Privacy Policy

Last updated: January 23, 2025

Effective Date: January 23, 2025

1. Introduction and Scope

SQL Studio (“Company”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SQL database management platform (the “Service”).

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use the Service. By accessing or using SQL Studio, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

  • Account Registration Data: Your email address, name, and profile information provided during sign-up
  • Authentication Information: OAuth tokens from Google, magic link tokens, and QR code login session data
  • Database Connection Information: Database host, port, database name, username, and encrypted connection strings
  • Content You Create: SQL queries, scripts, saved queries, and configurations you create through the Service
  • Communication Data: Emails, support tickets, and any messages you send to us
  • Payment Information: Billing address and subscription details (if applicable). Payment processing is handled by third-party providers

2.2 Information Collected Automatically

We automatically collect certain information when you use the Service:

  • Device Information: Device type, operating system, browser type and version
  • IP Address and Location: Your IP address and approximate geographic location based on IP
  • Usage Information: Pages visited, features used, queries executed, time spent on features, and interaction patterns
  • Authentication Events: Login success/failure, token refresh events, logout events, and authentication method used
  • Session Information: Session duration, session tokens (encrypted and stored locally)
  • AI Usage Data: Prompts sent to AI models, generated responses (processed but not stored), token usage (prompt and completion tokens), and model/provider information
  • API Usage Metrics: Endpoint accessed, request timestamp, response time, success/failure status, and associated costs
  • Error Data: Error messages, stack traces, and diagnostic information when the Service encounters issues

2.3 Information from Third Parties

We may receive information from third-party sources:

  • Google OAuth: When you sign in via Google, we receive your verified email, name, and Google account ID
  • AI Model Providers: Usage metrics and billing information from providers like OpenAI, Google Gemini, DeepSeek, and other LLM services
  • Email Service Providers: Delivery status and engagement metrics for magic link emails

3. How We Use Your Information

We use the information we collect for various purposes:

3.1 Service Delivery and Functionality

  • Creating and maintaining your account and user profile
  • Authenticating your identity and verifying permissions
  • Processing your requests and executing database queries
  • Managing database connections and credentials securely
  • Storing and retrieving your saved scripts and configurations
  • Providing AI-powered SQL assistance and query suggestions
  • Managing conversation threading and query history

3.2 Service Improvement and Analytics

  • Analyzing usage patterns to improve our Service and develop new features
  • Understanding which features are most valuable to users
  • Monitoring service performance and identifying optimization opportunities
  • Conducting research and analytics on aggregate usage data
  • Testing new features and functionalities

3.3 Security and Safety

  • Detecting, investigating, and preventing fraud, abuse, and security incidents
  • Protecting against malicious, deceptive, or illegal activity
  • Enforcing our Terms and other agreements
  • Maintaining audit trails for compliance and security purposes
  • Implementing rate limiting and abuse prevention

3.4 Communication

  • Sending service-related announcements and updates
  • Responding to your inquiries and providing customer support
  • Notifying you about changes to our Service or policies
  • Sending security alerts and notifications about account activity

3.5 Billing and Account Management

  • Calculating and charging usage-based fees
  • Tracking token usage and API costs
  • Processing refunds and managing subscriptions
  • Providing usage reports and billing information

3.6 Legal Compliance

  • Complying with applicable laws, regulations, and legal obligations
  • Responding to lawful requests from government authorities
  • Establishing, exercising, or defending legal claims

4. Data Storage and Retention

4.1 Where Your Data is Stored

Your information is stored on secure servers located in [Data Center Location - typically US or multi-region]. We use a combination of PostgreSQL (for user accounts) and MongoDB (for application data, queries, connections, and audit logs).

4.2 Data Retention Periods

  • Account Data: Retained as long as your account is active. After account deletion, retained for 30 days before permanent deletion
  • Saved Scripts and Queries: Retained as long as your account is active. Deleted when you remove them or 30 days after account termination
  • Conversation History and Threads: Retained as long as your account is active, or as specified in your privacy settings
  • Audit Logs: Retained for a minimum of 1 year for security and compliance purposes
  • API Usage Records: Retained for 90 days for billing and analytics purposes
  • Backup Data: Retained for up to 30 days to enable data recovery
  • Log Files: Retained for up to 30 days for security and debugging

4.3 Encrypted Storage

Database credentials and connection strings are encrypted at rest using industry-standard encryption algorithms. API keys and sensitive tokens are not logged or stored in plaintext.

