← nlqdb

Privacy Policy

Effective: 24 April 2026

1. Who we are

nlqdb (“we”, “us”, or “the service”) is operated by the nlqdb team. You can reach us at hello@nlqdb.com.

2. What this policy covers

This policy applies to nlqdb.com, nlqdb.ai, any subdomain of either (e.g. app.nlqdb.com, docs.nlqdb.com), the nlq command-line tool, the nlqdb MCP server, and any SDKs or embeddable components we publish. We refer to all of these collectively as “the service.”

3. Information we collect

3.1 Information you provide

• Email correspondence. If you email hello@nlqdb.com or another *@nlqdb.com address, we receive the email itself (sender, subject, body, any attachments). Inbound email is forwarded via Cloudflare Email Routing to a private mailbox and is not stored by the service.
• Account information (Phase 1 onward). When account sign-in launches, we’ll collect the identity information you provide through your sign-in method — typically an email address and display name from GitHub, Google, or a magic-link flow. We will never ask for your password.
• Data you entrust to nlqdb (Phase 1 onward). Databases you create and the queries you run against them are stored so the service can return the correct answer. We treat this data as yours.

3.2 Information collected automatically

• Request metadata. Our edge (Cloudflare) records standard server logs: IP address, user agent, requested URL, response status, and timing. These are used to run and secure the service and are retained for a short period at Cloudflare’s discretion.
• Error reports. When the service encounters a bug it sends a structured error report to Sentry, our error-tracking provider. Error reports do not intentionally include your query contents or credentials; we scrub known-sensitive fields before sending.
• Analytics. We do not use third-party tracking or advertising cookies. Product analytics (once we wire them up) will run on Plausible, a privacy-respecting analytics platform that does not use cookies and does not collect personally identifying information.

3.3 Cookies and local storage

The service uses cookies and browser local storage only for functional purposes: session identification, CSRF protection, anonymous-mode continuity, and remembering your preferences. We do not use cookies for advertising or cross-site tracking.

4. How we use information

We use the information above to:

• Provide the service you asked for (create databases, run queries, return answers).
• Respond to your emails.
• Operate and secure the service, including abuse detection and rate limiting.
• Fix bugs and improve reliability.
• Comply with legal obligations.

We do not sell your information. We do not use your data to train general-purpose models on behalf of third parties. Query contents are not used to improve third-party AI services.

5. How we share information

We share information only with service providers we rely on to run nlqdb, and only as necessary:

• Cloudflare — edge, CDN, DNS, email routing, storage (KV, D1, R2).
• Neon — serverless Postgres for user databases.
• Upstash — serverless Redis (Phase 3).
• Resend — transactional outbound email (Phase 1).
• Sentry — application error reporting.
• LLM providers — to translate your natural-language question into a query plan, we send the question and the relevant schema summary to one of Google (Gemini), Groq, Cloudflare Workers AI, or OpenRouter. Plans are cached so the same question isn’t re-sent. We do not send your row data to these providers.

We may also disclose information if required by law, to protect the rights or safety of the service or its users, or in the course of a business transfer. We will not share your information for any other purpose without your consent.

6. Where your data is processed

The service is operated on Cloudflare’s global edge network. Tenant Postgres databases currently live in AWS us-east-1 via Neon. Some processing occurs in additional regions as traffic is routed to the nearest edge. By using the service you acknowledge that your information may be processed in the United States, Switzerland, and other countries that may have different data-protection laws than your own.

7. Data retention

We retain information only as long as necessary to provide the service and meet legal obligations. In practice:

• Email correspondence: retained in the founder’s mailbox unless you ask us to delete it.
• Account data (Phase 1+): retained while your account is active; deleted within 30 days of account deletion.
• Databases you create: retained while your account is active or until you delete them.
• Edge logs and error reports: retained according to provider defaults (typically 7–90 days).

8. Your rights

Depending on where you live, you may have the right to:

• Access the information we hold about you.
• Correct information that is inaccurate.
• Delete your information (“right to be forgotten”).
• Export your data in a portable format.
• Object to or restrict how we process your information.
• Withdraw consent at any time (where we rely on consent).

To exercise any of these, email hello@nlqdb.com. We will respond within 30 days. If you are in the EEA, UK, or California, you also have the right to lodge a complaint with your data protection authority.

9. Security

We design the service to minimize the sensitive data it holds. API keys are stored in hashed form (Argon2id). Traffic is encrypted end-to-end with TLS. Internal service-to-service calls are signed. No system is perfectly secure; we will notify affected users without undue delay if we discover a breach that affects their information.

10. Children

The service is not directed to children under 13 (or 16 in the EEA). If you believe a child has provided us with information, please contact us and we will delete it.

11. Changes to this policy

We may update this policy as the service evolves. We will post the updated version at this URL and update the “Effective” date at the top. For material changes we will make a reasonable effort to notify active users via email.

12. Contact

Questions, requests, or concerns? hello@nlqdb.com.