When you create a Sankofa account, we collect your name, work email, and the team / organization you belong to. When you use the platform, we process whatever telemetry your apps send us — events, error reports, replays, flag decisions — strictly as a data processor on behalf of you, the data controller. We do not enrich, resell, or share your event data with third parties.
Operational data (account name, billing) is used to run your account. Telemetry data is used to render the dashboards you query and to enforce per-tier quotas. We do not train models on customer data without an explicit per-tenant opt-in.
Cloud tenants pin their data to one of three regions on signup — EU (Frankfurt), US (Virginia), or AF (Cape Town). Data does not leave the chosen region for production traffic. Enterprise tenants can self-host on their own infrastructure with the same binary; we have no access to that data.
Operational data persists for the life of your account plus 30 days. Telemetry retention is set per product tier — see the docs limit tables. After retention expires, data is removed from primary storage within 24 hours and from backups within 35 days.
Under GDPR you have the right to access, correct, port, restrict, and delete personal data. As a data processor, we surface engine endpoints that let you, the controller, fulfill these requests for your users in seconds. Account-level deletion is self-serve in settings; sub-account requests go through the API.
We use a small number of sub-processors (cloud infra, payments, email). The current versioned list is published at docs.sankofa.dev/resources/compliance. We notify all customers 30 days before adding a new sub-processor.
Marketing site (sankofa.dev) sets one functional cookie for your theme preference. The dashboard sets a session cookie for authentication. We do not use third-party analytics cookies on either property.
Sankofa is a B2B platform. We do not knowingly collect personal data from anyone under 16. If your application directs end-user data to us from minors, you are responsible for ensuring parental consent under your applicable jurisdiction.
Privacy questions, DPA requests, sub-processor objections: [email protected]. Security or data-incident reports: [email protected].