Dataomen Privacy Policy

1. Definitions

To ensure absolute clarity regarding data handling, the following definitions apply throughout this Policy:

• “Account Data” refers to personally identifiable information (PII) and billing details required to create your account, identify you as a user, and process payments.
• “Customer Data” refers to all proprietary enterprise data, database schemas, synced records, uploaded files, and raw metrics that you ingest, upload, or connect to the Services for analytical processing.
• “Subprocessor” refers to verified third-party infrastructure providers (e.g., Cloudflare, Vercel, Stripe) that Dataomen utilizes to deliver the Service.
• “LLM Providers” refers to third-party providers of Large Language Models (e.g., OpenAI, Anthropic) utilized for instantaneous AI inference under strict zero-retention agreements.

2. The Information We Collect

To provide our multi-tenant analytical architecture, we collect specific categories of information based on your interactions with the platform.

A. Account Information (Identity Data)

When you register for Dataomen, our authentication infrastructure (managed via Supabase) collects strictly necessary identity data to provision your logical tenant environment. This includes:

• Full name and corporate affiliation.
• Business email address.
• Cryptographic password hashes and authentication tokens.
• Multi-factor authentication (MFA) setup details (if enabled).

B. Billing Information (Financial Data)

If you subscribe to a paid compute or storage tier, you must provide valid payment information. Our third-party payment processor (Stripe) collects and processes this data on our behalf.

• This includes your billing address, corporate tax ID, and transaction history.
• Dataomen does not directly store, process, or transmit your raw credit card numbers or primary account numbers (PAN). All financial handling is tokenized and compliant with PCI-DSS standards via Stripe.

C. Customer Data (Ingested Payloads)

This category encompasses the core operational data you bring to the platform. You retain 100% ownership of this data. We collect and process this data only upon your explicit instruction (e.g., configuring a sync engine or uploading a file). This includes:

• Integration Payloads: Data synchronized via our API connectors from external platforms such as Shopify, Salesforce, Snowflake, and Stripe.
• File Uploads: Raw CSV, JSON, and Parquet files uploaded to our ingestion drop zones.
• Database Schemas: Metadata regarding the structure of your data used to facilitate accurate natural-language-to-SQL (nl2sql) translations.

D. Telemetry, Usage, and Analytical Prompts

To ensure infrastructure stability, optimize vectorized execution pipelines, and calculate compute-based billing, we automatically collect diagnostic and usage information:

• AI Prompts & Queries: The natural language prompts you submit to our semantic router and the resulting DuckDB SQL queries generated.
• System Telemetry: API latency metrics, synchronization success/failure rates, DuckDB compute memory utilization, and storage scan volumes.
• Device and Network Data: IP addresses, browser user agents, operating system types, and timestamped access logs.

3. How We Use Your Information

Dataomen adheres to the principle of data minimization. We strictly limit the processing of your data to the following operational and legal necessities:

A. Executing the Core Service

• Vectorization and Analysis: Processing, normalizing, and vectorizing your Customer Data to execute high-speed analytical queries and render declarative React-based dashboards.
• Semantic Routing: Routing your natural language prompts through our LLM pipelines to generate accurate SQL commands specific to your data schema.

B. Account Management and Support

• Authentication: Verifying your identity and maintaining secure sessions via Supabase.
• Billing: Calculating compute usage, processing subscription renewals, and issuing invoices.
• Customer Support: Investigating failed API synchronizations, diagnosing query logic errors, and responding to your direct inquiries.

C. Security and Infrastructure Health

• Anomaly Detection: Monitoring telemetry via our watchdog services to identify and terminate runaway recursive queries, memory exhaustion events, or unauthorized scraping attempts.
• Threat Mitigation: Flagging suspicious login locations or attempts to bypass multi-tenant isolation boundaries.

4. Artificial Intelligence & Data Processing (ZERO TRAINING GUARANTEE)

5. Data Sharing and Subprocessors

Dataomen does not sell, rent, or trade your Account Data or Customer Data to any third parties, data brokers, or advertising networks.

We share information solely with verified third-party infrastructure providers (Subprocessors) strictly required to operate our modular SaaS pipeline. By using the Services, you consent to the processing of your data by the following categories of Subprocessors:

• Authentication & Relational Database: Supabase manages encrypted user credentials, role-based access control (RBAC), and relational metadata state.
• Edge Computing & Storage: Cloudflare provides our Web Application Firewall (WAF), global edge routing, and highly durable object storage (Cloudflare R2) for Parquet files.
• Compute & Hosting Platforms: Vercel and Render host our frontend interfaces and orchestrate our backend Python API compute engines.
• Payment Processing: Stripe manages all secure financial transactions and subscription lifecycle events.
• AI Inference Providers: Proprietary LLM APIs used strictly for instantaneous, stateless query generation under the Zero-Retention policies detailed in Section 4.

6. Multi-Tenant Security and Data Protection

Dataomen implements enterprise-grade, defense-in-depth security architectures to protect your data. While your Customer Data resides on distributed cloud infrastructure shared with other customers, it is logically and cryptographically isolated.

