Privacy Policy
Last updated on July 4, 2026
We are VPALGO s.r.o., ID No. 19615574, with our registered seat at Moravské Prusy 141, 682 01 Prusy-Boškůvky, the Czech Republic, recorded under file No. C 135361/KSBR at the Regional Court in Brno (“we”, “us”, or “DataLoam”), and we operate the software product DataLoam. We provide a database client extension for Visual Studio Code with AI-powered features that enables users (“you”) to connect to databases, explore and manage database structures, and generate queries through an integrated interface. To provide our Services, we need to collect some of your personal data, whether you are using www.dataloam.io (“Site”), our VS Code extension (“Extension”), or our web platform (“Platform”) — collectively, our “Services.” This Privacy Policy (the “Privacy Policy”) is intended to inform you about our practices regarding the collection, use, and disclosure of information that you may submit to us when using our Services. This Privacy Policy should be read alongside, and in addition to, our Terms of Service. Unless otherwise defined in this Privacy Policy, terms used have the same meaning as in the Terms of Service.
This Privacy Policy may be updated to reflect changes in legislation, so please review it now and then. You can always find the most recent version on our Site. If we make substantial changes, we will try to provide a notice prior to any changes taking effect. What constitutes a substantial change will be determined at our sole discretion. By continuing to access or use our Service after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, please stop using the Services.
The Privacy Policy only covers data processing carried out by us. The Privacy Policy does not address, and we are not responsible for, the privacy practices of any other parties.
We do not knowingly collect or ask for information from people under the age of 18. If you are such a person, please do not use our service or send us your information. We delete information that we learn is collected from a person under the age of 18 without verified parental consent.
To learn more about data management or if you have any other questions, please contact us at support@dataloam.io.
What data is processed
We may collect the following types of information about you:
Personal Identifiable Information
Through our Services, we may collect and process information that can be used to identify or contact you as an individual known as your personal identifiable information (“PII”), including but not limited to:
- email address
- first and last name
- payment and billing details (processed by our third-party payment processor)
- account settings and preferences
- and other PII you may provide to us
Technical Information
We and/or our authorised external service providers may automatically collect technical data when you visit or interact with our Services. Technical data may include, in particular:
- the URL of the site visited before using our Service
- the time and date of user visits
- IP address
- the browser name and type
- the type of computer or device accessing our Service
- time spent on the Service and other similar technical information
In a limited number of cases it is possible to use technical data and identify you as an individual, thus making them PII, however, we never use technical data to identify you as an individual.
We use technical data to:
- Provide, operate, and maintain our Services
- Improve, personalize, and expand our Services
- Understand and analyze how you use our Services
- Develop new products, services, features, and functionality
- Communicate with you, either directly or through one of our partners, including for customer service
- Find and prevent fraud
AI Usage Data
When you use the AI-powered features of the Software, certain data may be transmitted from the Extension through our servers to third-party AI providers:
- Database metadata, such as table names, column names, data types, indexes, constraints, and relationships
- Queries, instructions, and prompts you submit through the AI-powered interface
- Relevant database context — for certain AI-powered features, the Extension may run queries against your connected database and transmit a limited sample of actual values and, in some cases, rows or query results, so the feature can better understand the structure, meaning, and context of your data
These operations are initiated and approved by you before any data is transmitted. Because this content comes from your database, it may include personal data your database contains; you control which databases and operations you connect and approve.
We may store your AI queries and prompts for the purpose of improving our Services (e.g., improving AI response quality, debugging, analytics). Stored prompts are retained for 7 days and then deleted. Operational metadata (timestamp, model used) is retained separately, as shown in the retention table below.
We choose AI providers and AI routing providers that offer zero-retention or no-training processing options for customer-submitted content where available. This means that, where these options are enabled, prompts, database metadata, sampled values, and related AI context are processed only to provide the requested AI functionality and are not retained by the provider for model training. Details of the providers we use are listed in the sub-processors section below.
