Privacy Policy
Effective: May 1, 2026
Your privacy matters to us. This Privacy Policy explains how JUG Software Ltda. ("JUG", "we", "us", "our") collects, uses, shares, stores and protects personal data of users ("User", "you") of the Juggler platform (the "Platform"), in accordance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).
If you do not agree with this Policy, do not access or use the Platform.
Summary of this Policy
- We collect data you provide directly (account, profile) and data generated automatically (session token, operational usage data).
- If you choose Sign in with Google, we receive your name, email and profile picture from Google.
- When a jug workspace sends you an invite, we process the message, role, permission, hourly rate and proposed date.
- We use your data to provide the Platform, send operational notifications and comply with legal obligations. We do not use your data for advertising or targeted marketing.
- We share data with infrastructure providers (AWS), email delivery (Brevo) and, when applicable, with Google (Sign in with Google). We do not sell personal data.
- You have rights over your data under the LGPD, including access, correction, deletion and portability.
1. Data We Collect
1.1 Data you provide
Account information: when you create an account with email and password we collect your name, email address and password (stored only as a BCrypt hash — we cannot read your password in plain text).
Professional profile content: we collect and store the information you add to your freelancer profile, including headline, bio, area, seniority, years of experience, work model, availability, available-from date, hourly rate and chosen currency, skills, languages, phone number, location data (city, state, country and timezone), portfolio, LinkedIn, GitHub, Behance, Dribbble, Twitter/X and Instagram links, public visibility settings and whether to display your hourly rate publicly.
Profile identifier (handle): the public username/slug you choose for your profile URL. If you do not pick a handle, we automatically generate a random public token (e.g. /u/abc12345) that serves as an alternative profile URL.
Avatar and uploaded files: if you choose to publish a profile picture, it is uploaded as a base64 image, validated for size and format (JPEG or PNG, up to 5 MB) and stored in a private AWS S3 bucket with access controlled by IAM policies.
Sign in with Google (optional): if you choose to sign in with your Google account, we receive the following information associated with that account: full name, email address and profile picture URL. We do not receive your Google password. We do not request access to contacts, calendar, emails or any other data in your Google account. This flow is also subject to Google's terms and privacy policy.
1.2 Data provided by other users
We receive data when a jug workspace interacts with you on the Platform. Specifically: (a) your email address, when the workspace uses it to send an invite (Workspace Contact Request); (b) the content of the invite message; (c) the proposed role, permission, hourly rate and start date; (d) the workspace name and the identification (name/email) of the member who sent the invite, which become visible to you on the received-invites screen.
1.3 Data collected automatically
Authentication token: when you sign in, a token is generated and stored locally in your browser (localStorage) to keep you signed in. On our servers we store only a cryptographic hash of the token.
Operational usage data: we collect information necessary to run the Platform, such as API requests. We do not collect browsing analytics, tracking cookies, IP addresses for profiling, or behavioral tracking.
2. How We Use Your Data
How we use your data depends on how you use the Platform:
To provide and operate the Platform: authenticate you (including via Sign in with Google, when applicable), secure your account, process and display your profile content and send operational notifications (received invites, account updates).
To improve the Platform: identify and fix technical issues, analyze aggregated usage patterns to improve existing features and develop new ones. For improvements we work with aggregated, de-identified information.
For operational communications: send transactional emails about events on your account — welcome, password recovery, workspace invite received, reminders for invites near expiration, accept/decline confirmations and relevant Platform updates. We do not send marketing or promotional emails.
To enable invites between Users and workspaces: process and store messages, proposals and responses for Project Invites (Workspace Contact Requests), including the decline reason when provided, and — upon acceptance — automatically create the corresponding workspace membership on jug, transferring your name and email to that context.
To comply with legal obligations: meet regulatory requirements and respond to lawful requests.
3. Legal Bases for Processing (Art. 7, LGPD)
Processing of your personal data is based on the following legal grounds:
| Purpose | Legal basis |
|---|---|
| Provide the Platform, authenticate, display profile | Performance of contract (Art. 7(V)) |
| Acceptance of Terms of Use at registration | Consent (Art. 7(I)) |
| Platform improvements, operational communications, security | Legitimate interest (Art. 7(IX)) |
| Regulatory obligations | Compliance with legal obligation (Art. 7(II)) |
4. How We Share Your Data
4.1 Service providers
| Third party | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, CDN and file storage (S3) | All data (infrastructure) |
| Google LLC | Authentication via Sign in with Google (OpenID Connect / OAuth 2.0), when the User chooses this flow | Google identifiers, name, email and profile picture; cookies on the google.com domain are set by Google itself during the redirect |
| Brevo (Sendinblue) | Transactional email delivery (welcome, invites, password recovery, account notifications) | Name, email address and content of the notifications sent |
These providers act on our instructions and are subject to contractual confidentiality and security obligations.
