Jumped Privacy Policy
Last updated: June 2, 2026
1. Overview and Controller
This Privacy Policy explains how FarFlash Group ("we", "us", or "our") collects, uses, discloses, and protects personal information when you use Jumped, including short links, hub pages, analytics, dashboards, API access, and organization features (the "Service").
We are the controller of personal information described in this policy for the Service. Contact us at privacy@jumped.to for privacy questions or requests.
2. Scope
- Account holders who register, sign in, or manage Links, Hubs, and settings.
- Visitors who click Links or view published Hub pages (we collect limited technical and analytics data about those interactions).
- Organization administrators who view audit logs or manage members within their enterprise workspace.
This policy applies to the groups above. Third-party websites and services you link to have their own privacy practices; we are not responsible for them.
3. Information We Collect
We collect the following categories of information:
- Account and profile: name, email, profile image, password hash (if applicable), plan, role, timezone, country, marketing preferences, two-factor status, and onboarding status.
- Link and Hub data: slugs, destination URLs, titles, descriptions, themes, campaigns, UTM values, routing rules, publish state, and notes.
- Billing: subscription status, Stripe customer identifiers, and payment metadata processed by our payment provider (we do not store full card numbers).
- Usage and analytics: click events, hub views, timestamps, referrers, user agents, device and browser signals, and approximate location derived from IP or hosting headers.
- Security and operations: session data, authentication logs, rate-limit signals, abuse investigations, API key metadata (hashed secrets, prefix, last used), and audit log entries.
- Communications: support messages and email delivery metadata.
4. Sources of Information
We collect information from:
- You, when you register, update settings, create Links or Hubs, or contact support.
- Automatic collection, when you or Visitors use the Service (cookies, logs, analytics events, request headers).
- Third parties, such as Google (OAuth profile data), Stripe (billing), Resend (email delivery), and infrastructure providers that supply hosting or geo headers.
5. Purposes and Legal Bases
We use personal information to:
- Provide, operate, secure, and improve the Service (contract and legitimate interests).
- Authenticate users, enforce Terms, detect abuse, and comply with law (legitimate interests and legal obligation).
- Measure link and hub performance and present analytics to account owners (contract and legitimate interests).
- Process payments and manage subscriptions (contract).
- Send transactional and security communications (contract and legitimate interests).
- Send marketing emails only if you opt in; you may withdraw consent in Settings (consent).
- Maintain audit logs for enterprise governance and platform safety (legitimate interests and contract for enterprise customers).
7. Public Links and Hub Pages
Short links and published hub pages are designed to be shared publicly. Anyone with the URL may access the destination or page unless the destination requires its own authentication. Do not include private or sensitive information in public slugs, titles, descriptions, or hub content.
8. Analytics and Location
We derive approximate country, region, and city from IP addresses or hosting provider headers for analytics and account defaults. We may withhold or limit geo display for OFAC-sanctioned or restricted locations. Analytics may be incomplete due to privacy tools, bots, or network conditions.
9. Audit Logs
When accounts make changes in the dashboard, we may record audit log entries including action type, timestamps, actor and subject accounts, summaries of changes, and request context.
Platform operators with appropriate roles may view IP addresses in audit logs for security and support. Enterprise organization administrators see approximate location (not full IP) for members within their role-based visibility tier. Staff members do not receive enterprise audit access unless permitted by product rules.
10. Service Providers and Subprocessors
We use trusted providers to operate the Service. They process information on our instructions and only as needed to provide their services.
We may add or change providers with notice where required. Enterprise customers may request additional information about subprocessors by contacting us.
- Hosting and edge: Vercel (application hosting, request processing, geo headers).
- Database: Neon or compatible PostgreSQL hosting (account and product data).
- Email: Resend (transactional and product email).
- Authentication: Google (OAuth sign-in, where enabled).
- Payments: Stripe (subscriptions and billing).
- Caching and rate limiting: Upstash Redis (where configured).
12. International Transfers
We are based in Canada and may process information in Canada, the United States, and other countries where our providers operate. Where required, we rely on appropriate safeguards such as contractual clauses or comparable mechanisms for cross-border transfers.
13. Data Retention
We retain information for as long as needed to provide the Service and for legitimate business purposes.
When you request account deletion, we apply a grace period (currently thirty days) before purge, during which you may restore access. After purge, residual copies may remain in backups for a limited time.
- Account and Link/Hub data: until you delete your account or we delete it under our deletion process, plus limited backup retention.
- Click and hub analytics: according to your plan limits and operational needs; older events may be aggregated or deleted.
- Audit logs: for security, compliance, and enterprise governance for a period consistent with operational needs.
- Abuse, security, and legal records: as needed to enforce Terms, resolve disputes, and comply with law.
14. Security
We use reasonable technical and organizational measures designed to protect personal information, including encryption in transit, access controls, and API key hashing (full secrets are shown only once at creation). No method of transmission or storage is completely secure; use strong passwords and two-factor authentication where available.
15. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, port, or restrict certain processing of your personal information, and to object to processing based on legitimate interests.
To exercise rights, contact privacy@jumped.to. We will verify your request and respond as required by applicable law, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) where it applies.
We do not sell personal information. California residents may have additional rights under the CPRA; contact us to exercise them.
You can update account information and marketing preferences in the dashboard. Marketing emails include an unsubscribe mechanism consistent with Canada's Anti-Spam Legislation (CASL) where applicable.
16. Marketing Communications
We send product and marketing emails only if you opt in at sign-up, on the legal acceptance screen, or in account settings. You may opt out at any time in Settings or via unsubscribe links in emails.
17. Account Deletion
You may request account deletion from the dashboard. Deletion is scheduled after a grace period during which you may cancel the request. After purge, we remove associated account data subject to backups, legal holds, and abuse-prevention records described in this policy.
18. Automated Decision-Making
We use automated systems for security, abuse detection, rate limiting, geo restrictions, and routing. We do not make solely automated decisions that produce legal or similarly significant effects about you without human review where required by law.
19. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, contact privacy@jumped.to.
20. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted with a new effective date (current policy version: 2026-06-02). Material changes may require you to accept updated terms before continuing to use the Service.
21. Complaints
If you are not satisfied with our response, Canadian residents may contact the Office of the Privacy Commissioner of Canada. Other jurisdictions may provide local supervisory authorities.
22. Contact
Privacy questions or requests: privacy@jumped.to. General support: hello@jumped.to. FarFlash Group operates Jumped.