Privacy Policy
Dataloom is operated by Tech Mage (Pty) Ltd, a company registered in South Africa ("Dataloom", "we", "us", or "our"). We are the data controller for the account and usage data described below. This Privacy Policy explains what personal data we process, why, the legal bases we rely on, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and similar data-protection laws.
1. Data Protection & GDPR
We are committed to processing personal data in accordance with the GDPR and applicable data-protection law. We process personal data lawfully, fairly and transparently, collect only what we need, keep it only as long as necessary, and protect it with appropriate security measures.
Controller vs. processor. We are the controller of your account and usage data (described in section 2). For data you connect to Dataloom — your databases and the records served through the APIs you build — you are the controller and Dataloom acts as your processor, handling that data only on your instructions under the Data Processing terms in our Terms of Service.
2. Information We Collect
- Account data: your name and email address, and — depending on how you sign up — a hashed password (email/password registration) or your profile image and provider account ID (Google, Microsoft or GitHub sign-in).
- Workspace & configuration data: workspaces, APIs, endpoints and data-source connection settings you create. Database credentials are encrypted at rest.
- Usage & log data: when an API you publish is called, we log request metadata (timestamp, method, path, status, response time). The client IP address is stored in anonymised form and sensitive query-parameter values are redacted. We do not store the body of successful responses.
- Billing data: subscription and payment identifiers handled by our payment processor (we do not store full card details).
- Communications: newsletter subscription status (opt-in) and emails you send us.
- Cookies & analytics: see section 4.
3. How We Use Your Information & Legal Bases
- To provide the service (create your account, run your APIs, process billing) — legal basis: performance of a contract.
- To secure and improve the platform (abuse prevention, debugging, rate limiting) — legal basis: legitimate interests.
- Analytics cookies and the newsletter — legal basis: your consent, which you may withdraw at any time.
- To meet legal obligations (e.g. retaining tax and billing records) — legal basis: legal obligation.
4. Cookies & Analytics
We use essential cookies that are strictly necessary for sign-in, sessions and security; these do not require consent. With your consent we also use analytics cookies (Microsoft Application Insights) to understand how the site is used so we can improve it. Analytics are disabled until you opt in, and you can change or withdraw your choice at any time via .
5. Data Storage, Security & International Transfers
Your data is stored securely using industry-standard encryption, and we apply appropriate technical and organisational measures to protect it. Passwords are hashed and database credentials are encrypted at rest.
Our infrastructure is hosted on Microsoft Azure in the South Africa North region. If you access Dataloom from the European Economic Area or the United Kingdom, your personal data is transferred outside that area. Where such transfers require safeguards under Chapter V of the GDPR, we are putting appropriate measures in place — such as the Standard Contractual Clauses incorporated into our sub-processors' data processing agreements. For more information about these safeguards, contact us at hello@dataloom.cloud.
6. Sub-processors & Third-Party Services
We rely on the following processors to operate Dataloom. Each processes personal data on our behalf under appropriate data-protection terms:
- Microsoft Azure — cloud hosting and application analytics (Application Insights).
- Paddle — payment processing and subscription management.
- Resend — newsletter delivery and contact management.
- Azure Communication Services / our SMTP provider — transactional email (verification, password reset, notifications).
- Google and Microsoft — authentication, and the Google Sheets / Microsoft Excel Online data-source connectors when you choose to use them.
7. Data Retention
We retain your account data for as long as your account is active. Upon account deletion, your data is permanently removed within 30 days. API request logs are retained according to your subscription plan (7 days for Free, 30 days for Starter, 90 days for Pro) and pruned automatically. Expired team invitations are deleted automatically.
8. Your Rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten");
- restrict or object to processing;
- data portability (receive your data in a structured, machine-readable format);
- withdraw consent at any time, without affecting prior processing; and
- lodge a complaint with a data-protection supervisory authority.
9. How to Exercise Your Rights
You can exercise several rights directly in the app: download a copy of your data from Settings → Your data & privacy, permanently delete your account from Billing → Danger Zone, and manage cookie consent via . For any other request, email us at hello@dataloom.cloud and we will respond within the timeframes required by law (normally one month).
10. AI Assistant Connectors (MCP)
Dataloom optionally integrates with AI assistants such as Claude through the Model Context Protocol (MCP). When you enable MCP for a workspace and authorize an AI assistant via our OAuth flow, that assistant can call your published Dataloom endpoints on your behalf, scoped to the specific workspace you select during authorization.
What data leaves Dataloom: the response payload of any endpoint the assistant calls — including the actual rows of data returned by that endpoint — is sent to the AI assistant's provider (for example, Anthropic) and becomes part of your conversation with the assistant. That provider processes it under its own privacy policy and terms.
What Dataloom receives from the assistant: the parameters the assistant supplies when calling an endpoint (for example, a record identifier or a value to write). We process these the same way as any other authenticated gateway call and log the request according to your plan's retention policy (see section 7).
What we do not do: Dataloom does not train any AI model on data flowing through MCP, does not share MCP traffic with any third party other than the AI assistant provider you authorized, and does not retain MCP request payloads beyond the standard gateway request log.
You can revoke an assistant's access at any time from Settings → MCP, which immediately invalidates that assistant's OAuth token. Rotating the connector key from the same page invalidates every active assistant connection for the workspace.
11. Data Breaches
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it where required, and will inform affected users without undue delay where the breach is likely to result in a high risk.
12. EU/UK Representative
Tech Mage (Pty) Ltd is established outside the EEA and the UK. Where Article 27 GDPR (or its UK equivalent) requires us to designate a representative, we are in the process of appointing one. Until that appointment is published here, individuals in the EEA or UK may contact us about data-protection matters at hello@dataloom.cloud.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes via email or through the service.
14. Contact Us
For questions about this Privacy Policy or to exercise your rights, please contact us at hello@dataloom.cloud.
Last updated: June 2026