Privacy Policy
Last updated: 2026-05-27
Operator: Jen Built It LLC ("we," "us," "our") Address: 10800 S Lloyd Drive, Worth, IL 60482, USA Privacy contact: privacy@jenbuiltit.com
This Policy describes what personal information Jen Built It LLC collects when you interact with jenbuiltit.com, including the affiliate program, the Bio Builder, and the newsletter. We follow this Policy across every page, form, and email under this domain.
We do not sell your personal information. We do not "share" it for cross-context behavioral advertising as that term is defined by the California Privacy Rights Act (CPRA). See our Do Not Sell or Share My Personal Information page for details.
1. What we collect, and why
1.1 If you visit the homepage or any public page
We collect what every modern website collects:
- Server logs through Cloudflare: IP address, browser User-Agent string, timestamp, referring page, requested URL, response code.
- No tracking cookies, no analytics scripts, no advertising pixels. We do not use Google Analytics. We do not embed Facebook Pixel, X Pixel, TikTok Pixel, or any other tracker.
Why: to keep the site running and to debug bad responses. Logs are retained for 30 days.
1.2 If you apply to the affiliate program
You submit:
- Your display name
- Your email address
- An optional website or social profile URL
- A description of who your audience is
- A description of why you want to join
- A confirmation that you are a US person for tax purposes
- An optional newsletter consent checkbox
- An agreement to our Affiliate Terms
We also record the timestamp of your submission and your IP address.
Why: to evaluate whether to admit you to the affiliate program. We store this in our Airtable base under our account and in our Cloudflare D1 database. If approved, we store your assigned referral code, commission rate, and (after your first payout threshold) your PayPal email and W-9 status.
1.3 If you sign in to the affiliate dashboard
We create a session record with: your email, a hashed session token, your User-Agent, your country (via Cloudflare's IP geolocation), and timestamps. The plaintext session token lives only in a cookie on your device and is never readable by JavaScript.
Why: to keep you signed in for up to 30 days. Sessions expire automatically. You can sign out from any page to end your session immediately.
1.4 If you click an affiliate referral link (/r/CODE)
We log: timestamp, the referral code, the destination, the source UTM tag if present, the referrer URL, your country, and a hashed identifier from your IP + User-Agent.
Why: to give credit to the affiliate who referred you and to detect fraud. We do not use this data to retarget you elsewhere.
1.5 If you sign up for the newsletter
We collect your email address and the time + IP of your consent. You only receive emails when we ship a new tool — about once a month.
Why: the consent log is your CAN-SPAM / GDPR proof. The email is the address we send to. We do not share newsletter signups with any third party.
1.6 If you create a bio with Bio Builder
We store: your email address, the JSON config of the bio you built (name, tagline, link list, social handles, theme/colors), timestamps, and a view counter. We send you a confirmation email and an edit-link email when you request one.
Why: to host your bio at jenbuiltit.com/bio-builder/view/<id> and to let you edit it later without a password.
1.7 If you submit feedback via the Feedback widget
We collect your message, optional email, URL you were on, and your User-Agent.
Why: so we can read it and fix the bug or build the feature.
2. What we don't collect
- We do not collect payment card data. When card payments are involved (Stripe for App Hub Pro, Resume Prune, etc.), Stripe handles the entire payment flow and we never see card numbers.
- We do not collect bank account or routing numbers. Affiliate payouts run through PayPal Goods & Services using only the email you provide.
- We do not collect Social Security Numbers, ITINs, or tax IDs through this Worker. W-9s (when required at $400 affiliate earnings) are collected on a separate flow with Cloudflare R2 encrypted-at-rest storage.
3. Who we share data with
| Processor | What goes there | Purpose | Where they're based |
|---|---|---|---|
| Cloudflare | All HTTP requests, D1 database, R2 (W-9 storage when enabled) | Hosting, CDN, DDoS protection, database, file storage | US |
| Airtable | Affiliate applications, approved affiliate records, conversions, payouts, coupons, click logs | System of record for the affiliate program | US |
| Resend | Email addresses of recipients, email content (welcome, magic-link, release-announcement, bio-confirm, bio-edit-link, application-received) | Transactional + marketing email delivery | US |
| n8n (self-hosted on Hostinger) | Webhook payloads (feedback, signups, Stripe events) | Automation workflows | EU + US per region |
| Stripe | Subscription events for products with Stripe checkout (App Hub Pro, future Resume Prune, future Giveaway Widget) | Payment processing for the destination product, not for the affiliate program | US |
| PayPal | Payee email + payout amount | Affiliate commission disbursement | US |
We do not share, sell, or rent your personal information to any other third party. We do not use your data to train AI models.
