Getting Started Concepts CLI Reference Environment Variables DuckDB Configuration Validation Scripting Examples Lineage & Metadata
Blueprints Blog Contact About

Privacy Policy

How OndatraSQL handles your data

Data Controller

Marcus Hernandez Email: privacy@ondatra.sh

What Data We Process and Why

Website (ondatra.sh)

When you visit this website, the following data is processed automatically to deliver the pages to your browser:

  • IP address
  • Date and time of your visit
  • Pages requested
  • Browser information

We use Simple Analytics for privacy-first website analytics. No cookies. No personal data collected.

Account Registration (account.ondatra.sh)

Creating an account is entirely voluntary. When you choose to register, the following data is processed:

  • Email address — to send verification codes and identify your account
  • License keys — generated by you, used to authenticate CLI requests

We do not store passwords. Authentication is via email OTP (one-time password).

Providing this information is not a legal or contractual obligation — it is only needed to use the OAuth2 authentication service.

OAuth2 Provider Authentication (oauth2.ondatra.sh)

When you use ondatrasql auth <provider> to connect to third-party services (Google Sheets, Fortnox, etc.), the following data is processed to facilitate the token exchange:

  • OAuth2 refresh token — temporarily stored (max 2 minutes), encrypted at rest (AES-256-GCM), deleted after retrieval
  • License key hash — to verify that only the requesting user can retrieve the token

We never see or store:

  • Your data from third-party services (invoices, spreadsheets, etc.)
  • Your access tokens (generated during refresh, returned to your CLI, not stored)
  • Your files, models, or query results

OndatraSQL CLI

The CLI runs entirely on your machine. It does not send telemetry, usage data, or analytics.

The only network requests the CLI makes are:

  • To oauth2.ondatra.sh for OAuth2 provider authentication and token refresh
  • To third-party APIs you configure (Google, Fortnox, etc.)

We do not use any personal data for marketing, profiling, or any other purpose. No automated decision-making takes place.

We process your personal data based on legitimate interest (GDPR Article 6(1)(f)). We consider this processing to be expected by you when you visit the website, create an account, or authenticate with a provider.

Third-Party Services

We use the following services that process data on our behalf (data processors):

  • Bunny.net — website delivery, edge scripts, database. Processes hosting data, license keys, and encrypted tokens (temporary). Based in the EU (Slovenia).
  • Scaleway — transactional email delivery. Processes your email address for OTP delivery. Based in the EU (France).
  • Simple Analytics — website analytics. No personal data processed.

We do not share your data with any other third parties.

Transfers Outside the EU/EEA

All data processing takes place within the EU/EEA. We do not transfer personal data to countries outside the EU/EEA.

Data Retention

  • Hosting data — Bunny.net retains access logs in accordance with their data retention policies
  • Accounts — stored until you request deletion
  • License keys — stored until you delete them or request account deletion
  • OAuth2 tokens in transit — encrypted, deleted within 2 minutes
  • Session tokens — expire after 30 days

Security

All communication with this website and our services is encrypted via HTTPS. Refresh tokens are encrypted at rest with AES-256-GCM. No passwords are stored — authentication is passwordless.

Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data
  • Restriction — request that we limit how we process your data
  • Objection — object to our processing based on legitimate interest
  • Data portability — receive your data in a structured, commonly used format

You can manage your license keys directly at account.ondatra.sh. For all other requests, contact us at privacy@ondatra.sh.

Supervisory Authority

If you believe your data has been processed in violation of the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY): www.imy.se

Cookies and Tracking

This website does not use cookies or any tracking technologies.

Changes

We may update this policy. Changes will be posted on this page with an updated date.

Last updated: April 3, 2026