Privacy Policy for DataFog, Inc.

Effective May 12, 2025


1. Who We Are

DataFog, Inc. (DataFog, we, our, or us) is a Delaware C-corporation that sells cloud-based software for detecting, anonymizing, and managing sensitive data inside documents. Our business address is 1209 Orange St., Wilmington, DE 19801, USA.

2. Scope

This policy explains how we collect, use, share, and protect information when you:

  • visit datafog.ai or any sub-domain;
  • sign up for an account;
  • upload files or otherwise use our software-as-a-service (SaaS) platform; or
  • interact with us through email, social media, or events.

3. The Information We Collect

CategoryExamplesSource
Account infoName, email, password hash, billing addressYou
ContentDocuments, images, or other files you upload for scanningYou
Usage dataPages visited, features used, click-streams, error logsAutomatic
Device dataBrowser type, IP address, device/OS identifiersAutomatic
Payment dataLast four digits of card, expiry, postal codeStripe, Paddle, or similar processor
Marketing dataNewsletter opt-ins, ad campaign tagsYou / Cookies

We do not knowingly collect data from children under 13.

4. Why We Use Your Data

PurposeLegal basis*
Provide and secure the serviceContract
Perform scans and return resultsContract
Improve features, models, and accuracyLegitimate interest
Detect abuse, fraud, or security incidentsLegitimate interest
Send transactional emails (e.g., password resets)Contract
Send product updates or marketing (you can opt out)Consent / Legitimate interest
Comply with law, subpoenas, or auditsLegal obligation

*If you reside in the European Economic Area (EEA), our legal bases under the GDPR are shown in the right-hand column.

5. Sharing & Disclosure

We share data only when needed:

  • Cloud hosting & edge delivery – Cloudflare (global)
  • Analytics – Plausible (EU) and internal log aggregation
  • Payment processors – Stripe or Paddle (PCI-DSS compliant)
  • Sub-processors for AI inference – GPU providers inside the U.S./EU
  • Corporate events – If we sell, merge, or reorganize, data may transfer
  • Legal – When required by law or to protect rights, safety, or property

We never sell personal information.

6. Cookies & Similar Tech

We use first-party cookies for session management and security. Analytics cookies are cookieless or pseudonymous. You can control cookies through your browser settings.

7. Data Retention

  • Uploaded files – deleted automatically 30 days after processing, unless you choose a shorter window in your dashboard.
  • Account, billing, and log data – kept as long as you hold an account, then archived for up to seven years to meet tax and audit rules.
  • Anonymized aggregates may be kept indefinitely.

8. Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems requires MFA and least-privilege roles. We run regular penetration tests and maintain a written incident-response plan.

9. International Transfers

We rely on the EU–US Data Privacy Framework and standard contractual clauses for transfers outside your jurisdiction. Our primary data center is in the United States.

10. Your Rights

JurisdictionRights you can exercise
EEA / UK (GDPR)Access, rectify, erase, restrict, object, data portability, lodge complaint with supervisory authority
California (CPRA)Know, delete, correct, opt-out of "sharing," limit sensitive data, no retaliation
Virginia, Colorado, Connecticut, UtahAccess, correct, delete, opt-out of targeted ads or sale
Texas (TDPSA, July 1 2024) & Delaware (DPDPA, Jan 1 2025)Access, correct, delete, data portability, opt-out of sale/ads, appeal denials
Maryland (Online Data Privacy Act, Oct 1 2025)Similar rights; stricter opt-out signal requirements

You can make a rights request from inside your account or by emailing privacy@datafog.ai. We'll verify your identity and respond within the time limits set by law.

11. Do-Not-Track & Global Privacy Control

Our site honors the Global Privacy Control (GPC) signal where legally required. We do not track users for behavioral advertising.

12. Third-Party Links

Our site may link to other websites. Their privacy practices are their own.

13. Changes to This Policy

We'll post any changes here and update the "Effective" date. Significant changes will be announced by email or in-app.

14. Contact Us

Data Protection Officer

DataFog, Inc.

1209 Orange St., Wilmington, DE 19801, USA

privacy@datafog.ai