Privacy notice
Effective: 2026-06-26 · Last updated: 2026-06-26 · UK GDPR + PECR
1. Who we are (the data controller)
Pixel & Shovel Ltd, trading as Jeanus, registered in England and Wales, with registered office in Brighton, United Kingdom. We are the data controller for the marketing site and for our direct contacts (sales enquiries, contracts, billing). When you use Jeanus to run your own business, we are the data processor for the data you put into your tenant - your customers, leads, contacts, and team. We process that data on your behalf under our Data Processing Agreement.
ICO registration: ZC068491 (verifiable on the ICO public register).
Contact: hello@pixelandshovel.co.uk. We do not have a statutory Data Protection Officer (we're below the threshold), but data protection enquiries land directly with Sam Ball, who handles them.
2. What personal data we collect
We collect personal data in five contexts. We try to keep each minimal.
- When you visit the marketing site: anonymous request logs (IP address, user agent, page, timestamp) retained for 30 days for security and abuse detection. Analytics (page views, scroll depth, button clicks) via Google Analytics 4 - only after you accept the cookie banner.
- When you sign up: work email, password (bcrypt-hashed by Supabase, we never see it in plain text), first name, company name, business vertical, optional referral code.
- When you use the CRM as an authenticated user: account profile data (role, rep code, tenant), session cookies, audit log of which authenticated user did what and when, the CRM content you create (customers, leads, products, activities, files).
- When we bill you: billing contact, company name, VAT number where applicable. Payment method details (card numbers) are collected directly by Stripe and never touch Jeanus servers.
- When you contact us: whatever you put in the email or form (name, email, what you asked).
3. Why we process it (purposes)
- To provide and operate the Jeanus CRM service.
- To authenticate you, keep your session active, and protect your account.
- To respond to your support requests and contract enquiries.
- To process payments and send invoices.
- To send essential service emails (verification, password reset, breach notice, billing).
- To detect and prevent abuse, fraud and security incidents.
- To improve the product through aggregated, non-identifying usage analytics (only with your cookie consent).
4. Our lawful basis for processing (UK GDPR Article 6)
Under UK GDPR Article 6, we need a lawful basis for every category of processing. Ours are:
- Contract (Art. 6(1)(b)): processing your account data, your CRM content and your billing data is necessary to deliver the Service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): security logs, fraud prevention, product analytics on the marketing site, and contacting prospective customers who actively reached out to us. We balance this against your rights and do not rely on legitimate interests for anything intrusive.
- Consent (Art. 6(1)(a)): optional analytics cookies on the marketing site, and marketing emails to prospects who opted in. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): retaining billing records for HMRC and other tax-law requirements.
5. Your rights under UK GDPR
Under UK GDPR (Articles 12-22) you have the following rights in respect of your personal data:
- Right of access (Art. 15): ask for a copy of the personal data we hold about you.
- Right to rectification (Art. 16): tell us if it's wrong; we'll correct it.
- Right to erasure (Art. 17, "right to be forgotten"): ask us to delete your data. We'll delete unless we have a legal reason to keep it (for example, billing records we have to retain for tax).
- Right to restriction (Art. 18): ask us to stop processing your data while we sort something out.
- Right to data portability (Art. 20): ask for your data in a machine-readable format (CSV / JSON). Export is built into the CRM on every list page and is available on request for anything else.
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22): we do not make automated decisions that produce legal or similarly significant effects on you. Our AI features (drafts, summaries, briefings) are assistive only - a human always decides whether to act on the output.
6. How to exercise your rights
Email hello@pixelandshovel.co.uk with "Data subject request" in the subject line and tell us which right you want to exercise. We'll respond within one calendar month (the UK GDPR statutory limit), usually much sooner. We may need to verify your identity before acting. There is no charge for a reasonable request.
If you're an end user of a customer's Jeanus tenant (i.e. our customer is using Jeanus to manage their relationship with you), the customer is the data controller and you should contact them first. We'll route the request to them if you reach out to us by mistake.
7. Who we share data with (subprocessors)
We use a small number of carefully chosen subprocessors to deliver Jeanus. Every one is named, with their role, region, certifications and DPA, on the subprocessors page. In summary:
- Vercel - application hosting + CDN (UK / global edge).
- Supabase - database + authentication (EU / Frankfurt).
- Anthropic - Claude AI for AI features (US).
- Stripe - subscription billing (EU / Ireland for European customers).
- Resend - transactional email (US).
We do not sell personal data to anyone. We do not share personal data with advertising networks. We do not train AI models on your data; Anthropic's terms confirm prompts to the Claude API are not used to train Anthropic models.
8. How long we keep it (retention)
- Marketing site request logs: 30 days.
- Marketing analytics (GA4, if you accept): standard GA4 retention (default 14 months).
- Account + sign-up data: while your subscription is active, plus 30 days after cancellation for data export. Then deleted from active systems within a further 30 days.
- CRM content (your tenant data): deleted on customer request, or 30 days after subscription cancellation if no other instructions. Encrypted backups are overwritten on the standard 30-day rotation thereafter.
- Billing records: retained for 7 years to comply with HMRC tax record-keeping requirements.
- Server / audit logs: 12 months.
- Email correspondence with us: retained for as long as needed to handle the matter, then deleted.
9. How we keep it safe (security)
We protect your data with encryption in transit (TLS 1.2+), encryption at rest (AES-256, including backups), multi-factor authentication for staff accounts, three-layer tenant isolation, daily backups, and 72-hour breach notification. Full detail is on our security page.
10. International transfers
Our primary infrastructure is in the UK and EU. Three of our subprocessors (Anthropic, Resend, and parts of Vercel's global CDN) host or process data in the United States. Those transfers are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which each vendor includes in their DPA.
Stripe and Supabase keep European customer data inside the EU. Vercel routes primary compute through London (UK).
11. Cookies
We use three categories of cookies and similar storage. The cookie banner asks for your consent to the analytics category before it loads.
| Type | Purpose | Opt-in? |
|---|---|---|
| Essential | Login session, CSRF protection, tenant context | No (mandatory) |
| Analytics | Google Analytics 4 - page views, scroll depth, button clicks on the marketing site only | Yes |
| localStorage | Your cookie choice, UI preferences (collapsed cards, dismissed banners) | No (functional) |
12. Marketing emails
We only send marketing emails to people who opted in. Every marketing email has a one-click unsubscribe link. You can also email hello@pixelandshovel.co.uk to be removed. Transactional emails (verification, billing, breach notice) are not marketing and you cannot unsubscribe from those while your account is active.
13. Complaints
If you're unhappy with how we handle your data, please tell us first - hello@pixelandshovel.co.uk - so we have a chance to fix it. You also have the right to lodge a complaint with the UK Information Commissioner's Office at any time at ico.org.uk/make-a-complaint, or by calling 0303 123 1113.
14. Changes to this notice
If we change this notice in a way that affects how we use your data, we'll email tenant admins before the change takes effect and surface a notification in-app. The "Last updated" date at the top of this page always reflects the most recent edit. Older versions are available on request.
15. Related documents
- Security overview - encryption, tenant isolation, incident response.
- Subprocessors - every third party we route customer data through.
- Data Processing Agreement - the contract under which we process customer data.