Last updated: April 2026

Privacy Policy

rawquery is a data platform. We handle your data to provide the service, and we take that responsibility seriously. This policy explains exactly what we collect, why, and how we protect it.

Who we are

rawquery is a product of SIA Wyrd, a company registered in Latvia (European Union). SIA Wyrd is the data controller for the purposes of GDPR. Our infrastructure is hosted in Frankfurt, Germany (EU).

Contact: hello@rawquery.dev

What data we collect

Account information: Your email address and, if you signed up with a password, a hashed password (Argon2id). We do not store your password in plain text. If you signed up or linked your account with GitHub or Google, we also store the provider name and an opaque provider user ID so we can recognise you on subsequent logins. We never request, receive, or store your GitHub or Google password, and we do not retain the OAuth access tokens the providers issue to us — they are used once to read your verified email and then discarded.

Workspace data: Workspace names, member roles, saved queries, transform definitions, chart configurations, and page layouts you create.

Connector credentials: When you connect a data source (Postgres, Stripe, HubSpot, etc.), we store the credentials encrypted at rest using AES (Fernet encryption) in our database. These are never logged and never exposed via the API.

Your synced data: Data you sync from your sources is stored as Apache Iceberg tables on S3-compatible storage (MinIO, self-hosted on the same server). This data stays in the EU at all times.

Usage metrics: Query counts, storage usage, and sync history for billing and operational purposes.

Why we collect it

We collect data for three purposes: to provide the service (authentication, query execution, data sync), to operate the platform (billing, quota enforcement, operational monitoring), and to communicate with you (transactional emails: verification, password reset, quota alerts).

Our legal basis under GDPR is contract performance (Article 6(1)(b)) for service delivery, and legitimate interest (Article 6(1)(f)) for operational and security purposes.

How we store and protect your data

All data is stored on EU infrastructure in Frankfurt, Germany. There are no transatlantic transfers.

Passwords are hashed with Argon2id (64 MB memory cost), the current best-in-class algorithm against brute force and GPU attacks. Connector credentials are encrypted at rest with AES via Fernet. Your synced data is stored in Apache Iceberg format on self-hosted S3-compatible storage. Every query, sync, and API call is scoped to your workspace - cross-tenant access is prevented at every layer.

Data processing

When you connect a data source, rawquery acts as a data processor on your behalf. We sync data from your sources, store it in Iceberg tables, and execute SQL queries against it. We do not access, analyze, or use your synced data for any purpose other than providing the service to you.

Cookies and tracking

We do not use tracking cookies. No third-party cookies, no analytics cookies, no advertising cookies. Authentication is handled via JWT tokens stored in browser memory. The only cookie we set is a short-lived, strictly necessary session cookie when you access password-protected shared content (charts and pages). This cookie is httpOnly, secure, and expires after 24 hours.

We use Umami for website analytics. Umami is self-hosted on our own server, is privacy-focused, does not use cookies, does not collect personal data, and is fully GDPR-compliant. No Google Analytics, no Facebook pixel, no tracking pixels of any kind.

Third parties and sub-processors

We use a minimal set of sub-processors:

• UpCloud - Infrastructure hosting (Frankfurt, Germany). Provides the dedicated server where all data resides.
• Paddle - Payment processing (Merchant of Record). Paddle (Paddle.com Market Limited) processes all payments, billing, and taxes on our behalf. We do not store your card details.
• GitHub (optional) - If you choose to sign in with GitHub, GitHub Inc. (USA) authenticates you and returns your primary verified email and a user ID. We request only the read:user user:email scopes. GitHub's privacy policy: github.com/site/privacy.
• Google (optional) - If you choose to sign in with Google, Google LLC (USA) authenticates you and returns an OpenID Connect identity token containing your verified email, a stable subject ID, and your profile name. We request only the openid email profile scopes. Google's privacy policy: policies.google.com/privacy.

Signing in with GitHub or Google is optional. You can always use email and password, and you can unlink a social identity at any time from Settings → Connected accounts, provided you still have at least one way to log in.

We do not sell, share, or provide your data to any other third party. Email is sent via our self-hosted Postfix and Listmonk stack - no external email service.

Your rights

Under GDPR, you have the right to:

• Access - Request a copy of the data we hold about you.
• Rectification - Correct inaccurate information (you can update your email and password directly in the application).
• Deletion - Delete your account at any time from your profile settings. Upon deletion, your data enters a 30-day retention period, after which it is permanently and irreversibly deleted.
• Data portability - Export your data at any time via SQL queries or in Iceberg format (open standard Parquet files you can read with any tool).
• Right to object - Object to processing of your data. Contact us at hello@rawquery.dev.

Data retention

Active accounts: Your data is kept for as long as your account exists and the service is active.

Deleted accounts: When you delete your account, all associated data (account information, workspace data, synced data, connector credentials) enters a 30-day retention period. After 30 days, everything is permanently deleted. This retention period allows for accidental deletion recovery.

Contact

For any questions about this privacy policy or how we handle your data: hello@rawquery.dev

Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you via email. The "last updated" date at the top of this page indicates when the policy was last revised.