Privacy Policy
Last updated: April 11, 2026 · Effective: April 11, 2026 · Version 1.0
1. Introduction & Scope
This Privacy Policy (“Policy”) describes how White Hat Technology SRL (“Company,” “we,” “us,” or “our”), a Romanian limited liability company registered in Bucharest, European Union, collects, uses, stores, discloses, and otherwise processes Personal Data in connection with the Jump SSH application (“App”), our website at www.jumpssh.ro (“Website”), and all related services, features, and functionality we provide (collectively, the “Service”).
This Policy applies to all individuals who access or use the Service, including registered account holders, trial users, and visitors to our Website. It covers data collected through the App on Android and iOS devices, through our Website, through our application programming interfaces (APIs), and through any communication you have with us (e.g., email support requests).
By creating an account, installing the App, or otherwise accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any aspect of this Policy, you must discontinue use of the Service immediately. Your continued use of the Service following the posting of changes to this Policy will be deemed as your acceptance of those changes.
This Policy should be read in conjunction with our Terms & Conditions, which govern your use of the Service. In the event of a conflict between this Policy and the Terms & Conditions with respect to privacy matters, this Policy shall prevail.
2. Data Controller Information
The data controller responsible for your Personal Data is:
White Hat Technology SRL
Bucharest, Romania, European Union
Website: www.jumpssh.ro
General contact: support@jumpssh.ro
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy and our data protection practices. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:
Data Protection Officer
White Hat Technology SRL
Email: dpo@whitehat.technology
As White Hat Technology SRL is established within the European Union (Romania), we serve as our own EU representative for the purposes of the General Data Protection Regulation. Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below, consistent with definitions provided under the General Data Protection Regulation (EU) 2016/679 (“GDPR”):
- Personal Data — any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing — any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Subject — the identified or identifiable natural person to whom the Personal Data relates. In the context of this Policy, this refers to you, the user of our Service.
- Controller — the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For this Service, the Controller is White Hat Technology SRL.
- Processor — a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
- Consent — any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
- Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Supervisory Authority — an independent public authority established by a Member State pursuant to Article 51 of the GDPR. Our lead supervisory authority is ANSPDCP (Romania).
4. Legal Basis for Processing (GDPR Article 6)
We process your Personal Data only when we have a valid legal basis to do so under the GDPR. Depending on the specific processing activity, we rely on one or more of the following legal bases:
4.1 Performance of a Contract (Article 6(1)(b))
Processing is necessary for the performance of the contract between you and White Hat Technology SRL when you create an account and use the Jump SSH Service. This includes processing your account registration data, storing your SSH host configurations to provide the core functionality of the App, authenticating your sessions, and delivering the features you have requested.
4.2 Legitimate Interests (Article 6(1)(f))
We may process certain data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your rights and freedoms. Our legitimate interests include: maintaining the security and integrity of the Service, detecting and preventing fraud, abuse, and unauthorized access, improving the App’s performance and user experience, resolving technical issues and providing customer support, and maintaining internal records for administrative purposes. We conduct balancing tests to ensure our legitimate interests do not override your fundamental rights.
4.3 Consent (Article 6(1)(a))
For certain processing activities, we rely on your explicit consent. This applies to optional features such as receiving promotional communications, enabling push notifications, and participating in beta testing programs. Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. You may withdraw consent by adjusting your settings within the App, by contacting us at dpo@whitehat.technology, or by using the unsubscribe mechanism provided in any communication.
4.4 Legal Obligations (Article 6(1)(c))
We may process your Personal Data where it is necessary for compliance with a legal obligation to which we are subject. This includes retaining certain records as required by Romanian tax and commercial law, responding to lawful requests from courts, law enforcement agencies, and regulatory authorities, and fulfilling our obligations under applicable anti-money laundering and counter-terrorism financing regulations where applicable.
5. Categories of Personal Data We Collect
We adhere to the principle of data minimisation and collect only the Personal Data that is necessary to provide, maintain, and improve the Service. Below is a comprehensive description of the categories of data we collect:
5.1 Account Data
When you register for a Jump SSH account, we collect your email address (used as your unique account identifier and for account-related communications), your display name or username (visible within the App for personalisation purposes), and your password (stored exclusively as a bcrypt hash with a cost factor of 12; we never store your password in plain text). This data is collected directly from you at the time of registration and is necessary for the performance of our contract with you.
5.2 Device Data
To ensure compatibility, optimise performance, and provide effective technical support, we collect limited device information, including: device manufacturer and model (e.g., “Samsung Galaxy S24”), device brand, operating system name and version (e.g., “Android 15” or “iOS 18.2”), and the version of the Jump SSH App installed on your device. We do not collect unique hardware identifiers such as IMEI, serial numbers, or advertising identifiers.
5.3 Connection Metadata
When you access the Service, we automatically collect certain connection metadata, including: your IP address at the time of login, approximate geographic location derived from your IP address (city and country level only, not precise coordinates), login and logout timestamps, and the type of network connection used (e.g., Wi-Fi, mobile data). IP-based geolocation is performed using a third-party service (ip-api.com), and this process is described in further detail in Section 10 of this Policy.
5.4 SSH Host Configurations
To provide the core functionality of the App, we store your SSH host configurations, which may include: remote server hostnames or IP addresses, SSH port numbers, SSH usernames, authentication method preferences (password, key-based), connection labels and grouping information, and custom connection parameters (such as keepalive intervals, terminal encoding preferences). All SSH host configurations are stored in encrypted form both on your device (using AES-256 encryption via the Android Keystore or iOS Keychain) and on our servers (encrypted at rest). We do not store your SSH passwords or the content of your private SSH keys on our servers.
5.5 Session Metadata
We collect metadata about your SSH sessions to provide connection history, diagnostics, and support. This includes: session start and end times, session duration, the SSH protocol version used, connection success or failure status and error codes, and the type of session initiated (terminal, SFTP, port forwarding). This metadata does not include the content of your SSH sessions, the commands you execute, or the output you receive.
5.6 Usage Data
We collect anonymised and aggregated usage data to understand how the App is used and to improve the Service. This includes: features accessed and frequency of use, total number of sessions and connections, App launch counts and session duration, and general interaction patterns (e.g., which screens are visited most frequently). This data is collected in aggregate form and is not used to build individual user profiles.
6. Data We Do NOT Collect
Privacy-First Design
Jump SSH is built on the principle of privacy by design and privacy by default. We have deliberately architected the App so that the following categories of data are never collected, intercepted, accessed, stored, or transmitted to our servers:
- SSH terminal input and output content — Your commands, shell output, and all data transmitted within your SSH sessions remain strictly between your device and the remote server. Jump SSH acts as a transparent conduit; we do not perform deep packet inspection, content analysis, or logging of SSH session payloads. Your terminal sessions are yours alone.
- File contents transferred via SFTP — When you upload, download, or manage files through the built-in SFTP client, the content of those files is transferred directly between your device and the remote server. We do not intercept, scan, cache, or store any file contents. We record only minimal transfer metadata (file name, size, timestamp, success/failure) for your transfer history.
- Private SSH key content — Your private SSH keys are generated and stored exclusively on your device, protected by the operating system’s secure hardware-backed keystore (Android Keystore or iOS Secure Enclave). Private key material is never transmitted to our servers, never included in backups to our cloud infrastructure, and never accessible to our employees.
- GPS or precise location data — We do not request, access, or use your device’s GPS, Wi-Fi triangulation, Bluetooth beacons, or any other precise location services. The only location-related data we process is approximate city/country-level geolocation derived from your IP address during authentication, as described in Section 5.3.
- Contacts, address books, or social graphs — The App does not request permission to access your device contacts, phone book, call history, or any social networking data.
- Photos, camera, or media library — The App does not request access to your device’s camera, photo library, or media storage, unless you explicitly choose to import an SSH key file from your device storage.
- Microphone or audio data — The App does not access your device’s microphone or record any audio.
- Browsing history or web activity — We do not track, collect, or monitor your browsing history, search queries, or web activity, whether inside or outside the App.
- Advertising identifiers — We do not collect Google Advertising ID (GAID), Apple Identifier for Advertisers (IDFA), or any similar advertising tracking identifiers. The App contains no advertising SDKs, no ad networks, and no programmatic advertising infrastructure.
