privacy policy
last updated may 5, 2026
jollygig is a team-health product. its entire reason to exist is to surface honest signal about how a team is doing — without exposing who said what. this policy explains what data we collect, what we never collect, and what you can do about it.
the rule that comes first
survey responses are not tied to people. when a member answers the weekly three-question check-in, the response is stored as { teamId, domain, emotion, intensity, week } — and nothing else. no name, no email, no user id, no timestamp finer than a calendar week. this is enforced in our database rules, not just in our application code. it is structurally impossible to query "what did alex say" because the data needed to answer that question does not exist in the response.
what we collect
account data
- your work email (used for sign-in via magic link).
- your display name and the role title you set during onboarding.
- for managers: the name of your team and any strata bands you configured.
- for members: which strata bands you place yourself in (private to you).
activity data (per user, private to that user)
- a participation ledger — "did i submit a response this week" — stored against your account. this lets you see your own check-in history on /me. it is never joined to the response you submitted.
- your pause preferences, if you've opted to skip a week or longer.
aggregated team data (visible to managers)
- counts and percentages: how many people responded this week, what fraction matched a given pattern, what the trend is over time.
- persona signals — named patterns that surface only when at least 5 people contributed.
- strata-band breakdowns, but only when each band has 5 or more responses on its own — below that, the band simply isn't shown.
billing data
- processed by stripe. we store only the brand, last four digits, and expiration of a card — never the full number, never the cvc.
what we never collect
- individual response content tied to a person, even by inference.
- raw timestamps below daily granularity on responses.
- free-text answers to surveys (the survey itself doesn't ask for any).
- browser fingerprints, ip-based tracking, or third-party advertising identifiers.
- contact lists, calendars, or any data from your workspace beyond what you provide.
how the firewall is enforced
the firestore security rules block all client-side writes to the survey-response collection. the only writer is a single trusted server endpoint that constructs the response document field-by-field, with no user_id field present. an automated test (in our ci) reads back posted responses and asserts the absence of that field. if it ever fails, the deploy is blocked.
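an illustration of the pattern described above, added here and not jollygig's own code: a server-side builder that copies only the five documented fields, plus a readback audit that flags any other stored field (a broader check than the single user_id assertion the policy describes). the function names, the session shape, and the sample values are assumptions.

```javascript
// Added illustration; names and sample data are constructed, not JollyGig's code.
const RESPONSE_FIELDS = ['teamId', 'domain', 'emotion', 'intensity', 'week'];

// Coarsen a Date to its ISO-8601 calendar week (UTC), e.g. "2026-W19".
function isoWeek(date) {
  const d = new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate()));
  const day = d.getUTCDay() || 7;          // Monday=1 ... Sunday=7
  d.setUTCDate(d.getUTCDate() + 4 - day);  // Thursday decides the ISO week-year
  const yearStart = Date.UTC(d.getUTCFullYear(), 0, 1);
  const week = Math.ceil(((d - yearStart) / 86400000 + 1) / 7);
  return `${d.getUTCFullYear()}-W${String(week).padStart(2, '0')}`;
}

// Trusted-endpoint side: the session authorises the write, but nothing from it
// is copied. The document is built field by field, never by spreading `body`.
function buildResponse(session, body, now) {
  if (!session.teams.includes(body.teamId)) throw new Error('not a member of this team');
  const intensity = Number(body.intensity);
  if (!Number.isFinite(intensity)) throw new Error('intensity must be a number');
  return {
    teamId: String(body.teamId),
    domain: String(body.domain),
    emotion: String(body.emotion),
    intensity,
    week: isoWeek(now),
  };
}

// CI-side readback: list every stored field outside the allowlist.
// An empty result is the pass condition; anything else should block the deploy.
function auditStoredResponses(docs) {
  const findings = [];
  docs.forEach((doc, i) => {
    for (const key of Object.keys(doc)) {
      if (!RESPONSE_FIELDS.includes(key)) findings.push(`doc ${i}: unexpected field "${key}"`);
    }
  });
  return findings;
}

// Constructed sample: a client body that smuggles identifying fields.
const session = { uid: 'u_123', teams: ['t_blue'] };
const body = { teamId: 't_blue', domain: 'workload', emotion: 'stressed', intensity: 4,
               user_id: 'u_123', email: 'alex@example.com', submittedAt: '2026-05-05T09:14:07Z' };
const stored = [buildResponse(session, body, new Date('2026-05-05T09:14:07Z'))];
console.log(stored[0], auditStoredResponses(stored));
```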
your rights
you can view your own data at any time, export it as json from /me/data, or request that we delete your account. deletion clears your account record, your participation ledger, your pause preferences, your action plans (if a manager), and removes your team memberships.
deletion does not remove your past survey responses — those are not tied to you, and removing aggregate signal would harm other members of your team. that's by design and not negotiable; it's the price of the firewall.
retention
aggregated signal is retained for as long as your team chooses (default 12 months, configurable in team settings). your account record persists until you delete it. account deletion removes your data immediately.
third parties
- firebase (google). we use firebase auth for magic-link sign-in and firestore for storage. data is stored in google's us-central region.
- stripe. processes payment if you upgrade past the trial.
- email delivery. magic-link and notification emails are sent through a transactional email provider.
we do not sell, license, or otherwise share your data with anyone for marketing or advertising.
security incidents
if we ever discover a breach that affects your data, we will notify you within 72 hours of discovery, describe what happened in plain language, and tell you what we are doing about it.
contact
questions, concerns, or requests for deletion can go to privacy@jollygig.app. we usually reply within a business day.