4.4 Client-Side Storage

Your authentication tokens are stored in browser localStorage for session persistence. Access tokens are valid for 15 minutes with automatic refresh starting 60 seconds before expiry. Refresh tokens are valid for 30 days. You can clear this data anytime by logging out or clearing your browser cache.

5. Information Sharing and Disclosure

5.1 When We Share Your Information

We do not sell your personal information to third parties. We may share information in the following circumstances:

5.2 Service Providers

We share information with trusted service providers who assist us in operating our Service:

  • Cloud Infrastructure Providers: For data hosting, backups, and security
  • Payment Processors: For handling payments and billing (PCI-DSS compliant)
  • Email Service Providers: For sending notifications and magic links
  • AI Model Providers: For processing AI queries (OpenAI, Google, etc.)
  • Analytics Providers: For understanding usage patterns
  • Logging and Monitoring Services: For error tracking and security

5.3 Legal Requirements and Protection

We may disclose your information when required by law or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws, regulations, and lawful government requests
  • Enforce our Terms and other agreements
  • Protect the security or integrity of our Service
  • Protect the rights, privacy, safety, or property of SQL Studio, users, or the public
  • Respond to claims of illegal activity or abuse

5.4 Business Transitions

If SQL Studio undergoes a merger, acquisition, bankruptcy, or other business reorganization, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 Aggregate and De-identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. This may be used for research, marketing, analytics, and other purposes without restriction.

5.6 Third-Party Database Access

When you connect external databases to SQL Studio, we store only the connection credentials. We do not access or store data from your databases beyond what you explicitly query and display in the Service. You remain responsible for the security of your database credentials and access control policies.

6. AI and Machine Learning Data Use

6.1 AI Query Processing

When you send prompts to our AI assistant, the following occurs:

  • Your prompt and relevant schema information are sent to AI model providers
  • The AI provider processes your request and returns a response
  • Token usage (prompt and completion tokens) is tracked for billing purposes
  • Responses are not stored by us unless you save them
  • Some providers may retain data for safety and abuse prevention purposes as specified in their terms

6.2 Third-Party AI Providers

SQL Studio integrates with multiple AI model providers. When you use AI features, your data is transmitted to and processed by:

  • Google Gemini (Google AI)
  • OpenAI GPT models (OpenAI)
  • DeepSeek (DeepSeek)
  • Other LLM providers as you select

Each provider has its own privacy policies and data handling practices. We recommend reviewing their privacy policies before using our Service.

6.3 Model Training and Improvement

By default, AI providers may use interaction data to improve their models unless you opt out. You can:

  • Request that your data not be used for model training
  • Select privacy-focused model providers with stricter data policies
  • Contact us to discuss enterprise data handling agreements

6.4 Schema Information Sharing

To provide effective AI suggestions, we may share your database schema information (table names, column names, data types) with AI providers. We do not share actual data values unless they are part of your explicit query or configuration.

6.5 Sensitive Data Considerations

If your database contains sensitive information (HIPAA-regulated health data, GDPR-protected personal data, PCI-DSS payment card data, etc.), you should:

  • Avoid querying sensitive data through the AI assistant
  • Use data masking or anonymization techniques
  • Implement field-level encryption in your database
  • Contact us about enterprise data processing agreements

7. Security Measures

7.1 Security Infrastructure

We implement comprehensive security measures to protect your information:

  • HTTPS/TLS Encryption: All data in transit is encrypted using industry-standard TLS protocols
  • At-Rest Encryption: Sensitive data at rest is encrypted using AES-256 or equivalent
  • Database Encryption: PostgreSQL and MongoDB use encrypted storage
  • API Authentication: JWT tokens with cryptographic signatures
  • Rate Limiting: Protection against brute force and abuse attempts
  • Firewall and DDoS Protection: Network-level security controls

7.2 Access Controls

  • Role-Based Access Control: Users have appropriate permissions for their role
  • Principle of Least Privilege: Employees access only necessary data
  • Authentication Requirements: Strong authentication for system access
  • Audit Logging: All administrative access is logged

7.3 Incident Response

We maintain an incident response plan to address security breaches promptly. In the event of unauthorized access or data breach:

  • We will investigate the incident and determine the scope of compromise
  • We will notify affected users as required by applicable law
  • We will cooperate with law enforcement and regulators
  • We will implement corrective measures to prevent recurrence

7.4 Your Security Responsibilities

While we implement strong security, you are responsible for:

  • Maintaining the confidentiality of your credentials and tokens
  • Using strong, unique passwords for your account
  • Not sharing your account with others
  • Reporting unauthorized access or suspicious activity immediately
  • Keeping your device and browser security software up to date

8. Your Privacy Rights

8.1 GDPR Rights (EU Residents)

If you are a resident of the European Union, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of your personal data we hold
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure (“Right to be Forgotten”): Request deletion of your data
  • Right to Restrict Processing: Request limitations on how we use your data
  • Right to Data Portability: Request your data in a portable format
  • Right to Object: Object to certain processing activities
  • Right to Withdraw Consent: Withdraw consent to data processing at any time

8.2 CCPA Rights (California Residents)

If you are a resident of California, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request what personal information we collect and how it is used
  • Right to Delete: Request deletion of personal information we have collected
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use: Limit use of sensitive personal information

8.3 Other Jurisdictional Rights

Depending on your jurisdiction, you may have additional privacy rights. These may include rights similar to GDPR or CCPA in other regions (Canada’s PIPEDA, Australia’s Privacy Act, etc.). Please contact us to learn about your specific rights.

8.4 Exercising Your Rights

To exercise any of these rights, please submit a request through our privacy portal or by contacting us at privacy@sqlstudio.io. We will verify your identity and respond within the timeframe required by applicable law (typically 30-45 days).

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication, session management, and security
  • Preference Cookies: Remember your language, theme, and display preferences
  • Analytics Cookies: Track usage patterns to improve the Service
  • Third-Party Cookies: Set by service providers for functionality and analytics

9.2 Cookie Management

You can control cookie preferences through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling essential cookies may impact Service functionality.

9.3 Tracking Technologies

We may use other tracking technologies including:

  • Web Beacons: Small graphics used to track page views and email opens
  • Pixels: Used to measure campaign effectiveness
  • Local Storage: Stores user preferences and session data
  • Session Storage: Temporary storage of session information

9.4 Do Not Track

Some browsers include a “Do Not Track” feature. Our Service does not currently respond to Do Not Track signals, but you can disable tracking through browser settings and privacy extensions.

10. Children’s Privacy

The Service is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided information to us, we will delete such information immediately.

If you believe we have collected information from a child under 13, please contact us immediately at privacy@sqlstudio.io.

11. Third-Party Links and Services

11.1 External Links

The Service may contain links to third-party websites and services. This Privacy Policy applies only to SQL Studio. We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party services before providing your information.

11.2 OAuth Providers

When you sign in via Google OAuth, you are subject to Google’s privacy policies in addition to ours. Google processes your authentication information according to their policies.

11.3 Database Providers

When you connect to external databases (PostgreSQL, MySQL, MSSQL, etc.), those providers may collect logs and metadata as specified in their terms. We are not responsible for their data practices.

12. Data Protection Agreements

12.1 Business Associate Agreements

If you are subject to HIPAA and process health information through the Service, we can execute a Business Associate Agreement (BAA) to ensure compliance.

12.2 Data Processing Agreements

If you are subject to GDPR or similar regulations, we can execute a Data Processing Agreement (DPA) that outlines our obligations as a data processor.

12.3 Enterprise Agreements

Organizations with specific data protection requirements can contact us to negotiate custom data handling agreements.

