Privacy Policy

Effective Date: 2026-05-25

Introduction

Welcome to ChartBrick ("we," "us," or "our"). Your privacy is crucial to us, and we’re committed to safeguarding your personal information. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. It applies to all users who access our Software as a Service (SaaS) through our website: https://chartbrick.com.

Information We Collect

Account Information

- Essential Details: When you create an account, we collect your name, email address, and password. If you sign in with Google, we receive your name, email, and profile picture from your Google account.

User Data

- Integration Data: When you connect a data source (CSV, Excel, JSON, MySQL, PostgreSQL, Google Sheets, Airtable, Notion, or Stackby), we fetch and store a snapshot of that data solely for the purpose of generating charts and dashboards.

Financial Information

- Payment Details: If you use our paid services, payment information is collected and processed by Stripe. We do not store your card details on our servers.

Technical Information

- Error & Performance Data: We collect anonymous technical data (browser, operating system, error reports) to monitor and improve service reliability.

How We Use Your Information

- Service Provision: We use your data solely for creating and displaying charts and dashboards within ChartBrick.

- AI-Powered Features: When you use our AI chart suggestions, we send only the dataset name, column names, column types, and per-column unique-value counts to OpenAI. Your actual data values never leave ChartBrick — no rows, no cell values, no unique values are shared.

- Security: Integration connection credentials (database passwords, API tokens) are stored encrypted.

- Email Communications: We use your email to send transactional messages and essential service updates. We send emails via Mailgun.

Data Storage and Third-Party Services

Your data is stored on secure infrastructure. Data snapshots from your connected sources are stored as files on Backblaze B2 (an S3-compatible object storage service). While we take reasonable measures to protect your data, no method of electronic storage is 100% secure.

Encryption

Dataset snapshots are encrypted at rest with AES-256. Encryption is applied at the file level in object storage and in our local query cache; decryption happens only in memory while a chart is being rendered.

Integration credentials (OAuth tokens, database passwords, API keys) are encrypted at rest in our database with AES-256.

All communication between your browser, ChartBrick servers, third-party data sources, and object storage occurs over HTTPS (TLS 1.2+).

Third-Party Services

We use the following third-party services to operate ChartBrick. Each service only receives the data it needs to perform its function:

- Stripe — Payment processing

Stripe handles your billing and payment information. Stripe Privacy Policy.

- Backblaze B2 — Data storage

Dataset snapshots are stored as encrypted Parquet files on Backblaze B2 (S3-compatible object storage). Backblaze Privacy Policy.

- Cloudflare — CDN, DDoS protection, TLS

All traffic to ChartBrick passes through Cloudflare's edge network for performance, DDoS protection, and TLS termination. Cloudflare processes visitor IP addresses, geolocation, and browser metadata, and may cache static assets (JS, CSS, images) at the edge. No application data, datasets, dashboards, or user-generated content is cached or stored by Cloudflare. Cloudflare Privacy Policy · Cloudflare DPA.

When ChartBrick's origin server is unavailable, Cloudflare serves a cached version of public marketing pages from the Internet Archive's Wayback Machine. This applies only to public pages (landing, pricing, help) and never to authenticated areas or user data. Internet Archive Terms.

ChartBrick uses Cloudflare's Web Analytics to measure aggregated performance metrics (Core Web Vitals) and page views from real visitors. No cookies are set and no personally identifiable information is collected. Data is aggregated and used only to monitor and improve site performance.

- PostHog — Product analytics

ChartBrick uses PostHog (EU-hosted) to understand product usage and identify drop-offs in onboarding. For signed-in users, PostHog processes a pseudonymous account identifier and a small set of event types (signup, datasource connection, sharing, subscription). We do not send your email, plan, or workspace name. No cookies, no local storage, no session recordings — and we honor the browser Do Not Track signal. Embedded charts and dashboards are excluded from PostHog entirely. PostHog Privacy Policy · PostHog DPA.

- OpenAI — AI chart suggestions

When you use AI-powered chart suggestions, only the dataset name, column names, column types, and per-column unique-value counts are sent to OpenAI. Your actual data values never leave ChartBrick. OpenAI Privacy Policy.

- Sentry — Error monitoring

Sentry collects error reports and performance data to help us identify and fix issues. This may include your IP address, browser metadata, and a pseudonymous account identifier. Session cookies are stripped before events are sent; session replays are only captured when an error occurs. Sentry Privacy Policy.

