Privacy Policy - Jodie

Last Updated: 08 May 2026

Welcome to Jodie (“we,” “our,” or “us”). We value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information when you visit our website https://heyjodie.com (the “Website”), as well as your rights under UK data-protection laws.

1. Who We Are

• Name of Entity: JODIE AI LIMITED (the “Data Controller”)
• Company Number: 16685106
• Registered Address: 45 Albemarle Street, Mayfair, London, W1S 4JL
• Contact Email: team [at] heyjodie.com
• Data Protection Officer: data-protection-officer [at] heyjodie.com

We are responsible for deciding how and why we hold and use your personal data. Should you have questions about this Privacy Policy or wish to exercise any legal rights, please contact us using the details above.

Our Role (Controller vs. Processor): For personal data collected when you visit our Website, create a Jodie account, or communicate with us directly, we act as the Data Controller. When callers contact a business that uses Jodie and we process that caller’s personal data on the business’s behalf (for example, call audio and transcripts produced when Jodie answers a call), we act as a Data Processor on the instructions of the Jodie subscriber, who is the Controller of that data. If you are a caller with a request about a specific call, please direct it to the business you were trying to reach; they are responsible for responding.

2. What Information We Collect

We may collect and process the following categories of personal data:

1. Identification & Contact Details

   • Name, email address, phone number, and postal address.

2. Call & Communication Information

   • Call audio and recordings, voicemail, AI-generated transcripts and summaries, caller telephone numbers, call metadata (time, duration, routing), messages, bookings and similar information generated when calls are handled through the Services. Where this data relates to callers contacting a Jodie subscriber, we process it as a Processor on the subscriber’s behalf (see section 1).

3. Account & Login Information

   • Username, password (hashed), or other account credentials if you register an account.

4. Financial Information

   • Payment details or bank information (if relevant to transactions or fees).

5. Marketing & Communications Data

   • Your preferences for receiving marketing communications from us; social-media handles if you connect via social platforms.

6. Technical & Usage Data

   • IP address, browser type, device identifiers, cookie and pixel data, session re-play recordings, click paths, scroll depth, heat-map statistics, and other information about how you interact with our Website and marketing emails.
   • Sources: collected automatically via cookies, pixels, JavaScript, and similar technologies from:
     • Google Analytics 4 (GA4)
       Behavioural analytics (page views, events, user flows, approximate geolocation).
     • Microsoft Clarity
       Session re-play, scroll and click heat-maps, and aggregated performance metrics.
     • Meta (Facebook) Pixel
       Conversion tracking, ad attribution, and custom-audience building.
     • TikTok Pixel
       Conversion tracking, ad attribution, and audience measurement for TikTok advertising campaigns.
     • Reddit Pixel
       Conversion tracking and ad attribution for Reddit advertising campaigns.
     • LinkedIn Insight Tag
       Conversion tracking, website demographics, and retargeting for LinkedIn advertising campaigns.
     • ProveSrc
       Website verification and trust signals for social proof and credibility.
     • Tolt
       User engagement tracking and behavioral analytics.
     • Intercom
       Customer support chat functionality and user communication management.

7. Other Data You Provide

   • Any other personal data you voluntarily share with us when filling out forms or contacting us (e.g., support queries).

Note: We typically do not collect special-category personal data (e.g., health, religious, or ethnic information). If we ever need to handle such data, we will request your explicit consent or rely on another lawful basis under UK law.

3. How We Collect Your Data

• Direct Interactions: You provide data when you fill out forms, register for an account, request services, or communicate with us.
• Automated Technologies: As you navigate the Website, GA4, Microsoft Clarity, Meta Pixel, TikTok Pixel, Reddit Pixel, LinkedIn Insight Tag, ProveSrc, and Tolt automatically collect Technical & Usage Data through cookies and similar technologies.
• Third Parties: We may receive personal data from analytics providers (Google, Microsoft, Meta, TikTok, Reddit, LinkedIn, ProveSrc, Tolt), payment processors, and marketing partners.

