Privacy Policy
Last updated: 2026-05-11.
This policy describes how theAIstep (operator of kumbukumbu.dev and the Kumbukumbu managed memory service) handles personal data. We aim to collect the minimum we need to operate the service, and to be explicit when we go beyond that.
1. Who we are
theAIstep is the legal entity behind Kumbukumbu — the open-core memory infrastructure for AI (ASMIS engine, Rust-powered RAG, native knowledge graphs, 3D visualization, autonomous optimization). Contact: hello@kumbukumbu.dev.
theAIstep also operates other brands under separate domains (jagora.dev, lisaba.dev, sawabona.dev); each publishes its own privacy policy. This one covers Kumbukumbu only.
2. Scope
This policy covers the kumbukumbu.dev marketing website, the Kumbukumbu
documentation, and the Kumbukumbu managed memory service. Self-hosted installations
of the Kumbukumbu Apache-2.0 engines (ASMIS, RAG, Viz, Sidekick) run entirely on your
infrastructure and are not in scope — we have no visibility into them.
3. Data we collect
3.1 Anonymous web analytics
When you visit kumbukumbu.dev, we may record aggregated analytics: page views, referrers, country (derived from IP, not the IP itself), browser, device class. No third-party tracking pixels or advertising cookies.
3.2 Account data (managed service)
If you create an account on the Kumbukumbu managed service:
- Email address (authentication, transactional email)
- Display name (optional, for billing receipts)
- Organization / company name (optional)
- Billing address and VAT number (when applicable for invoicing)
3.3 Memory contents and embeddings
The Kumbukumbu managed service stores the memory records you submit (text, embeddings, knowledge-graph edges, metadata). This data belongs to you. We store it to deliver the service and do not read its content for any other purpose. The premium memory types (regulatory_evidence, audit_trail, signed_intent) are treated with the same care as standard types but benefit from immutability and cryptographic-signature guarantees described in §10.
3.4 Payment data
Payment is processed by Stripe (and other providers, depending on the SKU). We do not store card numbers or payment credentials on our servers — the provider holds them.
3.5 Service usage data
We record the operations needed for the service to function: API calls, embedding generations, search queries (metadata only, not the natural-language content), quota consumption, error rates. This data is keyed to your account and used for service operation, support, and billing.
4. Why we collect it
- Operate the service. Authentication, memory operations, quota enforcement, billing.
- Support. Respond to your requests, diagnose issues you report.
- Security. Detect abuse, rate-limit, audit our own access to your data.
- Compliance. Tax records, payment compliance, lawful requests.
- Product improvement. Aggregated, de-identified usage patterns — never per-tenant content analysis.
5. What we do not do
- We do not sell your data.
- We do not train AI models on the content of your memory records or your embeddings.
- We do not run third-party advertising trackers on kumbukumbu.dev.
- We do not access self-hosted installations of the Kumbukumbu engines.
6. Cookies
The marketing site uses only the cookies strictly necessary for it to function (session, theme preference, language preference). No analytics or advertising cookies. The managed-service dashboard sets session cookies after authentication.
7. Data location and retention
Managed-service data is stored in EU data centers by default. Customers on the Sovereignty tier can request specific regions, multi-region replication, or on-premise deployment. Account data is retained as long as your account is active, then 12 months after closure for tax and dispute purposes. Memory records are retained per the retention configured by your tier; on plan downgrade, retention drops to the new tier's window.
8. Sub-processors
- Stripe (and other payment providers, where applicable) — payment processing.
- Netcup / Railway — hosting and infrastructure.
- Cloudflare — edge networking and TLS.
- Transactional email provider — account notifications.
The current list is available on request. Material changes are announced at least 30 days in advance to active customers.
9. Your rights (GDPR and equivalent)
You have the right to access, rectify, export, restrict the processing of, and erase your personal data. To exercise any of these rights, write to hello@kumbukumbu.dev. We respond within 30 days.
10. Security
Account data is encrypted at rest (Fernet AES-128-CBC + HMAC-SHA256) on managed tiers (ALCHEMY and above). Transport is TLS 1.2+ only. The audit_trail memory type is append-only and tamper-evident. The signed_intent memory type carries a cryptographic co-signature. We disclose breaches that affect your personal data within 72 hours of discovery.
11. Children
Our services are not intended for users under 16. We do not knowingly collect data from children.
12. Changes
Material changes to this policy will be announced via email to active account holders at least 30 days before they take effect, and the “Last updated” date above will be revised.
13. Contact
For privacy questions or to exercise your rights: hello@kumbukumbu.dev.