Back to home
Privacy-First Architecture

Privacy Policy

Last updated: November 27, 2024

TL;DR - The Privacy Promise

  • Your CSV data never leaves your browser. It's processed locally using DuckDB WASM.
  • Only your natural language queries are sent to our AI service to generate SQL.
  • We use cookies only for authentication and session management.
  • We never sell your data to third parties.

1. Data Processing & Storage

Local Processing: CSVLens uses DuckDB WASM, which runs entirely in your browser. When you upload a CSV file:

  • The file is loaded into your browser's memory only
  • All SQL queries execute locally on your device
  • No raw data is transmitted to our servers or any third party
  • Your data is automatically cleared when you close the browser tab

What We Don't Store: We do not store, cache, or have access to your CSV files or the data within them.

2. AI Query Processing

When you ask a question in natural language, we send the following to our AI service:

  • Your question text (e.g., "Show me revenue by month")
  • Your CSV column names and data types (not the actual data)
  • Context about previous queries in your session

What We Don't Send: We never send your actual CSV data values to the AI service. The AI only sees schema information (column names and types) to generate appropriate SQL queries.

3. Cookies & Authentication

We use cookies for essential functionality only:

  • Authentication cookies: To keep you logged in
  • Session cookies: To maintain your workspace state
  • Security cookies: To prevent CSRF attacks

What We Don't Use: We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

4. Information We Collect

Account Information:

  • Email address (for authentication)
  • Username and profile information
  • Payment information (processed securely through Stripe, we don't store card details)

Usage Information:

  • Number of queries executed (for billing purposes)
  • Token usage for AI queries
  • Feature usage patterns (aggregated and anonymized)
  • Error logs (without your data content)

5. Data Security

We implement industry-standard security measures:

  • All connections use HTTPS/TLS encryption
  • Passwords are hashed using bcrypt
  • API keys are stored securely and never exposed to the client
  • Regular security audits and updates

6. Your Rights

You have the right to:

  • Access your personal information
  • Request deletion of your account and associated data
  • Export your account data
  • Opt out of non-essential communications
  • Request corrections to your personal information

To exercise these rights, contact us at privacy@csvlens.app

7. Third-Party Services

We use the following third-party services:

  • OpenAI / Anthropic: For AI-powered SQL generation (receives queries and schema, not data)
  • Stripe: For payment processing (PCI-DSS compliant)
  • Vercel: For hosting and infrastructure

These services have their own privacy policies and security measures.

8. Data Retention

  • Account information is retained until you delete your account
  • Usage logs are retained for 90 days for debugging and analytics
  • Deleted accounts are permanently removed within 30 days
  • Your CSV data is never retained - it exists only in your browser session

9. Children's Privacy

CSVLens is not intended for users under 13 years of age. We do not knowingly collect information from children under 13.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or through the application. Your continued use of CSVLens after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy or how we handle your data:

  • Email: privacy@csvlens.app
  • Support: support@csvlens.app