4. Why We Process Your Data (Legal Bases)

We use your personal data only where UK law permits. Common lawful bases include:

1. Consent

   • Where you give explicit consent (e.g., when accepting optional analytics or marketing cookies).

2. Contractual Necessity

   • To perform our obligations under a contract (e.g., providing services you’ve registered for).

3. Legal Obligation

   • To comply with UK legal or regulatory requirements.

4. Legitimate Interests

   • To operate, improve, and secure our Website; analyse how it is used; prevent fraud; and market our services (including through GA4, Microsoft Clarity, Meta Pixel, TikTok Pixel, Reddit Pixel, LinkedIn Insight Tag, ProveSrc, and Tolt), provided such interests do not override your rights and freedoms.

5. How We Use Your Data

We may use your personal data to:

• Provide Services: Facilitate services, maintain your account, and process transactions.
• Customer Support: Handle your inquiries, troubleshoot issues, and manage customer-service requests.
• Marketing & Communications: Send newsletters or promotions (only if you have opted in). You can withdraw consent at any time.
• Analytics & Improvements:
  • GA4 helps us understand traffic sources, popular pages, and overall Website performance.
  • Microsoft Clarity provides session re-plays and heat-maps so we can see where users experience friction and improve usability.
  • The Meta Pixel lets us measure the effectiveness of our ads and reach users with more relevant content.
  • TikTok Pixel allows us to track conversions and optimise our TikTok advertising campaigns.
  • Reddit Pixel helps us measure the effectiveness of Reddit advertising and reach relevant audiences.
  • LinkedIn Insight Tag enables us to track conversions and gather insights about our LinkedIn advertising performance.
  • ProveSrc provides website verification and social proof to enhance user trust and credibility.
  • Tolt tracks user engagement and provides behavioral analytics to improve user experience.
  • Intercom enables customer support chat functionality, allowing us to communicate with users and provide assistance.
• Legal & Compliance: Comply with regulatory requirements, detect fraud, or enforce our rights.

6. Cookies, Pixels & Tracking Technologies

Our Website relies on first-party and third-party cookies, pixels and local-storage objects to function. We use them to:

• Store user preferences and session information.
• Analyse traffic and user interactions via Google Analytics 4 and Microsoft Clarity.
• Measure advertising performance through the Meta Pixel, TikTok Pixel, Reddit Pixel and LinkedIn Insight Tag.
• Provide website verification and social proof through ProveSrc, and engagement analytics through Tolt.
• Enable customer-support chat functionality through Intercom.

These technologies are integral to how the Website is delivered. If you do not want them to run in your browser, you can disable cookies or similar tracking via your browser settings, or stop using the Website. By continuing to use the Website, you acknowledge that these cookies and similar technologies are necessary for the Website to function as intended.

You can also manage advertising preferences directly with the providers listed below.

Opt-Out Links

Service	How to Opt Out
Google Analytics 4	Install the Google Analytics Opt-out Browser Add-on or disable cookies in your browser.
Microsoft Clarity	Disable cookies in your browser or enable “Do Not Track”.
Meta Pixel	Adjust ad preferences in your Facebook/Instagram account settings or use industry opt-out tools (e.g., YourAdChoices).
TikTok Pixel	Adjust ad preferences in your TikTok account settings.
Reddit Pixel	Adjust ad preferences in your Reddit account settings.
LinkedIn Insight Tag	Adjust ad preferences in your LinkedIn account settings or use LinkedIn’s opt-out page.
ProveSrc	Disable cookies in your browser or contact us to opt out of verification tracking.
Tolt	Disable cookies in your browser or enable “Do Not Track”.
Intercom	Disable cookies in your browser or adjust chat preferences in the Intercom widget.

