Privacy Policy

Last updated: 25 June 2026

1. Who we are and the scope of this policy

This Privacy Policy explains how JWBN Ltd ("JWBN", "we", "us" or "our") collects, uses, shares and protects personal data. JWBN Ltd is a private limited company registered in the Republic of Cyprus under registration number HE 484041, with its registered office at 5 Artemidos Ave., Artemidos Tower, 8th Floor, 6020 Larnaca, Cyprus.

JWBN is a business-to-business marketing and management agency for content creators. We provide services to creators and their businesses, including account and platform management, marketing and social strategy, content production and photoshoots, collaborations and partnerships, and brand deals and sponsorships.

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the Cyprus Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data (Law 125(I)/2018), JWBN Ltd is the data controller of the personal data described in this policy.

This policy applies to personal data we process through our website at jwbn.org and in the course of providing our services. Where we act as a processor on behalf of a client (for example, when managing a creator's third-party platform accounts on their instructions), the relevant data processing is governed by our written engagement agreement with that client rather than by this policy.

2. The personal data we collect

We collect and process the following categories of personal data.

• Website contact-form data. When you submit our contact form, we collect the name, email address and message content you provide, together with any other information you choose to include in your message.
• Client and business-contact data. In the course of discussing, agreeing and delivering our services, we process the personal data of clients and their representatives, such as names, business and personal email addresses, telephone numbers, job titles, billing and invoicing details, and the contents of our correspondence and meetings with you.
• Service-delivery data. Where relevant to an engagement, we process information needed to deliver our services, such as social-media account details and credentials provided to us by the client, campaign and performance information, content and creative materials, and details of brand partners and collaborators.
• Technical and essential-storage data. Our website uses only essential first-party storage. Specifically, we store a cookie-consent preference key in your browser to remember your cookie choice. We do not currently operate analytics or advertising cookies. See our Cookie Policy for details.

We do not intentionally collect special categories of personal data (such as data revealing health, religious beliefs or political opinions) through our website. Please do not include such information in contact-form messages.

3. How we collect personal data

We collect personal data directly from you when you contact us, enquire about our services, enter into an engagement with us, or correspond with us. We also receive personal data from clients in connection with the services we deliver on their behalf, and we may receive limited information from third parties such as brand partners, platforms and payment or invoicing providers in the ordinary course of business.

4. How we use personal data and our lawful bases

We process personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The lawful bases we rely on are set out below.

• Performance of a contract (Article 6(1)(b)). To respond to enquiries that are a step towards entering an engagement, to negotiate and conclude engagement agreements, to deliver our services, to manage our client relationship and to administer billing and invoicing.
• Legitimate interests (Article 6(1)(f)). To operate, secure and improve our website and business; to respond to general enquiries; to manage and develop relationships with clients, brand partners and collaborators; to keep records of our dealings; and to establish, exercise or defend legal claims. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to this processing as described in section 9.
• Compliance with a legal obligation (Article 6(1)(c)). To comply with our legal and regulatory obligations, including accounting, tax and record-keeping requirements under Cyprus and EU law, and to respond to lawful requests from competent authorities.
• Consent (Article 6(1)(a)). Where we ask for your consent for a specific purpose (for example, optional communications). You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

Because we operate on a business-to-business basis, much of the personal data we process relates to individuals in their professional or business capacity, including sole traders and individual creators.

5. Sharing your personal data and third-party processors

We do not sell your personal data. We share personal data only where necessary for the purposes set out above, with the following categories of recipients.

• Service providers and processors who process personal data on our behalf and under our instructions, such as our website host and form provider (Netlify), email and productivity providers, and accounting, invoicing and professional advisers. Our website contact form is processed using Netlify Forms, which stores submissions on our behalf.
• Brand partners, platforms and collaborators, where sharing is necessary to deliver an engagement and is consistent with our instructions from the relevant client.
• Competent authorities, regulators and advisers, where we are required to share data to comply with the law, enforce our agreements, or protect our rights, property or safety.

We put in place written agreements with our processors that require them to protect personal data and to process it only on our instructions, as required by Article 28 of the GDPR.

6. International transfers

Some of our service providers, including our website and form host (Netlify), may process personal data outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we ensure an appropriate safeguard is in place, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required following the Court of Justice of the European Union's judgment in Case C-311/18 ("Schrems II"), or transfers to a country covered by a European Commission adequacy decision. You may request further information about these safeguards using the contact details in section 14.

7. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected, and to meet our legal, accounting and regulatory obligations.

• Contact-form messages are retained for as long as needed to deal with your enquiry and for a reasonable period afterwards, after which they are deleted or anonymised unless they have become part of a client relationship.
• Client and engagement records are retained for the duration of the engagement and for a period afterwards consistent with applicable limitation periods and our statutory record-keeping obligations (including accounting and tax records, which under Cyprus law are generally retained for at least six years).

When personal data is no longer required, we securely delete or anonymise it.

8. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include access controls, use of reputable service providers, and limiting access to personal data to those who need it. No method of transmission or storage is completely secure, but we work to protect your information and to maintain its confidentiality.

9. Your rights

Subject to the conditions and exceptions in the GDPR and Law 125(I)/2018, you have the following rights in relation to your personal data.

• Right of access — to obtain confirmation of whether we process your data and a copy of it.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to have your data deleted in certain circumstances ("right to be forgotten").
• Right to restriction of processing — to limit how we use your data in certain circumstances.
• Right to data portability — to receive certain data in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and carried out by automated means.
• Right to object — to object to processing based on our legitimate interests, on grounds relating to your particular situation.
• Right to withdraw consent — where we rely on consent, you may withdraw it at any time.

10. How to exercise your rights

To exercise any of your rights, please contact us at [email protected]. We may need to verify your identity before responding. We will respond without undue delay and within one month of receiving your request, although this period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will tell you if an extension applies. Exercising these rights is normally free of charge, but we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, as permitted by law.

11. Right to lodge a complaint

If you have concerns about how we handle your personal data, we encourage you to contact us first so that we can try to resolve them. You also have the right to lodge a complaint with the supervisory authority in Cyprus:

Office of the Commissioner for Personal Data Protection of the Republic of Cyprus
15 Kypranoros Street, 1061 Nicosia, Cyprus
Telephone: +357 22 818 456
Email: [email protected]
Website: dataprotection.gov.cy

If you are located in another EEA country, you may also lodge a complaint with your local supervisory authority.

12. California privacy notice (CPRA)

This section applies to residents of California to the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CPRA"), applies to our processing. We do not sell your personal information, and we do not share your personal information for cross-context behavioural advertising, as those terms are defined under the CPRA. We collect and use personal information only for the business purposes described in this policy. California residents may contact us at [email protected] with any privacy request, and we will not discriminate against you for exercising your rights.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational or regulatory reasons. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review it periodically.

14. Contact us

If you have any questions about this Privacy Policy or our handling of your personal data, please contact us:

JWBN Ltd
5 Artemidos Ave., Artemidos Tower, 8th Floor, 6020 Larnaca, Cyprus
Email: [email protected]