How SchemaChat handles customer and workspace data

SchemaChat is a hosted AI analytics platform that enables businesses to connect data sources, generate insights, and build charts through natural language. References to "SchemaChat", "we", "us", or "our" in this policy refer to the operator of the SchemaChat service.

This policy applies to all visitors to our website, users of our application, and anyone whose personal data we process in connection with providing our services.

Account information: When you register, we collect your name, email address, password (stored in hashed form), authentication method (email/password or Google OAuth), account creation date, and subscription status.

Workspace and billing information: We collect workspace name, plan type, billing cycle, payment records (processed by Paddle — we do not store full card details), and subscription history.

Usage data: We collect information about how you use the Service, including AI questions asked, data sources connected, schema metadata, table names, column structures, SQL queries generated, charts created and saved, feature interactions, and session timing.

Technical data: We may collect IP address, browser type and version, operating system, device type, referring URLs, and general location (country/region derived from IP) for security, analytics, and service improvement purposes.

Support and communications: If you contact us for support, we collect the content of your messages, your email address, and any attachments or diagnostic information you share.

Data source metadata: For connected databases, we store connection configuration (credentials are encrypted at rest), schema information (table names, column names, data types), row counts, and limited query result previews used to generate AI responses.

Service delivery: To authenticate you, operate your workspace, enforce plan limits, generate AI-powered analytics, execute read-only queries against your connected data sources, display results and charts, and maintain your conversation history.

Billing and account management: To process subscription payments through Paddle, send billing receipts and renewal reminders, handle upgrades and downgrades, and enforce plan-level feature access.

Communications: To send transactional emails (account confirmation, password reset, billing notifications, usage alerts), service announcements, and — where you have opted in — product updates and feature announcements.

Security and compliance: To detect and prevent fraud, unauthorised access, abuse, and other harmful activity; to comply with legal obligations; to enforce our Terms of Service; and to protect the rights, property, and safety of SchemaChat, our users, and the public.

Product improvement: To analyse aggregate usage patterns, diagnose performance issues, test new features, and improve the reliability and quality of the Service. We use anonymised or aggregated data where possible for these purposes.

If you are located in the UK or European Economic Area, we process your personal data under the following legal bases: (a) Contract — processing necessary to provide the Service you have signed up for; (b) Legitimate interests — analytics, security, fraud prevention, and product improvement, balanced against your rights; (c) Legal obligation — where processing is required by applicable law; (d) Consent — where you have explicitly opted in, such as for marketing communications.

You may withdraw consent at any time where consent is the basis for processing. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

We use cookies and similar technologies to authenticate sessions, remember preferences, maintain security tokens, and — where you consent — to analyse aggregate usage through Google Analytics.

Strictly necessary cookies (authentication tokens, CSRF protection, session management) are required for the Service to function and cannot be disabled. Analytics and preference cookies are optional and can be declined at any time.

We do not use advertising cookies, cross-site tracking pixels, or share your data with advertising networks.

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

Service providers: We use trusted third-party providers to host infrastructure (cloud hosting), process payments (Paddle), send transactional emails (Resend), and provide AI model capabilities (Groq). These providers access data only as needed to perform services on our behalf and are bound by confidentiality obligations.

Legal requirements: We may disclose information if required by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights or safety of SchemaChat, our users, or others.

Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred as part of that transaction. We will notify affected users before such a transfer occurs.

With your consent: We may share information in other ways with your explicit permission.

We retain your account and workspace data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required to meet legal obligations, resolve disputes, prevent fraud, or enforce our agreements.

Backup copies may persist for up to 90 days after deletion before being permanently purged from all systems. Aggregated, anonymised analytics data may be retained indefinitely.

AI conversation history, saved charts, and data source connections are deleted upon account deletion or workspace closure. Billing records are retained for 7 years in accordance with financial record-keeping obligations.

SchemaChat operates globally. Your information may be processed and stored in countries outside your country of residence, including the United Kingdom, the European Economic Area, and the United States. Where transfers occur from the UK or EEA to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses.

By using the Service, you acknowledge that your information may be transferred to and processed in these locations.

We implement commercially reasonable technical and organisational security measures to protect your data against unauthorised access, accidental loss, destruction, or alteration. These measures include: encrypted storage of database credentials; HTTPS encryption for all data in transit; access controls restricting employee access to personal data; read-only query enforcement for all AI-generated database interactions; and regular security reviews.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that poses a significant risk to your rights, we will notify affected users as required by applicable law.

SchemaChat is intended for use by individuals who are at least 16 years of age (or the applicable age of digital consent in your country). We do not knowingly collect personal information from children under this age. If we become aware that a child has registered, we will delete their account and associated data promptly.

If you believe a child has created an account, please contact us at privacy@schemachat.co.

Depending on your location, you may have the following rights regarding your personal data: (a) Access — to request a copy of the personal data we hold about you; (b) Rectification — to correct inaccurate or incomplete data; (c) Erasure — to request deletion of your personal data where there is no compelling reason for us to continue processing it; (d) Restriction — to request that we restrict processing of your data in certain circumstances; (e) Portability — to receive your data in a machine-readable format; (f) Objection — to object to processing based on legitimate interests; (g) Withdraw consent — at any time where consent is the legal basis.

To exercise any of these rights, please email privacy@schemachat.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the UK Information Commissioner's Office).

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and how it is used, the right to delete personal information, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination for exercising your rights.

To submit a CCPA request, contact privacy@schemachat.co with the subject line "CCPA Request".

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a prominent notice in the Service at least 14 days before they take effect. The "Effective date" at the top of this page indicates when the policy was last updated.

We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions, data requests, or to exercise your rights, please contact us at privacy@schemachat.co. For general support enquiries, use the in-app support form or contact support@schemachat.co.