Skip to main content

Privacy Policy

Last updated: February 2026

1. Introduction

Welcome to Sovarium. We are committed to protecting your privacy and handling your data transparently and securely. This Privacy Policy explains how Sovarium Ltd ("we," "us," "our") collects, uses, and protects information when you use our AI-powered data analysis platform.

By using Sovarium, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our services.

2. Information We Collect

2.1 Account Information

When your organization creates an account with Sovarium, we collect:

  • Name and email address of authorized users
  • Organization name and billing information
  • Database credentials for connecting to your data sources (encrypted at rest with AES-256-GCM)

2.2 Usage Data

We collect information about how you interact with our platform:

  • Natural language queries you submit
  • Conversation history with the AI assistant
  • Feature usage patterns and analytics
  • Device information, browser type, and IP addresses

2.3 Data Source Connection Information

To provide our services, we store:

  • Encrypted database credentials (AES-256-GCM encryption at rest)
  • Database schema metadata (table names, column names, data types)
  • Semantic layer configurations you create (business-friendly descriptions and relationships)

3. How We Handle Your Data

3.1 Data Security Architecture

Our platform is designed with a security-first approach that minimizes exposure of your sensitive data:

  • Raw query results are NEVER stored. When you ask a question, we execute SQL queries directly on your data warehouse and return results to your browser in real-time. We do not retain the raw data.
  • LLMs only see schema metadata and aggregated data. Our AI models never access row-level records from your database unless specifically requested. They only see table structures, column names, and aggregated insights.
  • Only aggregated insights are stored. We save chart configurations, aggregated data points (sums, averages, counts), and AI-generated explanations—but never individual records.
  • All credentials are encrypted at rest. Database credentials are encrypted using AES-256-GCM encryption before storage.
  • Queries execute on your data warehouse. Your data never leaves your infrastructure during query execution. We simply send SQL to your warehouse and receive results.

3.2 What the AI Can Access

Our AI models have access to:

  • Database schema information (table and column names, data types)
  • Semantic layer descriptions you provide
  • Aggregated query results only (no row-level data)

The AI cannot and does not access individual customer records or personally identifiable information from your database unless specifically requested.

3.3 Data Retention

We retain different types of data for varying periods:

  • Account data: Retained for 90 days after account termination
  • Aggregated insights: Default retention of 90 days, configurable per organization
  • Audit logs: Retained for 5 years for security and compliance purposes

4. How We Use Your Information

We use collected information for the following purposes:

  • Service provision: To provide, operate, and maintain our platform
  • Query generation: To generate accurate SQL queries based on your natural language questions
  • Platform improvement: To improve our AI models and platform features
  • Communication: To send service updates, security alerts, and support messages
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Compliance: To comply with legal obligations and enforce our Terms & Conditions

5. Information Sharing

We do not sell your data. We share information only in the following limited circumstances:

  • Service providers: Companies like Cloudflare that provide our essential infrastructure.
  • AI providers: LLM providers like Gemini to provide the AI insights.
  • Legal requirements: We may disclose information if required by law, court order, or government regulation
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity

6. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing of your data
  • Portability: Request transfer of your data to another service
  • Objection: Object to processing of your data for certain purposes

To exercise any of these rights, please contact us at privacy@sovarium.com.

7. Data Transfers

Your data may be processed and stored in countries outside your jurisdiction. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

8. Cookies and Tracking

We use cookies and similar tracking technologies for the following purposes:

  • Essential cookies: Required for authentication and core platform functionality
  • Analytics cookies: To understand how users interact with our platform and improve user experience

You can control cookies through your browser settings, though disabling essential cookies may affect platform functionality.

9. Security Measures

We implement industry-standard security measures to protect your data:

  • TLS/HTTPS encryption for all data in transit
  • AES-256-GCM encryption for sensitive data at rest (database credentials)
  • Regular security audits and penetration testing
  • Role-based access controls (RBAC) for platform access
  • Secure session management with device fingerprinting

While we take extensive measures to secure your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through a prominent notice on our platform. Continued use of Sovarium after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us: