Privacy Policy

Last updated: April 11, 2026 · Effective: April 11, 2026 · Version 1.0

1. Introduction & Scope

This Privacy Policy (“Policy”) describes how White Hat Technology SRL (“Company,” “we,” “us,” or “our”), a Romanian limited liability company registered in Bucharest, European Union, collects, uses, stores, discloses, and otherwise processes Personal Data in connection with the Jump SSH application (“App”), our website at www.jumpssh.ro (“Website”), and all related services, features, and functionality we provide (collectively, the “Service”).

This Policy applies to all individuals who access or use the Service, including registered account holders, trial users, and visitors to our Website. It covers data collected through the App on Android and iOS devices, through our Website, through our application programming interfaces (APIs), and through any communication you have with us (e.g., email support requests).

By creating an account, installing the App, or otherwise accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any aspect of this Policy, you must discontinue use of the Service immediately. Your continued use of the Service following the posting of changes to this Policy will be deemed as your acceptance of those changes.

This Policy should be read in conjunction with our Terms & Conditions, which govern your use of the Service. In the event of a conflict between this Policy and the Terms & Conditions with respect to privacy matters, this Policy shall prevail.

2. Data Controller Information

The data controller responsible for your Personal Data is:

White Hat Technology SRL
Bucharest, Romania, European Union
Website: www.jumpssh.ro
General contact: support@jumpssh.ro

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy and our data protection practices. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

Data Protection Officer
White Hat Technology SRL
Email: dpo@whitehat.technology

As White Hat Technology SRL is established within the European Union (Romania), we serve as our own EU representative for the purposes of the General Data Protection Regulation. Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).

3. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below, consistent with definitions provided under the General Data Protection Regulation (EU) 2016/679 (“GDPR”):

4. Legal Basis for Processing (GDPR Article 6)

We process your Personal Data only when we have a valid legal basis to do so under the GDPR. Depending on the specific processing activity, we rely on one or more of the following legal bases:

4.1 Performance of a Contract (Article 6(1)(b))

Processing is necessary for the performance of the contract between you and White Hat Technology SRL when you create an account and use the Jump SSH Service. This includes processing your account registration data, storing your SSH host configurations to provide the core functionality of the App, authenticating your sessions, and delivering the features you have requested.

4.2 Legitimate Interests (Article 6(1)(f))

We may process certain data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your rights and freedoms. Our legitimate interests include: maintaining the security and integrity of the Service, detecting and preventing fraud, abuse, and unauthorized access, improving the App’s performance and user experience, resolving technical issues and providing customer support, and maintaining internal records for administrative purposes. We conduct balancing tests to ensure our legitimate interests do not override your fundamental rights.

4.3 Consent (Article 6(1)(a))

For certain processing activities, we rely on your explicit consent. This applies to optional features such as receiving promotional communications, enabling push notifications, and participating in beta testing programs. Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. You may withdraw consent by adjusting your settings within the App, by contacting us at dpo@whitehat.technology, or by using the unsubscribe mechanism provided in any communication.

4.4 Legal Obligations (Article 6(1)(c))

We may process your Personal Data where it is necessary for compliance with a legal obligation to which we are subject. This includes retaining certain records as required by Romanian tax and commercial law, responding to lawful requests from courts, law enforcement agencies, and regulatory authorities, and fulfilling our obligations under applicable anti-money laundering and counter-terrorism financing regulations where applicable.

5. Categories of Personal Data We Collect

We adhere to the principle of data minimisation and collect only the Personal Data that is necessary to provide, maintain, and improve the Service. Below is a comprehensive description of the categories of data we collect:

5.1 Account Data

When you register for a Jump SSH account, we collect your email address (used as your unique account identifier and for account-related communications), your display name or username (visible within the App for personalisation purposes), and your password (stored exclusively as a bcrypt hash with a cost factor of 12; we never store your password in plain text). This data is collected directly from you at the time of registration and is necessary for the performance of our contract with you.

5.2 Device Data

To ensure compatibility, optimise performance, and provide effective technical support, we collect limited device information, including: device manufacturer and model (e.g., “Samsung Galaxy S24”), device brand, operating system name and version (e.g., “Android 15” or “iOS 18.2”), and the version of the Jump SSH App installed on your device. We do not collect unique hardware identifiers such as IMEI, serial numbers, or advertising identifiers.

