Privacy Policy

Last updated: April 23, 2026

Back to Home

At DuckViz, privacy is not an afterthought — it is foundational to how the platform works. This Privacy Policy explains what data we collect, how we use it, how we protect it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / CPRA (CCPA).

1. Data Controller

For the purposes of GDPR and UK GDPR, the data controller of your personal data is:

  • DuckViz (a trading name of Vikas Awaghade, sole proprietor under Indian law)
  • The Orchid, Ivy Estate Road, Wagholi, Pune 412207, Maharashtra, India
  • Email: support@duckviz.com

DuckViz does not currently have a designated Data Protection Officer (DPO) as it does not meet the size thresholds requiring one. Privacy requests can be sent to the email above and will be handled directly.

2. Our Privacy-First Architecture

DuckViz processes your data files entirely inside your browser using DuckDB-WASM. When you upload CSV, Excel, JSON, XML, or log files:

  • Files are parsed, ingested, and queried using an in-browser SQL engine. No file data is uploaded to our servers.
  • Charts, dashboards, data grids, reports, and presentations are rendered locally in your browser.
  • AI-generated dashboards, reports, and presentations are created from schema metadata — your actual data values never leave the browser.

3. Session Persistence and Local Storage

DuckViz stores application state in your browser's IndexedDB to enable session recovery across page refreshes:

  • DuckDB tables are exported as Parquet files and stored in IndexedDB.
  • Uploaded files are stored as ArrayBuffers in IndexedDB.
  • Application state (dashboard layouts, widget configurations, insight caches, ingestion progress) is stored as JSON in IndexedDB.

All IndexedDB data stays on your device and is never transmitted to our servers. You can clear all persisted data at any time by choosing "Start fresh" on the upload page. Individual datasets can be removed from the memory management popover.

4. What We Send to AI Providers

When you use AI-powered features (widget recommendations, key insights, report generation, presentation generation, SQL query generation), we send only your data schema and metadata to our AI provider (currently OpenAI). This includes:

  • Column names and data types
  • Table structure and relationships
  • Sample value descriptions (not actual values)
  • Detected data domain and format information
  • DuckDB SQL queries generated for your visualizations

We use the OpenAI API under their standard API terms, which prohibit the use of submitted data to train OpenAI models. We do not opt in to any training pipelines.

Log and Unstructured Data

For non-structured data such as log files, we send a small sample (up to 10 lines) from the beginning of the file to our AI provider solely to detect the log format and parsing pattern. This sample is used only for format detection and is not stored. Once the format is identified, all subsequent parsing and analysis happens entirely within your browser using our WASM parser.

Your actual row-level data, cell values, and file contents are never sent to any external server. All file parsing, SQL execution, and chart rendering happen entirely in your browser using DuckDB-WASM.

5. Reports and Presentations

When you generate reports or PowerPoint presentations:

  • AI generates report sections and presentation slides using only schema metadata and widget descriptions — not your actual data values.
  • Template variables (e.g., total counts, averages) are resolved by running SQL queries locally in your browser against your uploaded data.
  • Report editing, chart rendering, and export (PDF, DOCX, PPTX) all happen entirely in your browser.
  • Generated reports and presentations are never stored on our servers. They exist only in your browser session and exported files.

6. Information We Collect

6.1 Account Information

When you create an account, we collect your email address and, if you use Google sign-in, your name and profile picture. This information is stored securely in our authentication provider (Supabase).

6.2 Usage Data

We track basic usage metrics to improve the Service:

  • Credit balance and usage history
  • Feature usage patterns (which AI features you use)
  • Session duration and page views
  • Error logs for debugging purposes

6.3 Payment Information

When you purchase credits, payment processing is handled by our third-party payment processor. We do not store your credit card number, CVV, or full payment details on our servers. We receive only a transaction confirmation and purchase amount.

6.4 Cookies and Local Storage

We use:

  • Authentication cookies: To maintain your login session.
  • Preference cookies: To remember your theme preference (light/dark mode).
  • IndexedDB: For session persistence — storing your application state, uploaded files, and DuckDB tables locally in your browser. This data is never transmitted to our servers.

