Privacy · GDPR

Privacy policy

Last updated: 17 May 2026

This policy describes how Jamodio collects, uses and protects users' personal data, in compliance with the General Data Protection Regulation (GDPR — EU 2016/679) and the French Data Protection Act (loi Informatique et Libertés).

In short — We collect only what is strictly necessary to operate the service (email, first name, studios you create). Your data is stored in France (Supabase Paris), never resold, and you can delete it yourself from the app (Settings → Delete my account).

1. Data controller

The data controller is Benoît Godard, individual entrepreneur (SIRET 10499100500018), 10 rue Tisserant, 92100 Boulogne-Billancourt, France. Contact: contact@jamodio.com.

No Data Protection Officer (DPO) is designated at this stage, as the activity does not meet the criteria for mandatory designation (Article 37 GDPR).

2. Data collected

2.1 Data you provide directly

Email — used to create your account, send you transactional emails (confirmation, welcome, invitations) and allow you to log in.
First name and last name (optional) — displayed to other musicians in the studios you join.
Password — stored hashed (bcrypt) by Supabase Auth, never accessible in clear text.
Preferences — language, theme, instruments, audio/video selection, video blur settings. Stored to personalize your experience.
Profile picture (optional) — if you upload one.

2.2 Data generated by use of the service

Studios you create — name, slug (identifier), creation date, owner.
Participation history — studios joined, dates.
Audio/video recordings that you make during your jam sessions (if you enable recording) — stored temporarily in the browser and downloadable by you. Currently no recording is stored on our servers.
Backing tracks that you upload — stored encrypted in Supabase Storage so they can be shared within a studio.
Technical audio metadata — selected instrument, VU level, measured latency, mode (agent / browser). Exchanged between musicians of the same studio to display the mixer. Not stored long-term.

2.3 Automatic technical data

IP address — necessary to establish real-time audio/video connections (WebRTC SFU). It is visible to the audio server but not stored in the database. Kept only in the server's technical logs (maximum 7 days, for diagnosis).
Browser / platform information — browser (Chrome, Firefox, Safari…), operating system, processor architecture (to suggest the right version of the desktop agent). Not stored in the database.
Email address of the sender/recipient of email invitations (kept only for the time of sending by Resend, not stored durably).

Currently not collected: no analytics tools (no Google Analytics, Plausible, Matomo…), no third-party trackers, no advertising pixels, no profiling cookies. Only one strictly essential cookie is used to maintain your session. See Cookie policy.

3. Purposes of processing

Your data is used to:

allow you to create an account and authenticate (legal basis: performance of the contract);
provide you with the remote jam service (studios, audio, video) (performance of the contract);
send you essential transactional emails (registration confirmation, studio invitations that you send, support) (performance of the contract);
diagnose technical incidents and improve the service (legitimate interest);
respond to your requests (support, questions, GDPR rights) (performance of the contract / legal obligation).

No processing for advertising or commercial purposes is carried out without your explicit consent. You will not receive unsolicited commercial newsletters.

4. Retention period

User account: kept as long as the account is active. Deleted immediately upon your request (Settings → Delete my account, or email to contact@jamodio.com).
Studios and participations: deleted with the account.
Technical logs (SFU server): 7 days rolling.
Transactional emails: Resend keeps delivery logs for 30 rolling days (in line with their policy).
DMARC reports: kept for up to 6 months for security analysis.

5. Recipients of the data

Your data is accessible to:

You — in full, via the application interface or upon request.
Other musicians in a studio you join — they see your first name/last name (if provided), your instrument and the audio/video streams you voluntarily share.
The publisher (Benoît Godard), strictly for administration and support purposes.
Our technical subprocessors, listed in the Legal notice: Vercel (frontend), Supabase (database + auth, Paris), OVH (SFU, Gravelines), Resend (emails).

No data is sold, rented, transferred or shared with third parties for commercial purposes.

6. Transfers outside the European Union

Supabase Inc. and Vercel Inc. are US companies. Jamodio user data is, however, stored exclusively in Supabase's eu-west-3 region (Paris, France) — it does not leave the EU. The Vercel infrastructure deploys the frontend code to a global CDN; only public data (HTML, CSS, JavaScript) transits through it, no personal data.

Contractual exchanges with these providers rely on the European Commission's Standard Contractual Clauses (SCCs), in accordance with the Schrems II ruling.

7. Your rights

Under the GDPR, you have the following rights regarding your data:

Right of access — obtain a copy of all data concerning you;
Right of rectification — correct inaccurate data (editable by yourself in Settings);
Right of erasure — delete your data (“Delete my account” function in Settings);
Right of portability — receive your data in a structured, machine-readable format (JSON);
Right of objection — object to processing based on legitimate interest;
Right of restriction — request the temporary freeze of processing;
Withdrawal of consent — at any time, for processing based on consent.

To exercise these rights, contact contact@jamodio.com. A response will be provided within a maximum of 30 days.

If you consider that your rights are not respected, you may lodge a complaint with the CNIL (Commission nationale de l'informatique et des libertés, the French data protection authority): cnil.fr/fr/plaintes.

8. Data security

Jamodio implements technical and organizational measures to protect your data:

TLS 1.3 encryption for all communications (HTTPS everywhere, WSS for WebSocket);
passwords hashed with bcrypt (never stored in clear text);
JWT authentication signed with automatic signing-key rotation;
Supabase Row-Level Security (RLS) policies to isolate data between users;
server-side rate limiting on the SFU (protection against abuse);
strict HTTP security headers (HSTS 2 years, CSP, X-Frame-Options DENY, etc.).

In the event of a data breach likely to result in a risk to your rights, a notification will be made to the CNIL within 72 hours and, where applicable, to the data subjects as soon as possible.

9. Minors

Jamodio is accessible from the age of 15 (age of digital consent in France, Article 8 GDPR). For users under 15, the consent of a holder of parental authority is required.

10. Changes

This policy may be updated to reflect technical or legal changes. The last update date (at the top of the page) indicates the current version. In the event of a substantial change, active users are notified by email.

This page is provided in English for convenience. The French version prevails in case of any discrepancy.