customer is the Covered Entity / Controller. Use is governed by the BAA, not this Policy. |
| Customer or prospective-customer business contact information collected through the Services | Controller | Used for sales, support, account administration. |
| Wallet end-user account information (getjil.com / wallet) | Controller | End user holds custody of cryptographic keys; the Company does not custody assets. |
| Marketing analytics and aggregated usage statistics | Controller | Aggregated and de-identified before analytical use. |
3. Personal Information the Company Collects
3.1 Information you provide
- Account-registration and contact information: name, business email, organization, role.
- Authentication credentials: WebAuthn public keys, TOTP-recovery secrets (encrypted), session tokens.
- Payment information for retail subscriptions: handled by Stripe; the Company never stores card primary account numbers.
- Communications you send to the Company including support tickets, sales inquiries, feedback, and email correspondence.
3.2 Information collected automatically
- Device and connection metadata: IP address, browser user agent, time zone, language preference, referring URL.
- Service interaction logs: pages visited, features used, error events, performance metrics.
- Cookies and similar identifiers: see Section 8.
3.3 Information from third parties
- OAuth provider profile data (Google, Apple) when an end user chooses to sign in via OAuth.
- Stripe transaction confirmations.
- Public-record data the Company ingests in the course of providing detection services (the public-record data is not Personal Information about the Company's customer).
4. Use of Personal Information
The Company uses Personal Information only for purposes that are reasonably necessary to deliver, operate, secure, improve, and bill for the Services, including:
- providing the Services and supporting customer use;
- processing payments and account administration;
- communicating with you, including security notices and material service updates;
- detecting, investigating, preventing, and responding to fraud, abuse, security incidents, and violations of the Company's terms;
- complying with legal obligations including record-retention obligations under HIPAA, federal, state, and applicable foreign law;
- improving the Services, including the use of de-identified or aggregated data; and
- defending the Company's legal rights.
5. Disclosure of Personal Information
The Company does not sell Personal Information. The Company discloses Personal Information only:
- to subprocessors listed in the Subprocessor List, under written agreement;
- to a customer when the Personal Information was provided to the Company on that customer's behalf;
- in response to lawful subpoena, court order, or other legal process consistent with the procedure at /docs/legal/JIL_Subpoena_Response_Procedure.html;
- to protect the Company's rights and safety, the rights and safety of users, or the public, where the Company in good faith believes such disclosure is necessary; and
- in connection with a corporate transaction (merger, acquisition, financing) subject to confidentiality obligations binding on the recipient.
6. Retention
The Company retains Personal Information for as long as needed to fulfill the purposes for which it was collected and to comply with legal obligations. Retention windows include:
- Account information: for the life of the account plus four (4) years for tax and audit purposes.
- HIPAA audit logs: fifteen (15) years to align with FRE 902(14) admissibility windows and exceed the 6-year HIPAA Security Rule minimum.
- Marketing analytics: aggregated indefinitely; user-level retention limited to twenty-five (25) months.
- Court Ready Evidence Bundles: governed by the customer's instructions in the Underlying Agreement; default retention is fifteen (15) years.
7. Security
The Company maintains an Information Security Program described at a high level in the Information Security Policy Summary. Material elements include encryption in transit and at rest using AWS Key Management Service customer-managed keys; multi-factor authentication enforced for all privileged access; immutable audit logs; an annual third-party penetration test; and a documented Incident Response Plan summarized at /docs/legal/JIL_Incident_Response_Plan_Summary.html.
8. Cookies
The Company uses session cookies for authentication and a small number of strictly necessary functional cookies. The Company does not use third-party advertising cookies and does not sell or share Personal Information with advertising networks. A cookie banner is presented to users in jurisdictions where one is required.
9. International Transfers
Personal Information processed under a Business Associate Agreement is stored exclusively in United States AWS regions, enforced by Service Control Policy. The Company's marketing surfaces are served from a global edge network operated by Cloudflare with origin servers located in the European Union, in compliance with the Standard Contractual Clauses for transfers to and from the United States as applicable.
10. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict processing of, or port your Personal Information; to object to certain processing; to opt out of the sale or sharing of your Personal Information (the Company does not sell or share); and to lodge a complaint with a supervisory authority. To exercise any of these rights, contact privacy@jilsovereign.com. The Company will respond within thirty (30) days, extended once by sixty (60) days where reasonably necessary.
Where the Personal Information is held by the Company as a Business Associate or Service Provider on behalf of a customer, the Company will refer the request to the customer and assist the customer in responding within the timelines required by HIPAA or other applicable law.
11. Children
The Services are not directed to children under sixteen (16) and the Company does not knowingly collect Personal Information from children under sixteen.
12. Changes to this Policy
The Company may update this Privacy Policy from time to time; material changes will be communicated through the Services and where required by applicable law. The "Effective" date at the top of this Policy reflects the most recent revision.
13. Contact
For privacy inquiries, complaints, or to exercise your rights, contact:
JIL Sovereign Technologies, Inc.
Attn: Privacy Office
privacy@jilsovereign.com