- Mailgun — Email delivery

Mailgun processes transactional emails (password resets, invitations, email verifications, account notifications). Mailgun Privacy Policy.

- Publitio — Image hosting

Profile avatars and workspace logos that you upload are resized and stored on Publitio. Only the image you upload is sent — no other account data. Publitio Privacy Policy.

- Railway — Hosting and database

Railway hosts the application and the PostgreSQL database that stores user accounts, workspace data, and application state. Railway Privacy Policy.

Google API Services

ChartBrick integrates with Google services in two ways. This section describes what data we access, why, and how it is handled. Google's own data handling is described in the Google Privacy Policy.

Google Sign-In

If you choose to sign in with Google, we request the following scopes:

- userinfo.profile — your name and profile picture

- userinfo.email — your email address

This data is used solely for authentication and displaying your profile within ChartBrick. It is not used for any other purpose.

Google Sheets Integration

If you connect Google Sheets as a data source, we request the following additional scope:

- drive.file — per-file access, limited to the spreadsheets you explicitly pick

We use the Google Picker to let you select specific spreadsheets to import. ChartBrick can only read the files you select through the Picker — we do not have access to the rest of your Google Drive. We also call Google's Drive API once after authorization to read the email associated with the Google account being connected, so we can label the connection in your workspace.

How Google Data Is Stored

- OAuth access tokens and refresh tokens are stored encrypted at rest in our database.

- All communication with Google APIs occurs over HTTPS.

- Spreadsheet data is fetched and stored as an encrypted copy on Backblaze B2 to power your charts. The original data remains in your Google account.

How Google Data Is Not Used

- We do not sell or rent Google user data, and we do not transfer it to third parties for advertising, marketing, or data brokering.

- We do not use Google user data for serving ads, retargeting, or interest-based advertising.

- We do not use Google user data to train general-purpose AI or machine learning models.

- No human reads your Google data unless you explicitly request support that requires it, or it is necessary for security or legal compliance.

Revoking Access

You can disconnect Google Sheets from your ChartBrick workspace at any time. You can also revoke ChartBrick's access to your Google account through your Google Account permissions. When access is revoked, we delete the stored OAuth tokens associated with that connection.

Google API Services Compliance

ChartBrick's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Retention

- We retain your account data for as long as your account is active.

- Dataset snapshots are retained while the associated data source exists in your workspace.

- When you delete your account, your personal data and associated workspace data are deleted immediately.

Your Rights

- Access: You can request a copy of the personal data we hold about you.

- Correction: You can update your account information at any time through your settings.

- Deletion: You can request deletion of your account and all associated data by contacting us.

- Questions: For any privacy-related concerns, reach out to us at [email protected].

Data Sharing & GDPR Compliance

- No Data Selling: We do not sell or rent your personal data, and we do not share it with third parties for marketing purposes.

- Third-Party Processing: Data is shared with the third-party services listed above only as needed to operate ChartBrick.

For users in the European Economic Area (EEA), we process data in accordance with the General Data Protection Regulation (GDPR). Your rights under GDPR include access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise any of these rights, contact us at [email protected].

International Data Transfers (EEA users)

When personal data of EEA users is transferred outside the European Economic Area, we rely on the following safeguards under Chapter V GDPR:

- The EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for our DPF-certified US subprocessors: Stripe, Backblaze, Cloudflare, Mailgun, and Sentry.

- The European Commission's Standard Contractual Clauses (Article 46(2)(c) GDPR, Decision 2021/914) for subprocessors not covered by the DPF: OpenAI, Railway, and Publitio.

Copies of the applicable safeguards are available on request at [email protected].

Cookies

ChartBrick uses session cookies strictly for authentication (keeping you signed in). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. The analytics tools we do use (PostHog and Cloudflare Web Analytics) are configured to run cookieless — they do not write cookies, local storage, or other persistent identifiers to your device.

Children

Our Services are intended for general audiences and are not directed at children. We do not knowingly collect personal data from anyone under 13 (or under 16 where local law requires a higher age). If we become aware that we have collected such data without valid parental consent, we will delete it as soon as possible.

Policy Updates

We may update this Privacy Policy from time to time. Changes will be reflected in the "Effective Date" at the top of this page. For significant changes, we will notify you via email. If we ever intend to use your data for a purpose not described in this policy, we will request your consent before doing so.

Contact

If you have questions about this Privacy Policy, contact us at [email protected].

By using ChartBrick, you agree to the terms of this Privacy Policy. If you disagree with any part of this policy, please discontinue use of our services.
