Privacy Policy

Version 1.0 · Last updated: 21 May 2026

1. Data Controller

The data controller for personal data collected through the Neural Data Studio service (the "Service") is:

  • CodeLab s.r.l.s.
  • Registered office: Corso Giuseppe Garibaldi 22, 00034 Colleferro (RM), Italia
  • VAT no.: IT17925991006
  • Privacy enquiries: support@neuraldatastudio.ai

CodeLab s.r.l.s. has not appointed a Data Protection Officer (DPO) as it does not fall within the cases of mandatory appointment under Art. 37 GDPR. For any question regarding personal data processing you may always write to the email address indicated above.

2. Categories of data processed

2.1 Registration data

Name, email address, password (stored as a bcrypt hash), optional OAuth provider (Google, Microsoft, GitHub, Apple).

2.2 Profile data

Language, time zone, role within the tenant, interface preferences.

2.3 Service usage data

Query history, prompts sent to the AI model, generated SQL, execution outcome, timestamp, token consumption, active plan. This data is essential to provide the query history feature, the monthly quota and rate limiting.

2.4 Connection credentials for your databases

Connection strings and credentials of the databases you connect to the Service are encrypted at rest with enterprise-level encryption and keys managed in a dedicated key vault. They are never sent to the AI model or shared with third parties.

2.5 Payment data

Credit card data is processed exclusively by Stripe (see §6). We only store the Stripe customer identifier, the subscribed plan and the invoice history.

2.6 Technical and security logs

IP address, user-agent, API request timestamps, authentication events, audit log of operations performed on data. Used for security, abuse detection and diagnostic analysis.

3. Purposes of processing and legal basis

Purpose | Legal basis (GDPR)
Service delivery, account and subscription management | Art. 6.1.b – performance of a contract
Tax and legal obligations (invoicing, accounting) | Art. 6.1.c – legal obligation
Security, fraud prevention, audit log | Art. 6.1.f – legitimate interest
Service communications (transactional emails) | Art. 6.1.b – performance of a contract
Newsletter, marketing materials | Art. 6.1.a – consent (revocable)

4. Provision of data

The provision of data necessary for registration and contract performance is mandatory: without such data the Service cannot be provided. Provision for commercial purposes is optional and revocable at any time.

5. Processing methods and security

Processing takes place using electronic means for the time strictly necessary for the purposes described. We adopt adequate technical and organisational security measures, including:

  • encryption in transit on all application traffic;
  • encryption at rest of the configuration database and user credentials;
  • passwords stored only as hashes with brute-force-resistant algorithms;
  • cryptographic keys held in a dedicated key vault with RBAC access controls;
  • short-lived session tokens, revocable refresh tokens and MFA support;
  • immutable audit logs for all sensitive operations;
  • automatic backups and documented disaster recovery procedures;
  • principle of least privilege for authorised personnel.

6. Sub-processors

To deliver the Service we rely on the following providers, who act as data processors under Art. 28 GDPR:

Provider | Purpose | Location
Microsoft Ireland Operations Ltd. | Application infrastructure hosting, database, key vault and AI model inference | EU
Stripe Payments Europe, Ltd. | Payment processing, invoicing, subscription management | Ireland, with possible transfers to Stripe Inc. (USA) under SCC
Resend, Inc. | Transactional email delivery (account verification, receipts, quota alerts) | USA, under SCC and Data Privacy Framework
Cloudflare, Inc. | DNS, abuse protection, zone management | Global, under SCC and Data Privacy Framework
Aruba S.p.A. | Corporate email accounts (support, sales) | Italy

This list is current as of the date of publication of this policy. We may add or replace sub-processors by notifying you via email or through the updated version of this page with at least 30 days' notice to allow for reasoned objections.

7. Extra-EU transfers

When a sub-processor processes data outside the European Economic Area, the transfer takes place exclusively on the basis of Standard Contractual Clauses (SCC) approved by the European Commission and, where applicable, certifications under the EU-US Data Privacy Framework. CodeLab s.r.l.s. periodically verifies the adequacy of such safeguards.

8. Processing of your database data

The databases you connect to the Service contain your data ("Customer Data"). CodeLab s.r.l.s. acts as data processor with respect to such data: it processes them exclusively to execute the queries you initiate, return the results and generate the AI assistant responses.

  • Connection credentials are encrypted at rest and are never sent to the AI model.
  • The schema of the databases (table names, columns, types) is read and sent to the AI model to generate SQL consistent with your structure.
  • Rows returned by queries remain in your browser and, if the conversation is saved, in our storage; they are never forwarded to the AI model unless you explicitly include them in a subsequent prompt.
  • Queries approved by the user are executed on the connected databases: the user is responsible for their effects.

9. Retention and deletion

  • Active account: data is retained for the duration of the relationship.
  • Account deletion: identifying data and user connections are soft-deleted for 30 days (to allow restoration or export on request) and then permanently deleted from production systems.
  • Aggregated technical and security logs: retained for up to 24 months for security, audit and abuse detection purposes.
  • Tax and accounting data: retained for 10 years under Italian law.
  • Backups: encrypted backups with a maximum 35-day rotation cycle; once the cycle expires, deleted data disappears from backups too.

10. Your rights

At any time you may exercise the following rights, recognised under Arts. 15-22 GDPR:

  • access to your personal data (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure (Art. 17 – "right to be forgotten");
  • restriction of processing (Art. 18);
  • data portability in a structured format (Art. 20);
  • objection to processing based on legitimate interest (Art. 21);
  • not to be subject to automated decisions with significant effects (Art. 22);
  • withdrawal of consent to consent-based processing, without prejudice to the lawfulness of prior processing.

To exercise these rights write to support@neuraldatastudio.ai from the email address associated with the account. We will respond within 30 days, extendable by a further 60 for complex requests.

You always have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (Piazza Venezia 11, 00187 Rome – www.garanteprivacy.it).

11. Cookies and similar technologies

The website and application use exclusively technical and session cookies strictly necessary for the Service to function (authentication, theme preferences, user session). We do not use profiling or third-party advertising cookies.

On first access we display an information banner allowing granular preference choices across two categories: essential (always active) and analytics (optional). Currently no analytics providers are active; the category is configured and, if enabled in future, will operate only with your explicit consent. You can review your preferences at any time via the "Cookie preferences" link in the site footer.

Stripe may set technical cookies during the payment flow; such cookies are limited to Stripe's domain and governed by its privacy policy.

12. Automated processing

The Service uses artificial intelligence models to generate SQL/MQL from natural language prompts. These models do not produce decisions with legal or similarly significant effects on you: you always retain final control, manually approving every write or DDL operation before execution.

13. Minors

The Service is not intended for persons under 18 years of age. We do not intentionally collect personal data from minors; should we become aware of an account created by a minor, we will proceed with immediate deletion.

14. Changes to this policy

We may update this Privacy Policy in the event of changes to the Service, applicable law or the list of sub-processors. The date and version number at the top of the page always indicate the latest revision. In the event of material changes we will send a notification to the email address associated with the account.

15. Contact

For any questions about the processing of your personal data write to us at support@neuraldatastudio.ai or at the postal address CodeLab s.r.l.s., Corso Giuseppe Garibaldi 22, 00034 Colleferro (RM), Italia.
