BlazeSQL Privacy Policy
Last Updated: February 9, 2026
Privacy Is Our Priority
BlazeSQL is built for data teams who take security seriously. Everything is encrypted, nothing is used for training, and you control how your data flows.
Encrypted at every layer. AES-256 at rest, TLS 1.2+ in transit — all data on BlazeSQL servers is encrypted. No exceptions.
Data stored in Firestore is protected by custom security rules that control access at the document level.
Your database is never imported or copied. With offline mode enabled (on by default for the Desktop App), BlazeSQL sends only schema metadata — table names, column names, and data types — to generate SQL queries. When offline mode is disabled, query results are also sent for deeper AI analysis.
You control where your data lives. With the Desktop App (offline mode on by default), query results never leave your device. The Web App sends results encrypted to BlazeSQL’s servers for AI analysis, dashboards, and collaboration. You choose the right balance for your organization.
Zero Data Retention on all AI calls. ZDR is enabled on every Google Vertex AI model call — your data is never stored by Google and never used for model training.
| Deployment | Query Results | Best For |
|---|---|---|
| Desktop App | Stored locally on your device — never touch our servers | Maximum data isolation |
| Web App | Stored encrypted on GCP — enables dashboards and collaboration | Best performance, maximum AI intelligence, teams and sharing |
| Database Connection API | Stored locally on your device — same isolation as Desktop App | Web and embedded analytics with maximum data isolation |
Read the full legal text below for complete details on how we collect, process, store, and protect your data.
How Your Data Flows
The following diagrams show the data flow architecture for each deployment model.
Desktop App
Web App
Database Connection API
Data Controller
Blaze Analytics vGmbH Registration: B279099 VAT: LU35935057 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg
Privacy Contact: enterprise@blazesql.com General Support: support@blazesql.com
What This Policy Covers
This policy explains how Blaze Analytics vGmbH ("BlazeSQL," "we," "us") collects, processes, stores, and protects personal data when you use our website (blazesql.com) and AI-powered SQL analytics service ("the Service"). The Service includes the BlazeSQL Desktop App, Web App, and Database Connection API.
For detailed information about our security measures and infrastructure, see our Security Overview.
Personal Data We Collect
Account Data
- Email address and password — for authentication and account management
- Name and role — to personalize your experience and for team management
Service Data
- Database metadata: Schema names, table names, column names, and data types from databases you connect. This is the minimum data BlazeSQL needs to generate SQL queries. Stored encrypted on our servers.
- Unique values for categorical columns (optional): Column value samples to improve query accuracy. Stored encrypted.
- Database credentials: Stored encrypted on our servers to execute queries on your behalf. This applies to all deployment models (Web App, Desktop App, and Database Connection API). Exceptions: SQL Server connections using Windows Authentication use your device credentials and do not require cloud-stored credentials. Connections using Entra Authentication are token-based and do not require stored credentials.
- Chat messages: Your natural language questions and BlazeSQL's responses. Stored encrypted.
- Query results — Web app: Stored encrypted on our servers for dashboards, sharing, and quick access.
- Query results — Desktop app: With offline mode enabled (on by default), stored locally on your device and not sent to our servers. Disabling offline mode sends results to our servers for deeper analysis.
- Query results — Database Connection API: Stored locally on your device — never sent to our servers. Same data isolation as the Desktop App.
- Saved queries and dashboards: Stored encrypted for your ongoing use.
Technical Data
- Server logs: IP address, browser type, referring pages, timestamps.
- Usage data: We collect aggregated, anonymized usage statistics to improve the Service. These are not tied to individual queries or users.
Google API Data
If you connect BigQuery databases via Google APIs, our use of that data adheres to the Google API Services User Data Policy, including Limited Use requirements.
Legal Bases for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) |
| Account authentication | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement (aggregated analytics) | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
How We Use Your Data
- To provide the Service: Generating SQL queries, running them against your database, returning results, enabling dashboards and collaboration.
- To maintain and improve the Service: Monitoring performance, fixing bugs, improving features based on aggregated usage patterns.
- To communicate with you: Service notifications, support responses, and (with consent) product updates.
- To ensure security: Detecting and preventing unauthorized access, fraud, and abuse.
We do not:
- Sell or share personal data with third parties for advertising or marketing
- Use customer data to train AI models (unless explicitly opted in via separate agreement)
- Access your data for any purpose other than providing the Service
Automated Decision-Making (GDPR Article 22)
BlazeSQL uses artificial intelligence to process your natural language questions and generate SQL queries. This AI processing is integral to providing the Service and operates as follows:
- What the AI does: Interprets your questions, generates SQL queries, and (when enabled) analyzes query results to provide summaries and insights.
- What the AI does not do: It does not make decisions that produce legal effects or similarly significant effects on you. It does not profile users for automated decision-making purposes.
- Human oversight: All AI-generated queries are visible to you before execution. You control which queries run against your database.
- Zero Data Retention: AI model calls are made with Zero Data Retention enabled — your data is not stored by Google and is not used for model training.