- Biometric data — While the App may use biometric authentication (fingerprint, face recognition) as a convenience feature to unlock the App, biometric data is processed entirely by your device’s operating system. We never receive, store, or have access to your biometric templates or raw biometric data.
7. How We Use Your Data
We use the Personal Data we collect for the following specific purposes:
7.1 Account Management and Authentication
We use your account data to create and maintain your Jump SSH account, authenticate your identity when you sign in, manage your account settings and preferences, and communicate with you about account-related matters such as password resets, security alerts, and service announcements.
7.2 Service Delivery and Core Functionality
We process your SSH host configurations and session metadata to provide the core functionality of the App, including establishing SSH connections to your configured servers, displaying your connection history and session logs, synchronising your host configurations across your devices (when enabled), and providing SFTP file transfer capabilities.
7.3 Security and Fraud Prevention
We use connection metadata, IP addresses, and login history to protect the security of your account and the Service. This includes detecting and preventing unauthorised access attempts, identifying suspicious login patterns (e.g., logins from unusual geographic locations), enforcing rate limiting to prevent brute-force attacks, and maintaining audit logs for security incident investigation.
7.4 Technical Support
When you contact us for support, we may use your account data, device data, and session metadata to diagnose and resolve technical issues, reproduce and investigate bug reports, and provide personalised assistance based on your specific configuration and environment.
7.5 Service Improvement and Analytics
We use aggregated and anonymised usage data to understand how the App is used and which features are most valuable, identify performance bottlenecks and areas for optimisation, guide product development and feature prioritisation, and ensure compatibility across the widest range of devices and operating systems.
7.6 Legal Compliance
We may process your data as necessary to comply with applicable laws and regulations, respond to lawful requests from public authorities, establish, exercise, or defend legal claims, and enforce our Terms & Conditions.
8. Data Storage & Security
We implement comprehensive technical and organisational measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. Our security practices are designed with the sensitivity of SSH-related data firmly in mind.
8.1 On-Device Security
SSH credentials, private keys, and connection passwords stored on your device are encrypted using AES-256 encryption. Encryption keys are managed by the operating system’s hardware-backed keystore: Android Keystore (backed by Trusted Execution Environment or Secure Element hardware) on Android devices, and iOS Keychain (backed by the Secure Enclave) on Apple devices. This ensures that even if your device storage is compromised, your sensitive SSH data remains protected. The App supports additional on-device protection through biometric lock (fingerprint or face recognition) and PIN/password App lock.
8.2 Server-Side Security
Account and configuration data stored on our servers is maintained in a MySQL database hosted in a data centre located in Romania, within the European Union. Our server-side security measures include encryption at rest for all stored data, strict access controls with role-based permissions and multi-factor authentication for administrative access, regular security audits and vulnerability assessments, network-level firewalls and intrusion detection systems, database backups that are themselves encrypted and stored securely, and server hardening in accordance with industry best practices (CIS benchmarks).
8.3 Data in Transit
All communications between the Jump SSH App and our servers are encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HTTPS for all API endpoints and web traffic. Certificate pinning is implemented in the App to prevent man-in-the-middle attacks. SSH connections between your device and your remote servers use industry-standard SSH-2 protocol encryption, which is established directly between your device and the remote host without passing through our infrastructure.
8.4 Password Security
Account passwords are hashed using the bcrypt algorithm with a cost factor of 12, providing strong resistance against brute-force and rainbow table attacks. We never store passwords in plain text, reversible encryption, or weak hash formats (such as MD5 or SHA-1). Password reset tokens are cryptographically random, single-use, and expire after 24 hours.
8.5 Cloud Synchronisation
Cloud synchronisation of SSH host configurations is not enabled by default. If you choose to enable synchronisation, your configuration data is encrypted before transmission and stored encrypted on our servers. You may disable synchronisation at any time through the App settings, and you may request deletion of all synchronised data from our servers.
9. Data Retention Periods
We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The specific retention periods for each category of data are as follows:
- Account data — Retained for the duration of your active account. Upon account deletion, all account data is permanently erased from our production systems within 30 calendar days. Encrypted backups containing account data are purged on a rolling 90-day cycle.
