Privacy Policy

Last updated: 26 April 2026

01 Who We Are

JrDev (“we”, “us”, “our”) operates the platform at jrdev.io. We are the data controller for the personal data described in this policy. This policy explains what data we collect, why we collect it, and how we use it, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For data-related enquiries, contact us at support@jrdev.io.

02 Information We Collect

We collect only data that is necessary to operate the platform. This includes:

Account data (all users)

  • Username, first name, last name, and email address provided at registration.
  • Password stored as a bcrypt hash — we cannot read your password.
  • Profile picture (uploaded image file or a generated default).
  • Account role (Developer or Business) and email-verification status.
  • Two-factor authentication secret (if you enable 2FA), stored encrypted.

Developer profile data

  • Headline, short bio, location, availability status, and desired career goal.
  • Technology skills list and verified skills earned through completed sprints.
  • Optional external links: GitHub, LinkedIn, and portfolio URL.
  • Custom profile content you write (markdown or HTML).
  • Pinned projects: title, description, link, and tags.
  • Profile appearance preferences (theme, animation, colours).
  • Sprint statistics: contracts attempted, completed, and prototypes delivered.
  • A saved contractor address and saved signature image (base64 PNG), stored so you do not need to re-enter them each time you e-sign a contract. These are stored only if you choose to save them.
  • Stripe Connect account ID and onboarding status, used to facilitate payouts to you for completed sprints and prize pools.

Business account data

  • Company name and company address provided when creating a sprint listing.
  • Stripe customer ID used to process listing payments. Card details are stored by Stripe, not by us.

Sprint and contract data

  • Sprint listing details: deliverables, timeline, payment amount, and technologies required.
  • Developer registered address and digital signature image collected at the point of e-signing a contract.
  • Prototype submission: GitHub repository URL and demo video URL.
  • Post-sprint ratings (1–5 stars) and optional written reviews exchanged between business and developer.
  • Stripe payment intent ID and escrow status for sprint payments.
  • In-app sprint messages and extension requests exchanged between parties during a sprint.

Prize pool data

  • Entry fee payment intent ID and payment completion status (for paid pools).
  • Submission: GitHub repository URL and demo video URL.
  • Voting choices cast during the voting phase.
  • Payout records: amount awarded and transfer date for winning entries.

Waitlist data

  • Name, email address, intended role, and career goal provided when joining the waitlist.

03 Lawful Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract performance: account creation, sprint listings, e-signed contracts, prize pool participation, and payment processing are all necessary to deliver the service you have signed up for.
  • Legal obligation: we retain contract and financial records (including signatures and payment data) as required by applicable law.
  • Legitimate interests: platform security (fraud prevention, abuse detection), platform improvement using aggregated and anonymised usage data, and maintaining the integrity of ratings and reviews.
  • Consent: optional profile fields (bio, social links, portfolio content, saved signature) are processed on the basis of your consent, which you may withdraw at any time by removing the data from your profile settings.

04 How We Use Your Information

  • To create and maintain your account and authenticate your sessions.
  • To facilitate sprint listings, contract generation and e-signing, and developer–business matching.
  • To hold sprint payments in escrow and release or refund them in accordance with contract outcomes.
  • To process prize pool entry fees and distribute payouts to winners via Stripe Connect.
  • To send transactional emails: account verification, sprint status notifications, contract activity, and prize pool results.
  • To display your developer profile and sprint statistics to businesses browsing the platform.
  • To investigate and mediate disputes between businesses and developers.
  • To improve the platform using aggregated, anonymised usage data.

05 Data Sharing

We do not sell your personal data. Information is shared only in the following circumstances:

  • With other platform users as necessary for the service — for example, a business sees a developer’s profile and sprint history when they join a listing; both parties can view the signed contract and submission materials for their shared sprint.
  • With Stripe for payment processing and Stripe Connect payouts. Stripe processes card and bank details under its own privacy policy. We share only the minimum data required (email, account ID, payment amounts).
  • With our hosting infrastructure (Vercel and associated cloud providers) for the purpose of operating the platform. These providers are contractually bound to protect your data.
  • If required by law or to protect our legal rights or the safety of users.

06 Data Security

  • Passwords are hashed using bcrypt and are never stored in plain text.
  • Sessions are signed with a secure secret key using Flask’s cryptographic session management.
  • Card payment data is handled entirely by Stripe and never stored on our servers.
  • Digital signature images and contractor addresses are stored in the database and accessible only to the parties involved in that contract (developer, business, and JrDev admin for dispute resolution).
  • Two-factor authentication (TOTP) is available for additional account security, and we recommend enabling it.
  • All data in transit is encrypted via HTTPS/TLS.

07 Data Retention

  • Account data is retained for as long as your account is active. If you delete your account, your profile and optional data are deleted; records required for legal or financial compliance are retained for the minimum period required by law.
  • Contract and payment records (including signed contracts, signature images, addresses, and Stripe payment references) are retained for 7 years to comply with financial and legal record-keeping obligations.
  • Sprint messages are retained for the lifetime of the associated sprint and for a reasonable period thereafter to support dispute resolution.
  • Waitlist entries are retained until the waitlist purpose is fulfilled or you request removal.

08 Your Rights

Under UK GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your data where we have no legal obligation to retain it. You can delete optional profile data yourself in your account settings at any time.
  • Restriction: ask us to restrict processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, email support@jrdev.io. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

09 Cookies

JrDev uses a single session cookie to keep you logged in. This cookie is strictly necessary for the platform to function and does not track you across other websites. We do not use third-party tracking, advertising, or analytics cookies.

10 Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Where changes are material, we will notify registered users by email.

11 Contact

If you have any questions about this privacy policy, please visit our Support page or email support@jrdev.io.