We are a single-person company (Jen Built It LLC), so by definition the team accessing your data is Jen + her tooling.
4. How long we keep your data
| Category | Retention |
|---|---|
| Server access logs (Cloudflare) | 30 days |
| D1 session tokens | 30 days from creation |
| D1 magic-link tokens | 15 minutes (user-initiated) or 7 days (admin-issued welcome links) |
| Newsletter signup record | Until you unsubscribe or delete the account |
| Affiliate application + record | Indefinitely while active; archived (not deleted) after termination so financial records are auditable |
| Click logs | 13 months rolling |
| Bio Builder bio | Indefinitely; you can delete via the export/delete endpoint |
| Feedback submissions | Indefinitely (these become product-improvement notes) |
| Conversion + payout records | 7 years (IRS tax record retention) |
5. Your rights
You have these rights regardless of where you live, and we honor them even if your jurisdiction doesn't require it:
5.1 Access (Article 15 GDPR / Cal. Civ. Code §1798.110)
You can request a copy of every piece of data we hold on you. We respond within 30 days. For affiliates: use the export endpoint in your dashboard. For everyone else: email privacy@jenbuiltit.com.
5.2 Deletion (Article 17 GDPR / Cal. Civ. Code §1798.105)
You can request deletion of your data. Some financial records (conversions, payouts) are retained for 7 years under IRS rules and cannot be deleted, but identifying fields (email, name) can be redacted. For affiliates: use the delete endpoint in your dashboard. For everyone else: email privacy@jenbuiltit.com.
5.3 Rectification (Article 16 GDPR)
You can correct any data we hold on you. For affiliate fields, email us. For your bio, use the edit link.
5.4 Portability (Article 20 GDPR)
We provide your data in JSON format on request. Same endpoint as access.
5.5 Objection / opt-out
- Newsletter: the one-click unsubscribe link in every newsletter.
- Affiliate program: close your account via the delete endpoint.
- Bio: delete the bio via the delete flow.
5.6 Do Not Sell or Share (CPRA §1798.135)
We do not sell or share your personal information. See Do Not Sell or Share My Personal Information.
5.7 No discrimination (CPRA §1798.125)
We do not charge you more or give you a worse service for exercising any privacy right. Deleted users can re-sign-up at the same terms.
6. Cookies
We set the following first-party cookies. We do not set third-party cookies.
| Cookie | Purpose | Lifetime |
|---|---|---|
jbi_session | Keeps you signed in to the affiliate dashboard. HttpOnly + Secure + SameSite=Lax. Required for the dashboard to work. | 30 days |
We do not use analytics cookies or advertising cookies. We don't need a consent banner because we don't set any non-essential cookies.
7. Security
We follow defense-in-depth practices: PBKDF2 / HMAC where applicable, parameterized SQL, per-IP and per-account rate limits, secrets stored in Cloudflare's secret store (never in code), HTTPS with HSTS, content-security-policy, anti-enumeration on every auth surface. See our Security policy for vulnerability disclosure.
No system is 100% secure. If a breach occurs, we will notify affected users within 72 hours per GDPR Art. 33 and applicable US state laws.
8. International transfers
Your data may be processed in the US (Cloudflare, Airtable, Resend, Stripe, PayPal) regardless of where you live. We rely on standard contractual clauses with these processors for EU-US transfers.
9. Children
This service is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email privacy@jenbuiltit.com and we will delete it.
10. Changes to this Policy
We may update this Policy. We'll change the "Last updated" date at the top. For material changes affecting your rights, we'll email active affiliates with a summary 14 days before the change takes effect.
11. Contact
- Privacy questions / data requests:
privacy@jenbuiltit.com - General support:
support@jenbuiltit.com - Mailing address: Jen Built It LLC, 10800 S Lloyd Drive, Worth, IL 60482, USA
We respond within 30 days. We don't have a fax machine.