Privacy Statement
JollyCase BV is committed to protecting your personal data and to processing it lawfully, fairly and transparently. This Privacy Statement describes how we collect and process personal data in connection with the JollyCase upc service.
Introduction
JollyCase BV (“JollyCase”, “we”, “us” or “our”) is committed to protecting your personal data and to processing it lawfully, fairly and transparently. This privacy statement (the “Privacy Statement”) describes how we collect and process personal data in connection with the JollyCase upc service (the “Service”), a professional reference tool for European patent professionals accessible at upc.jollycase.eu, and how you can exercise your rights under applicable data protection law.
This Privacy Statement applies to personal data processed in connection with the Service and the website at jollycase.eu and upc.jollycase.eu (together, the “Website”). It is to be read together with our Terms and Conditions and with the AI disclaimer notice that we display at first signup. Unless otherwise stated, defined terms used in this Privacy Statement that are also defined in Regulation (EU) 2016/679 (the “GDPR”) have the same meaning here.
The Service is offered on a business-to-business basis to professional users established in the European Union. References in this Privacy Statement to a “user” or to “you” are to such professional users (whether acting in their own name or on behalf of their firm, employer or organization), as well as, where relevant, to visitors of the Website and to other natural persons whose personal data we process in connection with the Service.
Controller
The controller responsible for the processing of personal data described in this Privacy Statement is:
JollyCase BV
Registered office: Steenstraat 30, 3530 Houthalen-Helchteren, Belgium
CBE/KBO number: 1036.887.438
Privacy enquiries: info@jollycase.eu
If you have any question relating to this Privacy Statement or to the processing of your personal data, you may contact us using the details above. We have not appointed a Data Protection Officer; you may always address your enquiry to the contact address above.
Personal data we process
This article describes the categories of personal data we process in connection with the Service. We have organised the categories by the situation in which they are collected. Where a single processing activity gives rise to several legal bases (for example, contract performance and legitimate interest), we identify the primary legal basis in the relevant table.
Account holders and subscribers
The following processing activities apply when you create a JollyCase account, take out a Free Trial or a paid subscription and use the Service.
- (a) account data: email address, display name, password (in hashed form, managed through Firebase Auth);
- (b) professional profile data: country of professional establishment (mandatory, EU27 only), professional role (mandatory: in-house industry, private practice or law firm, patent examiner at the EPO or a national patent office, or academic or researcher), company or firm name (optional), role or title (optional);
- (c) acceptance records: version and timestamp of this Privacy Statement, version and timestamp of the Terms and Conditions, version and timestamp of the AI disclaimer notice;
- (d) subscription and billing data: subscription status, subscription period, Subscription Fee, invoices, billing identifier and other transaction data, handled through Stripe Payments Europe Ltd. (“Stripe”), which acts as our payment service provider. Payment card data is collected and processed by Stripe and is not stored by JollyCase;
- (e) usage data: sessions completed, decisions explored, bookmarks created, AI tokens consumed, and other technical metrics, in each case associated with your account identifier.
(i) to create and operate your account; (ii) to authenticate you and to secure access to the Service; (iii) to provide the Service and its features; (iv) to manage your subscription, the Free Trial, renewals and cancellations; (v) to invoice and collect the Subscription Fee (through Stripe); (vi) to keep evidence of your acceptance of our Terms and Conditions, this Privacy Statement and the AI disclaimer notice; (vii) to monitor usage of the Service, to detect misuse and to ensure compliance with the Terms and Conditions, including the restrictions relating to judicial use, geographic eligibility and acceptable use; (viii) to comply with our legal obligations (in particular tax, accounting and consumer-protection law to the extent applicable in a B2B context); and (ix) to respond to your questions and provide support.
Performance of the contract concluded with you (Article 6(1)(b) GDPR) for the activities directly necessary to operate the Service and to manage your subscription.
Compliance with our legal obligations (Article 6(1)(c) GDPR), in particular for invoicing, accounting and tax-related retention.
Our legitimate interests (Article 6(1)(f) GDPR) in (i) securing the Service and our infrastructure, (ii) monitoring usage to detect misuse and to enforce the Terms and Conditions, (iii) keeping evidence of acceptance of our policies, and (iv) operating and improving the Service. Where we rely on legitimate interests, we have carried out a balancing test and consider that our interests do not override your fundamental rights and freedoms, taking into account the limited and professional nature of the data processed.
AI chat queries and decision-context payloads
Where you use the per-decision AI chat feature, additional processing applies. We have set out this processing separately so that the AI-specific data flows and the related instructions are clearly visible.
- (a) the chat queries you submit;
- (b) the decision-context payload loaded with each query (the text of the relevant UPC decision and related metadata);
- (c) the AI responses generated by the AI model and returned to you;
- (d) technical metadata of the interaction (timestamp, token usage, model version).
To generate AI responses to your chat queries about specific UPC decisions, to deliver those responses to you, to operate and secure the AI chat feature, to record token usage for billing-related purposes, and to monitor for abuse and misuse.