4.2 Profile visibility and search engine indexing
When you set your profile as public, the information marked as public — including name, picture, headline, bio, area, skills, languages, location (city/state/country), social links and (if you enable "display hourly rate publicly") your hourly rate — becomes accessible to anyone with the link. Public pages may be indexed by search engines (Google, Bing and similar) and appear with a preview (avatar, name, headline and description) when shared on social networks and messaging apps, following the Open Graph, Twitter Cards and schema.org structured data protocols. Workspace invites, sensitive data (phone, email) and account settings are never made public. You can switch visibility between public and private at any time; after switching, search engines and social networks may keep cached content for some time before reindexing.
4.3 Legal requirements
We may disclose personal data when necessary to: (a) comply with applicable law, regulation or court order, (b) protect the rights, safety or property of JUG, Users or third parties, or (c) detect and prevent fraud or illegal activity.
4.4 What we do not do
We do not sell, rent or trade personal data. We do not share data with third parties for marketing, advertising or behavioral profiling.
5. Storage and Security
We implement technical and organizational measures to protect your data:
- Infrastructure: data stored on AWS servers in the us-east-1 region (USA), with encryption in transit and at rest
- Passwords: hashed with BCrypt before storage — we cannot access your password in plain text
- Tokens: stored as cryptographic hashes on our servers
- Database: connections protected by TLS/SSL
- Communication: all data exchange between your browser and the Platform is protected by HTTPS
- Files: avatars and images are stored in a private S3 bucket with access controlled by IAM policies
While we implement safeguards designed to protect your data, no system is impenetrable. We cannot guarantee absolute security against intrusion by third parties.
6. International Data Transfers
Data is processed and stored in the United States (AWS us-east-1). These transfers are carried out on the basis of Article 33(II) of the LGPD (standard contractual clauses) and are protected by appropriate technical and organizational measures described in section 5.
7. Data Retention
Retention depends on the type of data, purpose and legal requirements:
- Active account: data retained while the account is active
- Account deletion: personal data removed within 30 days of request, except where retention is required to meet legal obligations
- Received invites: messages, proposals, responses and decline reasons are removed along with the account on deletion; pending or expired invites are erased in the same 30-day window
- Workspace membership after acceptance: when you accept an invite, you become a member of the corresponding workspace on jug; deleting your Juggler account does not automatically undo workspace memberships already created — to leave a workspace you must use the jug interface or request removal from the workspace administrator
- Public content: if your account is deactivated, profiles that were set as public may remain briefly accessible during the removal period and in search engine caches for some time after definitive removal
8. Your Rights (Art. 18, LGPD)
You have the following rights regarding your personal data:
- Confirm whether we process your data
- Access the personal data we hold about you
- Correct incomplete, inaccurate or outdated data
- Request anonymization, blocking or deletion of unnecessary data or data processed in violation of the LGPD
- Request portability of your data to another service provider
- Request information about public and private entities with which we have shared your data
- Withdraw consent at any time, without affecting processing that occurred before withdrawal
- Request deletion of data processed on the basis of consent
How to exercise your rights
You can manage some information directly in your profile settings. For requests that cannot be completed in the Platform, contact us at privacidade@usejug.com. We will respond within 15 business days.
We may ask for additional information to verify your identity. If we cannot verify your identity, we may be unable to fulfill your request.
Data portability
Upon request, we will provide a copy of your personal data and profile content in a structured, machine-readable format.
9. Cookies and Local Storage
The Platform does not use tracking, analytics, advertising or behavioral profiling cookies. We use browser localStorage to maintain the User's session and operational state, storing: (a) email and authentication token; (b) a local copy of your freelancer profile to avoid unnecessary requests; (c) the list of your received invites; (d) theme preferences (light/dark/system) and language. This storage is strictly necessary for the Platform to function and does not track behavior across sessions or websites. When you choose Sign in with Google, Google itself sets session cookies on the accounts.google.com domain during the redirect — those cookies are controlled by Google and governed by Google's privacy policy, not by JUG.
10. Children
The Platform is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If we learn that we have collected a minor's data, we will delete it promptly and close the associated account.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will post changes on this page and, if material, notify Users by email and display a notice in the Platform at least 30 days in advance. If you disagree with changes, you may stop using the Platform before the effective date and request deletion of your data at no cost.
12. Data Protection Officer (DPO)
For questions about personal data protection, the official contact channel for JUG's Data Protection Officer (DPO) is:
JUG Software Ltda.
Email: privacidade@usejug.com
13. National Data Protection Authority (ANPD)
If you believe processing of your personal data violates the LGPD, or if you are not satisfied with our response, you have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD) at www.gov.br/anpd.