Privacy Policy

Last Updated: March 27, 2025

Tembo Data Systems, Inc. ("dba", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information about you when you use our websites, products, and services (collectively, the "Services").

Please read this Privacy Policy carefully. By using our Services, you agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not access or use the Services.

1. Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use the Services, and information from third-party sources.

Information You Provide to Us

We collect information you provide when you:

• Create an account (email address, name, password)
• Complete forms or profiles (company name, job title, contact information)
• Connect your database or infrastructure (connection credentials, configuration settings)
• Communicate with us (questions, feedback, support requests)
• Make payments (billing information, payment card details through our payment processors)

Database Information

When you connect your database to our service, we collect information such as:

• Database metrics and statistics (performance data, query patterns, resource usage)
• Log data (error messages, system events)
• Schema information (table structures, indexes, constraints)
• Configuration details (database settings, parameters)

We do not access or store the actual data contents of your database tables unless explicitly requested by you for troubleshooting purposes.

Information We Collect Automatically

When you use our Services, we automatically collect certain information, including:

• Usage data (features used, actions taken, frequency and duration of use)
• Device information (IP address, browser type, operating system)
• Log data (access times, pages viewed, error logs)

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process transactions and manage your account
• Send technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and customer service requests
• Develop new products, services, and features
• Monitor and analyze trends, usage, and activities in connection with our Services
• Detect, investigate, and prevent security incidents and other malicious, fraudulent, or illegal activity
• Comply with legal obligations and enforce our terms and policies

3. AI Features and Data Processing

To provide its features, dba makes AI requests to our server. This happens for many different reasons. For example, we send AI requests when you ask questions in chat, and we also send AI requests in the background for building up context or looking for issues to show you.

An AI request generally includes context such as your recently viewed files, your conversation history, and relevant pieces of code based on language server information. This code data is sent to our infrastructure on AWS, and then to the appropriate language model inference provider. Note that the requests always hit our infrastructure on AWS even if you have configured your own API key in the settings.

We currently do not have the ability to direct-route from dba to your enterprise deployment of OpenAI/Azure/Anthropic. We may be able to provide a self-hosted server deployment option.

You own all the code generated by dba.

4. How We Share Your Information

We may share information about you as follows:

• With vendors, service providers, and consultants that perform services for us
• In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company
• Between and among dba and our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership
• When we believe in good faith that disclosure is necessary to comply with applicable law, regulation, or legal process
• To protect the rights, property, and safety of dba, our users, and the public
• With your consent or at your direction

5. Infrastructure Security

We depend on the following subprocessors, organized from most critical to least. Note that data is sent to our servers to power all of dba's AI features.

• AWS Sees database and code data Our front-end and API application infrastructure are hosted on AWS. All servers are in the US.
• Tembo Cloud Stores metadata about system state Our API stores its data in Postgres databases supplied by Tembo Cloud, a powerful Postgres service that the dba team has seperately created and operates.
• Anthropic Sees database and code data We rely on many of Anthropic's models to give AI responses. We have a zero data retention agreement with Anthropic.
• LangFuse Sees database and code data We use Langfuse for traces, evals, prompt management and metrics to debug and improve our LLM processes.
• Sentry Sees no database or code data We use Sentry for exception tracking.
• Slack Sees no database or code data We use Slack as an internal communication tool. We may send snippets of prompts in our internal chats for debugging.
• Linear Sees no database or code data We use Linear as an internal communication tool. We may send snippets of prompts in our internal issues for debugging.
• Plausible Sees no database or code data We use Plausible for user analytics. No code data is stored with Plausible; only event data such as "number of page views" or "user actions".
• Stripe Sees no database or code data We use Stripe to handle billing. Stripe will store your personal data (name, credit card, address).
• Clerk Sees no database or code data We use Clerk to handle auth. Clerk may store some personal data (name, email address).

None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge none of our subprocessors do either.

We assign infrastructure access to team members on a least-privilege basis. We enforce multi-factor authentication for AWS. We restrict access to resources using both network-level controls and secrets.

6. Certifications and Third-Party Assessments

dba is SOC 2 Type 1 certified. Please email hi@dba.ai to request a copy of the report.

We commit to doing at-least-annual penetration testing by reputable third parties. Please email hi@dba.ai to request an executive summary of the latest report.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information, including:

• Access: You can request a copy of the personal information we hold about you.
• Correction: You can request that we correct inaccurate or incomplete information.
• Deletion: You can request that we delete your personal information in certain circumstances.
• Restriction: You can request that we restrict the processing of your information in certain circumstances.
• Data portability: You can request a copy of your information in a structured, commonly used, and machine-readable format.
• Objection: You can object to our processing of your information in certain circumstances.

To exercise any of these rights, please contact us at privacy@dba.ai.

8. Account Deletion

You can delete your account at any time in the Settings dashboard (click "Advanced" and then "Delete Account"). This will delete all data associated with your account. We guarantee complete removal of your data within 30 days (we immediately delete the data, but some of our databases and cloud storage have backups of no more than 30 days).

It's worth noting that if any of your data was used in model training (which would only happen if you were not on privacy mode at the time), our existing trained models will not be immediately retrained. However, any future models that are trained will not be trained on your data, since that data will have been deleted.

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.

When we no longer need to use your personal information, we will remove it from our systems and records and/or take steps to anonymize it so that you can no longer be identified from it.

10. Children's Privacy

Our Services are not intended for children under 16 years of age. We do not knowingly collect or solicit personal information from children under 16. If we learn we have collected personal information from a child under 16, we will delete that information as quickly as possible. If you believe that a child under 16 may have provided us with personal information, please contact us at privacy@dba.ai.

11. International Data Transfers

dba is based in the United States and the information we collect is governed by U.S. law. If you are accessing the Services from outside of the U.S., please be aware that information collected through the Services may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. Your use of the Services or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the U.S. and other jurisdictions as set out in this Privacy Policy.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information. This section describes your CCPA rights and explains how to exercise those rights.

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. You also have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.

To exercise the rights described above, please submit a verifiable consumer request to us by emailing privacy@dba.ai.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the email address specified in your account) or by means of a notice on our website prior to the change becoming effective.

14. Vulnerability Disclosures

If you believe you have found a vulnerability in dba, please email security@dba.ai.

We commit to acknowledging vulnerability reports within 5 business days, and addressing them as soon as we are able to. We will publish the results in the form of security advisories on our GitHub security page. Critical incidents will be communicated both on the GitHub security page and via email to all users.

15. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@dba.ai.