Performance of the contract concluded with you (Article 6(1)(b) GDPR) for the delivery of the AI chat feature, and our legitimate interests (Article 6(1)(f) GDPR) in securing and operating the AI chat feature and in monitoring for abuse.
Chat queries and decision-context payloads are transmitted to Google’s Gemini API for processing. JollyCase calls the Gemini API through a paid API tier. Under the Google API terms applicable to that paid tier, Google has committed not to use submitted content to train its models. The data transmitted to Google is subject to Google’s API data-handling commitments, available on the Google Cloud / Google AI documentation.
Despite these protections, we instruct you not to enter confidential, privileged, client-identifying, personally sensitive or otherwise sensitive information into the AI chat. A persistent warning to that effect is displayed in the AI chat interface and forms part of our contractual position towards you. This Privacy Statement does not, and is not intended to, override or qualify that warning.
Semantic search
Semantic search is performed using an open-source embedding model that runs in the backend of the service. Your semantic search queries are not transmitted to external AI providers for the purposes of embedding generation. This Privacy Statement therefore does not describe any external transfer in respect of semantic search queries themselves.
This is without prejudice to the analytics and logging that may apply at the level of the Service generally, as described elsewhere in this Privacy Statement.
Website visitors
When you visit the Website, we may process information such as your IP address, browser type and version, device characteristics, pages viewed, time spent on pages, referring URL and approximate geographic location derived from your IP address.
To operate the Website, to monitor and improve its performance and usability, to detect and prevent fraud and abuse, and to protect the security of the Website and the Service.
Our legitimate interest in operating and securing a properly functioning Website (Article 6(1)(f) GDPR). Where consent is required under applicable law (in particular for non-essential cookies and similar technologies), we rely on your consent within the meaning of Article 6(1)(a) GDPR and Article 129 of the Belgian Electronic Communications Act.
Persons who contact us
When you contact us (for example by email), we may process your name, contact details, the content of your message, and any related metadata.
To respond to your question, to provide information about the Service, to provide support, and to keep a record of our correspondence.
Performance of the contract or pre-contractual steps taken at your request (Article 6(1)(b) GDPR) and our legitimate interest in managing our correspondence and supporting our users and prospects (Article 6(1)(f) GDPR).
Newsletter and marketing recipients (optional)
If you subscribe to a JollyCase newsletter or otherwise agree to receive communications from us, we may process your email address, display name and preferences.
To send you the newsletter and other communications about the Service.
Your consent (Article 6(1)(a) GDPR) where consent is required, and otherwise our legitimate interest in keeping our users and prospects informed about the Service (Article 6(1)(f) GDPR). You may withdraw your consent or object at any time by following the unsubscribe link in any communication or by contacting us using the details set out above.
Sub-processors and third-party services
We use a limited number of third-party providers to deliver the Service. Where these providers process personal data on our behalf, they act as our processors and are bound by data processing agreements requiring them to process personal data only on our instructions and to apply appropriate technical and organizational measures. The main categories of providers are described below.
We use Google’s Firebase Authentication service to manage user authentication, and Google’s Firestore service to store account, profile, usage and acceptance data. The contracting entity is Google Ireland Limited.
Firestore data is stored on Google infrastructure within the European Union (region: eur3).
Firebase Authentication is a globally distributed service with no configurable data residency; user authentication data is processed on Google’s global infrastructure subject to Google’s standard data processing terms.
We use the Google Gemini API (paid tier) to generate responses to per-decision AI chat queries, as described in article 3.2. The contracting entity is Google Ireland Limited. Under the paid-tier API terms, Google has committed not to use submitted content to train its models.
We use Stripe Payments Europe Ltd. (Stripe) to process subscription payments. Stripe acts as a separate controller or as a joint controller in respect of payment-card data and related fraud prevention processing, in accordance with its own terms. Stripe’s privacy notice is available at stripe.com/privacy.
We use Scaleway to host the application backend and serve the Service. The contracting entity is Scaleway SAS, a French company. Infrastructure is located within the European Union.
A current and complete list of sub-processors is available on request from the contact address set out in article 2. We may engage additional sub-processors over time; where this involves a material change, we will update this Privacy Statement and, where appropriate, inform our users in advance.
International data transfers
JollyCase is established in Belgium and our processing infrastructure is, to the extent within our control, configured to host personal data within the European Union.
Some of our sub-processors are part of corporate groups established outside the European Economic Area (in particular Google LLC for parts of the Google services, and Stripe, Inc. for parts of the Stripe services). Where personal data is transferred to a country outside the European Economic Area that does not benefit from an adequacy decision of the European Commission, we take steps to put appropriate safeguards in place under Chapter V GDPR, such as the Standard Contractual Clauses approved by the European Commission and, where applicable, supplementary measures. You may obtain further information about the safeguards applicable to a specific transfer by contacting us at the address set out in article 2.
Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law (in particular for accounting, tax or evidence purposes).