5.3 Connection Metadata

When you access the Service, we automatically collect certain connection metadata, including: your IP address at the time of login, approximate geographic location derived from your IP address (city and country level only, not precise coordinates), login and logout timestamps, and the type of network connection used (e.g., Wi-Fi, mobile data). IP-based geolocation is performed using a third-party service (ip-api.com), and this process is described in further detail in Section 10 of this Policy.

5.4 SSH Host Configurations

To provide the core functionality of the App, we store your SSH host configurations, which may include: remote server hostnames or IP addresses, SSH port numbers, SSH usernames, authentication method preferences (password, key-based), connection labels and grouping information, and custom connection parameters (such as keepalive intervals, terminal encoding preferences). All SSH host configurations are stored in encrypted form both on your device (using AES-256 encryption via the Android Keystore or iOS Keychain) and on our servers (encrypted at rest). We do not store your SSH passwords or the content of your private SSH keys on our servers.

5.5 Session Metadata

We collect metadata about your SSH sessions to provide connection history, diagnostics, and support. This includes: session start and end times, session duration, the SSH protocol version used, connection success or failure status and error codes, and the type of session initiated (terminal, SFTP, port forwarding). This metadata does not include the content of your SSH sessions, the commands you execute, or the output you receive.

5.6 Usage Data

We collect anonymised and aggregated usage data to understand how the App is used and to improve the Service. This includes: features accessed and frequency of use, total number of sessions and connections, App launch counts and session duration, and general interaction patterns (e.g., which screens are visited most frequently). This data is collected in aggregate form and is not used to build individual user profiles.

6. Data We Do NOT Collect

Privacy-First Design

Jump SSH is built on the principle of privacy by design and privacy by default. We have deliberately architected the App so that the following categories of data are never collected, intercepted, accessed, stored, or transmitted to our servers:

7. How We Use Your Data

We use the Personal Data we collect for the following specific purposes:

7.1 Account Management and Authentication

We use your account data to create and maintain your Jump SSH account, authenticate your identity when you sign in, manage your account settings and preferences, and communicate with you about account-related matters such as password resets, security alerts, and service announcements.

7.2 Service Delivery and Core Functionality

We process your SSH host configurations and session metadata to provide the core functionality of the App, including establishing SSH connections to your configured servers, displaying your connection history and session logs, synchronising your host configurations across your devices (when enabled), and providing SFTP file transfer capabilities.

7.3 Security and Fraud Prevention

We use connection metadata, IP addresses, and login history to protect the security of your account and the Service. This includes detecting and preventing unauthorised access attempts, identifying suspicious login patterns (e.g., logins from unusual geographic locations), enforcing rate limiting to prevent brute-force attacks, and maintaining audit logs for security incident investigation.

7.4 Technical Support

When you contact us for support, we may use your account data, device data, and session metadata to diagnose and resolve technical issues, reproduce and investigate bug reports, and provide personalised assistance based on your specific configuration and environment.

7.5 Service Improvement and Analytics

We use aggregated and anonymised usage data to understand how the App is used and which features are most valuable, identify performance bottlenecks and areas for optimisation, guide product development and feature prioritisation, and ensure compatibility across the widest range of devices and operating systems.

7.6 Legal Compliance

We may process your data as necessary to comply with applicable laws and regulations, respond to lawful requests from public authorities, establish, exercise, or defend legal claims, and enforce our Terms & Conditions.

8. Data Storage & Security

We implement comprehensive technical and organisational measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. Our security practices are designed with the sensitivity of SSH-related data firmly in mind.

8.1 On-Device Security

SSH credentials, private keys, and connection passwords stored on your device are encrypted using AES-256 encryption. Encryption keys are managed by the operating system’s hardware-backed keystore: Android Keystore (backed by Trusted Execution Environment or Secure Element hardware) on Android devices, and iOS Keychain (backed by the Secure Enclave) on Apple devices. This ensures that even if your device storage is compromised, your sensitive SSH data remains protected. The App supports additional on-device protection through biometric lock (fingerprint or face recognition) and PIN/password App lock.

8.2 Server-Side Security

Account and configuration data stored on our servers is maintained in a MySQL database hosted in a data centre located in Romania, within the European Union. Our server-side security measures include encryption at rest for all stored data, strict access controls with role-based permissions and multi-factor authentication for administrative access, regular security audits and vulnerability assessments, network-level firewalls and intrusion detection systems, database backups that are themselves encrypted and stored securely, and server hardening in accordance with industry best practices (CIS benchmarks).

8.3 Data in Transit

All communications between the Jump SSH App and our servers are encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HTTPS for all API endpoints and web traffic. Certificate pinning is implemented in the App to prevent man-in-the-middle attacks. SSH connections between your device and your remote servers use industry-standard SSH-2 protocol encryption, which is established directly between your device and the remote host without passing through our infrastructure.