Telemetry Data (Extension)
The Extension may collect telemetry data to help us improve the product and diagnose issues. Telemetry collection is opt-in — it is disabled by default and can be enabled or disabled at any time through the Extension settings. When enabled, telemetry may include:
- Feature usage statistics (which features are used and how often)
- Error reports and crash logs
- Extension version and VS Code environment information (VS Code version, OS type)
- IP address (used for geolocation at the country level, then discarded)
Analytics Data (Site, Platform and Extension)
Our Site (landing page), Platform (dashboard), and Extension use analytics services to help us understand how our Services are used and to improve them. The analytics data we collect includes page views, feature usage patterns, referral sources, and device/browser type.
On the Site, we use analytics that rely on cookies. These analytics cookies are placed only after you consent via our cookie banner, and they allow us to understand how visitors use the Site, including across sessions.
On the Platform and in the Extension, analytics may use session-based tracking to help us understand feature usage patterns. Analytics does not track personal information or database content.
Mailing List
If you choose to subscribe to our mailing list (opt-in), we will collect and store your email address for the purpose of sending you product updates, feature announcements, and other communications related to DataLoam. You can unsubscribe at any time by clicking the “Unsubscribe” link in any email, or by contacting us at support@dataloam.io.
What are the purposes and legal basis for processing your PII?
We process your PII in order to:
Provide our Services to you. This purpose includes mainly the following processing activities:
- creating and providing your account from PII you provide upon registration;
- informing you about updates and new features of our Service;
- notifying you about updates of our Terms of Service and this Privacy Policy;
- responding to you in relation to any queries you may have with respect to our Services;
- resolving potential agreement-related troubleshooting problems and disputes.
We process the email address, payment information and other data provided by you voluntarily when you use our Service.
Market our Services. We may send you marketing communications about our Services only if you have opted in to our mailing list. You can opt out at any time by clicking the “Unsubscribe” link in any email, or by contacting us at support@dataloam.io.
Improve our Services. This purpose includes the following processing activities using technical information:
- to influence current and future features;
- to prevent and detect security flaws and user interface issues.
Summary of legal bases:
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Account Data | Performance of contract (Art. 6(1)(b)) | Account creation, authentication, service delivery |
| Billing Data | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) | Payment processing, invoicing, tax compliance |
| AI Usage Data (transient processing) | Performance of contract (Art. 6(1)(b)) | Delivering AI-powered features |
| AI Prompts (storage) | Legitimate interest (Art. 6(1)(f)) | Service improvement, debugging |
| Telemetry Data (opt-in) | Consent (Art. 6(1)(a)) | Product improvement, error diagnosis |
| Analytics Data | Legitimate interest (Art. 6(1)(f)) | Usage analysis, service improvement |
| Mailing List (opt-in) | Consent (Art. 6(1)(a)) | Product updates, marketing |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest (see Your Rights below).
How we share your personal data
We only share your PII within DataLoam and with those of its employees, contractors and affiliated organizations that need to know the information in order to process it on DataLoam’s behalf or to provide the Services and those that have agreed not to disclose it to others.
We do not share your PII with other recipients unless one of the following circumstances applies:
It is necessary for the compliance with our obligations towards you. To the extent that our external service providers (sub-processors) need access to your PII to help us perform our Services for you, we have taken the appropriate contractual and organizational measures to ensure that your PII are processed in accordance with all applicable laws and regulations.
A full list of our sub-processors is maintained at www.dataloam.io/sub-processors. The list includes but is not limited to:
- Third-party AI providers (accessed via an AI routing service) — for processing AI queries
- Payment / Merchant of Record — for payment processing, invoicing, and tax handling
- Analytics provider — for product analytics
- Hosting/infrastructure provider — for application hosting
- Email service provider — for transactional and marketing emails
The list of external service providers we use may change from time to time as we change or remove some of the providers listed above and/or put in place other providers to assist us in providing the Services.
