Privacy Policy
Last updated: April 17, 2026
Effective date: April 17, 2026
Summary: Jamdesk is a documentation platform. We process the data described below to run the service, bill customers, and (if enabled) answer questions using AI. We do not sell your data, and we do not use it to train AI models.
1. Information We Collect
Information You Provide
When you create an account or use our services, you may provide:
- Account Information: Email address, name, and password
- Payment Information: Billing details processed by Stripe (we never store full card numbers)
- Content: Documentation, images, and other files you upload
- Communications: Messages you send to our support team
Command-Line Interface (CLI)
The Jamdesk CLI runs entirely on your machine. It does not collect telemetry, analytics, or usage data. The CLI only transmits data to our servers when you explicitly trigger platform features (like deployments), and only the minimum data needed for that action — your documentation content and configuration.
Automatic Collection
When you use our services, we automatically collect:
- Usage Data: Pages visited, features used, actions taken
- Device Information: Browser type, operating system, device identifiers
- Log Data: IP address, access times, referring URLs
- Analytics: Aggregated usage statistics via Google Analytics
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our platform
- Process transactions and send related information
- Send technical notices, updates, and security alerts
- Respond to support requests
- Analyze trends and usage to improve the experience
- Detect and prevent fraud or unauthorized activity
- Comply with legal obligations
For visitors in the EEA, UK, or Switzerland, our legal bases under GDPR Art. 6 are: contract (to provide the services), legitimate interests (security, fraud prevention, service improvement, and direct business communications to existing customers), consent (marketing analytics and advertising cookies where required), and legal obligation (tax, accounting, responding to lawful requests).
3. Information Sharing
We do not sell your personal information. We share information only in these circumstances:
Service Providers
We share personal information with trusted third-party service providers who process it on our behalf. We use providers in the following categories:
| Category | Purpose | Typical Data Shared |
|---|---|---|
| Cloud infrastructure & hosting | Hosting, storage, authentication, CDN, DDoS protection | Account data, content, IP addresses, request metadata |
| Payment processing | Subscription billing and tax compliance | Billing information (no full card numbers stored by us) |
| Email & messaging | Transactional and marketing email, live chat | Email address, message content |
| AI inference & retrieval | Documentation chat, search embeddings (when enabled) | Chat queries, documentation context, embeddings |
| Analytics & advertising measurement | Marketing-site analytics and ad measurement | Pseudonymous cookie identifiers, truncated IP (only after consent in the EU/UK) |
| Security & abuse prevention | Rate limiting, fraud detection, log monitoring | Hashed IPs, request metadata |
The authoritative, continuously-updated list of specific sub-processors — including name, location, and data categories — is maintained at jamdesk.com/subprocessors, along with our advance-notice terms for any changes.
Legal Requirements
We may disclose information if required by law or to:
- Comply with legal process or government requests
- Protect the rights, privacy, or safety of Jamdesk, users, or others
- Enforce our terms of service
Business Transfers
If Jamdesk is involved in a merger, acquisition, consolidation, reorganization, change of control, divestiture, bankruptcy or insolvency proceeding, sale of equity or assets, or any similar transaction, your information may be transferred to the successor or acquiring party as part of that transaction, without your further consent or approval. We will provide notice of any such transfer only to the extent required by applicable law, and the receiving party's use of your information will be governed by this Policy (or a privacy policy no less protective of your rights) unless you are notified otherwise.
4. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you logged in
- Remember your preferences
- Understand how you use our services
- Improve performance
Types of Cookies
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session / 1 year |
| Analytics | Usage statistics (Google Analytics) | 2 years |
Managing Cookies
Control cookies through your browser settings. Disabling essential cookies may affect functionality. See our Cookie Policy for details on specific cookies.
Google Analytics
We use Google Analytics to understand how visitors use our site. Google Analytics processes pseudonymous identifiers (not anonymous data) to measure site usage. For visitors in the EU, EEA, and UK, we use Google Consent Mode v2 and default analytics and advertising storage to denied until you consent. You can opt out at any time via our Cookie Preferences, or site-wide with the Google Analytics Opt-out Add-on.
Global Privacy Control & Do Not Track
We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we automatically disable all non-essential cookies regardless of your region. We do not currently respond to the older "Do Not Track" (DNT) header, as there is no uniform standard for it. We recommend using GPC instead.
5. Data Security
We implement the technical and organizational measures described on our Security page, including TLS in transit, provider-managed AES-256 encryption at rest, least-privilege access controls, and logging. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
Data Breach Notification
Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, consistent with GDPR Art. 33. We will notify affected individuals without undue delay where required by applicable law (GDPR Art. 34; U.S. state breach-notification laws). Notifications are sent to the primary account email on file and will describe, to the extent then known, the nature of the breach, the data affected, the steps we are taking, and any recommended protective actions. For business customers, incident notification may be further governed by separately-negotiated incident-response terms in a Master Services Agreement, which, where they exist, control.
6. Data Retention
We keep your information while your account is active or as needed to provide services. Our target retention periods following account deletion are:
- Account data: generally deleted within 30 days
- Content: generally removed within 30 days
- Backups: typically overwritten within 90 days on our backup rotation
- Logs: anonymized or deleted within 12 months
These periods are targets and may be shorter or longer in individual cases. We may retain data longer where required by law (for example, tax and accounting records), to resolve billing disputes, pursue or defend legal claims, comply with a legal hold, or prevent fraud and abuse. Aggregated or de-identified data may be retained indefinitely.
Where we retain personal data beyond these targets in response to a verified deletion request, we will limit further processing of that data to the specific purpose that justifies the retention (for example, responding to a legal hold or defending a claim), consistent with GDPR Art. 17(3) and comparable provisions.
7. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correct: Fix inaccurate or incomplete information
- Delete: Request deletion of your data
- Export: Get your data in a portable format
- Restrict: Limit how we process your data
- Object: Opt out of certain processing
- Withdraw Consent: Revoke previously given consent
To exercise these rights, email privacy@jamdesk.com.
Before fulfilling a request, we may need to verify your identity, typically by matching the email address on file with the account. For requests that would expose sensitive data, or where we cannot reasonably verify you, we may require additional information or decline the request. We do not charge a fee unless the request is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline (GDPR Art. 12(5); CPRA § 1798.145(h)).
8. International Data Transfers
Jamdesk is based in the United States. If you access our services from outside the US, your information may be transferred to and processed in the US or other countries where our providers operate.
We transfer personal data out of the EEA, UK, and Switzerland using the European Commission's 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor), the UK International Data Transfer Addendum, and — for Switzerland — the FDPIC-recognized SCCs. Where a recipient is certified under the EU–US Data Privacy Framework or UK Extension, we may also rely on that adequacy decision. These mechanisms are incorporated by reference into our Data Processing Addendum.
9. California Privacy Rights (CCPA/CPRA)
California residents have the following rights:
- Right to Know: What personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing:We do not sell personal information for money. We use Google Ads on our marketing site for campaign measurement; under CPRA, the resulting exchange of limited identifiers (such as IP address and cookie IDs) may be considered "sharing" for cross-context behavioral advertising. You can opt out by (i) enabling Global Privacy Control in your browser, which we honor, (ii) opening Cookie Preferences from our footer and disabling advertising cookies, or (iii) emailing privacy@jamdesk.com.
- Right to Limit Use of Sensitive Personal Information: We do not collect or use "sensitive personal information" as defined by CPRA § 1798.140(ae) (government IDs, precise geolocation, race or ethnicity, religion, health data, biometric data, etc.).
- Non-Discrimination: We will not penalize you for exercising your rights. We do not offer financial incentives or price or service differences in exchange for your personal information.
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We will require written, signed permission from you, and we may separately verify your identity directly. Agent requests without verification will be declined.
Categories of Information
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Commercial Information | Purchase history, billing | Yes |
| Internet Activity | Browsing history, interactions | Yes |
| Geolocation | General location from IP | Yes |
| Biometric Information | Fingerprints, face recognition | No |
| Sensitive Personal Info | SSN, health data, precise location | No |
California "Shine the Light" Law
Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal data to third parties for direct marketing. We do not share personal information for third-party marketing.
10. Other US State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Tennessee, Iowa, Kentucky, Rhode Island, and other states that enact comprehensive privacy laws may have similar rights, including:
- Access: Confirm and access your personal data
- Correct: Fix inaccuracies
- Delete: Remove data you provided or we obtained
- Portability: Get your data in a portable format
- Opt-Out: Opt out of targeted advertising, data sales, and profiling
We do not use personal data for targeted advertising on a cross-context basis beyond the Google Ads behavior described in Section 9, and we do not use it for profiling that produces legal or similarly significant effects. To exercise any of these rights, email privacy@jamdesk.com. Residents of these states may also designate an authorized agent subject to the verification procedure described in Section 9. We will respond within the timeframe required by applicable law (typically 45 days).
11. European Privacy Rights (GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under the GDPR:
Legal Bases for Processing
- Contract: Processing needed to provide our services
- Consent: Where you have given explicit consent
- Legitimate Interest: For security, fraud prevention, and service improvement
- Legal Obligation: When required by law
Your GDPR Rights
In addition to the rights in Section 7, you may lodge a complaint with your local data protection authority.
Data Controller
Even Flow Solutions, LLC is the data controller for information collected through our services.
Data Processing Addendum
For organizations needing a formal data processing agreement, we offer a DPA with Standard Contractual Clauses. Visit our DPA page to learn more or request one.
12. AI Features and Automated Processing
When customers enable Jamdesk's AI documentation chat (retrieval-augmented generation, or "RAG"):
- Your published documentation is converted into numerical representations (embeddings) and stored with our vector-search provider to power retrieval.
- Retrieved documentation passages, together with the end user's question, are sent to our AI inference provider to generate a response.
- Our AI sub-processors are contractually prohibited from using your content to train their models.
- We do not use AI to make automated decisions that produce legal or similarly significant effects about you. AI features can be disabled from the Jamdesk dashboard.
The current AI and vector-search sub-processors are listed — by name, location, and data category — at jamdesk.com/subprocessors. Additional detail is on our Security page.
13. Children's Privacy
Our services are not directed to children under 13 (the US threshold under COPPA) or the applicable higher minimum age in your country (which ranges from 13 to 16 in parts of the EEA and UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email privacy@jamdesk.com and we will delete it.
14. Changes to This Policy
We may update this policy. For material changes, we will:
- Post the updated policy here
- Update the "Last updated" and effective dates
- Email account holders about significant changes
Continued use after changes means you accept the updated policy. For material changes that reduce your rights, we will seek affirmative acceptance where required by applicable law.
15. Contact Us
Questions about this policy or our data practices:
- Data controller: Even Flow Solutions, LLC (operating as Jamdesk)
- Mailing address: 1900 Broadway, New York, NY 10023, USA
- Email: privacy@jamdesk.com
- Website: www.jamdesk.com
For data requests (access, deletion, etc.), email us with the subject "Privacy Request" and include your account email.
This Policy describes our privacy practices. It is not a contract and does not create enforceable rights in any third party. Your use of the Jamdesk services is governed by our Terms of Service and, for business customers, any Master Services Agreement and our Data Processing Addendum.