8.4 Password Security

Account passwords are hashed using the bcrypt algorithm with a cost factor of 12, providing strong resistance against brute-force and rainbow table attacks. We never store passwords in plain text, reversible encryption, or weak hash formats (such as MD5 or SHA-1). Password reset tokens are cryptographically random, single-use, and expire after 24 hours.

8.5 Cloud Synchronisation

Cloud synchronisation of SSH host configurations is not enabled by default. If you choose to enable synchronisation, your configuration data is encrypted before transmission and stored encrypted on our servers. You may disable synchronisation at any time through the App settings, and you may request deletion of all synchronised data from our servers.

9. Data Retention Periods

We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The specific retention periods for each category of data are as follows:

When your data reaches the end of its retention period, it is automatically deleted or anonymised. Where deletion is not immediately possible (for example, because the data is stored in backup archives), we ensure the data is securely isolated and protected from any further processing until deletion is possible.

10. Data Sharing & Third Parties

No Data Sales No Advertising

We do not sell, rent, lease, or trade your Personal Data to any third party. We do not share your data with advertisers, data brokers, or marketing platforms. We do not monetise your data in any way.

10.1 Third-Party Service Providers

We engage a limited number of third-party service providers who process data on our behalf to support the operation of the Service. Each provider is bound by data processing agreements that comply with GDPR requirements:

10.2 Law Enforcement and Legal Obligations

We may disclose your Personal Data to law enforcement agencies, regulatory authorities, courts, or other public bodies if we are required to do so by applicable law, regulation, or legal process (such as a valid court order, subpoena, or search warrant). In such cases, we will disclose only the minimum data necessary to comply with the legal obligation. Where legally permitted, we will notify you of any such request before disclosure. We will challenge any request that we believe to be overbroad, unlawful, or otherwise improper.

10.3 Business Transfers

In the event that White Hat Technology SRL undergoes a merger, acquisition, reorganisation, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you via email or a prominent notice within the App of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data.

11. International Data Transfers

Your Personal Data is primarily stored and processed within the European Union, specifically in Romania. We are committed to ensuring that any transfer of Personal Data outside the European Economic Area (EEA) is carried out in compliance with GDPR requirements.

11.1 Data Stored in the EU

Our primary database servers and application infrastructure are located in Romania, a member state of the European Union. The vast majority of your Personal Data never leaves the EU.

11.2 Google Firebase

Data processed through Google Firebase (crash reports and push notification tokens) may be transferred to and processed on Google servers located outside the EEA, including in the United States. These transfers are governed by Google’s Data Processing Terms, which incorporate the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism. Google also maintains additional certifications and safeguards, including the implementation of supplementary technical and organisational measures as recommended by the European Data Protection Board (EDPB).

11.3 ip-api.com

IP geolocation queries sent to ip-api.com involve the transmission of your IP address to servers that may be located outside the EEA. However, the only data transmitted is the IP address itself for the sole purpose of the geolocation lookup, and no other Personal Data is shared. The IP address is not retained by ip-api.com beyond the duration of the query.

If you have questions about the specific safeguards applied to international transfers of your data, please contact our DPO at dpo@whitehat.technology.

12. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights with respect to your Personal Data. These rights are not absolute and may be subject to limitations as provided for by applicable law:

How to Exercise Your Rights

To exercise any of the rights described above, you may contact us by email at dpo@whitehat.technology or by postal mail at our registered address. To protect your privacy and security, we may take reasonable steps to verify your identity before fulfilling your request, such as confirming your email address or requesting additional information. We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. We do not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

13. Cookies & Tracking Technologies

13.1 Website

Our website at www.jumpssh.ro is served through Cloudflare, which may set strictly necessary cookies for security and performance purposes (such as DDoS protection and bot detection). We use Cloudflare Web Analytics for understanding website traffic and usage patterns. Cloudflare Web Analytics is a privacy-first analytics solution that does not use any client-side state (no cookies, no localStorage, no fingerprinting) and does not track individual visitors across sites. All analytics data is aggregated and anonymised. We do not use Google Analytics, Facebook Pixel, or any third-party tracking or remarketing technologies on our website.

13.2 Mobile Application

The Jump SSH mobile application does not use cookies, tracking pixels, web beacons, advertising SDKs, or any form of cross-app tracking technology. We do not participate in any mobile advertising network or programmatic advertising platform. The App does not use the Identifier for Advertisers (IDFA) on iOS or the Google Advertising ID (GAID) on Android. The App does not implement Apple’s SKAdNetwork or any attribution tracking framework.

