Privacy Policy

DRAFT v1.0 — pending counsel review. This Privacy Policy is operative for the JULOAI ERP platform pending final legal review.

1. About this Policy

This Privacy Policy explains how JULOAI Technology, Ltd. ("JULOAI", "we") handles personal information in connection with the JULOAI ERP platform (the "Service"). It applies whenever you visit juloai.com, use the authenticated product at erp.juloai.com, receive our emails, or otherwise interact with us.

When we act as a service provider / processor for a subscribing organization (your employer or the organization that invited you), that organization is the controller of its Customer Data and its own privacy notice governs how that data is collected and used. This Policy describes what we do with personal information.

2. Information we collect

2.1 Account information

Name, business email, password (hashed), profile image (if you upload one), time zone, locale, 2FA settings, session information, and role within each organization.

2.2 Customer Data that contains personal information

The Service is a general-purpose ERP. In the course of normal use, subscribing organizations may submit personal information about:

  • customer contacts (name, email, phone, address, billing info);
  • supplier contacts;
  • employees (names, roles, timesheets, compensation data if submitted);
  • approvers, attachment authors, and other users' actions;
  • personal information present in uploaded documents (invoices, receipts, contracts, attachments).

We process this data on behalf of the subscribing organization, on its instructions, to provide the Service.

2.3 Automatically collected information

  • IP address, device type, browser and OS, approximate location (based on IP), referrer URL, pages viewed, and timestamps — for security, diagnostics, and rate-limiting;
  • authentication and session cookies;
  • service logs (system logs and audit logs of in-app actions).

2.4 Communications

If you email us, complete a form, or fill out a support request, we keep the content of that communication.

2.5 Information from third parties

Where you choose to connect a third-party service (for example single sign-on via a social provider), we receive the profile fields that service shares with us.

3. How we use information

We use the information we collect to:

  • operate, maintain, and secure the Service;
  • authenticate users and prevent unauthorized access;
  • provide AI/OCR extraction where you explicitly enable it (see §6);
  • respond to support requests;
  • send service notifications (for example, billing, security, or breaking-change alerts);
  • improve and develop the Service, including debugging, performance, and analytics in aggregated form;
  • comply with legal obligations and defend legal claims.

We do not sell personal information. We do not use Customer Data to train general-purpose foundation AI models.

3.1 Meaningful consent (Canada)

Where Canadian law applies, we rely on your meaningful consent for the collection, use, and disclosure of personal information that is not otherwise permitted by law. We describe our practices in plain language in this Policy and in the in-app prompts that accompany optional features such as AI/OCR. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

3.2 Legal bases (GDPR)

Where GDPR applies, our legal bases are:

  • Contract — to provide the Service you or your organization requested;
  • Legitimate interests — security, fraud prevention, product improvement, and direct B2B communications, where these are not overridden by your rights and interests;
  • Consent — for optional features such as AI/OCR processing and marketing emails;
  • Legal obligation — where required by applicable law.

4. When we share information

We share personal information only with:

  • Subprocessors — providers that host, email, authenticate, or otherwise help us run the Service. A current list (Hetzner, Resend, Anthropic, OpenAI, Stripe where enabled, and others) is kept at the Subprocessor List page. Each subprocessor is bound by confidentiality and security obligations.
  • Your organization's administrators — account actions are visible to admins of the organizations you belong to.
  • As required by law — where we receive a valid legal request or to defend a claim.
  • On a business transfer — in a merger, acquisition, or asset sale, with notice and equivalent protections.

5. International transfers

The Service is operated primarily from Canada, but our subprocessors may process personal information in other jurisdictions (including the United States and the European Union). Where required, we rely on legally recognised transfer mechanisms such as the EU Standard Contractual Clauses.

6. AI and OCR features

When you enable a feature that sends documents to an AI/OCR provider (for example, invoice scanning), we transmit the document to the configured provider and return the extracted fields. We tell you at the point of enablement which provider will receive which data, and we record your consent. You can disable AI/OCR features at any time from settings; prior extractions we have already stored remain linked to their source documents.

We choose AI/OCR providers that contractually commit not to use inputs for general-purpose model training in their API offerings.

7. Retention

We retain personal information for as long as necessary to provide the Service and to comply with our legal obligations. When an organization closes its subscription, Customer Data is deleted after 30 days unless a longer retention is legally required. Account-level audit and system logs may be retained longer for security and compliance.

8. Your rights

Depending on where you live, you may have the right to:

  • access the personal information we hold about you;
  • correct inaccurate information;
  • request deletion or export of your information;
  • object to or restrict certain uses;
  • withdraw consent;
  • complain to your local data protection authority.

For Customer Data, please contact the subscribing organization directly — they are the controller. For account-level data we hold about you, write to [email protected]. We will respond within the timeframe required by applicable law.

9. Security

We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the data we process, including encryption of data in transit (TLS), encryption of data at rest for our primary database, access controls and least-privilege review, secrets management, logging, and breach notification procedures. No system is perfectly secure, and we cannot guarantee absolute security.

10. Children

The Service is not intended for children under 16. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will delete it.

11. Changes

We may update this Policy. When we do, we will post the revised Policy and update the "effectiveAt" date. For material changes, we will also give you advance notice through the Service or by email and require you to re-consent where required by law.

12. Contact

  • Questions or requests: [email protected]
  • Mail: JULOAI Technology, Ltd. · Privacy Office · British Columbia, Canada.

You may also contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/ if you are not satisfied with our response.