7. Who We Share Your Data With

1. Service Providers

   • Analytics, advertising-pixel and customer-support vendors named in section 2: Google LLC (GA4), Microsoft Corporation (Clarity), Meta Platforms Ireland Ltd (Meta Pixel), TikTok Technology Limited (TikTok Pixel), Reddit Inc. (Reddit Pixel), LinkedIn Corporation (LinkedIn Insight Tag), ProveSrc Ltd (ProveSrc), Tolt Ltd (Tolt), and Intercom Inc. (Intercom).
   • Sub-processors that we engage to deliver the Services. Categories include: telephony and call-routing providers, speech-to-text and text-to-speech providers, large-language-model and other AI-inference providers, cloud-hosting and storage providers, payment processors, email and transactional-message providers, and IT-support tooling. The identities of our sub-processors are commercially sensitive; subscribers may request the current sub-processor list under a non-disclosure agreement by emailing data-protection-officer [at] heyjodie.com.

2. Business Partners

   • If you request or opt in to co-branded services or partnerships.

3. Legal or Regulatory Authorities

   • When required to comply with the law or to protect our rights.

4. Corporate Transactions

   • In connection with a sale, merger, or transfer of part of our business or assets, your personal data may be disclosed to the prospective buyer or merged entity.

We use commercially reasonable efforts to require these third parties to handle personal data in line with applicable laws and our security expectations. We do not warrant the acts or omissions of any third party. To the maximum extent permitted by law, our liability for any third party’s acts or omissions is subject to the limitations and exclusions in our Terms of Service.

8. Where We Process Your Data (Data Residency and International Transfers)

We currently process personal data in Ireland (within the European Economic Area) and in the United States. Both regions are used by default for telephony, AI processing, storage and continuity. We may add, change or remove processing locations from time to time at our sole discretion, and we are not required to give individual users advance notice of any such change. We do not offer single-region pinning. If your business requires personal data to remain in a specific jurisdiction, you must agree that requirement with us in writing before subscribing. Absent a written agreement signed by us, you accept that personal data may be processed in either or both regions, and to the maximum extent permitted by law we accept no liability arising from the location of processing.

What is processed where

• Account, billing and support data (the data you provide when you sign up, contact us, or pay us): typically hosted in Ireland and the United States, with payment data also processed by our payment processor in its operating regions.
• Call audio, transcripts, AI-generated summaries, messages and bookings (data created when calls are handled by the Services on a subscriber’s behalf): typically processed in Ireland and the United States by our telephony, speech-processing, AI-inference and storage sub-processors.
• Website analytics, advertising-pixel and customer-support data: processed in the United States and other locations as described by each provider in their own policies (see section 2).

Legal mechanisms for transfers outside the UK and EEA

Where Data Protection Laws require us to put a transfer mechanism in place for a transfer of personal data to a country that has not been deemed adequate by the UK government or the European Commission (which currently includes the United States for most general-purpose transfers), we rely on one or more of the following safeguards as applicable to the transfer and the recipient:

• the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
• the EU Standard Contractual Clauses (2021); or
• where the recipient is independently certified, the EU-US Data Privacy Framework and its UK Extension.

Where appropriate, we maintain supplementary technical and organisational measures (including encryption in transit and at rest, access controls and contractual restrictions on further use). You may request a summary of the safeguards in place for a given transfer by contacting our Data Protection Officer at data-protection-officer [at] heyjodie.com. We are not required to disclose commercially sensitive contract terms, and any safeguard summary is provided without warranty.

Notice of sub-processor changes

For data we process on a subscriber’s behalf as a Processor (call audio, transcripts and related call data), we will use reasonable efforts to give the subscriber prior notice before adding or replacing a sub-processor that handles that data. Failure to provide notice in time will not, by itself, give rise to any liability beyond the limitations and exclusions set out in our Terms of Service.

9. How We Protect Your Information

We take technical and organisational measures to protect your personal data from unauthorised access or disclosure, including:

• Encryption (in transit and at rest, where appropriate).
• Secure data storage in controlled facilities.
• Access controls, multi-factor authentication, and staff training on data protection.
• Regular audits of our security controls and vendor due-diligence reviews.

