Privacy Policy
Last updated: 2026-05-11.
This policy describes how theAIstep (operator of sawabona.dev
and the Sawabona managed licensing service) handles personal data. We aim to collect
the minimum we need to operate the service, and to be explicit when we go beyond that.
1. Who we are
theAIstep is the legal entity behind Sawabona — the open-core licensing engine for SaaS vendors. Contact: hello@sawabona.dev.
theAIstep also operates other brands under separate domains (jagora.dev, lisaba.dev, kumbukumbu.dev); each publishes its own privacy policy. This one covers Sawabona only.
2. Scope
This policy covers the sawabona.dev marketing website, the Sawabona
documentation, and the Sawabona managed licensing service. Self-hosted installations
of the Sawabona Apache-2.0 Rust core run entirely on your infrastructure and are not
in scope — we have no visibility into them.
3. Data we collect
3.1 Anonymous web analytics
When you visit sawabona.dev, we may record aggregated analytics: page
views, referrers, country (derived from IP, not the IP itself), browser, device
class. No third-party tracking pixels or advertising cookies.
3.2 Vendor account data (managed service)
If you create a vendor account on the Sawabona managed service:
- Email address (authentication, transactional email)
- Display name (optional, for billing receipts)
- Organization / company name (optional)
- Billing address and VAT number (when applicable for invoicing)
3.3 License data and end-customer data
When you issue licenses through Sawabona for your customers, we store the
minimum needed for license validation: license metadata (product, plan, status),
the key_hash of each license key (never the plaintext — that is
shown to your customer once at creation, rotation, or transfer and never re-emitted),
and end-customer contact details you supply. End-customer data is processed on your
behalf as a sub-processor; you remain the data controller.
3.4 Payment data
Payment to us is processed by Stripe (and other providers depending on the SKU). We do not store card numbers or payment credentials on our servers — the provider holds them. When you use Sawabona to charge your customers via integrated payment providers (Stripe, Paddle, Square, Flutterwave, Paystack), the cardholder data flows from your customer directly to the provider; Sawabona never touches it.
3.5 Service usage data
We record the operations needed for the service to function: API calls, license validations, quota consumption, error rates. This data is keyed to your vendor account and used for service operation, support, and billing.
4. Why we collect it
- Operate the service. Authentication, license validation, quota enforcement, billing.
- Support. Respond to your requests, diagnose issues you report.
- Security. Detect abuse, rate-limit, audit our own access to your data.
- Compliance. Tax records, payment compliance, lawful requests.
- Product improvement. Aggregated, de-identified usage patterns — never per-tenant content analysis.
5. What we do not do
- We do not sell your data or your customers' data.
- We do not train AI models on the content of your accounts or your end-customer data.
- We do not run third-party advertising trackers on sawabona.dev.
- We do not store plaintext license keys at rest.
- We do not access self-hosted installations of the Sawabona Rust core.
6. Cookies
The marketing site uses only the cookies strictly necessary for it to function (session, theme preference, language preference). No analytics or advertising cookies. The managed-service dashboard sets session cookies after authentication.
7. Data location and retention
Managed-service data is stored in EU data centers by default. Customers on a dedicated-deployment plan can request specific regions and dedicated infrastructure. Account data is retained as long as your account is active, then 12 months after closure for tax and dispute purposes. License records and audit logs are retained per the retention period of your plan.
8. Sub-processors
- Stripe (and other payment providers, where applicable) — payment processing.
- Netcup / Railway — hosting and infrastructure.
- Cloudflare — edge networking and TLS.
- Transactional email provider — account notifications.
The current list is available on request. Material changes are announced at least 30 days in advance to active customers. A separate Data Processing Agreement (DPA) is available on request.
9. Your rights (GDPR and equivalent)
You have the right to access, rectify, export, restrict the processing of, and erase your personal data. For end-customer data you process through Sawabona, your own customers exercise these rights through you (we assist on request). To exercise any of these rights, write to hello@sawabona.dev. We respond within 30 days.
10. Security
Vendor account data is encrypted at rest (Fernet AES-128-CBC + HMAC-SHA256). License
keys are stored as key_hash; plaintext is shown to your customer once at
creation/rotation/transfer and never re-emitted by us or by webhooks. Transport is
TLS 1.2+ only. We disclose breaches that affect your personal data within 72 hours
of discovery.
11. Children
Our services are not intended for users under 16. We do not knowingly collect data from children.
12. Changes
Material changes to this policy will be announced via email to active account holders at least 30 days before they take effect, and the “Last updated” date above will be revised.
13. Contact
For privacy questions or to exercise your rights: hello@sawabona.dev.