• Cryptographic Tenant Isolation: Every single row of data, uploaded file, and cached schema is partitioned using a unique, immutable tenant_id.
• Row-Level Security (RLS): We enforce strict Row-Level Security policies at the database layer. Every analytical query generated by the AI or user is automatically wrapped in tenant-specific execution context, physically preventing any query from scanning rows belonging to a different tenant.
• Encryption at Rest and in Transit: All data transmitted between your browser, our APIs, and our Subprocessors is encrypted in transit using TLS 1.2/1.3. All Customer Data stored in Cloudflare R2 and Supabase is encrypted at rest using industry-standard AES-256 encryption.

Disclaimer: Despite our rigorous security protocols, no method of transmission over the Internet or electronic storage is entirely secure. We cannot guarantee absolute security against advanced persistent threats or zero-day vulnerabilities.

7. Data Retention, Sanitization, and Deletion

Dataomen enforces strict data lifecycle management to minimize liability and respect your data ownership.

• Active Accounts: We retain your Account Data and Customer Data for as long as your account is active and in good standing.
• Account Termination & 30-Day Grace Period: Upon the cancellation, termination, or suspension of your account (due to user request or non-payment), your data immediately enters a thirty (30) day frozen grace period. During this time, compute access is revoked, but data is held intact to allow for potential reactivation or data export.
• Permanent Sanitization (Hard Deletion): Upon the expiration of the 30-day grace period, our automated sanitization protocols execute irreversible hard deletions of your entire logical environment. This includes purging all Customer Data, AI memory caches, synchronized integration databases, and uploaded files across Cloudflare R2 and Supabase.
• Irreversibility: Once the sanitization protocol completes, your data cannot be recovered under any circumstances.

8. Global Data Privacy Rights

Dataomen operates globally and respects international privacy frameworks, including the UAE Personal Data Protection Law (PDPL), the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA). Depending on your jurisdiction, you possess specific rights regarding your Account Data and Customer Data:

• Right to Access / Know: You have the right to request a comprehensive report of the Account Data we hold about you.
• Right to Portability: You may export your normalized Customer Data, analytical outputs, and query histories directly via the platform dashboard at any time.
• Right to Rectification: You may update, correct, or complete inaccurate Account Data via your account settings.
• Right to Erasure (“Right to be Forgotten”): You may request the immediate execution of our data sanitization protocols to permanently delete your Account Data and Customer Data prior to the standard 30-day grace period by contacting us.
• Right to Restrict Processing: You may request that we temporarily halt processing your data while a legal dispute is resolved.

To exercise any of these Data Subject Rights (DSR), please submit a formal request to legal@dataomen.com. We will authenticate your identity and respond to your request within thirty (30) days as required by law.

9. Cookies and Tracking Technologies

Our React-based frontend dashboard utilizes specific tracking technologies strictly to ensure platform functionality and security. We do not use third-party advertising or retargeting cookies within the authenticated SaaS application.

• Strictly Necessary Cookies: We rely on Supabase authentication tokens (stored in HTTP-only cookies or local storage) required to verify your session, maintain RLS context, and keep you securely logged into the platform. You cannot opt out of these if you wish to use the Service.
• Functional Storage: We utilize local storage to remember your explicit user interface preferences, such as dark/light mode toggles and sidebar collapse states.
• Performance and Analytics: We may utilize privacy-respecting product analytics to monitor page load times, API latency, and UI feature adoption. This data is aggregated and anonymized, used strictly to improve the engineering performance of the platform.

10. Third-Party Integrations and APIs

The core value of Dataomen relies on pulling data from third-party services (e.g., Shopify, Salesforce, Snowflake, Stripe) via our API integration modules.

If you explicitly authenticate and connect these third-party services, you authorize Dataomen to access, ingest, and process that data under the terms of this Privacy Policy. However, Dataomen is not responsible for the privacy practices, data collection policies, terms of service, or security breaches of Shopify, Salesforce, Snowflake, Stripe, or any other external API provider. We strongly encourage you to review the privacy policies of any third-party service before linking them to your Dataomen workspace.

11. Cross-Border Data Transfers

As a globally distributed cloud platform, Dataomen and its Subprocessors may transfer, process, and store your information in jurisdictions outside of your country of residence (including the United States and the European Union). By using the Services, you consent to the transfer of your data to these jurisdictions. We ensure that all cross-border transfers comply with applicable data protection laws by utilizing standard contractual clauses (SCCs) and requiring our Subprocessors to maintain rigorous, globally recognized security certifications (e.g., SOC 2 Type II, ISO 27001).

12. Children's Privacy

The Services are explicitly designed for enterprise, commercial, and professional use. Dataomen does not knowingly collect, process, or solicit personal information from individuals under the age of eighteen (18). If we become aware that we have inadvertently collected personal data from a minor, we will immediately take steps to execute our sanitization protocols and delete such information.

13. Changes to this Privacy Policy

Dataomen reserves the right to update, modify, or completely overhaul this Privacy Policy at our sole discretion to reflect changes in our technology architecture, Subprocessor usage, or legal obligations.

If we make material changes to how we treat your Account Data or Customer Data (such as modifying our AI training stance), we will provide prominent notice by posting a banner on the platform dashboard and sending an email to the primary address associated with your account. Your continued use of the Services following the effective date of such updates constitutes your full acceptance of the revised Privacy Policy.

14. Contact Information and Data Protection Officer

If you have any questions, concerns, formal disputes, or requests regarding this Privacy Policy or our data handling practices, please contact our Legal and Data Protection team:

*For urgent security or privacy incidents, please include "URGENT: PRIVACY" in the subject line of your email to ensure expedited routing to our engineering and legal teams.*