13. Audit Logs and Transparency

13.1 Your Audit Log Access

You can view your account’s audit log through the Settings > Audit Logs page. This log includes:

  • Login and logout events
  • Token refresh and revocation events
  • Connection creation and modification
  • Query execution (with metadata)
  • AI assistant usage

13.2 What is Logged

Audit logs capture:

  • Event type and timestamp
  • Your IP address
  • Your user agent/browser information
  • Associated resource (connection, query, etc.)

13.3 Retention of Audit Logs

We retain audit logs for a minimum of 1 year for security, compliance, and investigation purposes. Certain audit logs may be retained longer if required by applicable law.

14. International Data Transfers

14.1 Data Transfer Mechanisms

Your information may be transferred to and stored in countries other than your country of residence. These countries may have different data protection laws than your country of origin.

When we transfer data internationally, we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) for GDPR-compliant transfers
  • Data Processing Agreements with appropriate limitations
  • Encryption and security measures

14.2 EU-US Data Transfers

For EU users, we comply with applicable data protection frameworks for transferring data to the United States. Please contact us if you have questions about international data transfer mechanisms.

15. Data Breach Notification

15.1 Breach Notification Policy

In the event of a confirmed data breach involving your personal information, we will:

  • Notify you without unreasonable delay (typically within 72 hours)
  • Describe the nature of the breach and data involved
  • Provide contact information for further assistance
  • Recommend measures you can take to protect yourself
  • Notify applicable regulatory authorities as required by law

15.2 Contact for Breach Reports

If you suspect a security breach, please contact us immediately at security@sqlstudio.io.

16. Privacy Policy Changes

16.1 Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The date of the most recent update appears at the top of this page.

16.2 Material Changes

If we make material changes to how we handle your information, we will notify you by email or through the Service. Your continued use of the Service after such notification constitutes your acceptance of the revised Privacy Policy.

16.3 Previous Versions

Previous versions of this Privacy Policy are available upon request.

17. Contact Information

If you have questions about this Privacy Policy, your information, or your privacy rights, please contact us:

Email: privacy@sqlstudio.io

Data Protection Officer: dpo@sqlstudio.io

Website: https://sqlstudio.io

Support Portal: https://sqlstudio.io/support

18. Regulatory Compliance

18.1 Applicable Laws

This Privacy Policy and our data practices comply with applicable privacy and data protection laws, including:

  • GDPR (EU General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act)
  • LGPD (Brazil’s Lei Geral de Proteção de Dados)
  • Privacy Act 1988 (Australia)
  • Healthcare regulations (HIPAA for US health information)
  • Payment card industry standards (PCI-DSS for card data)

18.2 Certifications and Standards

SQL Studio maintains industry certifications and complies with security standards including ISO 27001 and SOC 2 Type II (where applicable).

18.3 Third-Party Audits

We undergo regular third-party audits to verify our compliance with privacy and security standards. Audit reports are available to enterprise customers under NDA.

19. Account Deletion and Data Removal

19.1 Deleting Your Account

You can delete your account through Settings > Account > Delete Account. Upon deletion:

  • Your account will be deactivated immediately
  • Your saved scripts and conversation history will be marked for deletion
  • Your database connections will be removed from the Service
  • All active sessions and tokens will be revoked

19.2 Data Retention After Deletion

After account deletion, we retain:

  • Audit logs for compliance and security purposes (minimum 1 year)
  • Anonymized usage analytics
  • Backup data for 30 days to enable recovery if account deletion was accidental

19.3 Permanent Deletion

To request permanent deletion of all data including backup data, please contact privacy@sqlstudio.io with your account details and reason for deletion.

20. Consent and Acknowledgment

By accessing and using SQL Studio, you acknowledge that you have read this Privacy Policy, understand our privacy practices, and consent to the collection, use, and disclosure of your information as described herein.

If you do not agree with our privacy practices, please do not use the Service.

SQL Studio Privacy Policy © 2025. All rights reserved. This Privacy Policy is provided for informational purposes and should be reviewed by legal counsel before deployment in production. Customize with your specific data practices, compliance certifications, and contact information.