This policy explains how Blaze Analytics vGmbH ("BlazeSQL," "we," "us") collects, processes, stores, and protects personal data when you use our website (blazesql.com) and AI-powered SQL analytics service ("the Service").
For detailed information about our security measures and infrastructure, see our Security Overview.
Personal Data We Collect
Account Data
Email address and password — for authentication and account management
Name and role — to personalize your experience and for team management
Service Data
Database metadata: Schema names, table names, column names, and data types from databases you connect. This is the minimum data BlazeSQL needs to generate SQL queries. Stored encrypted on our servers.
Unique values for categorical columns (optional): Column value samples to improve query accuracy. Stored encrypted.
Database credentials: Stored encrypted on our servers to execute queries on your behalf. This applies to all deployment models. Exceptions: SQL Server connections using Windows Authentication use your device credentials and do not require cloud-stored credentials. Connections using Entra Authentication are token-based and do not require stored credentials.
Chat messages: Your natural language questions and BlazeSQL's responses. Stored encrypted.
Query results — Desktop app: With offline mode enabled (on by default), stored locally on your device and not sent to our servers. Disabling offline mode sends results to our servers for deeper analysis.
Query results — Web app: Stored encrypted on our servers for dashboards, sharing, and quick access.
Query results — Database Connection API: Stored locally on your device, with the same isolation as the Desktop app.
Saved queries and dashboards: Stored encrypted for your ongoing use.
Technical Data
Server logs: IP address, browser type, referring pages, timestamps.
Usage data: We collect aggregated, anonymized usage statistics to improve the Service. These are not tied to individual queries or users.
Google API Data
If you connect BigQuery databases via Google APIs, our use of that data adheres to the Google API Services User Data Policy, including Limited Use requirements.
Legal Bases for Processing (GDPR Article 6)
Purpose | Legal Basis |
Providing the Service | Performance of contract (Art. 6(1)(b)) |
Account authentication | Performance of contract (Art. 6(1)(b)) |
Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
Product improvement (aggregated analytics) | Legitimate interest (Art. 6(1)(f)) |
Marketing communications | Consent (Art. 6(1)(a)) |
Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
How We Use Your Data
To provide the Service: Generating SQL queries, running them against your database, returning results, enabling dashboards and collaboration.
To maintain and improve the Service: Monitoring performance, fixing bugs, improving features based on aggregated usage patterns.
To communicate with you: Service notifications, support responses, and (with consent) product updates.
To ensure security: Detecting and preventing unauthorized access, fraud, and abuse.
We do not:
Sell or share personal data with third parties for advertising or marketing
Use customer data to train AI models (unless explicitly opted in via separate agreement)
Access your data for any purpose other than providing the Service
Automated Decision-Making (GDPR Article 22)
BlazeSQL uses artificial intelligence to process your natural language questions and generate SQL queries. This AI processing is integral to providing the Service and operates as follows:
What the AI does: Interprets your questions, generates SQL queries, and (when enabled) analyzes query results to provide summaries and insights.
What the AI does not do: It does not make decisions that produce legal effects or similarly significant effects on you. It does not profile users for automated decision-making purposes.
Human oversight: All AI-generated queries are visible to you before execution. You control which queries run against your database.
Zero Data Retention: AI model calls are made with Zero Data Retention enabled — your data is not stored by Google and is not used for model training.
Subprocessors
We use the following third-party services to provide BlazeSQL:
Subprocessor | Purpose | Data Processed | Location |
Google Cloud Platform (GCP) | Cloud infrastructure, data storage, computing | All service data | EU / US (configurable for enterprise) |
Google Vertex AI | AI model inference (with Zero Data Retention enabled) | Chat prompts (not retained) | EU / US |
Google Cloud Firestore | Database for application data storage | Account data, metadata, query results | Per GCP region |
Intercom | Customer support live chat | Name, email, support conversations | EU (Netherlands / Germany) |
Stripe | Payment processing | Payment details, billing email, transaction data | US |
Zero Data Retention (ZDR) is enabled on all Vertex AI model calls. Google does not store prompts, responses, or customer data from these calls, and does not use them for model training. See Google's ZDR documentation.