Despite our efforts, no system is entirely secure. If you suspect your data or interaction with us is no longer secure, please notify us immediately.

10. Data Retention

We retain your personal data only for as long as reasonably necessary to:

• Fulfil the purposes for which it was collected.
• Satisfy any legal, regulatory, tax, accounting, or reporting requirements.
• Resolve disputes or enforce our legal agreements and policies.

Where we act as a Processor for a Jodie subscriber, call recordings, transcripts and related call data are retained for the duration of the subscriber’s Subscription and for a reasonable period thereafter, or as otherwise configured by the subscriber within the Services; the subscriber (as Controller) determines the applicable retention period.

Retention periods for analytics data are controlled via GA4 (default 14 months), Microsoft Clarity (default 30 days), Meta Pixel (in accordance with Meta’s data-retention policies), TikTok Pixel (in accordance with TikTok’s data-retention policies), Reddit Pixel (in accordance with Reddit’s data-retention policies), LinkedIn Insight Tag (in accordance with LinkedIn’s data-retention policies), ProveSrc (in accordance with ProveSrc’s data-retention policies), Tolt (in accordance with Tolt’s data-retention policies), and Intercom (in accordance with Intercom’s data-retention policies). Once the retention period expires, we will securely delete or anonymise your personal data in compliance with applicable laws.

11. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and other applicable laws, you may have the right to:

• Access Your Data: Obtain a copy of the personal data we hold about you.
• Rectification: Request corrections to any inaccurate or incomplete data.
• Erasure (Right to be Forgotten): Ask us to delete your data under certain circumstances.
• Restriction of Processing: Request we limit how we use your data.
• Data Portability: Receive your data in a structured, commonly used format.
• Object to Processing: Object to certain processing activities, including direct marketing and analytics profiling.
• Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.

To exercise these rights, contact us at team [at] heyjodie.com or our Data Protection Officer at data-protection-officer [at] heyjodie.com. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your personal data has been processed unlawfully or your data protection rights have been violated. You can contact the ICO at https://ico.org.uk/ or by calling their helpline on 0303 123 1113.

12. Children’s Privacy

Our Website is not intended for individuals under the age of 13. We do not knowingly collect personal data from children. If you believe a child under the age of 13 has provided us with personal information, please contact us so we can investigate and delete it where required.

13. Links to Other Websites

Our Website may contain links to third-party sites not operated by us. We are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites or services before providing personal information.

14. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. The “Last updated” date at the top indicates when it was last revised. Your continued use of our Website after we post any updates signifies your acceptance of the revised policy.

15. Additional Information for California Residents (CCPA / CPRA)

If you are a California resident and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), applies to our handling of your personal information, the following information is provided in addition to (and not in substitution for) the rest of this policy. Nothing in this section creates rights or obligations beyond those required by the CCPA/CPRA.

• Categories of personal information we collect: identifiers (name, email, phone, IP address, device identifiers); commercial information (transaction and subscription records); audio information (where you call a business that uses the Services, the call recording and transcript); internet or network activity (cookies, page views, session replay); geolocation (approximate, derived from IP); professional information (where you tell us your role); and inferences drawn from the above.
• Sources: directly from you, automatically as you use the Website, and from analytics, advertising and payment providers.
• Purposes: to provide and operate the Services, process payments, communicate with you, deliver and measure advertising, comply with law, and as otherwise described in this policy.
• Categories of third parties: cloud-hosting, telephony, AI-inference, payment, customer-support and analytics service providers; advertising partners; and government bodies where required by law.
• Sale or sharing of personal information: we do not “sell” personal information for money. We do “share” personal information for cross-context behavioural advertising via the Meta, TikTok, Reddit and LinkedIn pixels and similar advertising tools described in section 2. To opt out, send a request to team [at] heyjodie.com or use the opt-out controls listed in section 6. We honour Global Privacy Control (GPC) browser signals as an opt-out request.
• Sensitive personal information: we do not use or disclose sensitive personal information for purposes other than those permitted under CCPA/CPRA without an opt-in.
• Your rights: to know, access, correct, delete, and limit the use of sensitive personal information; to opt out of sale or sharing; and to be free from discrimination for exercising these rights. You may use an authorised agent. To exercise these rights, contact team [at] heyjodie.com.
• Retention: see section 10.