- Session logs — Connection session metadata (start time, end time, duration, status) is retained for 90 days from the date of the session, after which it is automatically and irreversibly deleted.
- Login history — Authentication records (IP address, timestamp, geolocation, device information) are retained for 12 months to support security auditing and fraud detection, after which they are automatically purged.
- Transfer logs — SFTP file transfer metadata (file names, sizes, timestamps, success/failure status) is retained for 60 days, after which it is automatically deleted. No file content is ever stored.
- Password reset codes — One-time password reset tokens expire and are deleted after 24 hours from issuance, regardless of whether they have been used.
- Support correspondence — If you contact us for support, we retain your support tickets and related correspondence for up to 24 months after the ticket is resolved, to provide context for any follow-up issues and for quality assurance purposes.
- Aggregated analytics data — Anonymised and aggregated usage statistics that cannot be used to identify any individual are retained indefinitely for trend analysis and product development purposes.
When your data reaches the end of its retention period, it is automatically deleted or anonymised. Where deletion is not immediately possible (for example, because the data is stored in backup archives), we ensure the data is securely isolated and protected from any further processing until deletion is possible.
10. Data Sharing & Third Parties
No Data Sales No Advertising
We do not sell, rent, lease, or trade your Personal Data to any third party. We do not share your data with advertisers, data brokers, or marketing platforms. We do not monetise your data in any way.
10.1 Third-Party Service Providers
We engage a limited number of third-party service providers who process data on our behalf to support the operation of the Service. Each provider is bound by data processing agreements that comply with GDPR requirements:
- ip-api.com (IP Geolocation) — When you log in, we send your IP address to ip-api.com to determine your approximate geographic location (city and country level). This is used solely for security purposes (detecting suspicious login locations). The IP address sent to this service is used for the geolocation query only and is not retained by ip-api.com beyond the request. No other Personal Data is shared with this service.
- Google Firebase (Crash Reporting and Push Notifications) — We use Google Firebase Crashlytics for crash reporting and Firebase Cloud Messaging for push notifications. Crashlytics collects technical crash data (stack traces, device state at time of crash, device model, OS version) to help us identify and fix bugs. Firebase Cloud Messaging processes device tokens necessary to deliver push notifications. Google processes this data in accordance with its data processing terms and applicable Standard Contractual Clauses. You may disable push notifications in your device settings at any time.
10.2 Law Enforcement and Legal Obligations
We may disclose your Personal Data to law enforcement agencies, regulatory authorities, courts, or other public bodies if we are required to do so by applicable law, regulation, or legal process (such as a valid court order, subpoena, or search warrant). In such cases, we will disclose only the minimum data necessary to comply with the legal obligation. Where legally permitted, we will notify you of any such request before disclosure. We will challenge any request that we believe to be overbroad, unlawful, or otherwise improper.
10.3 Business Transfers
In the event that White Hat Technology SRL undergoes a merger, acquisition, reorganisation, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you via email or a prominent notice within the App of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data.
11. International Data Transfers
Your Personal Data is primarily stored and processed within the European Union, specifically in Romania. We are committed to ensuring that any transfer of Personal Data outside the European Economic Area (EEA) is carried out in compliance with GDPR requirements.
11.1 Data Stored in the EU
Our primary database servers and application infrastructure are located in Romania, a member state of the European Union. The vast majority of your Personal Data never leaves the EU.
11.2 Google Firebase
Data processed through Google Firebase (crash reports and push notification tokens) may be transferred to and processed on Google servers located outside the EEA, including in the United States. These transfers are governed by Google’s Data Processing Terms, which incorporate the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism. Google also maintains additional certifications and safeguards, including the implementation of supplementary technical and organisational measures as recommended by the European Data Protection Board (EDPB).
11.3 ip-api.com
IP geolocation queries sent to ip-api.com involve the transmission of your IP address to servers that may be located outside the EEA. However, the only data transmitted is the IP address itself for the sole purpose of the geolocation lookup, and no other Personal Data is shared. The IP address is not retained by ip-api.com beyond the duration of the query.
