How DashViz handles account information and Business Data.

• We don't sell your Business Data or personal information.
• We don't share personal information for cross-context behavioral advertising (as defined under CCPA/CPRA).
• We don't use Business Data to train DashViz's own AI models, and we don't provide Business Data to AI providers for the purpose of training those providers' general-purpose models.
• We don't use your data to market to your customers.
• We don't show third-party advertising in DashViz.
• We don't share Business Data with third parties for their independent purposes; Subprocessors only process Business Data to deliver the Service to you.

Account information

Name, email address, phone number (if provided), sign-in identifiers, business name, role, trial status, billing status, support messages, and account preferences.

Business Data

Files, tables, field names, dashboard configurations, prompts, AI responses, alert rules, and other content that a Customer uploads, connects, or creates in DashViz.

Use and device information

Browser or device details, operating system, IP address, approximate location derived from IP, session events, pages viewed, feature usage, click events, errors, diagnostics, cookieless website analytics, and security logs.

Billing information

Plan, invoice, tax, and subscription details if paid billing is enabled. Full payment-card details are handled directly by the payment processor and are not retained by DashViz.

Communications

Email correspondence, support tickets, in-product messages, and (if you opt in) SMS messages, including their metadata.

Service-usage analytics

Aggregated and de-identified product-usage signals DashViz derives to operate, secure, and improve the Service. DashViz does not draw inferences (in the CCPA sense) about individuals to build profiles for marketing, advertising, or scoring.

• Directly from you when you create an account, configure the Service, contact support, or upload or connect data.
• Automatically when you use the Service, including through cookies, local storage, server logs, and similar technologies (see the Cookie Policy).
• From Subprocessors and integrations the Customer chooses to connect (for example, when a Customer connects a third-party data source).
• From third parties such as fraud-detection, anti-abuse, and identity-verification providers where used.

• Create and manage accounts, trials, billing status, sign-in, and access to the Service.
• Import, organize, analyze, display, and summarize Business Data at the Customer's direction.
• Generate dashboards, AI answers, alerts, notifications, product diagnostics, and support responses.
• Operate, secure, monitor, troubleshoot, and improve the Service, including detecting errors, abuse, unauthorized access, and reliability problems.
• Send transactional communications (account, billing, security, and service notices) and, with your consent where required, marketing communications.
• Generate aggregated and de-identified data for analytics, benchmarking, security, and product improvement (this data does not identify a Customer or individual and is not used to train foundation AI models).
• Comply with legal obligations, respond to lawful requests, enforce these Terms and policies, resolve disputes, and protect DashViz, Customers, and other affected parties.

• Performance of a contract — to provide the Service the Customer has signed up for.
• Legitimate interests — to operate, secure, monitor, and improve the Service, prevent abuse and fraud, and develop new features, balanced against the rights and freedoms of data subjects.
• Compliance with legal obligations — to comply with tax, accounting, security-incident, and other applicable laws.
• Consent — where required by law (for example, certain cookies, marketing emails, or SMS messages); you may withdraw consent at any time.

When a Customer uses AI features, DashViz routes prompts, schema metadata, and limited Business Data context through DashViz-controlled servers to AI providers — primarily Anthropic — to produce the requested output. AI providers do not have direct browser access to a Customer account. Under Anthropic's commercial API terms, Business Data sent through the Anthropic API is not used to train Anthropic's models. DashViz does not use Customer Business Data to train its own AI models. DashViz does not authorize AI providers to retain Business Data beyond what is needed to deliver the response and to operate their service consistent with their terms.

DashViz may change or replace AI providers as the Service evolves; specific provider commitments described in this Policy reflect the providers in use as of the effective date and will be updated when material changes occur.

AI outputs may be incomplete, inaccurate, outdated, biased, or unsuitable. They are not financial, accounting, tax, legal, investment, healthcare, or other regulated advice. The Customer is responsible for reviewing outputs against authoritative sources before relying on them.

DashViz relies on Subprocessors to operate the Service. Each Subprocessor receives only the information needed to perform its function and is bound by contractual confidentiality and security obligations. The current list is below; DashViz may add or replace Subprocessors and will update this list when material changes occur. SOC 2 Type 2 attestations referenced below reflect each provider's public documentation as of the effective date and are subject to change at that provider's discretion.

Authentication — Clerk (SOC 2 Type 2)

User sign-up, sign-in, multi-factor authentication, and session management. Clerk holds SOC 2 Type 2 attestation per its public security documentation.

