This Privacy Policy explains how Jiskta ("we", "us", or "our") collects, uses, stores, and shares your personal data when you use our website (jiskta.com) and the Jiskta Climate Data API (api.jiskta.com). We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.
We keep this policy short and plain. If you have questions, email [email protected].
| Category | Data collected | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Email address, password hash (via Supabase Auth) | Account creation and authentication | Contract (Art. 6(1)(b)) |
| API key | SHA-256 hash of your API key, key prefix (e.g. sk_live_abcd••••) | Authenticating API requests, displaying key on dashboard | Contract (Art. 6(1)(b)) |
| Usage logs | Timestamp, credits used, regions scanned, query parameters (bounding box, time range, pollutants) | Credit deduction, billing disputes, abuse prevention, capacity planning | Contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) |
| Purchase records | Stripe session ID, package purchased, amount (EUR), credits added, timestamp | Credit fulfillment, accounting, dispute resolution | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Server logs | IP address, HTTP method, endpoint, response code, user-agent (standard web server logs) | Security monitoring, debugging, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Voucher redemptions | Voucher code redeemed, associated API key ID, timestamp | Preventing double-redemption, credit fulfillment | Contract (Art. 6(1)(b)) |
We do not collect: payment card numbers (handled entirely by Stripe), location data, device fingerprints, or any data from cookies beyond session state (see Section 6).
Your account data and usage logs are stored in Supabase, a managed Postgres database hosted in the EU (AWS eu-west-1, Ireland). Supabase acts as a data processor under a Data Processing Agreement with us.
Our API server runs on a dedicated server in Paris, France (EU). Server logs are stored locally on that server for up to 30 days, then deleted.
We store usage logs in the database for as long as your account is active, plus 12 months after account closure (for billing disputes and legal compliance). Account data is deleted within 30 days of account closure on request.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Auth, database (accounts, keys, logs) | Email, key hashes, usage logs, purchases | EU (AWS eu-west-1) |
| Stripe | Payment processing | Email (for receipts), purchase amount & package. Card data never touches our servers. | USA (Standard Contractual Clauses apply) |
| Cloudflare | DNS, CDN, tunnel (website + API traffic) | IP address, request metadata (no body content) | Global (EU nodes preferred; SCCs apply) |
We do not sell, rent, or share your personal data with any other third parties. We may disclose data if required by law or court order.
Stripe is based in the USA. Transfers to Stripe are covered by Standard Contractual Clauses (SCCs) as defined by the European Commission. Cloudflare may route traffic through non-EU infrastructure; their Data Processing Addendum and SCCs apply. We do not make any other transfers outside the EEA.
If you are in the EU/EEA, you have the following rights regarding your personal data:
To exercise any right, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request. You also have the right to lodge a complaint with your national data protection authority.
Our website uses browser localStorage (not cookies) to maintain your Supabase authentication session. This data stays on your device and is never transmitted except as part of normal API authentication. We do not use advertising cookies, analytics cookies, or any third-party tracking scripts.
Cloudflare may set a __cf_bm cookie for bot management on our domain. This is a security cookie and does not track you for advertising purposes.
The Service is intended for users aged 18 and over, or for companies and researchers. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently done so, contact us and we will delete it.
We implement reasonable technical and organisational measures including: HTTPS on all endpoints, API keys stored only as hashes (the raw key is never stored), role-based Supabase access controls, and a dedicated (not shared) server with restricted SSH access. No system is completely secure; we cannot guarantee absolute security, but we will notify you and the relevant supervisory authority of any breach as required by law.
We may update this policy. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The current version is always available at jiskta.com/privacy.html.
For any privacy-related question, request, or complaint:
Jiskta
Email: [email protected]
You have the right to lodge a complaint with your national supervisory authority. In Belgium this is the Gegevensbeschermingsautoriteit (GBA).