Privacy Policy
This Privacy Policy explains how Jiskta ("we", "us", or "our") collects, uses, stores, and shares your personal data when you use our website (jiskta.com) and the Jiskta Climate Data API (api.jiskta.com). We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.
We keep this policy short and plain. If you have questions, email [email protected].
1. What Data We Collect and Why
| Category | Data collected | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Email address, password hash (via Supabase Auth) | Account creation and authentication | Contract (Art. 6(1)(b)) |
| API key | SHA-256 hash of your API key, key prefix (e.g. sk_live_abcd••••) | Authenticating API requests, displaying key on dashboard | Contract (Art. 6(1)(b)) |
| Credit & usage counters | Total credits purchased, total credits used (aggregate counters — no per-query log) | Credit balance tracking, billing disputes | Contract (Art. 6(1)(b)) |
| Purchase records | Paddle transaction ID, package purchased, amount (EUR), credits added, timestamp | Credit fulfillment, accounting, dispute resolution | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Company / billing details | Company name, VAT number, billing address, country (provided voluntarily at checkout for VAT invoice purposes) | Generating compliant VAT invoices, Paddle tax verification, accounting records | Legal obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b)) |
| Server logs | IP address, HTTP method, endpoint, response code, user-agent (standard web server logs) | Security monitoring, debugging, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Voucher redemptions | Voucher code redeemed, associated API key ID, timestamp | Preventing double-redemption, credit fulfillment | Contract (Art. 6(1)(b)) |
We do not collect: payment card numbers (handled entirely by Paddle as Merchant of Record), location data, device fingerprints, per-query logs, or any data from cookies beyond session state (see Section 6). We intentionally do not log which geographic regions or time ranges you query. Company and VAT details are collected only if you choose to provide them at checkout for invoice purposes.
2. How We Store Your Data
Your account data is stored in Supabase, a managed Postgres database hosted in the EU (AWS eu-west-1, Ireland). Supabase acts as a data processor under a Data Processing Agreement with us.
Our API server runs on a dedicated server in Paris, France (EU). Server logs are stored locally on that server for up to 30 days, then deleted.
We store aggregate credit counters (total purchased, total used) while your account is active. We do not log individual queries — there is no per-request log of what you queried.
3. Third-Party Processors
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Auth, database (accounts, keys, purchases) | Email, key hashes, purchases | EU (AWS eu-west-1) |
| Paddle | Payment processing & Merchant of Record (handles VAT, invoicing, compliance in all countries) | Email (for receipts), purchase amount & package, company name & VAT number if provided. Card data never touches our servers. | UK / EU (DPA + Standard Contractual Clauses apply) |
| Cloudflare | DNS, CDN, tunnel (website + API traffic) | IP address, request metadata (no body content) | Global (EU nodes preferred; DPA + SCCs apply) |
We do not sell, rent, or share your personal data with any other third parties. We may disclose data if required by law or court order.
4. International Transfers
Paddle acts as our Merchant of Record and is incorporated in the UK (with EU operations). Transfers to Paddle are covered by their Data Processing Agreement and Standard Contractual Clauses (SCCs) as defined by the European Commission. Cloudflare may route traffic through non-EU infrastructure; their Data Processing Addendum and SCCs apply. We do not make any other transfers outside the EEA.
5. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion of your data, subject to our legal retention obligations (e.g. accounting records).
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format (JSON/CSV).
- Objection — object to processing based on legitimate interest (e.g. server logs). We will stop unless we have compelling grounds.
- Withdraw consent — where we rely on consent (currently none), you may withdraw it at any time without affecting prior processing.
To exercise any right, use the Data & Privacy section on your dashboard (export or delete with one click), or email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request. You also have the right to lodge a complaint with your national data protection authority.
6. Cookies and Local Storage
Our website uses browser localStorage (not cookies) to maintain your Supabase authentication session. This data stays on your device and is never transmitted except as part of normal API authentication. We do not use advertising cookies, analytics cookies, or any third-party tracking scripts.
Cloudflare may set a __cf_bm cookie for bot management on our domain. This is a security cookie and does not track you for advertising purposes.
7. Children
The Service is intended for users aged 18 and over, or for companies and researchers. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently done so, contact us and we will delete it.
8. Security
We implement reasonable technical and organisational measures including: HTTPS on all endpoints, hashed (not stored) raw API keys, role-based Supabase access controls, and a dedicated (not shared) server with restricted SSH access. No system is completely secure; we cannot guarantee absolute security but we will notify you and the relevant supervisory authority of any breach as required by law.
9. Data Retention
- Account & API key data: retained while your account is active + 30 days after closure (or longer if required for open billing disputes). You can delete your account instantly from the dashboard.
- Credit counters (total purchased / total used): retained while your account is active. We do not store per-query logs.
- Purchase records & company/VAT details: retained for 7 years for accounting/tax compliance (Art. 6(1)(c)). These are anonymised (email removed) upon account deletion but the financial records and VAT invoice data are kept to meet legal obligations.
- Voucher redemptions: retained for 2 years after redemption, then deleted.
- Server access logs: retained for 30 days, then deleted.
10. Changes to This Policy
We may update this policy. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The current version is always available at jiskta.com/privacy.
11. Contact & Data Controller
For any privacy-related question, request, or complaint:
Jiskta
Email: [email protected]
You have the right to lodge a complaint with your national supervisory authority. In Belgium this is the Gegevensbeschermingsautoriteit (GBA).