14. Children’s Privacy

Jump SSH is a professional-grade SSH terminal application designed for system administrators, developers, and IT professionals. The Service is not designed for, directed at, or intended to be used by children under the age of 16 (or the applicable age of digital consent in your jurisdiction).

We do not knowingly collect, solicit, or process Personal Data from children under 16. We do not knowingly allow children under 16 to register for an account or use the Service. In compliance with the United States Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect Personal Data from children under the age of 13 in the United States.

If we become aware that we have collected Personal Data from a child under the applicable minimum age without verification of parental consent, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and you believe that your child has provided us with Personal Data without your consent, please contact us immediately at dpo@whitehat.technology. We will investigate and delete any such data within 48 hours of verification.

If you are under the age of 16, please do not attempt to register for an account, provide any Personal Data to us, or use the Service. If you are between 16 and 18 years of age, we recommend that you review this Privacy Policy with a parent or guardian before using the Service.

15. Data Breach Notification

We take data security incidents extremely seriously. In the event of a Personal Data Breach, we follow a rigorous incident response protocol in full compliance with GDPR Articles 33 and 34:

15.1 Notification to Supervisory Authority

In the event of a Data Breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (ANSPDCP) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. If notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The notification will include the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.

15.2 Notification to Affected Users

When a Data Breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will communicate the breach to the affected Data Subjects without undue delay. This notification will be delivered via email to the registered email address associated with your account, as well as through an in-App notification upon next login. The notification will describe in clear and plain language the nature of the breach, the name and contact details of our DPO, the likely consequences of the breach, and the measures we have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects.

15.3 Documentation and Post-Incident Review

We maintain a comprehensive internal breach register documenting all Personal Data Breaches, regardless of whether they trigger the notification obligations above. This register includes the facts relating to the breach, its effects, and the remedial action taken. Following any significant security incident, we conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement additional safeguards to prevent recurrence.

16. Automated Decision-Making and Profiling

Jump SSH does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR.

Specifically, we do not use algorithms or artificial intelligence to make decisions about your access to the Service, the features available to you, or the terms under which the Service is provided. We do not create profiles about you based on your usage patterns for the purpose of making automated decisions. We do not use scoring, ranking, or classification systems that affect your rights or interests. All decisions that may significantly affect you (such as account suspension or termination) are made by human administrators with appropriate oversight and review processes. You will always have the right to obtain human intervention, to express your point of view, and to contest any decision that affects you.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

17.1 Notification of Changes

For minor changes (such as typographical corrections, formatting updates, or clarifications that do not materially affect data processing), we will update the “Last updated” date at the top of this Policy. For material changes that significantly affect how we collect, use, or share your Personal Data, we will provide you with prominent notice before the changes take effect. This notice may be provided through an in-App notification or alert, via email to the address associated with your account, through a prominent banner or notice on our Website, or through the App update notes in the app stores.

17.2 Material Changes and Re-Consent

Where material changes expand the scope of data collection, introduce new categories of data processing, or change the purposes for which your data is used, we will seek your renewed consent before applying such changes to your existing data. If you do not consent to material changes, you may continue to use the Service under the terms of the previous version of this Policy, or you may choose to delete your account.

17.3 Version History

We maintain a version history of this Privacy Policy. Previous versions of this Policy are available upon request by contacting our DPO at dpo@whitehat.technology.

18. Supervisory Authority

If you believe that our processing of your Personal Data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. As White Hat Technology SRL is established in Romania, our lead supervisory authority is:

ANSPDCP — Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
(National Supervisory Authority for Personal Data Processing)

Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work, if different from Romania. We kindly request that you contact us first at dpo@whitehat.technology so that we may attempt to address your concerns directly before you escalate to a supervisory authority.

19. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy, our data protection practices, or if you wish to exercise any of your rights as a Data Subject, you may contact us through any of the following channels:

General Inquiries
White Hat Technology SRL
Email: support@jumpssh.ro
Website: www.jumpssh.ro

Data Protection Officer
Email: dpo@whitehat.technology

Response Time Commitments:

We are committed to resolving any privacy concerns or disputes you may have. If you are not satisfied with our response, you have the right to escalate your complaint to the supervisory authority as described in Section 18.

This Privacy Policy was last updated on April 11, 2026, is effective as of April 11, 2026, and constitutes Version 1.0 of the Jump SSH Privacy Policy.