Privacy Policy
TerraBog Analytics, Inc. ("TerraBog," "we," "us," or "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and protect your information when you use the TerraBog Analytics platform. Last updated: March 29, 2026.
Information We Collect
Account information
When you create a TerraBog Analytics account, we collect your name, email address, company name, job title, and billing information. If you authenticate via a third-party identity provider (Google OAuth, GitHub OAuth, Azure AD, or Okta SSO), we receive your profile information from that provider. This information is necessary to provision your tenant, assign roles, and manage your subscription.
Usage data
We automatically collect information about how you interact with the TerraBog platform, including dashboard views, insight queries, pipeline executions, connector configurations, data uploads, and actions taken within the application. We also collect device type, browser type, IP address, and approximate geographic location. This data helps us improve product quality, detect anomalies, and provide personalized analytics recommendations via our Claude AI integration.
Customer data you ingest
TerraBog processes the data you upload or connect to our platform through any of our 27 supported data connectors (including Shopify, WooCommerce, Amazon Seller Central, Stripe, QuickBooks, Google Analytics, and others). Uploaded files are stored in Google Cloud Storage (GCS). Structured data is loaded into Google BigQuery for warehousing and analytics. This data is processed solely on your behalf as a data processor under your documented instructions. We do not access, use, or analyze your customer data for any purpose other than delivering the agreed service.
Automatically collected technical data
Our platform collects server-side logs including API request metadata, authentication events, pipeline run statuses, and error traces. These logs are retained for operational monitoring and security incident investigation. All API requests are tagged with a unique request ID for traceability.
Communications
If you contact our support team or submit a request through our contact form, we retain a record of your communications to help resolve issues and improve our service quality.
Legal Basis for Processing
Contractual necessity
We process your account information, customer-ingested data, and usage data as necessary to perform our contract with you -- that is, to provide the TerraBog Analytics platform, run data pipelines, deliver insights, and maintain your account. Without this processing, we cannot deliver the Service.
Legitimate interest
We process technical logs, security events, and aggregated usage data based on our legitimate interest in maintaining platform security, preventing fraud, improving service quality, and ensuring system reliability. We balance these interests against your privacy rights and apply data minimization principles.
Consent
We rely on your consent for sending marketing communications and for setting non-essential cookies or local storage preferences. You may withdraw consent at any time by unsubscribing from emails, adjusting your cookie preferences, or contacting us at privacy@terrabog.com. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
Legal obligation
We may process certain data to comply with applicable laws, regulations, or enforceable governmental requests, including tax and financial reporting obligations related to billing.
How We Use Your Information
Service delivery
We use your account information and usage data to operate, maintain, and improve the TerraBog platform, including running data pipelines (ingestion, validation, cleaning, canonicalization, dbt transformations, and ML scoring), processing transactions via Stripe, delivering AI-generated insights via Claude AI, and providing technical support.
Data enrichment
TerraBog enriches your analytics with publicly available data from the Federal Reserve Economic Data (FRED) API, U.S. Census Bureau, Statistics Canada, and other government sources. This enrichment is performed server-side and no customer personal data is shared with these external sources.
Product improvement
Aggregated, anonymized usage data is used to understand feature adoption, identify usability issues, and inform our product roadmap. Individual user behavior is never shared externally. We do not train machine learning models on your customer data.
Security and fraud prevention
We use authentication logs, IP addresses, and behavioral signals to detect unauthorized access, prevent account takeover, enforce IP allowlist policies (Enterprise plans), and trigger security alerts. Our platform includes automated PII detection to identify credit card numbers (Luhn validation), Social Security Numbers, and bank account numbers in uploaded data.
Communications
We use your email address to send essential service notifications (billing receipts, security alerts, pipeline failure alerts, data quality alerts), product updates, and -- with your consent -- marketing materials via Resend. You can opt out of marketing communications at any time via the unsubscribe link in any email or through your account settings.
Legal compliance
We may process your information where required by law, including responding to lawful requests from public authorities.
International Data Transfers
Where your data is processed
TerraBog Analytics infrastructure is hosted on Google Cloud Platform in the United States (us-central1 region, Council Bluffs, Iowa). All customer data -- including data stored in BigQuery, Cloud SQL, and Google Cloud Storage -- is processed and stored within the United States.
Transfers from the EEA, UK, and Switzerland
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the United States for processing. We rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted under Decision 2021/914 to provide appropriate safeguards for these transfers. Google Cloud's data processing terms incorporate SCCs for transfers of personal data outside the EEA. A copy of the applicable SCCs is available upon request.
Transfers from Canada
For Canadian users, data is transferred and processed in the United States in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Google Cloud Platform has been recognized by the Office of the Privacy Commissioner of Canada as providing a comparable level of protection for personal data.
Safeguards
Regardless of where your data is processed, we apply the same technical and organizational security measures described in the Data Security section of this policy. We conduct periodic assessments to ensure that the legal framework in the destination country does not materially impair the effectiveness of these safeguards.
