Privacy Policy
Last updated: January 1, 2026
1. Introduction
Decube, Inc. ("Decube," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Data Context Platform at decube.org, including all related services, APIs, and features (collectively, the "Services"). Please read this policy carefully.
We reserve the right to update this Privacy Policy at any time. We will notify registered users of material changes via email and by updating the "Last updated" date above. Continued use of the Services after the effective date of any change constitutes acceptance of the updated policy.
2. Information We Collect
2.1 Account and Registration Information
When you create a Decube account, we collect: your name, work email address, company name, job title, and password. For team accounts, we also collect billing contact information, company size, and data stack configuration preferences (which warehouse connectors, dbt integrations, and identity providers you configure).
2.2 Platform Usage Data
We collect information about how you use the Decube platform, including: queries you run in the lineage explorer, monitoring rules you configure, glossary terms you create or certify, dashboard views, alert acknowledgments, and other in-product actions. This data is used to improve the platform and understand which features are most valuable to users.
2.3 Data Warehouse Connection Metadata
When you connect a data warehouse to Decube via OAuth, we receive and process: query history metadata (SQL text, execution timestamps, user roles, execution statistics) from your warehouse query log; schema metadata (table names, column names, data types, nullable flags); and table statistics (row counts, freshness timestamps, storage metadata). We do not access or store the actual data values in your warehouse tables — only metadata about structure, queries, and statistics.
Query history SQL text may contain references to column names, table names, and transformation logic that could be considered sensitive business information. We treat all warehouse metadata with the same confidentiality standards as your account information and do not share it with third parties except as described in this policy.
2.4 Identity Provider Data
If you connect an identity provider (LDAP, Okta, Azure AD) for ownership assignment and access control, we receive user directory information including names, email addresses, team memberships, and organizational hierarchy. This data is used exclusively to populate ownership assignments within the platform and is not used for marketing or shared with third parties.
2.5 Automatically Collected Data
We automatically collect: IP addresses, browser type and version, operating system, referring URLs, pages visited, time and date of visits, session duration, and error logs. We also collect device identifiers and general location information derived from IP address. This data is used for security, performance monitoring, and product analytics.
2.6 Communications
We retain records of communications you initiate with us, including support tickets, email correspondence, demo requests, and feedback submissions.
3. How We Use Your Information
Service delivery: To operate the Decube platform; to extract and display lineage graphs from your warehouse query history; to run quality monitors and send alerts; to manage business glossary workflows; to authenticate users and manage access controls.
Product improvement: To analyze usage patterns, identify feature gaps, fix bugs, and develop new capabilities. Product analytics data is aggregated and anonymized where possible.
Communication: To send transactional communications (account alerts, billing notifications, monitor alerts); to send product updates and educational content with your consent; to respond to support requests.
Security and compliance: To detect and prevent unauthorized access, fraud, and abuse; to comply with legal obligations; to enforce our Terms of Service.
4. Data Sharing and Disclosure
Service providers: We share data with third-party service providers who perform services on our behalf: cloud hosting (AWS), payment processing (Stripe), email delivery (SendGrid), product analytics (Mixpanel, Amplitude), customer support (Intercom), and error tracking (Sentry). All service providers are contractually bound to use data only as directed by Decube.
Legal requirements: We may disclose information when required by law, court order, or government process, or when necessary to protect the rights, property, or safety of Decube, our users, or the public.
Business transfers: In connection with a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction with appropriate privacy protections.
No sale of personal data: We do not sell personal information or warehouse metadata to third parties, advertisers, or data brokers.
5. Data Security
Decube implements enterprise-grade security measures appropriate for a platform that processes sensitive data stack metadata:
- All data in transit encrypted with TLS 1.3
- All data at rest encrypted with AES-256
- Warehouse connections use read-only OAuth with minimal required permissions
- Warehouse credentials are stored encrypted and never logged
- Role-based access controls within the platform
- SOC 2 Type II audit in progress (expected completion Q3 2026)
- Regular penetration testing by independent security firms
- Automated dependency scanning and vulnerability management
- Employee background checks and security training
In the event of a security breach affecting personal data, we will notify affected users and relevant authorities as required by applicable law.
6. Data Retention
Account data: Retained for the duration of your subscription and for 3 years after account closure, subject to legal retention requirements.
Warehouse query history: We retain extracted query metadata for up to 13 months to support lineage graph construction and trend analysis. You can request deletion of query metadata for your account at any time.
Quality monitoring data: Monitor results and alert history are retained for 24 months to support trend analysis and postmortem investigations.
Billing records: Transaction records are retained for 7 years for tax and accounting compliance.
Log data: Application and access logs are retained for 12 months, then archived or deleted.
7. Your Privacy Rights
Depending on your location, you have rights including: access to personal information we hold about you; correction of inaccurate information; deletion of personal information (subject to legal retention requirements); portability of your data in a machine-readable format; restriction of processing in certain circumstances; and objection to marketing communications.
For California residents: the CCPA provides rights to know, delete, correct, and opt out of sale (we do not sell personal data). For EEA/UK residents: GDPR provides additional rights including the right to lodge a complaint with your supervisory authority.
To exercise any privacy right, contact privacy@decube.org. We will respond within 30 days.
8. International Data Transfers
Decube is based in the United States. If you access our Services from outside the US, your information may be transferred to and processed in the US. For EEA/UK users, we use standard contractual clauses approved by the European Commission to protect cross-border data transfers.
9. California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act: the right to know what personal information we collect about you, the categories of sources, the business purpose, and the categories of third parties we share it with; the right to delete personal information we have collected, subject to certain exceptions; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (we do not sell personal information); and the right to non-discrimination for exercising your CCPA rights.
To submit a CCPA request, email privacy@decube.org with the subject line "California Privacy Request" or call +65 6221 6800. We will verify your identity before processing requests. We will respond within 45 days, with a possible 45-day extension for complex requests. Agents authorized to submit requests on your behalf must provide written authorization or a power of attorney.
10. Nevada Privacy Rights
Nevada residents may opt out of the sale of certain personally identifiable information to third parties. As noted above, we do not sell personal information. However, Nevada residents may still submit opt-out requests by emailing privacy@decube.org with the subject line "Nevada Privacy Opt-Out Request." We will respond within 60 days of receipt.
11. Children's Privacy
Our Services are designed for data engineering and analytics professionals and are not intended for users under 18. We do not knowingly collect information from minors. If we become aware that we have inadvertently collected personal information from a person under 18, we will delete it promptly. If you believe we may have information from a minor, contact privacy@decube.org.
12. Data Security Practices
Decube implements technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include: encryption of data in transit using TLS 1.2 or higher; encryption of data at rest using AES-256; role-based access controls limiting employee access to personal data to those with a legitimate business need; annual security training for all personnel with access to personal data; regular penetration testing by independent security firms; incident response procedures with documented escalation paths; and vendor security assessments for all third-party processors before onboarding.
No security system is impenetrable. In the event of a security incident affecting your personal data, we will notify you as required by applicable law, including within 72 hours for EEA/UK residents under GDPR. Security incident reports should be sent to security@decube.org.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have an account) or by displaying a prominent notice on our website at least 14 days before the changes take effect. We will also update the "Last updated" date at the top of this policy. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
14. Contact
Decube, Inc.
Attn: Privacy Team
1 Raffles Place, #20-61 One Raffles Place
Singapore 048616
Email: privacy@decube.org
Phone: +65 6221 6800
EU Representative: eu-privacy@decube.org