Subprocessors
We use the following third-party services to provide BlazeSQL:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, data storage, computing | All service data | EU / US (configurable for enterprise) |
| Google Vertex AI | AI model inference (with Zero Data Retention enabled) | Chat prompts (not retained) | EU / US |
| Google Cloud Firestore | Database for application data storage | Account data, metadata, query results | Per GCP region |
| Intercom | Customer support and live chat | Name, email, support conversations | US |
| Stripe | Payment processing | Payment details, billing email, transaction data | US |
Zero Data Retention (ZDR) is enabled on all Vertex AI model calls. Google does not store prompts, responses, or customer data from these calls, and does not use them for model training. See Google's ZDR documentation.
International Data Transfers
Blaze Analytics vGmbH is based in Luxembourg (EU). Data processed within the European Economic Area requires no additional transfer mechanism.
For any processing that involves transfers outside the EEA (including subprocessors based in the US such as Stripe and Intercom), we rely on:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- Google Cloud Platform's data processing terms, which include SCCs for international transfers
Enterprise customers can request deployment in specific GCP regions to meet data residency requirements. Contact Enterprise@BlazeSQL.com for regional deployment options.
Data Retention
- Account data: Retained while your account is active. Deleted upon account termination.
- Service data (chats, queries, dashboards, results): Retained until you delete them or close your account. Self-service deletion is available at any time.
- Server logs: Retained for a minimum of 1 year for security and audit purposes. Available for audit or deleted upon request.
- Backups: Retained for up to 30 days following deletion, then permanently removed.
Data Breach Notification
In the event of a personal data breach, BlazeSQL will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Where a breach is likely to result in a high risk to individuals' rights and freedoms, affected data subjects will be notified directly in accordance with GDPR Article 34.
Affected customers will receive notification that includes the nature of the breach, the data affected, measures taken, and recommended steps to protect themselves.
Your Rights
Under GDPR (and similar regulations where applicable), you have the right to:
| Right | How to Exercise |
|---|---|
| Access your personal data | Contact support@blazesql.com or use in-app data export |
| Rectify inaccurate data | Update your profile in-app or contact support |
| Erase your data ("right to be forgotten") | Use self-service deletion in-app, or contact support for bulk deletion |
| Export your data (portability) | Request machine-readable export via support (fulfilled within 14 days) |
| Restrict processing | Contact support@blazesql.com |
| Object to processing | Contact support@blazesql.com |
| Withdraw consent for marketing | Unsubscribe link in any marketing email |
| Not be subject to solely automated decisions | See "Automated Decision-Making" section above |
| Lodge a complaint | Contact your local data protection authority |
Requests are fulfilled within 30 days (or 14 days for data export), as required by applicable law.
Cookies and Tracking Technologies
Marketing Website (blazesql.com)
The BlazeSQL marketing website uses cookies for analytics, marketing attribution, and consent management. Cookie consent is managed via Cookiebot — you can review and adjust your preferences at any time through the cookie banner.
The following third-party services may set cookies on the marketing website:
| Service | Purpose | Cookie Examples |
|---|---|---|
| Cookiebot | Cookie consent management | CookieConsent |
| Google Analytics | Website analytics | _ga, _ga_* |
| Google Tag Manager | Tag management | (manages other tags) |
| Google Ads | Conversion tracking | _gcl_au |
| HubSpot | CRM and marketing automation | hubspotutk, __hstc, __hssc |
| Microsoft Clarity | Session recording and heatmaps | _clck, _clsk |
| Facebook/Meta Pixel | Advertising | _fbp |
| LinkedIn Insight | B2B advertising | _lfa (via Leadfeeder) |
| PostHog | Product analytics | ph_phc_* |
These cookies are only set with your consent (except strictly necessary cookies like Cookiebot's consent cookie).
Product (blazesql.com/app)
The BlazeSQL product uses essential cookies only:
- Session cookies: Maintain your logged-in state. Strictly necessary for the Service to function.
- Authentication tokens: Stored in local storage or session storage to maintain your session.
- Intercom chat widget: Sets a first-party session cookie for live chat support.
- User preferences: Local storage may be used for UI preferences (e.g., theme, layout settings).
The product does not use advertising, analytics, or tracking cookies. No third-party tracking cookies are set within blazesql.com/app.
California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information
- Right to non-discrimination for exercising your privacy rights
BlazeSQL does not sell personal information.
To exercise your rights, contact support@blazesql.com or enterprise@blazesql.com. We will verify your identity before fulfilling requests.
Children's Privacy
BlazeSQL is not directed at individuals under 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
Changes to This Policy
We will notify you of material changes at least 30 days before they take effect, via email or in-app notification. The "Last Updated" date at the top of this page reflects the most recent revision.
Data Protection Contact
Given the nature and scale of our data processing, BlazeSQL has designated a data protection contact reachable at enterprise@blazesql.com. Questions about data protection can be directed there.
Privacy Contact: enterprise@blazesql.com Enterprise privacy requirements: Enterprise@BlazeSQL.com General Support: support@blazesql.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For Luxembourg residents, this is the Commission Nationale pour la Protection des Données (CNPD).
© 2026 Blaze Analytics vGmbH (Registration: B279099, VAT: LU35935057), 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg