ExtractMethod Ltd operates Jotterly (jotterly.co). This policy explains what personal data we collect, why we collect it and what we do with it. We operate in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our role

For your account and our running of the platform, Jotterly is the data controller. For the personal data a community collects about its own members, supporters and buyers (for example through its events, shops and fundraising), the community is the data controller and Jotterly acts as their data processor, handling that data on their instructions. Where someone buys from a community's shop, that community is the merchant of record for the sale.

1. What we collect

If you create an account

  • your name and email address
  • your organisation name

When you create events, shops or collect payments

  • event, shop and item details you enter
  • ticket purchase records and attendee information
  • transaction records

When you make a purchase (a ticket or a shop item)

  • your name and email address
  • order details: what you bought, quantities, price paid and the payment reference
  • payment information, which is handled securely by Stripe — we never see or store your card details

You do not need a Jotterly account to buy a ticket or a shop item. This data is shared with the community you bought from (the merchant of record) so they can admit you to the event or fulfil your order and handle any refund, and with Stripe to process the payment. It is held separately from any Jotterly account data and is not used for marketing.

Sign-in activity

  • the date, time, IP address and device of your recent sign-ins, used to help detect unauthorised access to your account. We keep these records for up to 90 days and then delete them automatically. You can review your recent sign-ins on your account security page.

If you join a community as a member or offer to volunteer

  • your name and email address
  • which communities you have joined
  • any volunteer roles you have offered to help with, and the events they relate to
  • any messages you leave with a donation or a volunteer offer

Technical information

  • IP address
  • browser type and version
  • device information
  • usage and analytics data

2. Why we collect it

We use your data to:

  • provide and run the Jotterly service
  • process ticket purchases and payments
  • send confirmation emails and transaction receipts
  • improve the service
  • prevent fraud and keep the platform secure
  • meet our legal obligations

3. Our legal basis for processing

  • Contract: to provide the ticketing and fundraising service you have signed up for
  • Legitimate interests: to improve the service and prevent fraud
  • Legal obligation: to comply with tax and financial regulations
  • Consent: for any marketing communications, where you have opted in

Our legitimate interests assessment

We rely on "legitimate interests" as a legal basis for some of our data processing. UK GDPR requires us to balance our business interests against your privacy rights, which we've done through a formal Legitimate Interests Assessment (LIA). Our legitimate interests are:

  • Improving the service: we analyse how you use Jotterly to fix bugs, add features, and make the platform more reliable
  • Preventing fraud and security: we monitor for suspicious activity to protect your account, payment information, and the platform from misuse

We've balanced these against your privacy by collecting only the minimum data needed, encrypting sensitive information in transit and at rest, limiting how long we keep data (typically 2 years for analytics, 6 years for financial records), and restricting access within our team. You can object to these uses at any time by emailing [email protected], and we're happy to share our full assessment on request.

Marketing communications and your consent

When you create a Jotterly account, we ask if you'd like to receive marketing emails from us. This is completely optional — you can decline, and it won't affect your account or service access. We send two types of email:

Transactional emails (always sent, no consent needed): password resets and account confirmations, order receipts and payment confirmations, service updates about outages or security changes, and responses to your support requests.

Marketing emails (only if you've opted in): feature announcements and product updates, tips on getting the most from Jotterly, and relevant new-event alerts.

You can unsubscribe from marketing emails anytime by clicking the unsubscribe link at the bottom of any marketing email, or by emailing [email protected]. Withdrawing marketing consent won't affect transactional emails. We never sell your email address or data, and we don't use it for profiling or share it with third parties for their marketing.

4. Who we share your data with

We do not sell your data. We share it with the community whose event, shop or campaign you take part in, and with service providers (data processors) who act on our instructions and are bound by data processing agreements:

  • Stripe: processes payments. When you pay, Stripe receives your payment and order details and acts as a data controller for that payment data under its own Privacy Policy
  • Cloudflare: content delivery and privacy-friendly web analytics
  • Google Analytics: usage analytics, loaded only if you accept analytics cookies; US-based, with appropriate transfer safeguards
  • Meta (Facebook): measures and optimises our advertising through the Meta Pixel, loaded only if you accept analytics cookies; US-based, with appropriate transfer safeguards
  • Cloud infrastructure providers: hosting and file storage (primarily in the EU)
  • An email delivery provider: to send confirmations, password resets and other service emails
  • An error-monitoring provider: to help us find and fix faults

We can provide the specific providers behind these categories to community administrators on request, or as set out in our data processing agreement.

Your information goes to Jotterly, which shares it only with your community to run your event or order, with Stripe to take payment, and with analytics providers if you allow cookies.
How your data flows through Jotterly

Communities as data controllers

When you attend an event, join a community, volunteer, or buy from a shop on Jotterly, you share your data with that community. Communities are also data controllers — they decide how to use your information independently of Jotterly, for example to organise events, send newsletters and member updates, track donations and volunteer contributions, manage memberships, and fulfil orders. Your data is then governed by their privacy policy, not ours, so we recommend reviewing it before joining or attending. If you have concerns about how a community uses your data, contact them directly, or email [email protected] and we can assist.

We may also disclose data where required by law or to protect our rights or the safety of users.

5. How long we keep your data

  • account information: until you delete your account, plus 6 years for financial records
  • transaction records: 6 years to meet tax and accounting requirements
  • sign-in activity: up to 90 days, then deleted automatically
  • analytics data: up to 2 years

6. Your rights

Under UK GDPR you have the right to:

  • access a copy of your personal data
  • correct inaccurate data
  • delete your data, subject to legal obligations
  • restrict how we process your data
  • receive your data in a portable format
  • object to processing based on legitimate interests
  • withdraw consent for marketing at any time
Your rights under UK GDPR: access, correct, delete, restrict, portability, object, and withdraw consent.
To use any of these, email [email protected]

Your right to erasure (deletion)

You can request deletion of your data — sometimes called the "right to be forgotten" — but there are exceptions. We will either delete your data or irreversibly anonymise it (for example replacing your name and email with a "deleted user" placeholder and removing access), which satisfies your erasure right while keeping records like transaction totals intact. This applies to your account profile information, community membership and volunteer records, event and shop records you created, and your marketing preferences. We cannot erase data we're legally obliged to retain — such as financial records and receipts (6 years under UK tax law) — and we keep sign-in logs for up to 90 days; that data is restricted to its legal purpose and then deleted or anonymised. To make a request, email [email protected] with "Request for Deletion" in the subject line; we'll confirm what can be removed and complete the process within 30 days. Any remaining copies in backups are purged within 90 days.

To exercise any of these rights, email us at [email protected]. We will respond within one month. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

7. Cookies

We use essential cookies to keep you signed in, remember your preferences and protect against cross-site request forgery. We also use Cloudflare's privacy-friendly web analytics. Google Analytics and the Meta Pixel are loaded only if you accept analytics cookies via our cookie banner; if you decline, neither sets any cookies. You can also manage cookies through your browser settings.

8. Security

We take reasonable steps to protect your data, including:

  • encryption of data in transit and at rest
  • access controls and authentication
  • regular security assessments
  • secure payment processing via Stripe

Data breach notification

If a personal data breach occurs that poses a risk to you, we will notify you without undue delay. Under UK GDPR we must report serious breaches to the Information Commissioner's Office (ICO) within 72 hours, and where feasible we'll contact affected users before or at the same time. Our notification will describe what happened, the data affected, the likely consequences, the steps we're taking, and how to contact us. If you're affected, we recommend changing your Jotterly password, monitoring your account for unusual activity, and checking your payment cards if payment data was involved.

9. International transfers

Your data may be processed outside the UK. Where this happens we make sure appropriate safeguards are in place, such as standard contractual clauses or UK government adequacy decisions.

In practice, our cloud infrastructure and service providers are mainly in the European Union (which the UK government recognises as having adequate data protection), while Google Analytics and the Meta Pixel process data in the United States if you accept cookies. For US transfers we rely on Standard Contractual Clauses and UK–US data transfer agreements. If you'd rather avoid US transfers, you can decline analytics cookies via our cookie banner — essential cookies don't involve US transfers. Even when your data leaves the UK, Jotterly remains responsible for protecting it.

10. Children

Jotterly is for use by adults acting on behalf of their organisation. We do not knowingly collect personal data from children under 13 without parental consent. If you think we have, please get in touch.

11. Changes to this policy

We may update this policy from time to time. If we make a material change, we will notify registered users by email before it takes effect. The date at the top of this page reflects the most recent version.

12. Contact

For questions about this policy or to exercise your rights:

ExtractMethod Ltd
[email protected]
jotterly.co

13. Complaints

If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office:

ico.org.uk
0303 123 1113

We use a small number of cookies to keep Jotterly running and to learn how the site is used. Read more.