Skip to content
Beta · Under construction · Expect rough edges

Privacy Policy — EU / EEA

GDPR addendum · Last updated: 2026-05-07

This page supplements the global Privacy Policy with the rights and procedures applicable under the EU General Data Protection Regulation (GDPR) and corresponding EEA national laws. The global policy controls; this page describes how those rights work in your jurisdiction.

Lawful basis for processing

We rely on the following GDPR Art. 6 bases:

  • Contract (Art. 6(1)(b)) — for account, authentication, vault sync, and subscription delivery.
  • Legitimate interest (Art. 6(1)(f)) — for security event logging, abuse prevention, and our shared provider-cache (so each user does not need to re-fetch the same EPG independently).
  • Consent (Art. 6(1)(a)) — for analytics cookies and any optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)) — for retention of payment records to satisfy tax and accounting law.

Your rights as a data subject

You have the rights granted under GDPR Articles 15–22:

  • Access (Art. 15) — request a JSON export of all data we hold via Settings → Data Management → Export JSON, or by emailing privacy@joyp.tv.
  • Rectification (Art. 16) — correct inaccurate data via Settings, or by request.
  • Erasure (Art. 17) — request account deletion by emailing privacy@joyp.tv from the address on the account. Vault blobs are removed within 30 days of deletion (grace window for accidental deletes). A self-service Settings UI for deletion is on the roadmap.
  • Restriction (Art. 18) — pause processing while a complaint or correction request is being investigated. Email us.
  • Portability (Art. 20) — the JSON export is a portable, structured format.
  • Objection (Art. 21) — object to processing based on legitimate interest. The shared provider-cache is the most likely target; opt-out is available on request.

We respond to verified requests within 30 days (extendable by two further months for complex requests, with notice).

International data transfers

Our infrastructure is hosted in AWS us-east-1 (United States). Transfers from the EEA to the US rely on contractual and technical safeguards including Standard Contractual Clauses where executed with the relevant subprocessor. We are not currently certified under the EU–US Data Privacy Framework. Vault credentials are end-to-end encrypted on your device before transmission, so the contents are not legible to anyone — including AWS or Joyp — at any point in transit or at rest.

Breach notification

In the event of a personal data breach likely to result in risk to your rights, we will notify the lead supervisory authority within 72 hours (GDPR Art. 33) and notify affected users without undue delay (Art. 34).

How to complain

You can lodge a complaint with the supervisory authority of your EU/EEA country of residence. A directory is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members.

Direct contact for any of the rights above: privacy@joyp.tv.