Hosting & frontend — Vercel (SOC 2 Type 2)

Static site hosting, edge delivery, and routing for the DashViz web application. Vercel holds SOC 2 Type 2 attestation per its public security documentation.

Backend hosting — Railway

Application server hosting for the DashViz API.

Database & storage — Supabase (SOC 2 Type 2)

Postgres database, file storage, and tenant data isolation. Encrypted at rest by the provider. Supabase holds SOC 2 Type 2 attestation per its public security documentation.

AI processing — Anthropic (SOC 2 Type 2)

Large-language-model inference used for AI chat, classification, and dashboard generation. Under Anthropic's commercial API terms, Business Data sent through the Anthropic API is not used to train Anthropic's models. Anthropic holds SOC 2 Type 2 attestation per its public Trust Center.

Email delivery — Resend

Transactional and notification email delivery.

Error diagnostics — Sentry

Server-side and browser stack traces, breadcrumbs, and limited performance traces for diagnosing reliability issues. Configured cookieless (no Session Replay, no PII captured by default) with explicit before-send scrubbing of authentication headers and secret-shaped values. Sentry's data-processing terms apply.

Website analytics - Plausible

Cookieless website analytics for public marketing pages, including visits, referrers, pages, outbound links, and conversion events. Plausible does not set tracking cookies.

SMS delivery — Telnyx

Text-message alert delivery for Customers who opt in to SMS alerts.

DashViz may also share information with advisers, insurers, legal authorities, and transaction parties for compliance, risk management, claims, investigations, lawful requests, or in connection with financing, merger, acquisition, reorganization, or sale of assets.

Customers requiring a Data Processing Addendum (DPA) for GDPR, UK GDPR, CCPA/CPRA, or similar applicable law can request one by contacting legal@dashviz.ai. Where a signed DPA is in place, the DPA controls over conflicting provisions in this Policy with respect to that Customer's account.

DashViz is based in the United States, and Business Data and account information may be processed in the United States and in other countries where DashViz or its Subprocessors operate. If you access the Service from outside the United States, you understand and consent to the transfer of your information to the United States and to the use of cross-border transfer mechanisms (such as standard contractual clauses) where those mechanisms are required by law and available between DashViz and a Subprocessor.

DashViz does not sell personal information, and does not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA). DashViz does not use Business Data to build third-party advertising profiles. If this changes in the future, DashViz will update this Policy and provide any opt-out mechanism required by law.

DashViz retains personal information and Business Data for as long as needed to provide the Service, comply with legal obligations, maintain backups, prevent abuse, resolve disputes, keep financial records, and enforce agreements. Specific retention windows are:

Active account data

Retained while the account is active and for the period reasonably needed to provide the Service.

Closed or canceled accounts

Following the thirty (30)-day post-termination export window described in the Terms of Use, Business Data is deleted or anonymized within an additional sixty (60) days, subject to backup cycles, legal holds, billing records, and legal obligations.

Database backups

Rolling backups are retained for up to thirty (30) days for service recovery.

Operational, security, and audit logs

Retained for up to twelve (12) months for security, abuse prevention, and reliability investigations.

Billing and tax records

Retained for up to seven (7) years to comply with U.S. tax and accounting obligations.

Communications and support records

Retained for up to thirty-six (36) months to maintain support history and resolve disputes.

When the retention purpose ends, DashViz will delete or de-identify the information, subject to backup cycles, legal holds, and other lawful retention needs.

DashViz uses commercially reasonable safeguards designed for the Service, including separated tenant data, permission checks, controlled access to Business Data, encryption of data in transit (TLS) and at rest (provided by the database platform), restricted operational access, password handling delegated to a specialized authentication provider, and monitoring. See the Security page for more detail.

DashViz is not responsible for unauthorized access, disclosure, loss, or corruption caused by Customer credentials, Customer devices, Customer systems, Customer-authorized users, third-party services outside our control, Customer instructions, or events that defeat reasonable safeguards. Where applicable law requires notice of a security incident, DashViz will provide legally required notice, including, where applicable, under Arizona Revised Statutes § 18-552 and other state and federal breach-notification laws.

Depending on where you live and the nature of the information, you may have rights with respect to personal information that DashViz processes about you. These may include:

• Right to know or access — confirm whether DashViz processes personal information about you and obtain a copy or description.
• Right to correct — request correction of inaccurate personal information.
• Right to delete — request deletion of personal information, subject to exceptions allowed by law.
• Right to portability — request a copy in a portable format where required by law.
• Right to opt out of sale or sharing — DashViz does not sell or share personal information; this right does not currently apply because no such activity is taking place.
• Right to limit use of sensitive personal information — DashViz does not use sensitive personal information for purposes that require this opt-out.
• Right to non-discrimination for exercising rights.
• Right to opt out of certain automated decision-making and profiling, where applicable.
• Right to lodge a complaint with a supervisory authority (for EEA, UK, and Swiss users) or a state attorney general.
• Right to withdraw consent where processing is based on consent.

Some of these rights apply only under specific laws — for example, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and similar laws in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, and other states; the EU General Data Protection Regulation (GDPR) and UK GDPR; and the Lei Geral de Proteção de Dados (LGPD) in Brazil. The scope of each right depends on the law that applies to you.

To make a privacy request, send an email from the address associated with your DashViz account to privacy@dashviz.ai describing the right you are exercising and the information involved, or use any contact form provided in the Service. DashViz may need to verify your identity using account information or other reasonable means before fulfilling the request, and may decline or limit a request where permitted by law.

You may use an authorized agent to submit a request where allowed by law, provided the agent presents written permission from you and DashViz can verify your identity. DashViz does not currently offer a self-service privacy-rights portal.

If you are an end user of a Customer's business (for example, a Customer's employee or contact) and your data is in the Customer's DashViz account, DashViz processes that data on behalf of the Customer. We will direct your request to the Customer that controls the account, and the Customer is responsible for responding.

If DashViz sends marketing emails, every email will include an unsubscribe link as required by the CAN-SPAM Act, and our commercial email will include our valid postal address. You can opt out of marketing emails at any time without affecting transactional messages required to operate the Service. If you opt in to SMS alerts, you may opt out at any time by replying STOP to a message, disabling SMS in account settings, or contacting support@dashviz.ai. SMS use is governed by the Telephone Consumer Protection Act (TCPA) and related laws.

DashViz uses cookies, local storage, and similar technologies to run the Service, keep sessions secure, remember preferences, and measure reliability, and measure public website traffic through cookieless analytics. See the Cookie Policy for details and for the treatment of Global Privacy Control signals.

DashViz is intended for adult business users. The Service is not directed to children, and DashViz does not knowingly collect personal information from anyone under thirteen (13) (as defined by the U.S. Children's Online Privacy Protection Act, COPPA), or from anyone under sixteen (16) without verified parental consent where required by GDPR or state law. If you believe a child has provided personal information, contact privacy@dashviz.ai and we will take reasonable steps to delete it.

DashViz does not respond to legacy browser "Do Not Track" signals because no industry standard for those signals has been adopted. Where required by applicable law, DashViz treats Global Privacy Control (GPC) signals as a valid request to opt out of sale or sharing of personal information. As stated above, DashViz does not currently sell or share personal information.

The privacy rights and obligations described above apply by jurisdiction. The notices below summarize how those rights apply in specific regions; the rest of this Policy applies in all jurisdictions.

California (CCPA/CPRA)

The categories of personal information DashViz has collected, disclosed for a business purpose, or shared in the preceding twelve (12) months are described in the "Information we collect," "How we use information," and "Subprocessors and providers" sections above. DashViz does not knowingly collect or sell personal information of consumers under 16. California residents have the rights described in the "Your privacy rights" section, including the rights to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination. Contact privacy@dashviz.ai to exercise these rights. You may also designate an authorized agent in writing.

Other U.S. states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, and other states with comprehensive privacy laws may have rights similar to those described under "Your privacy rights." Contact privacy@dashviz.ai to exercise these rights; identity verification may apply, and the scope of each right depends on the law of your state of residence.

EEA, UK, and Switzerland

DashViz is the controller of personal information described in this Policy unless DashViz processes the data on behalf of a Customer, in which case the Customer is the controller and DashViz is the processor. DashViz does not currently have an EU/UK representative; if Article 27 GDPR or UK GDPR applies in the future, DashViz will appoint and publish a representative as required. You have the right to lodge a complaint with your local data-protection authority.

DashViz may update this Privacy Policy as the Service, providers, law, or business changes. Material updates will be posted in the Service or on the website with an updated effective date and, where required, communicated by email or in-product notice. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated Policy.