Privacy Policy
Last updated: May 24, 2026
AiTiPro (A New Way), based in Portugal, operates the Jenny platform, a SaaS project management service for consulting firms. This privacy policy explains how we collect, use, store, and protect your personal data in compliance with the European Union's General Data Protection Regulation (GDPR).
1Data Controller
AiTiPro (A New Way)
Portugal
bilal@aitipro.pt
Controller: Bilal Machraa
jenny.aitipro.com
Jenny Platform
For any questions related to data protection or to exercise your rights, you can contact us directly via the email address above.
2Data We Collect
2.1 Account Data
Name, email address, password (hashed), organizational role (admin, project manager, consultant, viewer), and language/theme preferences.
2.2 Project Data
Project information, phases, milestones, deliverables, tasks, sessions, and meeting notes that you create on the platform.
2.3 Time Logs
Logged hours, activity descriptions, utilization rates, and associated billing information.
2.4 Financial Data
Invoices, payment records, project budgets, and subscription information. Payments are processed by Stripe; we do not store credit card data on our servers.
2.5 Client Data
Client company names, contacts, contact email addresses, and client portal communication information.
2.6 Uploaded Files
Documents, images, and other files you upload to projects, deliverables, or portal communications.
2.7 Technical Data
IP address, browser type, operating system, session timestamps, and access logs for security and service maintenance purposes.
2.8 Waitlist and Beta Data
Email addresses and optional data you submit when joining the waitlist or beta programs, such as name, sector, and request source.
3How We Use Your Data
- Providing and maintaining the project management service
- Authenticating and managing user sessions
- Processing payments and managing subscriptions
- Sending email notifications (welcome, overdue alerts, weekly digest)
- Syncing data with third-party integrations (Google Calendar, Google Tasks, HubSpot) when enabled by you
- Generating reports and analytics about your project activity
- Managing waitlist requests, beta access, and communications related to service availability
- Improving platform security, performance, and reliability
- Complying with legal and regulatory obligations
4Legal Basis for Processing
Performance of Contract (Art. 6(1)(b) GDPR)
Processing your account, project, time, and financial data is necessary for the performance of the service contract between you and AiTiPro.
Legitimate Interest (Art. 6(1)(f) GDPR)
We use technical data and access logs to ensure platform security, prevent fraud, and improve the service. Processing for internal analytics purposes is kept to the minimum necessary.
Consent (Art. 6(1)(a) GDPR)
For optional third-party integrations (Google Calendar, Google Tasks, HubSpot) and marketing communications, we request your explicit consent, which you can revoke at any time.
Legal Obligation (Art. 6(1)(c) GDPR)
We may process personal data when necessary to comply with tax, accounting, or other legal obligations applicable in Portugal and the EU.
5Sub-processors and Third Parties
We share personal data only with the following service providers, all bound by Data Processing Agreements (DPAs):
| Service | Purpose | Data Location |
|---|---|---|
| Neon (PostgreSQL) | Primary database | Frankfurt, Germany (EU) |
| Vercel | Application hosting and CDN | EU (Frankfurt) + global edge |
| Stripe | Payment processing and invoicing | EU/US (EU-US DPF) |
| Resend | Transactional email delivery | US (EU-US DPF) |
| Uploadthing | File storage | US (EU-US DPF) |
| Google APIs | Calendar and Tasks (optional integration) | EU/US (EU-US DPF) |
| HubSpot | CRM synchronization (optional) | EU/US (EU-US DPF) |
6Data Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | While account is active + 30 days after deletion |
| Project data | While account is active + 90 days after deletion |
| Financial records | 7 years (legal tax obligation in Portugal) |
| Time logs | While account is active + 90 days after deletion |
| Uploaded files | While account is active + 30 days after deletion |
| Waitlist and beta data | 24 months or until consent is withdrawn/deletion is requested |
| Session data | Until logout or 7 days of inactivity |
| Security logs | 12 months |
7Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can request correction of inaccurate or incomplete personal data.
Right to Erasure
You can request deletion of your personal data, subject to legal retention obligations (e.g., 7-year tax records).
Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON).
Right to Restriction of Processing
You can request restriction of processing of your data in specific circumstances provided for in the GDPR.
Right to Object
You can object to the processing of your personal data based on legitimate interests, including direct marketing.
To exercise any of these rights, send an email to bilal@aitipro.pt with the subject "GDPR Request". We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Comissao Nacional de Protecao de Dados (CNPD) in Portugal or the data protection authority in your country of residence.
8Cookies
Jenny uses strictly necessary cookies for platform operation (authentication, CSRF protection, language and theme preferences). We do not use tracking or advertising cookies. For detailed information, please see our Cookie Policy.
9International Transfers
Your primary database is hosted in Frankfurt, Germany (EU), on Neon servers. However, some of our sub-processors operate in the United States.
For transfers to the US, we ensure that sub-processors are certified under the EU-US Data Privacy Framework (DPF) or that European Commission Standard Contractual Clauses (SCCs) are in place.
You can request a copy of the applicable safeguards by contacting us at bilal@aitipro.pt.
10Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Passwords stored with secure hashing (bcrypt/argon2)
- Role-based access control (RBAC) with four permission levels
- Session tokens with automatic expiration
- Input validation at all system boundaries
- Client portal with magic link authentication (no passwords)
11Children's Privacy
Jenny is a B2B service designed for consulting firms and professionals. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us so we can delete it.
12Changes to This Policy
We may update this privacy policy periodically. Significant changes will be communicated by email or through a notice on the platform at least 30 days in advance. Continued use of the service after notification constitutes acceptance of the changes. We recommend periodically reviewing this page.
13Contact
For questions about this privacy policy or the processing of your personal data:
AiTiPro (A New Way)
Privacy Officer: Bilal Machraa
Email: bilal@aitipro.pt
Supervisory authority: Comissao Nacional de Protecao de Dados (CNPD)