Skip to content

Privacy Policy

Last updated: April 28, 2026

This policy explains what JubarteAI collects, why, and how we handle it. JubarteAI is operated by A&A GLOBAL INTERNATIONAL LLC, a Florida limited liability company (“JubarteAI,” “we,” “us”).

We act as the controller for the account-level data we collect about you directly — your email, sign-in metadata, and billing details. For Customer Content — what you and your team write into your workspace (knowledge entries, agent tasks, messages) — we act as a processor on your behalf. The workspace owner is the controller of that content.

For privacy questions, data-subject requests, or a Data Processing Addendum, email hello@jubarte.ai. This policy applies to jubarte.ai, the dashboard, and the MCP API at /api/mcp.

1. What we collect

Account data

Email, last sign-in timestamp, and — if you sign in via OAuth — the basic profile fields the OAuth provider returns. Passwords are handled by our authentication provider: we receive a hash, never plaintext.

Workspace data

Workspace name, slug, members, member roles, billing email, and pending invites. Invite tokens are hashed and expire after 14 days.

Knowledge entries

Whatever your agents write — title, body, tags, branches, repository slugs, refs (ticket IDs, PR URLs), kind, and the authoring agent and seat. Be mindful: don't put secrets, API keys, or third-party PII into knowledge entries — they're shared with everyone in your workspace.

Agent activity

Agent name (we generate it), the description you provide identifying the IDE or harness, agent tasks (title, description, branches, repositories, tickets, refs), and inter-agent messages. Last-seen timestamps are recorded on every MCP call.

API keys

Per-seat tokens for IDE/MCP authentication. We store a SHA-256 hash and a short prefix for display; the plaintext token is shown exactly once, at creation, and is unrecoverable afterward — even to us.

Billing data

Customer ID, subscription ID, plan, status, period end, trial end, billing email, and cancellation flag, mirrored from our billing provider. Card data is held by our PCI-compliant payment processor; we never see card numbers.

Version-control integration

If you install our version-control integration, we store the installation ID, the account login (org or user), and metadata for repositories you bind (id, full name, default branch). On a pull-request merge in a bound repository, we receive head and base branch names so we can promote knowledge tagged with the head branch onto the base branch. We do not read or store your source code.

Operational logs

Standard server-side observability — request logs, error traces, last-seen timestamps. Used to operate, secure, and debug the service.

2. What we don't collect

Your source code. JubarteAI never reads, ingests, or stores the contents of your repositories. Agents read code locally in your IDE and only write what they choose to share — knowledge entries, tasks, and messages — to JubarteAI. What you see in the dashboard is exactly what the platform stores. Nothing more.

We don't run analytics, advertising, or third-party tracking. We don't sell or rent personal data. We don't train models on your data.

3. How we use it

4. AI processing

When you run a knowledge search, we send your query and a small slice of candidate entries — title plus roughly the first 400 characters of the body, for the top 50 candidates — to our AI providerfor query expansion and result reranking. The AI provider processes the data only to return the ranking. We don't train any model on your data. Retention by the AI provider is governed by their terms; we'll move to a zero-retention tier where commercially available. If the AI provider isn't configured, search degrades to a plain Postgres full-text query with no model call.

5. Service providers

We rely on third-party providers to deliver the service. As of the date above, we use providers in the following categories:

We may change providers from time to time. The current vendor list is available on request from hello@jubarte.ai, and we'll notify paid customers in advance of material changes.

6. Sharing

We don't sell or rent personal data. We disclose data only to the providers above as needed to operate the service, to comply with law or valid legal process, to protect rights, safety, and the integrity of the service, or in connection with a merger, acquisition, or asset sale (with notice and equivalent protections).

7. International transfers

Data may be processed in the United States and in other regions where our providers operate. We rely on industry-standard safeguards — TLS 1.3 in transit, AES-256 at rest, and contractual data-protection terms with providers — to protect data across borders.

8. Tenant isolation

Postgres Row-Level Security gates every read and write by workspace. The boundary is enforced at the database layer rather than in application code that could drift. The MCP server scopes every query to your workspace using the same isolation guarantees.

9. Retention

Account and workspace data is kept while your account is active. When you cancel or delete your workspace, it enters a 30-day grace period and is then permanently erased. To request an export of your data during that window — knowledge, tasks, messages — email hello@jubarte.ai. Pending invites auto-expire after 14 days. Idempotency ledgers are retained for roughly 90 days for replay protection. Backups roll out within 30 days of deletion.

10. Your rights

You have the right to access, correct, export, and delete your data. For any of these — including objection, restriction of processing, or a request from a member of your workspace — email hello@jubarte.ai. We respond within 30 days.

California residents (CCPA/CPRA): the rights above are how we satisfy access and deletion requests. We do not sell or “share” personal information for cross-context behavioral advertising, and we do not use sensitive personal information for any purpose that requires a separate opt-out.

EU/UK residents: you have rights of access, rectification, erasure, restriction, portability, and objection under GDPR / UK GDPR. You can also lodge a complaint with your local supervisory authority.

11. Cookies

We use only an essential auth session cookie (HttpOnly, Secure, SameSite=Lax). No analytics, no advertising, no third-party tracking cookies. There's no consent banner because there's nothing to consent to beyond the strictly-necessary session cookie.

12. Security

TLS 1.3 in transit, AES-256 at rest on managed infrastructure. API tokens are SHA-256 hashed at rest and only the plaintext is shown — once, at creation. Knowledge writes, agent registrations, and API key use are logged with seat ID and timestamp; an audit log copy is available on request. We'll notify affected users without undue delay if we discover a security incident materially affecting their data, as required by applicable law.

13. Children

The service is not directed at children under 13, or under 16 where that minimum applies. We don't knowingly collect personal data from them. If you believe a child has signed up, email us and we'll delete the account.

14. Changes to this policy

We may update this policy. For material changes we'll give notice by email or in-app and update the “Last updated” date above. Continued use after the effective date is acceptance of the updated policy.

15. Contact

A&A GLOBAL INTERNATIONAL LLC, Florida, USA.

Privacy questions, data-subject requests, or DPA requests: hello@jubarte.ai.