It is necessary for legal reasons. We may share your PII with recipients outside of DataLoam if we have a good-faith belief that access to and use of your PII is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests, properties or safety of DataLoam, our users or the public as far as in accordance with the law. When possible, we will inform you about such processing.
Where do we transfer your data to
If you use our Services and are a European resident, you acknowledge and agree that your PII may be transmitted outside of the European Economic Area. In particular, AI providers and our AI routing service are primarily based in the United States. In such cases, we transfer your personal data only to a country that is considered to have an adequate level of protection in accordance with the EU Commission’s decision or there are appropriate safeguards in place to protect your personal data, such as standard contractual clauses (SCCs), the EU-US Data Privacy Framework, or binding internal company rules. Regardless of the country in which your personal data is processed, we take reasonable technical, legal and organizational measures to ensure that the level of protection is the same as in the European Union and the European Economic Area.
If we are involved in a merger, acquisition or other reorganization, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.
What is the storage period
| Data Category | Retention Period |
|---|---|
| Account Data | Retained while account is active + 30 days after deletion |
| Billing Data (invoices, transactions) | 10 years after transaction (Czech tax law requirement) |
| AI Usage Metadata (timestamps, usage records) | Retained only as long as necessary to operate and monitor the Service, then deleted or aggregated |
| AI Prompts | 7 days, then deleted |
| Telemetry Data | Retained only as long as necessary for the purposes described, then deleted or aggregated |
| Analytics Data | Retained in aggregated, non-identifying form; individual-level events deleted or aggregated once no longer needed |
| Mailing List (email address) | Until you unsubscribe |
DataLoam stores your PII only if it is legally permitted and necessary for the purposes for which the data were collected or we are legally obliged to do so. After the retention period, data is deleted or anonymized.
Cookies
Site (Landing Page): Our Site uses a third-party analytics tool to measure how visitors use the Site. Its analytics cookie is set only after you accept analytics via the cookie banner shown on your first visit; if you decline, no analytics cookie is placed. The tool does not track you across other websites. You can withdraw your consent at any time by clearing your browser’s site data for the Site, which will cause the banner to appear again on your next visit. The specific cookies we use are listed in the table below.
Platform (Dashboard): The Platform uses only strictly necessary cookies for session management and authentication. These cookies are essential for the Platform to function and do not require consent under GDPR.
| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Keeps you signed in to the dashboard | Session |
| Security cookie | Strictly necessary | Helps keep your session secure | Session |
| Analytics cookie | Analytics (requires consent) | Helps us understand how the Site is used, via a third-party analytics tool. No cross-site tracking. | 12 months |
Your rights
Under the stipulated conditions, you can exercise all of the rights listed below, which are granted to you by legislation on the protection of personal data, in particular the General Data Protection Regulation (GDPR):
- right to rectification of inaccurate or incomplete personal data;
- right to obtain your personal data and transfer your data to another controller;
- right to object to the processing of your personal data;
- right to restriction of personal data processing;
- right to erasure of personal data;
- right to withdraw provided consent with processing;
- right to a complaint with the competent supervisory authority;
Please note that if you request us to restrict or erase certain processing of your personal data, this may lead to fewer possibilities to use our Services and Site.
How to use your rights. You may exercise your rights above, free of charge, in writing by sending an email to support@dataloam.io. We will respond within 30 days. We may require confirmation of your identity depending on your request.
Right to lodge a complaint. You have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOU), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz. You may also contact the supervisory authority in your country of residence.
Data security
We take all reasonable, appropriate security measures to protect our customers from unauthorized access to or unauthorized alteration, disclosure or destruction of PII we hold. Measures include, where appropriate:
- Encryption of data in transit (TLS/HTTPS)
- Short-lived authentication tokens for Extension-to-server communication
- API keys for third-party services are never exposed to the client
- Payment webhook signature verification
- Access controls limiting employee access to personal data
Should despite the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you about the breach as soon as reasonably possible and notify the relevant supervisory authority within 72 hours where required by law. If you have any questions, feel free to contact us at support@dataloam.io.