International Data Transfers
Blaze Analytics vGmbH is based in Luxembourg (EU). Data processed within the European Economic Area requires no additional transfer mechanism.
For any processing that involves transfers outside the EEA (including subprocessors based in the US such as Stripe), we rely on:
EU Standard Contractual Clauses (SCCs) as approved by the European Commission
Google Cloud Platform's data processing terms, which include SCCs for international transfers
Enterprise customers can request deployment in specific GCP regions to meet data residency requirements. Contact [email protected] for regional deployment options.
Data Retention
Account data: Retained while your account is active. Deleted upon account termination.
Service data (chats, queries, dashboards, results): Retained until you delete them or close your account. Self-service deletion is available at any time.
Server logs: Retained for a minimum of 1 year for security and audit purposes. Available for audit or deleted upon request.
Backups: Retained for up to 30 days following deletion, then permanently removed.
Data Breach Notification
In the event of a personal data breach, BlazeSQL will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Where a breach is likely to result in a high risk to individuals' rights and freedoms, affected data subjects will be notified directly in accordance with GDPR Article 34.
Your Rights
Under GDPR (and similar regulations where applicable), you have the right to:
Right | How to Exercise |
Access your personal data | Contact [email protected] or use in-app data export |
Rectify inaccurate data | Update your profile in-app or contact support |
Erase your data ("right to be forgotten") | Use self-service deletion in-app, or contact support for bulk deletion |
Export your data (portability) | Request machine-readable export via support (fulfilled within 14 days) |
Restrict processing | Contact [email protected] |
Object to processing | Contact [email protected] |
Withdraw consent for marketing | Unsubscribe link in any marketing email |
Not be subject to solely automated decisions | See "Automated Decision-Making" section above |
Lodge a complaint | Contact your local data protection authority |
Requests are fulfilled within 30 days (or 14 days for data export), as required by applicable law.
Cookies and Tracking Technologies
Marketing Website (blazesql.com)
The BlazeSQL marketing website uses cookies for analytics, marketing attribution, and consent management. Cookie consent is managed via Cookiebot — you can review and adjust your preferences at any time through the cookie banner.
The following third-party services may set cookies on the marketing website:
Service | Purpose | Cookie Examples |
Cookiebot | Cookie consent management | CookieConsent |
Google Analytics | Website analytics | _ga, _ga_* |
Google Tag Manager | Tag management | (manages other tags) |
Google Ads | Conversion tracking | _gcl_au |
HubSpot | CRM and marketing automation | hubspotutk, __hstc, __hssc |
Microsoft Clarity | Session recording and heatmaps | _clck, _clsk |
Facebook/Meta Pixel | Advertising | _fbp |
LinkedIn Insight | B2B advertising | _lfa (via Leadfeeder) |
PostHog | Product analytics | ph_phc_* |
These cookies are only set with your consent (except strictly necessary cookies like Cookiebot's consent cookie).
Product (blazesql.com/app)
The BlazeSQL product uses essential cookies only:
Session cookies: Maintain your logged-in state. Strictly necessary for the Service to function.
Authentication tokens: Stored in local storage or session storage to maintain your session.
Chat widget: Sets a first-party session cookie for live chat support.
User preferences: Local storage may be used for UI preferences (e.g., theme, layout settings).
The product does not use advertising, analytics, or tracking cookies. No third-party tracking cookies are set within blazesql.com/app.
California Residents (CCPA/CPRA)
California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. BlazeSQL does not sell personal information. To exercise your rights, contact [email protected].
Children's Privacy
BlazeSQL is not directed at individuals under 16. We do not knowingly collect personal data from children.
Changes to This Policy
We will notify you of material changes at least 30 days before they take effect, via email or in-app notification. The "Last Updated" date at the top of this page reflects the most recent revision.
Data Protection Contact
Given the nature and scale of our data processing, BlazeSQL has designated a data protection contact reachable at [email protected]. Questions about data protection can be directed there.
Privacy Contact: [email protected]
Enterprise privacy requirements: [email protected]
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For Luxembourg residents, this is the Commission Nationale pour la Protection des Données (CNPD).
© Blaze Analytics vGmbH (LU35935057), 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg
