Privacy Policy

Last updated: 2026-05-11.

This policy describes how theAIstep (operator of kumbukumbu.dev and the Kumbukumbu managed memory service) handles personal data. We aim to collect the minimum we need to operate the service, and to be explicit when we go beyond that.

1. Who we are

theAIstep is the legal entity behind Kumbukumbu — the open-core memory infrastructure for AI (ASMIS engine, Rust-powered RAG, native knowledge graphs, 3D visualization, autonomous optimization). Contact: hello@kumbukumbu.dev.

theAIstep also operates other brands under separate domains (jagora.dev, lisaba.dev, sawabona.dev); each publishes its own privacy policy. This one covers Kumbukumbu only.

2. Scope

This policy covers the kumbukumbu.dev marketing website, the Kumbukumbu documentation, and the Kumbukumbu managed memory service. Self-hosted installations of the Kumbukumbu Apache-2.0 engines (ASMIS, RAG, Viz, Sidekick) run entirely on your infrastructure and are not in scope — we have no visibility into them.

3. Data we collect

3.1 Anonymous web analytics

When you visit kumbukumbu.dev, we may record aggregated analytics: page views, referrers, country (derived from IP, not the IP itself), browser, and device class. We use no third-party tracking pixels or advertising cookies.

3.2 Account data (managed service)

If you create an account on the Kumbukumbu managed service:

3.3 Memory contents and embeddings

The Kumbukumbu managed service stores the memory records you submit (text, embeddings, knowledge-graph edges, metadata). This data belongs to you. We store it to deliver the service and do not read its content for any other purpose. The premium memory types (regulatory_evidence, audit_trail, signed_intent) are treated with the same care as standard types but benefit from immutability and cryptographic-signature guarantees described in §10.

3.4 Payment data

Payment is processed by Stripe (and other providers, depending on the SKU). We do not store card numbers or payment credentials on our servers — the provider holds them.

3.5 Service usage data

We record the operations needed for the service to function: API calls, embedding generations, search queries (metadata only, not the natural-language content), quota consumption, error rates. This data is keyed to your account and used for service operation, support, and billing.

4. Why we collect it

5. What we do not do

6. Cookies

The marketing site uses only the cookies strictly necessary for it to function (session, theme preference, language preference). It sets no analytics or advertising cookies. The managed-service dashboard sets session cookies after authentication.

7. Data location and retention

Managed-service data is stored in EU data centers by default. Customers on the Sovereignty tier can request specific regions, multi-region replication, or on-premise deployment. Account data is retained as long as your account is active, then 12 months after closure for tax and dispute purposes. Memory records are retained per the retention configured by your tier; on plan downgrade, retention drops to the new tier's window.

8. Sub-processors

The current list is available on request. Material changes are announced at least 30 days in advance to active customers.

9. Your rights (GDPR and equivalent)

You have the right to access, rectify, export, restrict the processing of, and erase your personal data. To exercise any of these rights, write to hello@kumbukumbu.dev. We respond within 30 days.

10. Security

Account data is encrypted at rest (Fernet AES-128-CBC + HMAC-SHA256) on managed tiers (ALCHEMY and above). Transport is TLS 1.2+ only. The audit_trail memory type is append-only and tamper-evident. The signed_intent memory type carries a cryptographic co-signature. We disclose breaches that affect your personal data within 72 hours of discovery.

11. Children

Our services are not intended for users under 16. We do not knowingly collect data from children.

12. Changes

Material changes to this policy will be announced via email to active account holders at least 30 days before they take effect, and the “Last updated” date above will be revised.

13. Contact

For privacy questions or to exercise your rights: hello@kumbukumbu.dev.