We do not use tracking cookies or advertising pixels.

7. Legal Basis for Processing (GDPR / UK GDPR)

We process personal data under the following lawful bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)): Account creation, authentication, credit balance management, and delivery of AI-generated outputs you request.
  • Legal obligation (Art. 6(1)(c)): Tax, accounting, and consumer-protection record-keeping for paid transactions.
  • Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, debugging via error logs, and aggregate product analytics. You have the right to object to processing based on legitimate interests.
  • Consent (Art. 6(1)(a)): Non-essential communications and any future optional features that require consent. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

8. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process credit purchases and manage your account
  • Send important service updates (security, terms changes)
  • Improve platform performance and fix bugs
  • Respond to support requests

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not engage in targeted advertising.

9. Data Storage and Security

  • Account data is stored in Supabase (hosted on cloud infrastructure with encryption at rest and in transit).
  • Application hosting uses Cloudflare Workers, which provides DDoS protection and edge security.
  • Your file data never leaves your browser and is never stored on our infrastructure.
  • Browser-side data (IndexedDB) is under your control. We provide tools to clear individual datasets or all persisted data at once.
  • Transport security: all traffic to our services is encrypted in transit via TLS 1.2 or higher.

10. Breach Notification

In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

11. Sub-Processors

We rely on a small, fixed list of sub-processors to operate the Service. Each handles a specific function and is bound by its own data-processing agreement and privacy policy.

  • Supabase Inc. — authentication, account management, credit-balance database. Privacy policy · DPA.
  • Cloudflare, Inc. — application hosting, edge CDN, DDoS protection, and Workers runtime. Privacy policy · DPA.
  • OpenAI, L.L.C. — AI model provider for schema-driven analysis, report generation, and SQL generation. Schema and metadata only; no row-level data. Privacy policy · DPA.
  • Paddle.com Market Ltd — Merchant of Record for credit purchases: processes payments, collects and remits applicable taxes, and issues invoices and receipts. We never see or store your full card details. Privacy policy · DPA.

Changes to this list will be reflected in a revision of this page. Your continued use of the Service after such revision constitutes acceptance of the updated sub-processor list.

12. International Data Transfers

Our infrastructure is globally distributed. Personal data may be processed in the United States, the European Union, the United Kingdom, or elsewhere, depending on sub-processor region. Where personal data leaves the EEA or the UK, transfers are governed by the relevant sub-processor's Standard Contractual Clauses and supplementary safeguards as published in their respective DPAs linked above.

Your file data never leaves your browser, regardless of your location or ours.

13. Your Rights (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal information we hold about you (Art. 15).
  • Rectify inaccurate information (Art. 16).
  • Erase your data ("right to be forgotten", Art. 17).
  • Restrict processing (Art. 18).
  • Data portability — export in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time, where consent is the basis (Art. 7).
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email support@duckviz.com. We respond within 30 days in accordance with Article 12.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect and the purposes for which it is used.
  • Access specific pieces of personal information we hold about you.
  • Delete personal information, subject to legal retention exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information. DuckViz does not sell or share personal information as those terms are defined by the CCPA/CPRA.
  • Non-discrimination for exercising any of these rights.

To exercise these rights, email support@duckviz.com with the subject line "California Privacy Request". We may need to verify your identity by asking you to confirm details associated with your account.

15. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required for tax, accounting, or fraud-prevention obligations (typically up to 7 years for financial records). Anonymized usage statistics may be retained indefinitely for analytics purposes. Browser-side data (IndexedDB) is under your control and is not affected by account deletion.

16. Children's Privacy

The Service is not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top reflects the most recent revision.

18. Contact

For privacy questions, data-subject requests, or breach notifications, contact support@duckviz.com. Postal mail: Vikas Awaghade, The Orchid, Ivy Estate Road, Wagholi, Pune 412207, Maharashtra, India.

100% in-browserSchema-only AINo data ever uploaded