Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, profile picture (via Clerk authentication)
• Database Connections: Connection names, hostnames, ports, database names (credentials are encrypted)
• Queries: SQL queries you write, edit, or save
• Query Metadata: Query titles, folders, tags, execution history
• Organization Information: Organization name, team members, billing information
• Support Communications: Messages you send to our support team

1.2 Information Automatically Collected

• Usage Data: Features you use, pages you visit, time spent in the Service
• Device Information: Browser type, operating system, IP address
• Log Data: Access times, error logs, performance metrics
• Cookies and Tracking: We use cookies and similar technologies (see Section 7)

1.3 Information from Third-Party Services

• Authentication Data: From Clerk (user ID, email, profile information)
• Payment Data: From Stripe (billing address, payment method - we do not store full credit card numbers)
• AI Service Data: Query text and schema information sent to AI providers (OpenAI) for processing

2. How We Use Your Information

We use your information to:

• Provide the Service: Process queries, manage connections, enable collaboration
• AI Features: Send queries and schema information to AI providers to generate SQL and assistance
• Improve the Service: Analyze usage patterns, fix bugs, develop new features
• Communicate: Send service updates, security alerts, billing information
• Security: Detect fraud, prevent abuse, enforce our Terms of Service
• Legal Compliance: Comply with legal obligations, respond to legal requests

3. Information Sharing and Disclosure

3.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

3.2 Service Providers

We share information with trusted service providers who help us operate the Service:

• Clerk: Authentication and user management
• Stripe: Payment processing (they handle payment data according to their privacy policy)
• OpenAI: AI feature processing (query text and schema, not actual data)
• Supabase: Database hosting and storage
• Liveblocks: Real-time collaboration features
• Email Services: Transactional emails (via Loops or similar)

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

3.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to:

• Protect our rights, property, or safety
• Prevent fraud or abuse
• Respond to legal process
• Enforce our Terms of Service

3.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

3.5 With Your Consent

We may share your information with your explicit consent or at your direction.

4. Data Storage and Security

4.1 Data Storage

• Your data is stored on secure servers hosted by Supabase
• Database credentials are encrypted using industry-standard encryption
• Query text and metadata are stored in our database
• Query results are NOT permanently stored unless you explicitly save them

4.2 Security Measures

We implement technical and organizational measures to protect your information:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for sensitive data
• Access controls and authentication
• Regular security audits
• Secure credential storage (vault system)

However, no method of transmission or storage is 100% secure. You are responsible for:

• Using strong passwords
• Keeping your account credentials secure
• Securing your database connections

4.3 Data Retention

• We retain your data while your account is active
• After account deletion, we may retain data for up to 90 days for backup and legal purposes
• You can request immediate deletion of your data (see Section 8)

5. AI Features and Data Processing

5.1 How AI Features Work

When you use AI features (ghost text, ask mode, plan mode, agent mode):

• For AI Completions: Your query text and relevant schema information (table names, column names, data types) are sent to AI providers (OpenAI) to generate SQL suggestions
• For Embeddings: Schema information (table names, column names, data types) is sent to AI providers' embedding APIs to generate vector embeddings that improve AI suggestions (this happens when schemas are synced, not on every request)
• AI providers use this information to generate SQL suggestions and improve their models
• We do NOT send: Your actual database data, query results, or database credentials to AI providers

5.2 AI Provider Data Usage

AI providers may use your query text and schema information to:

• Generate responses to your requests
• Improve their AI models (subject to their privacy policies)
• Train their systems (OpenAI's data usage policy applies)

5.3 Opting Out

You can opt out of AI features by:

• Not using AI features (ghost text, ask mode, plan mode, agent mode)
• Using the Free plan (which does not include AI features)
• Contacting us to disable AI features on your account

6. Your Rights and Choices

6.1 Access and Correction

You can access and update your account information through the Service settings.

6.2 Data Portability

You can export your queries and data through the Service's export features.

6.3 Deletion

You can delete your account and data by:

• Using the account deletion feature in settings
• Contacting us at hi@creamsql.com

We will delete your data within 30 days, except where we are required to retain it by law.

6.4 Opt-Out Rights

• Marketing Emails: Unsubscribe via the link in emails or account settings
• Cookies: Adjust your browser settings (see Section 7)
• AI Features: Don't use AI features or contact us to disable them

6.5 California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect
• Right to delete your personal information
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

7. Cookies and Tracking Technologies

7.1 Cookies We Use

• Essential Cookies: Required for the Service to function (authentication, session management)
• Analytics Cookies: Help us understand how you use the Service (we may use services like PostHog, Mixpanel, or Google Analytics)
• Functional Cookies: Remember your preferences and settings

7.2 Managing Cookies

You can control cookies through your browser settings. However, disabling cookies may affect Service functionality.

We use a consent banner to manage analytics tracking. DataFast analytics loads only after you click Accept. Your choice is stored locally in your browser under cookie_consent_analytics, and you can change it any time using Cookie preferences under Legal in the footer.

7.3 Third-Party Tracking

We may use third-party analytics services that use cookies and similar technologies. These services have their own privacy policies.

8. Children's Privacy

CreamSQL is not intended for children under 13 (or 16 in the EU). We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using the Service, you consent to the transfer of your information to these countries.

We ensure appropriate safeguards are in place for international transfers, including:

• Standard contractual clauses
• Adequacy decisions
• Other legal mechanisms as required

10. EU/UK Privacy Rights

If you are in the EU or UK, you have additional rights under GDPR:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of your data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing of your data
• Right to Withdraw Consent: Withdraw consent for data processing

To exercise these rights, contact us at hi@creamsql.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email to your registered address
• Notice within the Service
• Updated "Last Updated" date

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Data Controller Information

Data Controller: CreamSQL

Address: Utah, USA

Email: hi@creamsql.com

For EU/UK residents, if you have questions or concerns about our data practices, you can also contact your local data protection authority.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: hi@creamsql.com
• Address: Utah, USA

14. Specific Data Practices

14.1 Database Connections

• Connection credentials are encrypted and stored securely
• We do not access your databases except as necessary to execute queries you request
• You are responsible for ensuring you have proper authorization to access databases

14.2 Query Storage

• Queries you write are stored on our servers
• Query results are NOT stored unless you explicitly save them
• You can delete queries at any time

14.3 Schema Caching

• We cache database schema information to improve performance
• Schema information includes table names, column names, and data types
• This information is used for AI features and query assistance

14.4 Collaboration Features

• When you collaborate, your edits and cursor position are shared with other users in real-time
• Collaboration data is processed by Liveblocks and is not permanently stored

14.5 Vector Embeddings

• For AI features, we generate and store vector embeddings of your schema information
• These embeddings are used to find relevant tables/columns for AI queries
• Embeddings are stored per organization and are isolated from other organizations