Privacy policy.
Last updated April 26, 2026.
1. Scope
This policy describes how DataDam, Inc. ("DataDam") collects, uses, and protects personal data in connection with the public website at mydatadam.com, the customer control plane, and the proxy.
Personal data that flows through the proxy in the course of governing Customer's data sources is processed by DataDam as a Processor under the agreement with Customer. The Data Processing Addendum at mydatadam.com/legal/dpa governs that processing.
2. What we collect
From visitors to the public website, we collect the data necessary to operate the site: pages requested, request timestamp, source IP, and user agent. We do not run third-party advertising trackers. The only cookies set on the public site are those required for first-party analytics and language preference.
From customer-account users, we collect: account email address, organization name, role assignment, and authentication metadata (login time, source IP, MFA method, Cognito or SSO subject identifier). Where SSO is configured, we receive the claims asserted by the Customer's identity provider.
From the proxy, we receive policy configuration, contract definitions, and rollup telemetry: aggregated request counts by agent and source, latency percentiles, decision distributions, and audit-rollup hashes. We do not receive query content, row values, or PII from the proxy.
3. How we use it
To operate, secure, and improve the service. To bill the account. To respond to support and security inquiries. To comply with applicable law. We do not sell personal data and we do not use personal data to train machine-learning models that we then sell to third parties.
4. Where it lives
Public-website logs and control-plane data are processed in Amazon Web Services regions in the United States. Customer-deployed proxies process data in whichever region the Customer chooses to run them.
The control-plane database uses encryption at rest (AES-256) and encryption in transit (TLS 1.2+). Session cookies are HttpOnly, encrypted with AES-256-GCM, and cannot be read by JavaScript.
5. Retention
Account-level personal data is retained for the life of the account plus 30 days after termination. Audit data retention is configured by the customer per organization, with defaults aligned to compliance blueprints (one year for SOC 2, six years for HIPAA and FINRA). Public-website request logs are retained for 90 days.
6. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port the personal data we hold about you, to object to processing, or to withdraw consent. To exercise these rights, email privacy@mydatadam.com. Where we process personal data on a Customer's behalf, we will direct your request to that Customer.
7. Subprocessors
We use a small number of subprocessors to operate the control plane and the public website. The current list and a notice mechanism for additions are available on request to privacy@mydatadam.com and will be published in the DPA prior to general availability.
8. Security
See mydatadam.com/security for the architectural detail. Suspected security issues should be sent to security@mydatadam.com.
9. Changes
We will post material changes to this policy at this URL and notify account administrators by email at least 30 days before they take effect.
10. Contact
DataDam, Inc. Privacy questions: privacy@mydatadam.com.