Privacy Policy

Last updated: 2026-02-16

1. Introduction

Jugg.ai (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. This policy complies with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

Jugg.ai is the data controller for personal data processed through this platform. For questions about this policy or your data rights, contact our Data Protection Officer at privacy@jugg.ai.

3. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, and authentication credentials (managed by Auth.js)
  • GitHub data: access tokens (encrypted at rest), repository URLs, and installation IDs
  • Usage data: projects created, pipeline runs, features, credit transactions
  • Technical data: IP address, user agent, browser type, and device information
  • Billing data: Stripe customer ID, credit balance, transaction history

4. Purpose of Processing

We process your data for the following purposes:

  • Service delivery: To operate the AI agent pipeline and manage your projects (lawful basis: contract)
  • Authentication: To verify your identity and manage access (lawful basis: contract)
  • Billing: To process payments and manage credits (lawful basis: contract)
  • Security: To detect and prevent fraud, abuse, and security threats (lawful basis: legitimate interest)
  • Compliance: To maintain audit logs for SOC 2 compliance (lawful basis: legitimate interest)
  • Analytics: To understand usage patterns and improve the service (lawful basis: consent)
  • Marketing: To send product updates and relevant communications (lawful basis: consent)

5. Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Audit logs: Retained for 2 years for SOC 2 compliance.
  • Billing data: Retained for 7 years as required by financial regulations.
  • Usage data: Retained while your account is active. Deleted with account deletion.
  • Technical data: Retained for 90 days for security and debugging purposes.

6. Third-Party Processors

We share data with the following third-party processors:

  • Auth.js — self-hosted authentication (no third-party data transfer)
  • Anthropic — AI model processing for agent operations (USA)
  • Neon — database hosting (USA/EU)
  • Vercel — application hosting and deployment (USA, global CDN)
  • GitHub — repository access and code management (USA)
  • Stripe — payment processing (USA, PCI DSS compliant)
  • Inngest — background job processing (USA)

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access: Request a copy of your personal data.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your data. Use the “Delete My Account” button in Settings, or contact us.
  • Right to restrict processing: Request we limit how we use your data.
  • Right to data portability: Receive your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Withdraw consent at any time via the consent settings in your account.

To exercise any of these rights, email privacy@jugg.ai or use the in-app controls in your account Settings.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including: encryption at rest (AES-256-GCM) for sensitive fields such as GitHub tokens, encryption in transit (TLS 1.3), access controls and audit logging, regular security audits, and rate limiting on all endpoints.

9. Cookies

We use essential cookies for authentication (managed via secure HTTP-only cookies) and optional analytics cookies subject to your consent. You can manage your cookie preferences in the consent settings of your account.

10. International Transfers

Some of our third-party processors operate outside the EEA. We ensure adequate safeguards through EU Standard Contractual Clauses (SCCs) and adequacy decisions where available.

11. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of any material changes via email or in-app notification. Your continued use of the platform constitutes acceptance of the updated policy.