16. Additional Information for Australian Residents

If you are in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) apply to our handling of your personal information to the extent the Privacy Act applies to us.

• Cross-border disclosure (APP 8): as described in section 8, we disclose personal information to recipients in Ireland and the United States. We take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs, including through the contractual safeguards described in section 8, but the steps we take are not a guarantee of compliance by the recipient. By using the Services in circumstances where your personal information will be disclosed overseas, you acknowledge that, to the extent the consent exception in APP 8.2(b) or any other exception in APP 8.2 applies, we are not accountable under APP 8.1 for the recipient’s acts or practices.
• Complaints: you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

17. Additional Information for Canadian Residents

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec’s Law 25 and the Quebec Act respecting the protection of personal information in the private sector) apply to our handling of your personal information to the extent those laws apply to us.

• Cross-border processing: we process personal information in Ireland and the United States. While the data is in those jurisdictions it is subject to local laws, including potential lawful access requests by foreign authorities, and we accept no liability for any access or processing required by such laws. The contractual safeguards described in section 8 are in place to protect your data, subject to those legal requirements.
• Complaints: you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca, or, if you are in Quebec, the Commission d’acces a l’information du Quebec at cai.gouv.qc.ca.

18. Additional Information for New Zealand Residents

If you are in New Zealand, the Privacy Act 2020 applies to our handling of your personal information to the extent that Act applies to us. Under Information Privacy Principle 12, before disclosing personal information overseas we take reasonable steps to satisfy ourselves that the recipient is subject to comparable safeguards. Our cross-border safeguards are described in section 8. You may complain to the Office of the Privacy Commissioner at privacy.org.nz.

19. Additional Information for Residents of Ireland and the EEA

If you are in Ireland or another European Economic Area country, EU GDPR and the Irish Data Protection Act 2018 apply in addition to (and where they conflict, in place of) the UK GDPR references above, in each case only to the extent those laws apply to us. References in this policy to the UK Information Commissioner’s Office should be read as also referring to your local supervisory authority. You may complain to the Data Protection Commission (Ireland) at dataprotection.ie or to the supervisory authority in the EEA country where you live, work, or where the alleged infringement took place.

20. Limitations and Order of Precedence

Nothing in this policy is intended to limit any statutory rights you have under applicable Data Protection Laws that cannot lawfully be limited.

Subject to the paragraph above:

• this policy describes our practices and is not a contract; it does not create rights or obligations beyond what is required by applicable Data Protection Laws or expressly agreed between us in our Terms of Service or our Data Processing Addendum;
• to the maximum extent permitted by law, our total liability arising out of or in connection with our processing of personal data and our compliance (or alleged non-compliance) with this policy is subject to the limitations, exclusions and aggregate cap on liability set out in our Terms of Service;
• where any term of this policy conflicts with the Terms of Service or the Data Processing Addendum, the Terms of Service or the Data Processing Addendum (as applicable) prevail; and
• statements in this policy about specific countries, regulators, vendors, retention periods or technical measures are accurate to the best of our knowledge at the date stated above and may change without notice.

21. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

• General Email: team [at] heyjodie.com
• Data Protection Officer: data-protection-officer [at] heyjodie.com
• Address: 45 Albemarle Street, Mayfair, London, W1S 4JL
• ICO reference: ZB977748

For data protection matters specifically, please contact our Data Protection Officer. For complaints about data processing, you may also contact the ICO directly at https://ico.org.uk/.