If you have questions about the specific safeguards applied to international transfers of your data, please contact our DPO at dpo@whitehat.technology.
12. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights with respect to your Personal Data. These rights are not absolute and may be subject to limitations as provided for by applicable law:
- Right of Access (Article 15) — You have the right to obtain confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, to obtain access to the Personal Data together with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the envisaged retention periods, and the existence of your other rights. We will provide you with a copy of your Personal Data in a commonly used electronic format upon request.
- Right to Rectification (Article 16) — You have the right to obtain without undue delay the rectification of inaccurate Personal Data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. You may update certain account information directly within the App settings.
- Right to Erasure / Right to Be Forgotten (Article 17) — You have the right to obtain the erasure of Personal Data concerning you without undue delay where: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal basis for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased for compliance with a legal obligation. You may delete your account directly within the App, which will trigger the erasure process described in Section 9.
- Right to Restriction of Processing (Article 18) — You have the right to obtain restriction of processing where: you contest the accuracy of the Personal Data (for a period enabling us to verify accuracy); the processing is unlawful and you oppose erasure, requesting restriction instead; we no longer need the data but you require it for the establishment, exercise, or defence of legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours.
- Right to Data Portability (Article 20) — You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format (JSON or CSV), and you have the right to transmit that data to another controller without hindrance from us. This right applies where the processing is based on consent or contract performance and is carried out by automated means. We will provide your data export within 30 days of your request.
- Right to Object (Article 21) — You have the right to object, on grounds relating to your particular situation, at any time to the processing of Personal Data concerning you which is based on legitimate interests (Article 6(1)(f)). We shall no longer process the Personal Data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
- Right to Withdraw Consent (Article 7(3)) — Where processing is based on your consent, you have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent through the App settings, by contacting our DPO, or by using the unsubscribe mechanism in any marketing communication.
- Right to Lodge a Complaint with a Supervisory Authority — Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of Personal Data relating to you infringes the GDPR. The competent supervisory authority in Romania is ANSPDCP (see Section 18).
How to Exercise Your Rights
To exercise any of the rights described above, you may contact us by email at dpo@whitehat.technology or by postal mail at our registered address. To protect your privacy and security, we may take reasonable steps to verify your identity before fulfilling your request, such as confirming your email address or requesting additional information. We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. We do not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
13. Cookies & Tracking Technologies
13.1 Website
Our website at www.jumpssh.ro is served through Cloudflare, which may set strictly necessary cookies for security and performance purposes (such as DDoS protection and bot detection). We use Cloudflare Web Analytics for understanding website traffic and usage patterns. Cloudflare Web Analytics is a privacy-first analytics solution that does not use any client-side state (no cookies, no localStorage, no fingerprinting) and does not track individual visitors across sites. All analytics data is aggregated and anonymised. We do not use Google Analytics, Facebook Pixel, or any third-party tracking or remarketing technologies on our website.
13.2 Mobile Application
The Jump SSH mobile application does not use cookies, tracking pixels, web beacons, advertising SDKs, or any form of cross-app tracking technology. We do not participate in any mobile advertising network or programmatic advertising platform. The App does not use the Identifier for Advertisers (IDFA) on iOS or the Google Advertising ID (GAID) on Android. The App does not implement Apple’s SKAdNetwork or any attribution tracking framework.
14. Children’s Privacy
Jump SSH is a professional-grade SSH terminal application designed for system administrators, developers, and IT professionals. The Service is not designed for, directed at, or intended to be used by children under the age of 16 (or the applicable age of digital consent in your jurisdiction).
We do not knowingly collect, solicit, or process Personal Data from children under 16. We do not knowingly allow children under 16 to register for an account or use the Service. In compliance with the United States Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect Personal Data from children under the age of 13 in the United States.
If we become aware that we have collected Personal Data from a child under the applicable minimum age without verification of parental consent, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and you believe that your child has provided us with Personal Data without your consent, please contact us immediately at dpo@whitehat.technology. We will investigate and delete any such data within 48 hours of verification.
If you are under the age of 16, please do not attempt to register for an account, provide any Personal Data to us, or use the Service. If you are between 16 and 18 years of age, we recommend that you review this Privacy Policy with a parent or guardian before using the Service.
