Privacy Policy

Your privacy matters. Datost is designed with privacy-first principles.

Last updated: March 2026

Information We Collect

When you create an account, we collect your name, email address, and organization details. When you connect data sources via OAuth (such as Google BigQuery or Firestore), we receive an access token and refresh token scoped to the permissions you authorize. We do not collect or store your Google account password. We also collect usage data such as feature interactions, query metadata (not query content), and error logs to improve our service.

Data Processing

Datost is designed with a "bring your own cloud" architecture. Your data stays in your infrastructure. We never see, store, or process your raw database content. Queries execute directly against your data sources within your environment. For cloud-hosted data sources connected via OAuth, queries are executed on your behalf using the authorized credentials you provide.

Google API Services

Datost's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. When you connect Google BigQuery or Firestore, we request only the minimum scopes necessary: read-only access to BigQuery data and project listing for Firestore. OAuth tokens are encrypted at rest using AES-256-GCM and are used solely to execute queries and list projects on your behalf. We do not use Google user data for advertising, serving ads, or determining credit-worthiness. We do not sell or transfer Google user data to third parties, including advertising platforms, data brokers, or information resellers. Datost employees do not access your Google user data unless you provide explicit consent, it is necessary for security investigation, it is required by law, or the data is aggregated and anonymized for internal operations. All employees, agents, and contractors are bound by these Limited Use restrictions.

AI Processing

When using AI features, queries are processed through Anthropic's Claude API according to their privacy policy. Datost does not store query content beyond the active session. AI-generated SQL queries are presented for your review before execution. You can configure data retention policies per your compliance requirements.

Data Security

All credentials, OAuth tokens, and configurations are encrypted using AES-256-GCM with organization-specific derived keys. Database queries run directly from your infrastructure to your databases. We use PKCE (Proof Key for Code Exchange) for all OAuth flows to prevent authorization code interception. All data in transit is encrypted via TLS 1.2 or higher.

Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers necessary to operate Datost: cloud infrastructure providers (for hosting), AI processing providers (Anthropic, for AI-powered query features), payment processors (for billing), and analytics providers (for service improvement). All service providers are bound by contractual data protection obligations. We do not share data between customers or with unauthorized third parties. We may disclose information if required by law, to comply with legal process, or to protect our legal rights. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, and we will notify you before your data becomes subject to a different privacy policy.

Your Rights

You have the right to access, correct, or delete your personal information at any time. You can disconnect OAuth integrations and revoke access tokens from your account settings. You can request a copy of your data or ask us to delete your account by contacting support@datost.com. If you are in the EU, you have additional rights under GDPR including data portability and the right to lodge a complaint with a supervisory authority. California residents have rights under the CCPA including the right to know, delete, and opt out of the sale of personal information.

Cookies

We use essential cookies to maintain your session and authentication state. We do not use third-party advertising cookies. Analytics cookies are used only to understand how users interact with our service and can be disabled in your browser settings.

Data Retention

We retain your account information for as long as your account is active. OAuth tokens are stored only while the integration is connected and are deleted upon disconnection. Query history and logs can be configured based on your compliance requirements. When you delete your account, all associated data is permanently removed within 30 days.

Changes

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of Datost after changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions, data requests, or to request our security documentation, please contact us at support@datost.com.