Legal
Privacy Policy
Last updated: April 7, 2025
1. Data Controller
The data controller for all personal data processed through the BeQuery platform is:
BeQuery is established in Italy and subject to EU Regulation 2016/679 (GDPR). This policy applies to all users of the BeQuery platform, website, and related services.
2. Data We Collect
We collect and process the following categories of personal data:
Account Data
- Email address (used for authentication via Supabase Auth)
- Display name or username (if provided)
- Authentication tokens and session cookies
- Account creation date and last login timestamp
MySQL Credentials
When you connect a MySQL database, we collect the connection credentials you provide (host, port, username, password, database name). These credentials are encrypted at rest using AES-256-GCM encryption before storage. We never store plaintext passwords.
Cloned Database Content
BeQuery copies the database tables you select from your MySQL instance into an isolated PostgreSQL environment. This cloned data is owned entirely by you and is only used to provide the query service. We do not analyse, sell, or share your business data.
Usage and Query Data
- SQL queries you execute (stored as query history)
- Query execution timestamps and durations
- Sync logs and error messages
- Feature usage for product improvement
Team Data
- Team name and membership
- Member roles (admin, member)
- Invitations sent and accepted
Technical Data
- IP address (collected by Vercel infrastructure for DDoS protection)
- Browser type and version (from request headers)
- Supabase authentication cookies (essential for session management)
3. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
Contract performance (Art. 6(1)(b))
Processing your account data, MySQL credentials, cloned data, and query history is necessary to provide the BeQuery service you subscribed to.
Legitimate interests (Art. 6(1)(f))
We process usage data and technical logs to maintain platform security, prevent abuse, diagnose errors, and improve the product. Our legitimate interest does not override your rights.
Consent (Art. 6(1)(a))
Where we process data beyond what is strictly necessary for the service (e.g., optional analytics), we will ask for your explicit consent.
Legal obligation (Art. 6(1)(c))
We may retain certain data to comply with Italian tax law, accounting obligations, or lawful requests from competent authorities.
4. How We Use Your Data
- —Authenticating your identity and maintaining your session
- —Connecting to your MySQL databases and performing scheduled data syncs
- —Providing isolated PostgreSQL environments for safe query execution
- —Storing and displaying your query history
- —Managing team memberships and access control
- —Sending transactional emails (account invites, password resets)
- —Diagnosing errors and improving platform reliability
- —Processing subscription payments (handled by our payment processor)
We do not sell your personal data, use it for advertising, or share it with third parties beyond the processors listed in Section 7.
5. Data Storage and Security
We take security seriously. The following measures protect your data:
AES-256-GCM Encryption
All MySQL credentials are encrypted at rest using AES-256-GCM before being written to our database. Decryption keys are stored separately.
Encrypted Transit
All data in transit is protected by TLS 1.2 or higher. We enforce HTTPS on all endpoints.
Tenant Isolation
Each team's cloned data lives in a dedicated PostgreSQL schema. Row-level security policies prevent cross-tenant data access.
Access Controls
Internal access to production systems is restricted to authorised personnel using role-based access controls and multi-factor authentication.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Article 33-34.
6. Data Retention
We retain your data only for as long as necessary:
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| MySQL credentials | Until connection is removed or account deleted |
| Cloned database content | Until connection is removed or account deleted |
| Query history | 12 months rolling (configurable) |
| Sync logs and error logs | 90 days |
| Billing records | 10 years (Italian tax law requirement) |
| Security and access logs | 12 months |
When you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law.
7. Third-Party Processors
We use the following sub-processors to operate the platform. All processors are bound by data processing agreements and appropriate safeguards.
Supabase
Authentication, primary database (PostgreSQL), storage
Servers: EU / US (AWS)
Vercel
Application hosting, serverless functions, CDN
Servers: EU / US
We do not share your data with any other third parties for marketing, advertising, or analytics purposes.
8. International Data Transfers
BeQuery is an EU-based company (Italy). Some of our sub-processors operate servers in the United States (Supabase on AWS, Vercel).
Transfers of personal data to the United States are made under the EU–US Data Privacy Framework (Commission Implementing Decision of 10 July 2023) and/or Standard Contractual Clauses (SCCs) adopted by the European Commission. Where applicable, we verify that our processors are certified under the Data Privacy Framework or have executed SCCs.
You can request a copy of the transfer safeguards applicable to your data by contacting us at privacy@bequery.pro.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at privacy@bequery.pro. We will respond within 30 days.
Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Ask us to correct inaccurate or incomplete personal data.
Right to erasure (Art. 17)
Request deletion of your personal data. You can also delete your account directly from the dashboard.
Right to data portability (Art. 20)
Receive your personal data in a structured, machine-readable format.
Right to restriction of processing (Art. 18)
Ask us to limit how we process your data in certain circumstances.
Right to object (Art. 21)
Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
Right to withdraw consent
Where processing is based on consent, withdraw it at any time. Withdrawal does not affect past processing.
Right to lodge a complaint
You have the right to lodge a complaint with the Italian data protection authority (Garante per la protezione dei dati personali) at garanteprivacy.it, or with the supervisory authority in your EU member state.
10. Cookies
We use only essential cookies required for the platform to function. We do not use tracking, advertising, or analytics cookies. For full details, see our Cookie Policy.
11. Children's Privacy
BeQuery is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@bequery.pro.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the platform. The updated policy will take effect 14 days after notification for existing users, or immediately for new users. The "last updated" date at the top of this page indicates when it was last revised.
13. Contact Us
For any privacy-related questions, data subject requests, or concerns, please contact: