Privacy Policy
Last updated: 2026-05-11.
This policy describes how theAIstep (operator of jagora.dev and the connected services listed in §2) handles personal data. We aim to collect the minimum we need to operate the service, and to be explicit when we go beyond that.
1. Who we are
theAIstep is the legal entity behind the Jagora platform and the sibling services (Zelo, Ushahidi, Oluso, Codemap, Lisaba, Sawabona, Kumbukumbu). Contact: hello@jagora.dev.
2. Scope
This policy covers the marketing websites listed above and the managed SaaS services accessible through them. Self-hosted installations of our open-source software run entirely on your infrastructure and are not in scope — theAIstep has no visibility into them.
3. Data we collect
3.1 Anonymous web analytics
When you visit any of the marketing websites, we may record aggregated analytics: page views, referrers, country (from IP, not the IP itself), browser, and device class. We do not use third-party tracking pixels or advertising cookies.
3.2 Account data (managed SaaS)
If you create an account on a managed SaaS service:
- Email address (for authentication and transactional email)
- Display name (optional, for billing receipts)
- Organization / company name (optional)
- Billing address and VAT number (when applicable for invoicing)
3.3 Payment data
Payment is processed by our payment provider (Stripe by default; other providers may apply depending on the product, see Sawabona payment providers). We do not store card numbers or payment credentials on our servers — the provider holds them.
3.4 Service usage data
When you use a managed SaaS, we record the operations needed for the service to function: API calls, license validations, quota consumption, error rates. This data is keyed to your account and used for service operation, support, and billing.
3.5 Audit and evidence data
Some products (Ushahidi-saas, Kumbukumbu premium memory types, Oluso evidence) generate cryptographically signed audit records on your behalf. These records belong to you — we hold them for the retention period you choose, and you can export them at any time. We do not analyze the content of your audit records for any purpose other than the operational integrity check that signing requires.
4. Why we collect it
- Operate the service. Authentication, license validation, quota enforcement, billing.
- Support. Respond to your requests, diagnose issues you report.
- Security. Detect abuse, rate-limit, audit our own access to your data.
- Compliance. Tax records, payment compliance, lawful requests.
- Product improvement. Aggregated, de-identified usage patterns — never per-user content analysis.
5. What we do not do
- We do not sell your data.
- We do not train AI models on the content of your accounts, audit records, memory contents, or licensed code.
- We do not run third-party advertising trackers on the marketing sites.
- We do not access self-hosted installations of our open-source software.
6. Cookies
The marketing sites use only the cookies strictly necessary for them to function (session, theme preference, language preference). No analytics or advertising cookies. Managed SaaS dashboards may set additional session cookies after authentication.
7. Data location and retention
Managed SaaS data is stored in EU data centers by default. Customers on the Sovereignty tier can request specific regions and self-hosted deployment. Account data is retained as long as your account is active, then 12 months after closure for tax and dispute purposes. Audit records are retained per the retention period configured in your tier; on plan downgrade, retention drops to the new tier's window.
8. Sub-processors
We use the following sub-processors. Each is bound by a data-processing agreement:
- Stripe (and other payment providers, where applicable) — payment processing.
- Netcup / Railway — hosting and infrastructure.
- Cloudflare — edge networking and TLS.
- Transactional email provider — account notifications.
The current list is available on request. Material changes are announced at least 30 days in advance to active customers.
9. Your rights (GDPR and equivalent)
You have the right to access, rectify, export, restrict the processing of, and erase your personal data. You can also object to processing where we rely on legitimate interest. To exercise any of these rights, write to hello@jagora.dev. We respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.
10. Security
Account data is encrypted at rest (Fernet AES-128-CBC + HMAC-SHA256) on managed SaaS. Transport is TLS 1.2+ only. License keys are stored as key_hash; plaintext is shown to you once at creation/rotation/transfer and never re-emitted. We disclose breaches that affect your personal data within 72 hours of discovery.
11. Children
Our services are not intended for users under 16. We do not knowingly collect data from children.
12. Changes
Material changes to this policy will be announced via email to active account holders at least 30 days before they take effect, and the “Last updated” date above will be revised.
13. Contact
For privacy questions or to exercise your rights: hello@jagora.dev.