Data Security
Encryption at rest
All data stored in Google BigQuery, Cloud SQL (PostgreSQL), and Google Cloud Storage is encrypted at rest using Google-managed encryption keys (AES-256). Enterprise customers may request Customer-Managed Encryption Keys (CMEK) for additional control.
Encryption in transit
All data transmitted between your browser and our platform, and between internal services, is encrypted using TLS 1.2 or higher. API endpoints enforce HTTPS exclusively.
Authentication and access control
User authentication is handled via JWT tokens with configurable session expiry. We support Google OAuth, GitHub OAuth, Enterprise SSO (Azure AD, Okta), and SCIM 2.0 provisioning for automated user lifecycle management. Multi-factor authentication (TOTP) is available on all plans and enforced by default on Enterprise plans.
Tenant isolation
TerraBog enforces strict tenant isolation through tenant_id-based row-level security across all database tables, BigQuery datasets, and GCS storage paths. No tenant can access another tenant's data through any API endpoint or query path.
PII detection and masking
Our data pipeline includes automated PII detection that identifies credit card numbers (via Luhn algorithm validation), Social Security Numbers, and bank account numbers in uploaded data. Detected PII is automatically masked before storage. Quarantined rows with PII findings are available for review in the Data Quality dashboard.
Audit logging
All security-relevant events -- including authentication attempts, role changes, data access, pipeline executions, and administrative actions -- are recorded in append-only audit logs. Audit logs are retained for 12 months by default and up to 7 years on Enterprise plans.
Data Retention
Account data
We retain account data (name, email, company, billing history) for the duration of your subscription and for 90 days following account termination, after which it is permanently deleted unless a longer retention period is required by law or contractual obligation.
Customer-ingested data
Data you have uploaded or connected to TerraBog is retained according to your plan's configured retention policies. Starter plans retain data for 90 days. Growth plans retain data for 1 year. Enterprise customers can configure custom retention periods from 30 days to 7 years. Upon expiration, data is permanently deleted from BigQuery, Cloud SQL, and GCS.
Audit logs
Audit logs are retained for 12 months by default and for up to 7 years on Enterprise plans for regulatory compliance purposes.
Data export
You may export your data at any time through the platform's export functionality or via the API. Upon account termination, a 30-day data export window is provided before permanent deletion begins.
Backup and disaster recovery
Automated backups of Cloud SQL metadata are maintained with a 7-day recovery window. BigQuery data benefits from Google's built-in replication and durability guarantees. Backups are encrypted using the same encryption standards as primary data stores.
Your Privacy Rights
Access and portability
You may request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format (JSON or CSV) within 30 days of a verified request.
Correction
You may update your account information at any time through the Settings panel in the application, or contact us to correct inaccuracies in data we hold.
Deletion
You may request deletion of your personal data. We will complete deletion within 30 days of a verified request, except where retention is required by law, contractual obligation, or legitimate business need (such as fraud prevention or dispute resolution).
GDPR rights (EEA residents)
If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation including the right to object to processing, the right to restriction of processing, the right to withdraw consent, and the right to lodge a complaint with your local supervisory authority. Our EU representative can be reached at gdpr@terrabog.com.
CCPA / CPRA rights (California residents)
California residents have the right to know what categories of personal information we collect, to request deletion of personal information, to opt out of any sale of personal information (we do not sell personal information), and to receive equal service and pricing regardless of whether they exercise their privacy rights. To submit a request, email privacy@terrabog.com or use the Data Subject Request form in your account settings.
Canadian privacy rights (PIPEDA)
Canadian residents have the right to access, correct, and challenge the accuracy of personal information we hold. Requests can be submitted to privacy@terrabog.com and will be responded to within 30 days.
Children's Privacy
Age restriction
TerraBog Analytics is a business-to-business platform designed for use by commercial organizations and their authorized personnel. Our Service is not directed to individuals under the age of 16 (or under 13 in jurisdictions where that is the applicable threshold).
No knowing collection
We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under the applicable age, we will take prompt steps to delete that information. If you believe a child has provided us with personal data, please contact us immediately at privacy@terrabog.com.
Changes to This Policy
How we notify you
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform capabilities. When we make material changes, we will notify you at least 30 days in advance via email to the address associated with your account and through a prominent notice within the platform. Non-material changes (such as clarifications or formatting updates) may be made without advance notice.
Effective date
The "Last updated" date at the top of this policy indicates when the most recent revision took effect. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree with a material change, you may terminate your account before the change takes effect and request deletion of your data.
Prior versions
Prior versions of this Privacy Policy are available upon request by contacting privacy@terrabog.com.
Questions about this policy?
Contact our Data Protection Officer at privacy@terrabog.com, or write to us at TerraBog Analytics, Inc., 535 Mission Street, Floor 14, San Francisco, CA 94105.
For GDPR-related requests, our EU representative can be reached at gdpr@terrabog.com.
Questions about how we handle your data?
Our Data Protection Officer responds to all privacy inquiries within 5 business days.