Privacy Policy

Last updated: February 9, 2026

At Powerful Thinking Inc., doing business as DBToAgent ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and related services (collectively, the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored securely using bcrypt hashing)
  • Company name (optional)
  • Profile picture (if using Google OAuth)

1.2 Database Connection Information

To provide our Service, you provide database connection credentials including:

  • Database host, port, and name
  • Database username and password
  • SSL certificates (if applicable)

Database credentials are encrypted at rest and in transit. We use your credentials solely to establish read-only connections to execute the queries you request through our AI agent.

1.3 Usage Data

We automatically collect certain information when you use the Service:

  • Chat messages and queries sent to AI agents
  • Session metadata (timestamps, duration)
  • Agent configuration and settings
  • Feature usage and interaction data

1.4 Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card numbers or full payment details. We receive only:

  • Stripe customer ID
  • Subscription status and plan type
  • Last 4 digits of your payment method (for display purposes)

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Execute database queries on your behalf through AI agents
  • Generate AI Insights and recommendations based on your data patterns
  • Process payments and manage your subscription
  • Send service-related notifications (account changes, security alerts)
  • Provide customer support
  • Detect and prevent fraud, abuse, and security incidents

3. Your Database Data

This is important — we want to be crystal clear:

  • We do not store your database data. Query results are streamed directly to your browser and are not persisted on our servers.
  • Read-only access by default. We recommend (and default to) read-only database credentials.
  • Schema metadata (table names, column names, and data types) is cached temporarily to optimize AI agent performance. This cache is refreshed periodically and can be cleared by you at any time.
  • AI Insights analysis processes your schema metadata and aggregate statistical patterns. It does not export or store individual records.
  • Session storage options: You can choose to store your conversation history in our cloud, in your own database, or in a separate database you control.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share information only in these circumstances:

  • Service providers: We use third-party services that help us operate (Stripe for payments, Google Cloud for hosting, LLM providers for AI processing).
  • LLM providers: Chat messages are sent to the configured LLM provider (e.g., OpenAI, Anthropic, or your self-hosted model) to generate responses. We do not send your raw database data to LLM providers — only the AI-generated SQL queries and formatted results.
  • Legal compliance: We may disclose information if required by law, court order, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.

5. Data Security

We implement industry-standard security measures:

  • All data in transit is encrypted using TLS 1.2+
  • Database credentials are encrypted at rest
  • Authentication tokens use JWT with expiration
  • Infrastructure hosted on Google Kubernetes Engine with network policies
  • Static egress IP available for enterprise customers (firewall whitelisting)
  • Dual-layer SQL permission enforcement (AI prompt + SQL parser)

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Chat sessions: Retained according to your session storage configuration. Cloud-stored sessions are deleted when you delete them or within 30 days of account deletion.
  • Schema cache: Refreshed periodically, fully cleared on agent deletion.
  • Payment records: Retained as required by law (typically 7 years for financial records).

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Opt out of marketing communications
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@dbtoagent.com.

8. Cookies

We use minimal cookies:

  • Authentication token: Stored in localStorage (not a cookie) to maintain your login session.
  • Essential cookies: Required for the Service to function (CSRF protection, session management).

We do not use third-party tracking cookies or advertising cookies.

9. International Data Transfers

Our Service is hosted in the United States (Google Cloud, us-central1 region). If you access the Service from outside the US, your data may be transferred to and processed in the US. We ensure appropriate safeguards are in place for such transfers.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: