Privacy Policy

Last updated: April 4, 2026

Back to Home

At Riportics, privacy is not an afterthought — it is foundational to how the platform works. This Privacy Policy explains what data we collect, how we use it, and how we protect your information.

1. Our Privacy-First Architecture

Riportics processes your data files entirely inside your browser using DuckDB-WASM. When you upload CSV, Excel, JSON, XML, or log files:

  • Files are parsed, ingested, and queried using an in-browser SQL engine. No file data is uploaded to our servers.
  • Charts, dashboards, data grids, reports, and presentations are rendered locally in your browser.
  • AI-generated dashboards, reports, and presentations are created from schema metadata — your actual data values never leave the browser.

2. Session Persistence and Local Storage

Riportics stores application state in your browser's IndexedDB to enable session recovery across page refreshes:

  • DuckDB tables are exported as Parquet files and stored in IndexedDB.
  • Uploaded files are stored as ArrayBuffers in IndexedDB.
  • Application state (dashboard layouts, widget configurations, insight caches, ingestion progress) is stored as JSON in IndexedDB.

All IndexedDB data stays on your device and is never transmitted to our servers. You can clear all persisted data at any time by choosing "Start fresh" on the upload page. Individual datasets can be removed from the memory management popover.

3. What We Send to AI Providers

When you use AI-powered features (widget recommendations, key insights, report generation, presentation generation, SQL query generation), we send only your data schema and metadata to our AI provider (currently OpenAI). This includes:

  • Column names and data types
  • Table structure and relationships
  • Sample value descriptions (not actual values)
  • Detected data domain and format information
  • SQL dialect information (DuckDB, PostgreSQL, or MySQL)

Log and Unstructured Data

For non-structured data such as log files, we send a small sample (up to 10 lines) from the beginning of the file to our AI provider solely to detect the log format and parsing pattern. This sample is used only for format detection and is not stored. Once the format is identified, all subsequent parsing and analysis happens entirely within your browser using our WASM parser.

Your actual row-level data, cell values, and file contents are never sent to any external server — with the exceptions of the Database Connectivity and API Data Source features described below.

Database Connectivity (Connect to Database)

When you use the "Connect to Database" feature to connect to an external PostgreSQL or MySQL database:

  • Your database credentials (host, port, username, password) are sent to our server and encrypted at rest using AES-256-GCM.
  • SQL queries generated by the AI are executed on our server against your database. Only SELECT statements are permitted — no data modification is possible. Queries are limited to 50,000 rows and a 30-second timeout.
  • Query results pass through our server and are returned to your browser for visualization. We do not store, log, or retain query results.
  • Schema information (table names, column names and types) is sent to our AI provider to generate relevant queries and visualizations. Schema is cached locally in your browser for performance.

You can delete saved connections at any time, which permanently removes encrypted credentials from our storage. For maximum security, we recommend using read-only database users with limited permissions.

API Data Source (Fetch from API)

When you use the "Fetch from API" feature to load data from an external API, the following information is sent to our server to make the request on your behalf:

  • The API URL and query parameters you specify
  • Request headers you provide (which may include authentication tokens or API keys)
  • Request body content (for POST/PUT/PATCH requests)

Our server acts as a proxy — it forwards your request to the specified API and returns the response to your browser. We do not store, log, or retain any of this data (the URL, headers, request body, or the API response). Once the response is delivered to your browser, all processing continues locally as with any other data file. API responses are limited to 10MB and requests timeout after 30 seconds.

Saved API configurations (URLs, headers, parameters) are stored on our server and linked to your account for convenience. You may delete them at any time. We recommend using temporary or scoped API keys rather than long-lived credentials.

4. Reports and Presentations

When you generate reports or PowerPoint presentations:

  • AI generates report sections and presentation slides using only schema metadata and widget descriptions — not your actual data values.
  • Template variables (e.g., total counts, averages) are resolved by running SQL queries locally in your browser (for file data) or through our server (for database connections).
  • Report editing, chart rendering, and export (PDF, DOCX, PPTX) all happen entirely in your browser.
  • Generated reports and presentations are never stored on our servers. They exist only in your browser session and exported files.

5. Information We Collect

5.1 Account Information

When you create an account, we collect your email address and, if you use Google sign-in, your name and profile picture. This information is stored securely in our authentication provider (Supabase).

5.2 Usage Data

We track basic usage metrics to improve the Service:

  • Credit balance and usage history
  • Feature usage patterns (which AI features you use)
  • Session duration and page views
  • Error logs for debugging purposes

5.3 Payment Information

When you purchase credits, payment processing is handled by our third-party payment processor. We do not store your credit card number, CVV, or full payment details on our servers. We receive only a transaction confirmation and purchase amount.

5.4 Cookies and Local Storage

We use:

  • Authentication cookies: To maintain your login session.
  • Preference cookies: To remember your theme preference (light/dark mode).
  • IndexedDB: For session persistence — storing your application state, uploaded files, and DuckDB tables locally in your browser. This data is never transmitted to our servers.

We do not use tracking cookies or advertising pixels.

6. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process credit purchases and manage your account
  • Send important service updates (security, terms changes)
  • Improve platform performance and fix bugs
  • Respond to support requests

We do not sell, rent, or share your personal information with third parties for marketing purposes.

7. Data Storage and Security

  • Account data is stored in Supabase (hosted on cloud infrastructure with encryption at rest and in transit).
  • Application hosting uses Cloudflare Workers, which provides DDoS protection and edge security.
  • Your file data never leaves your browser and is never stored on our infrastructure.
  • Database credentials (when using Connect to Database) are encrypted at rest using AES-256-GCM. Query results are not stored or logged.
  • API configurations (when using Fetch from API) are stored linked to your account. API responses are not stored.
  • Browser-side data (IndexedDB) is under your control. We provide tools to clear individual datasets or all persisted data at once.

8. Third-Party Services

We use the following third-party services:

  • OpenAI: AI model provider for generating insights, reports, presentations, and SQL queries. Only schema/metadata is shared — never raw data. Subject to OpenAI's Privacy Policy.
  • Supabase: Authentication, account management, and credit system.
  • Cloudflare: Application hosting, CDN, and edge security.

9. Your Rights

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information in your account.
  • Delete your account and associated data (including saved database connections and API configurations).
  • Export your account information upon request.
  • Opt out of non-essential communications.
  • Clear local data stored in your browser's IndexedDB at any time via the platform interface.

To exercise any of these rights, contact us at support@riportics.com.

10. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, including saved database connections and API configurations. Anonymized usage statistics may be retained for analytics purposes. Browser-side data (IndexedDB) is under your control and is not affected by account deletion.

11. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. International Data Transfers

Our services are hosted on globally distributed infrastructure (Cloudflare). By using the Service, you consent to your account data being processed in the regions where our infrastructure operates. Your file data, however, never leaves your browser regardless of your location.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top reflects the most recent revision.

14. Contact

If you have questions or concerns about this Privacy Policy, contact us at support@riportics.com.