Privacy Policy

Last updated: March 10, 2026

1. Introduction

Jarble, Corp. ("we", "us", "our") operates the Jarble platform at jarble.ai. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We believe in transparency about our data practices and collect only what is necessary to operate the Service.

2. Data We Collect

Account Data

When you create an account via Auth0, we store your email address, display name, and Auth0 user ID. If you subscribe to a paid plan, we also store your Stripe customer ID.

Deployment Configuration

For each bot deployment you create, we store: bot name, description, system prompt, selected LLM provider and model, and platform connection settings.

Credentials (Encrypted)

LLM API keys and messaging platform tokens are encrypted using AES-256-GCM before storage. These are used solely to operate your deployments and can be deleted at any time.

Chat Data

We store user messages and bot responses for your web chat sessions, along with session metadata (creation time, session title). UI component blocks are stripped before storage to minimize data retained. Chat data is stored to enable conversation history and session continuity.

Marketplace Data

If you publish or install marketplace components, we store creator profiles, component metadata, reviews, and installation records.

Usage Analytics

We use PostHog for product analytics (page views, feature usage). Analytics are collected in identified-only mode, meaning only authenticated users are tracked. We do not track anonymous visitors.

Error Monitoring

We use Sentry for error tracking and performance monitoring. Sentry captures JavaScript errors and performance traces at a 10% sampling rate to help us identify and fix issues.

Beta Signup Data

If you apply for beta access, we collect your name, email address, experience level, and use case description.

3. How We Use Your Data

We use your data for the following purposes:

Operate the Service: Create and manage your account, process deployments, connect to messaging platforms, and proxy LLM requests
Process payments: Handle subscription billing and payment processing through Stripe
Transactional emails: Send account-related notifications (e.g., password resets, billing confirmations)
Reliability monitoring: Identify and fix bugs, monitor system performance, and ensure service stability
Usage analytics: Understand how users interact with the platform to improve the product

We never sell your data. We never use your chat data to train AI models.

4. Legal Basis (GDPR Art. 6)

We process your personal data under the following legal bases:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for - account management, deployment operations, payment processing
Legitimate interest (Art. 6(1)(f)): Error monitoring, security, fraud prevention, and product improvement - where our interest does not override your rights
Consent (Art. 6(1)(a)): Analytics tracking, marketing communications - which you may withdraw at any time

5. Data Storage & Security

We take the security of your data seriously. Our measures include:

Infrastructure: Kubernetes cluster hosted on Hetzner Cloud in the EU (Germany), with isolated containers per deployment
Encryption at rest: All sensitive credentials encrypted with AES-256-GCM
Container security: Non-root containers, all Linux capabilities dropped, service account tokens disabled
Network security: Network policies restrict container egress to only necessary endpoints (LLM APIs, messaging platforms, DNS)
Authentication: Stateless JWT tokens verified via JWKS (no persistent session cookies). Tokens are short-lived and validated on every request
RBAC: Users can only access their own deployments. All API endpoints enforce ownership checks

6. Data Retention

Account data: Retained while your account is active. Deleted upon request after account termination
Chat data: Retained while the associated deployment exists. Deleted when the deployment is deleted
Credentials: Deleted immediately when you remove them from the dashboard or when a deployment is deleted
Analytics data: Retained per PostHog and Sentry default retention policies
Billing data: Retained as required by applicable tax and financial regulations
Beta signup data: Retained until the beta program concludes, then deleted unless you create an account

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate or incomplete data
Right to erasure: Request deletion of your personal data ("right to be forgotten")
Right to data portability: Receive your data in a structured, machine-readable format
Right to restrict processing: Request that we limit how we use your data
Right to object: Object to processing based on legitimate interest
Right to withdraw consent: Withdraw consent for analytics or marketing at any time

To exercise any of these rights, contact us at privacy@jarble.ai. We will respond within 30 days.

8. EU AI Act Considerations

Jarble is a deployment platform, not an AI model provider. With respect to the EU AI Act:

We do not develop or train AI models - users choose their own LLM provider
Users configure their own system prompts and guardrails for bot behavior
We apply platform-level safety defaults, but users retain responsibility for their deployment configurations
No automated decisions with legal or similarly significant effects are made by the platform itself
We provide transparency about which AI providers are used and how messages are routed

9. Data Minimization

We actively minimize the data we collect and retain:

UI component blocks are stripped from chat messages before storage - only the text content is retained
Chat session titles are auto-generated from the first user message and truncated
Sentry error monitoring uses a 10% sampling rate, capturing only a fraction of events
PostHog analytics operates in identified-only mode - no anonymous visitor tracking
We collect only the data fields necessary to operate each feature

10. Children's Privacy

Jarble is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.

11. International Data Transfers

Our infrastructure is hosted in the EU (Hetzner Cloud, Germany). However, some of our third-party processors are located in the United States (Auth0, Stripe, Sentry, Neon, Vercel).

Where data is transferred outside the EU/EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) as adopted by the European Commission, and the processors' compliance with applicable data protection frameworks.

12. Cookies

Jarble does not use persistent tracking cookies. Authentication is handled via stateless JWT tokens stored in memory.

Third-party services integrated into the platform (Auth0, PostHog, Sentry) may set their own cookies as described in their respective privacy policies. We recommend reviewing those policies for details.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice on the Service, and update the "Last updated" date at the top of this page.

Your continued use of Jarble after changes are posted constitutes acceptance of the updated policy.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

privacy@jarble.ai

Jarble, Corp.
State of Delaware, United States