JurisAI Legal

Privacy Policy

Your privacy matters. Here is how we collect, use, and protect your data.

Last updated: March 2026

1. Introduction

This Privacy Policy describes how Gweens Craft ("we," "us," "our") collects, uses, stores, and protects personal data when you use the JurisAI mobile application and website (collectively, the "Service"). It is written in compliance with the Kenya Data Protection Act, 2019 (DPA) and the regulations made thereunder.

By using the Service, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Service.

2. Data Controller

The data controller responsible for your personal data is:

Gweens Craft
Email: jurisaisupport@gweenscraft.co.ke
Website: jurisai.gweenscraft.co.ke
Jurisdiction: Republic of Kenya

3. Data We Collect

3.1 Account Information

When you register, we collect:

  • Email address
  • Password (stored as a salted hash — we never store your plain-text password)
  • Display name or username (optional)
  • Profile photo URL (if you sign in with Google)

3.2 Usage Data

When you use the Service, we automatically collect:

  • AI queries you submit and the responses generated
  • Chat session history (stored to provide conversation continuity)
  • Bookmarks you save and synchronise
  • Daily query count (to enforce free-tier limits)
  • Token usage per session (for cost accounting)
  • Feature interaction events (e.g., app download button taps) recorded anonymously

3.3 Payment Information

We do not store your card number, bank account details, or M-Pesa PIN. Payments are processed entirely by our third-party providers (see Section 6). We store only the transaction reference, amount, status, payment method, and timestamp.

3.4 Device and Log Data

Our servers automatically log your IP address, device type, operating system version, app version, and error logs when you interact with the Service. These are used solely for security monitoring and debugging.

4. How We Use Your Data

We use the data we collect to:

  • Create and manage your account and authenticate your identity.
  • Process payments and maintain subscription records.
  • Generate AI-powered legal answers in response to your queries.
  • Synchronise your bookmarks across devices (premium users).
  • Enforce daily query quotas and subscription limits.
  • Send transactional emails (receipts, password resets, account notices).
  • Monitor service health, detect fraud, and prevent abuse.
  • Improve the Service through aggregated, anonymised analytics.
  • Comply with applicable law and respond to lawful requests from authorities.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5. Legal Basis for Processing

Under the DPA 2019, we process your personal data on the following bases:

  • Performance of a contract — to deliver the Service you signed up for.
  • Consent — for optional features (e.g., Google Sign-In).
  • Legitimate interests — for security, fraud prevention, and service improvement, where these do not override your rights.
  • Legal obligation — where we are required to process data by law.

6. Third-Party Services

We share data only with the following trusted processors to deliver the Service. Each is bound by its own privacy policy and applicable law:

  • Supabase (Supabase Inc., USA) — Cloud database and authentication hosting. Your account data, chat history, bookmarks, and transaction records are stored in Supabase. Data is encrypted at rest and in transit.
  • OpenAI (OpenAI LLC, USA) — Powers the AI legal assistant. Your query text is sent to OpenAI to generate answers. OpenAI does not use API data to train its models by default. See OpenAI Privacy Policy.
  • Paystack (Paystack Payments Ltd, Nigeria) — Processes card payments. Your card details are handled exclusively by Paystack and are never transmitted to our servers. See Paystack Privacy Policy.
  • Safaricom M-Pesa (Safaricom PLC, Kenya) — Processes M-Pesa STK push payments. Your M-Pesa PIN is entered directly on Safaricom's secure prompt and is never shared with us.
  • Google (Google LLC, USA) — Used for Google Sign-In (OAuth 2.0). We receive your Google account email and profile name. See Google Privacy Policy.
  • Fly.io (Fly.io Inc., USA) — Hosts our API backend in the Johannesburg region. Request logs are retained for 30 days.

7. Data Retention

  • Account data — retained while your account is active.
  • Chat history — retained indefinitely to support conversation continuity; you can delete sessions in the app.
  • Transaction records — retained for seven (7) years as required by Kenyan tax law.
  • Server logs — retained for up to 30 days, then automatically purged.
  • Upon account deletion, all personal data is deleted within 30 days, except transaction records we are legally required to retain.

8. Your Rights

Under the Kenya Data Protection Act, 2019, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your account and associated data (right to be forgotten).
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email jurisaisupport@gweenscraft.co.ke. We will respond within 21 days as required by the DPA. You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya if you believe we have violated your rights.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for data at rest in Supabase.
  • Password hashing using bcrypt with per-user salts.
  • Row-Level Security (RLS) policies in the database so that each user can access only their own data.
  • Service role credentials stored exclusively in server-side environment variables — never exposed in client-side code.
  • Rate limiting to prevent brute-force and denial-of-service attacks.

No system is 100% secure. If you believe your account has been compromised, please contact us immediately at jurisaisupport@gweenscraft.co.ke.

10. Children's Privacy

The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us and we will promptly delete the account.

11. Cookies and Local Storage

The JurisAI mobile app uses device local storage (SharedPreferences) to cache bookmarks and user preferences for offline access. No advertising or tracking cookies are used. The JurisAI website uses only strictly necessary session cookies required for authentication.

12. International Data Transfers

Some of our third-party processors (Supabase, OpenAI, Fly.io) are based outside Kenya. By using the Service, you consent to your data being transferred to and processed in jurisdictions whose data protection laws may differ from Kenya's. We ensure such transfers are subject to appropriate safeguards (standard contractual clauses or equivalent).

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app notice. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

14. Contact

For privacy enquiries or to exercise your rights, contact us at:

Gweens Craft — Data Controller
Email: jurisaisupport@gweenscraft.co.ke
Website: jurisai.gweenscraft.co.ke/support