Privacy Policy

Data Controller

Marcus Hernandez Email: privacy@ondatra.sh

What Data We Process and Why

Website (ondatra.sh)

When you visit this website, the following data is processed automatically to deliver the pages to your browser:

  • IP address
  • Date and time of your visit
  • Pages requested
  • Browser information

We use Simple Analytics for privacy-first website analytics. No cookies. No personal data collected.

Account Registration (account.ondatra.sh)

Creating an account is entirely voluntary. When you choose to register, the following data is processed:

  • Email address: to send verification codes and identify your account
  • API keys: generated by you, used to authenticate CLI requests

We do not store passwords. Authentication is via email OTP (one-time password).

Providing this information is not a legal or contractual obligation. It is only needed to use the OAuth2 authentication service.

OAuth2 Provider Authentication (oauth2.ondatra.sh)

When you use ondatrasql auth <provider> to connect to third-party services (Google Sheets, Fortnox, etc.), the following data is processed to facilitate the token exchange:

  • OAuth2 refresh token: temporarily stored (max 2 minutes), encrypted with a client-generated key (AES-256-GCM) that only your CLI can decrypt, deleted after retrieval
  • API key hash: to verify that only the requesting user can retrieve the token

We never see or store:

  • Your data from third-party services (invoices, spreadsheets, etc.)
  • Your access tokens (generated during refresh, returned to your CLI, not stored)
  • Your files, models, or query results

Contact Form

Using the contact form is entirely voluntary. When you choose to send a message, the following data is processed:

  • Name: to know who we are communicating with
  • Email address: to reply to your message
  • Subject and message: to understand your inquiry

The message is delivered to our inbox via Scaleway TEM and Proton Mail. It is not stored in any database on this website. We retain the email only as long as necessary to handle your inquiry.

OndatraSQL CLI

The CLI runs entirely on your machine. It does not send telemetry, usage data, or analytics.

The only network requests the CLI makes are:

  • To oauth2.ondatra.sh for OAuth2 provider authentication and token refresh
  • To third-party APIs you configure (Google, Fortnox, etc.)

We do not use any personal data for marketing, profiling, or any other purpose. No automated decision-making takes place.

We process your personal data based on legitimate interest (GDPR Article 6(1)(f)). We consider this processing to be expected by you when you visit the website, create an account, or authenticate with a provider.

Third-Party Services

We use the following services that process data on our behalf (data processors):

  • Bunny.net: website delivery, edge scripts, database. Processes hosting data, API keys, and encrypted tokens (temporary). Based in the EU (Slovenia).
  • Scaleway: transactional email delivery. Processes email addresses for OTP and contact form delivery. Based in the EU (France).
  • Proton Mail: email hosting. Contact form messages are delivered to our Proton Mail inbox. Based in Switzerland.
  • Simple Analytics: website analytics. No personal data processed. Based in the EU (Netherlands).

We do not share your data with any other third parties.

Transfers Outside the EU/EEA

All data processing takes place within the EU/EEA and Switzerland. Switzerland is covered by an adequacy decision from the European Commission, ensuring an equivalent level of data protection. We do not transfer personal data to any other countries.

Data Retention

  • Hosting data: Bunny.net retains access logs in accordance with their data retention policies
  • Accounts: stored until you request deletion
  • API keys: stored until you delete them or request account deletion
  • OAuth2 tokens in transit: encrypted, deleted within 2 minutes
  • Session tokens: expire after 30 days

Security

All communication with this website and our services is encrypted via HTTPS. Refresh tokens are encrypted at rest with a client-generated key that we cannot decrypt. No passwords are stored. Authentication is passwordless.

Your Rights

Under the GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your data
  • Restriction: request that we limit how we process your data
  • Objection: object to our processing based on legitimate interest
  • Data portability: receive your data in a structured, commonly used format

You can manage your API keys and delete your account directly at account.ondatra.sh. Deleting your account permanently removes all associated data (API keys, sessions, pending authentication requests, and temporary tokens). No data is retained after deletion. For all other requests, contact us at privacy@ondatra.sh.

Supervisory Authority

If you believe your data has been processed in violation of the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY): www.imy.se

Cookies and Tracking

This website does not use cookies or any tracking technologies.

Changes

We may update this policy. Changes will be posted on this page with an updated date.

Last updated: April 3, 2026