15. Data Breach Notification
We take data security incidents extremely seriously. In the event of a Personal Data Breach, we follow a rigorous incident response protocol in full compliance with GDPR Articles 33 and 34:
15.1 Notification to Supervisory Authority
In the event of a Data Breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (ANSPDCP) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. If notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The notification will include the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
15.2 Notification to Affected Users
When a Data Breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will communicate the breach to the affected Data Subjects without undue delay. This notification will be delivered via email to the registered email address associated with your account, as well as through an in-App notification upon next login. The notification will describe in clear and plain language the nature of the breach, the name and contact details of our DPO, the likely consequences of the breach, and the measures we have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects.
15.3 Documentation and Post-Incident Review
We maintain a comprehensive internal breach register documenting all Personal Data Breaches, regardless of whether they trigger the notification obligations above. This register includes the facts relating to the breach, its effects, and the remedial action taken. Following any significant security incident, we conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement additional safeguards to prevent recurrence.
16. Automated Decision-Making and Profiling
Jump SSH does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR.
Specifically, we do not use algorithms or artificial intelligence to make decisions about your access to the Service, the features available to you, or the terms under which the Service is provided. We do not create profiles about you based on your usage patterns for the purpose of making automated decisions. We do not use scoring, ranking, or classification systems that affect your rights or interests. All decisions that may significantly affect you (such as account suspension or termination) are made by human administrators with appropriate oversight and review processes. You will always have the right to obtain human intervention, to express your point of view, and to contest any decision that affects you.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.
17.1 Notification of Changes
For minor changes (such as typographical corrections, formatting updates, or clarifications that do not materially affect data processing), we will update the “Last updated” date at the top of this Policy. For material changes that significantly affect how we collect, use, or share your Personal Data, we will provide you with prominent notice before the changes take effect. This notice may be provided through an in-App notification or alert, via email to the address associated with your account, through a prominent banner or notice on our Website, or through the App update notes in the app stores.
17.2 Material Changes and Re-Consent
Where material changes expand the scope of data collection, introduce new categories of data processing, or change the purposes for which your data is used, we will seek your renewed consent before applying such changes to your existing data. If you do not consent to material changes, you may continue to use the Service under the terms of the previous version of this Policy, or you may choose to delete your account.
17.3 Version History
We maintain a version history of this Privacy Policy. Previous versions of this Policy are available upon request by contacting our DPO at dpo@whitehat.technology.
- Version 1.0 — April 11, 2026 (initial publication)
18. Supervisory Authority
If you believe that our processing of your Personal Data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. As White Hat Technology SRL is established in Romania, our lead supervisory authority is:
ANSPDCP — Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
(National Supervisory Authority for Personal Data Processing)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work, if different from Romania. We kindly request that you contact us first at dpo@whitehat.technology so that we may attempt to address your concerns directly before you escalate to a supervisory authority.
19. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy, our data protection practices, or if you wish to exercise any of your rights as a Data Subject, you may contact us through any of the following channels:
General Inquiries
White Hat Technology SRL
Email: support@jumpssh.ro
Website: www.jumpssh.ro
Data Protection Officer
Email: dpo@whitehat.technology
Response Time Commitments:
- General privacy inquiries: We will acknowledge receipt within 5 business days and provide a substantive response within 30 calendar days.
- Data Subject rights requests (access, erasure, portability, etc.): We will respond without undue delay, and in any event within one calendar month of receipt, in accordance with GDPR Article 12(3). This period may be extended by up to two additional months where necessary, taking into account the complexity of the request.
- Data breach notifications to affected users: Without undue delay, and in accordance with the procedures described in Section 15.
- Complaints: We will acknowledge receipt within 5 business days and provide a substantive response within 30 calendar days.
We are committed to resolving any privacy concerns or disputes you may have. If you are not satisfied with our response, you have the right to escalate your complaint to the supervisory authority as described in Section 18.
This Privacy Policy was last updated on April 11, 2026, is effective as of April 11, 2026, and constitutes Version 1.0 of the Jump SSH Privacy Policy.