Where your account is deleted, JollyCase will delete or anonymize your personal data in accordance with this Privacy Statement, subject to personal data that must be retained for legal, accounting, tax, fraud-prevention, security or dispute-handling purposes. Once data has been anonymized, it no longer relates to an identified or identifiable natural person and is no longer subject to the GDPR.
| Data category | Retention period |
|---|---|
| Account data, professional profile data, acceptance records | For the duration of your account, and for 90 days thereafter for security, fraud-prevention and dispute-handling purposes. Acceptance records (Terms and Conditions, Privacy Statement, AI disclaimer notice versions and timestamps) are retained for an additional 5 years after the end of the account for evidential purposes. |
| Subscription and billing data | For the duration of your account and for 7 years thereafter, in accordance with applicable accounting and tax law. |
| AI chat queries and decision-context payloads | AI chat messages and decision-context payloads are processed to generate and return AI responses. Full AI chat histories are not retained server-side as complete conversation histories. AI chat history may be stored locally in your browser. Technical metadata, such as timestamp, model version and token usage, may be retained for billing, usage-control, security and abuse-prevention purposes for as long as necessary for those purposes. |
| Usage data (sessions, decisions explored, bookmarks, tokens) | For the duration of your account and for 90 days thereafter, after which the data is deleted or anonymized. |
| Correspondence and support tickets | For the duration of the correspondence and for a reasonable period thereafter (typically up to 24 months) for follow-up, dispute-handling and continuous-improvement purposes. |
| Website logs and analytics data | Operational logs generated by the Service are retained for 400 days, after which they are automatically deleted. These logs may contain identifiable data such as IP addresses and are retained solely for security, troubleshooting and fraud-prevention purposes. |
You may at any time delete your account and your associated personal data through the Account page of the Service. Account deletion triggers the deletion or anonymization of your personal data in accordance with the retention periods set out above, save for personal data that we are legally required to retain for a longer period (for example, accounting data) or that we may need to retain for the establishment, exercise or defense of legal claims. Once data has been deleted or anonymized, the GDPR rights of access, rectification, erasure and portability can no longer be exercised in relation to that data.
Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures include, where appropriate, encryption of data in transit and, where technically feasible, at rest, strict access controls based on the principle of least privilege, regular review of access rights, monitoring of systems and networks, regular back-ups, and engagement of sub-processors that themselves apply adequate security measures.
Notwithstanding these measures, no system can be guaranteed to be entirely secure. You play an important role in protecting your account by using a strong password, by keeping your credentials confidential and by notifying us without undue delay of any suspected compromise.
Your rights
Subject to the conditions set out in the GDPR, you have the following rights in respect of your personal data:
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that personal data and information on how it is processed.
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
You have the right to request the deletion of your personal data where, for example, it is no longer necessary for the purposes for which it was collected, where you have withdrawn your consent (in the limited cases where we process on the basis of consent), or where you have validly objected to processing.
You have the right to request that we restrict the processing of your personal data in certain circumstances, in particular where you contest its accuracy or have objected to processing.
Where processing is based on your consent or on the performance of a contract and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to have it transmitted to another controller where technically feasible.
You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests (Article 6(1)(f) GDPR). Where we process your personal data for direct marketing purposes, you may object at any time and without giving reasons.
Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, of your place of work or of the alleged infringement.
You can exercise most of these rights directly through the Account page of the Service, which allows you to export your data in a structured format and to delete your account and associated personal data. You may also exercise your rights by contacting us at the contact address set out above.
We will respond to your request within one (1) month of receipt. In cases of complexity or where we receive multiple requests simultaneously, we may extend this period by a further two (2) months; in such cases, we will inform you of the extension and of the reasons for it within one (1) month of receipt of your request. Where we are unable to identify you from the information provided, we may ask for additional information solely for the purpose of verifying your identity.
Supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority. As JollyCase is established in Belgium, the lead supervisory authority is the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit / Autorité de Protection des Données (GBA/APD)
Drukpersstraat 35 / Rue de la Presse 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be / www.autoriteprotectiondonnees.be
Telephone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work within the European Union.
Automated decision-making and profiling
We do not use your personal data for automated decision-making producing legal effects or similarly significant effects on you within the meaning of Article 22 GDPR. AI-generated outputs (decision summaries, case cards, AI chat responses and semantic search ranking) are made available to you as reference material; they are not used to take any automated decision in respect of you.
Children’s data
The Service is offered exclusively to professional users acting in the course of their professional activity. We do not knowingly process personal data of children. If we become aware that we have inadvertently collected personal data of a child, we will take appropriate steps to delete that data.
Links to third-party services
The Website and the Service may contain links to third-party services or websites (for example, links to published European patents on Espacenet). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy statements independently.
Changes to this Privacy Statement
We may update this Privacy Statement from time to time. When we do, we will update the effective date shown at the top of this document. If we make significant changes, we will notify you through the Service with reasonable advance notice; where the change affects processing carried out on the basis of your consent or requires your acknowledgment, a notice will be displayed within the Service upon your next login.
Where a change affects processing activities carried out on the basis of your consent, we will seek your renewed consent before the change takes effect.
Contact
If you have any question or request relating to this Privacy Statement or to the processing of your personal data, please contact us at info@jollycase.eu or at the registered office address set out above.