Privacy · last updated July 5, 2026
Privacy Policy
Jaagaa is built around a simple promise: your customer data stays in yourcloud account. We don't want a copy and we've designed the platform so we can't see in.
1. The model in one paragraph
Each Jaagaa app runs on a Cloudflare account that you own (BYO) — or, during a trial, on an isolated, short-lived Cloudflare account from our pool. Your application data (customers, files, messages, settings) lives in that account's D1 database and R2 bucket. We never copy that data to our own servers. Our platform only stores the small amount of metadata required to operate the control plane (your account email, app slugs, provisioning logs, billing records).
2. What we collect & why
We collect only the data we need to run the platform. Specifically:
- Account info: your email, name, and OAuth identity (Google or GitHub) — used to sign you in and to scope your apps.
- Cloud credentials: encrypted Cloudflare API tokens you supply — used to deploy and update your apps. Encrypted at rest with a key not stored alongside the ciphertext.
- Deployment metadata: app slugs, primary apex, hosting mode (BYO/trial), provisioning status, installed release SHA — used to render the operator console and to push updates.
- Billing: Stripe customer id, plan, subscription status — used to bill paid plans. We do not store your card details; Stripe does.
- Operational logs: deploy logs, error traces (without customer-data payloads) — used to debug failed deployments. Retained 30 days then deleted.
- Marketing analytics: anonymized pageview counts on jaagaa.ai — used to understand which pages are useful. No cross-site cookies.
3. What we do not collect
- Your application's customer data, files, or messages. They live in your cloud account; we have no copy, no backup, no analytics on them.
- AI prompts and outputs from your tenants. Those go directly from your Worker to your AI provider, with your AI keys.
- Anything we don't need. We avoid creating data that we'd have to protect.
4. Who we share with
We don't sell or rent your data. We share narrowly with the subprocessors required to run the platform:
- Cloudflare — your apps and ours run there.
- OVH — our control-plane backend (jg-api) is hosted on OVH dedicated servers in Europe.
- Stripe — billing and payments.
- Resend — transactional email (sign-in links, deploy completions).
- Google / GitHub — OAuth sign-in (only if you choose those providers).
Each subprocessor is bound by its own data-protection terms. We don't add new ones without updating this page first.
5. Security
- All traffic between you, Jaagaa, and your cloud is HTTPS.
- API tokens are encrypted at rest with a key stored separately from the ciphertext.
- Sessions use signed HMAC cookies scoped to the jaagaa.ai domain; we don't store session state on third parties.
- We follow least-privilege: our staff have no standing access to production data.
6. Your rights
Depending on where you live (GDPR, CCPA, UK GDPR, etc.) you have rights including access, correction, deletion, and portability. Because your application data is already in your cloud account, exercising portability is usually just exporting from your provider. For control-plane data (your account, billing, deployment metadata), email [email protected]with your request and we'll respond within 30 days.
7. Children
Jaagaa is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, contact us and we'll delete it.
8. International transfers
Control-plane data is processed in the European Union (OVH datacenters). Customer data stays wherever Cloudflare provisions it for your account, which you choose when you sign up for Cloudflare.
9. Changes
We may update this policy. Material changes will be announced at least 14 days before they take effect via the console banner and the email on your operator account.
10. Contact
Privacy questions, requests, or concerns: [email protected]. Our data-protection lead reads this inbox.