Privacy Policy

Download (.md)

Effective Date: 2026-04-27

By using or accessing our App or website, you acknowledge awareness of the practices and policies outlined below, and consent that we will process your personal data as described in this Privacy Policy.

We may modify this Privacy Policy from time to time. We will notify you of material changes by email or within the App at least 30 days before the changes take effect.

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Organisation name (if applicable)
  • Authentication credentials (managed through Supabase Auth)

We automatically collect certain information when you use the App:

  • IP addresses (truncated to the first two bytes for analytics; full IP retained only in security logs)
  • Browser type and version
  • Device information
  • Access times and dates
  • Features used within the App
  • Error logs and performance data

If you subscribe to paid services, our payment processor (Stripe) collects:

  • Billing name and address
  • VAT registration number (if applicable)
  • Payment card information (processed securely by Stripe; we do not store full card details)

To connect to your object stores, we collect and securely store:

  • Storage connection credentials, encrypted at rest in Supabase Vault
  • Storage provider information (Azure Blob Storage, Amazon S3, Google Cloud Storage, or local paths)

1.5Sandbox Content (Optional)

If you choose to use the Eddytor-hosted sandbox (AWS eu-west-1, Ireland) instead of connecting your own object store, the data you place into the sandbox is stored on our infrastructure for the duration of your account. Sandbox data is deleted immediately upon account cancellation or downgrade away from the sandbox.

If you enable AI Actions ("magic dust") or connect an LLM through Eddytor, we collect:

  • The LLM provider you select (OpenAI, Google Gemini, Anthropic Claude, or a self-hosted Ollama endpoint)
  • API keys or endpoint configuration you provide, encrypted at rest in Supabase Vault
  • Your Content (the data you store in Lakehouse tables, your schemas, your queries, your business data) belongs entirely to you or your organisation.
  • Where you connect your own object store, Your Content is stored in object stores that YOU control (Azure Blob Storage, Amazon S3, Google Cloud Storage, or local filesystem). Eddytor does NOT store copies of Your Content on our servers.
  • Where you use the Eddytor-hosted sandbox, Your Content is stored on our infrastructure solely to provide the sandbox functionality and is deleted immediately on cancellation.
  • Eddytor does NOT have persistent access to Your Content outside of active sessions.
  • Eddytor does NOT use Your Content for any purpose other than providing the service you requested.
  • Eddytor does NOT use Your Content to train, fine-tune, or evaluate machine learning or AI models — neither our own nor any third party's.

When you use Eddytor, we process Your Content in-memory to:

  • Execute queries you request
  • Perform data operations (insert, update, delete, merge)
  • Apply schema changes
  • Enforce column constraints
  • Execute AI Actions you initiate (forwarding only the data necessary to fulfil the request to your selected LLM provider)

This processing is transient and performed solely to deliver the functionality you requested.

When you initiate an AI Action, Eddytor transmits the data necessary to perform that action to the LLM provider you have selected. Your relationship with that LLM provider — including data handling, retention, and any training opt-outs — is governed by your agreement with that provider. Eddytor is not a party to and is not responsible for the LLM provider's use or retention of data submitted through your selected provider, except where you use a local Ollama endpoint that Eddytor itself hosts and maintains, in which case we apply the same "no training, no retention beyond the session" guarantee that applies to Eddytor-hosted services.

We use the information we collect to:

  • Provide, maintain, and improve the App
  • Process transactions and send related information
  • Send administrative information (updates, security alerts, support messages)
  • Respond to your comments, questions, and support requests
  • Monitor and analyse usage patterns and trends (using Matomo with anonymised IP truncation)
  • Detect, prevent, and address technical issues
  • Protect against fraudulent or illegal activity

We do NOT sell, rent, or trade your personal information. We may share information only in the following circumstances:

We share information with subprocessors who perform services on our behalf. The current list of subprocessors is published at https://www.eddytor.com/subprocessors. Subprocessors are contractually obligated to protect your information and use it only for the services they provide to us.

We will provide at least 30 days' notice (by email or in-app) before adding a new subprocessor or replacing an existing one.

If a subprocessor materially breaches GDPR, sells personal data, or commences training on customer data without authorisation, we will take action to terminate or replace that subprocessor as soon as commercially reasonable. We cannot, however, be held liable for the independent acts of a subprocessor.

We may disclose information if required by law or in response to valid legal requests by public authorities.

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

We implement appropriate technical and organisational measures to protect your information:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest (Supabase Vault for credentials and tokens)
  • Secure authentication mechanisms
  • Regular security assessments
  • Access controls and audit logging

We are following industry best practices with the goal of obtaining SOC 2 certification. We are not currently certified.

In the event of a personal data breach affecting your information, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR, and will notify affected users without undue delay where required by Article 34 GDPR.

No method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

  • Account Information: Retained while your account is active. On deletion, account data is deleted immediately, except where outstanding payment is owed, in which case the minimum information required to recover the debt is retained until the debt is settled or written off.
  • Usage Logs: Retained for up to 90 days for operational and security purposes.
  • Sandbox Content: Retained while your account is active and deleted immediately on cancellation or downgrade.
  • Your Content (BYO storage): We do not retain Your Content. It exists only in your object stores under your control.
  • Billing Records: Retained for the period required by Danish bookkeeping law (currently 5 years).

Depending on your location, you may have the following rights:

You may request access to the personal information we hold about you. Account data export is available self-service in the App.

You may request correction of inaccurate personal information.

You may delete your account self-service in the App. Account data is deleted immediately, except as noted in Section 6.

Your Content is already in your control in standard, open Lakehouse table formats, which you can access directly through your object store. Sandbox Content can be exported self-service.

You may object to or request restriction of certain processing activities.

We respond to data subject requests within one calendar month of receipt, in accordance with Article 12(3) GDPR. We may extend this period by two further months for complex requests, with notice.

To exercise these rights, contact us at privacy@eddytor.com.

Eddytor's self-developed services run in Hetzner Helsinki (Finland, EU). Our subprocessors are primarily located in the EU (Supabase eu-north-1 in Stockholm, AWS eu-west-1 in Ireland for sandbox).

Where you select an LLM provider that processes data outside the EU/EEA (such as OpenAI, Google Gemini, or Anthropic Claude in their default regions), data sent to that provider in the course of fulfilling AI Actions you initiate may be transferred outside the EU/EEA. Such transfers are governed by your agreement with the LLM provider.

For any subprocessor we engage that operates outside the EU/EEA, we ensure appropriate safeguards are in place (typically Standard Contractual Clauses) in compliance with applicable data protection laws.

The App is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.

We use cookies only for authentication and session management. We do not use cookies for advertising or third-party tracking.

We use Matomo for analytics. Matomo is configured to:

  • Anonymise IP addresses by truncating to the first two bytes
  • Process analytics data within the EU
  • Operate without third-party data sharing

You can control cookies through your browser settings.

The App may contain links to third-party websites. We are not responsible for the privacy practices of these websites.

We may update this Privacy Policy from time to time. We will notify you at least 30 days before any change takes effect, by email or through the App. Your continued use of the App after such modifications constitutes your acknowledgement of the modified Privacy Policy.

For GDPR-related inquiries, contact our Data Protection Officer at dpo@eddytor.com.

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Eddytor ApS CVR: DK42920673 Email: privacy@eddytor.com Website: https://www.eddytor.com

For general support: support@eddytor.com

By using the App, you acknowledge that you have read and understood this Privacy Policy.

Eddytor ApS