Privacy Policy
Last Updated: April 2026
This Privacy Policy explains how NLSQL LIMITED ("NLSQL", "we", "us", "our") collects, uses, stores, and protects personal information when you visit our website (nlsql.com) or use any of our products and services, including NLSQL (natural-language-to-SQL platform), NLSQL AI Agent, NLSQL AI Employee, NLSQL Web App Builder AI, NLSQL AI Anomaly Detection, and any other NLSQL product distributed via the Microsoft Azure Marketplace, Microsoft AppSource, or directly by NLSQL (collectively, the "Services").
NLSQL Limited is a company registered in England and Wales (company number 11276867), with its registered office at 120 High Road, East Finchley, N2 9ED, London, United Kingdom. For data protection purposes, NLSQL is the "data controller" for personal data collected through our website and account-management functions, and a "data processor" for Customer Data processed through Services deployed inside customers' own Microsoft Azure tenants.
This Privacy Policy explains how NLSQL LIMITED ("NLSQL", "we", "us", "our") collects, uses, stores, and protects personal information when you visit our website (nlsql.com) or use any of our products and services, including NLSQL (natural-language-to-SQL platform), NLSQL AI Agent, NLSQL AI Employee, NLSQL Web App Builder AI, NLSQL AI Anomaly Detection, and any other NLSQL product distributed via the Microsoft Azure Marketplace, Microsoft AppSource, or directly by NLSQL (collectively, the "Services").
NLSQL Limited is a company registered in England and Wales (company number 11276867), with its registered office at 120 High Road, East Finchley, N2 9ED, London, United Kingdom. For data protection purposes, NLSQL is the "data controller" for personal data collected through our website and account-management functions, and a "data processor" for Customer Data processed through Services deployed inside customers' own Microsoft Azure tenants.
1. Scope and Key Definitions
This Privacy Policy applies to:
- Visitors to the NLSQL website (nlsql.com)
- Account holders and users of NLSQL Services
- Customers and end-users of NLSQL products distributed via Microsoft Azure Marketplace
- Individuals who contact NLSQL through any communication channel
Throughout this policy:
- "Personal Data" means information about an identifiable individual (e.g., name, email, IP address)
- "Customer Data" means data that NLSQL customers process through the Services, including database contents, documents, queries, and AI-generated outputs
- "Customer" means an organization or individual that subscribes to or uses NLSQL Services
- "Data Controller" / "Data Processor" have the meanings given in the UK GDPR and EU GDPR
- Visitors to the NLSQL website (nlsql.com)
- Account holders and users of NLSQL Services
- Customers and end-users of NLSQL products distributed via Microsoft Azure Marketplace
- Individuals who contact NLSQL through any communication channel
Throughout this policy:
- "Personal Data" means information about an identifiable individual (e.g., name, email, IP address)
- "Customer Data" means data that NLSQL customers process through the Services, including database contents, documents, queries, and AI-generated outputs
- "Customer" means an organization or individual that subscribes to or uses NLSQL Services
- "Data Controller" / "Data Processor" have the meanings given in the UK GDPR and EU GDPR
2. Information We Collect
We collect information in the following categories:
2.1 Information you provide directly:
- Name, email address, and company details (for account registration)
- Login credentials
- Billing and payment-related information (processed via the Microsoft Azure Marketplace, our payment processors, or direct invoicing — NLSQL does not directly store full credit card numbers)
- Communications with our support team (email, contact form, chat)
- Optional profile information you choose to provide
2.2 Information collected automatically:
- Cookies and similar tracking technologies
- Usage data (browser type, device, operating system, IP address, pages visited, referring URLs, time spent on pages)
- Aggregated analytics via Google Analytics 4 and Google Ads
2.3 Single Sign-On (SSO) data:
If you log in using a third-party identity provider — including Google OAuth, Microsoft (Azure AD), LinkedIn, or Facebook — we receive only the data the provider's authorization scope permits, typically:
- Account identity (email address, user ID)
- Basic profile information (name, profile image where provided)
- Any additional scopes you explicitly approve during the OAuth consent process
We do not access or store data from these providers without your explicit consent.
2.4 Customer Data (data you process through our Services):
When you use NLSQL Services to query databases, analyze documents, generate web applications, or detect anomalies, the following data is processed:
- Database connections and credentials (used only to execute the queries you authorize)
- Database query content and query results
- Documents you upload or connect (PDFs, Word, Excel, SharePoint content)
- Conversation transcripts with AI Agents
- Code and configurations generated by NLSQL Web App Builder AI
For Services deployed inside the customer's own Azure tenant (the standard deployment model for most NLSQL products), Customer Data does not leave the customer's Azure environment and is not accessed by NLSQL.
2.1 Information you provide directly:
- Name, email address, and company details (for account registration)
- Login credentials
- Billing and payment-related information (processed via the Microsoft Azure Marketplace, our payment processors, or direct invoicing — NLSQL does not directly store full credit card numbers)
- Communications with our support team (email, contact form, chat)
- Optional profile information you choose to provide
2.2 Information collected automatically:
- Cookies and similar tracking technologies
- Usage data (browser type, device, operating system, IP address, pages visited, referring URLs, time spent on pages)
- Aggregated analytics via Google Analytics 4 and Google Ads
2.3 Single Sign-On (SSO) data:
If you log in using a third-party identity provider — including Google OAuth, Microsoft (Azure AD), LinkedIn, or Facebook — we receive only the data the provider's authorization scope permits, typically:
- Account identity (email address, user ID)
- Basic profile information (name, profile image where provided)
- Any additional scopes you explicitly approve during the OAuth consent process
We do not access or store data from these providers without your explicit consent.
2.4 Customer Data (data you process through our Services):
When you use NLSQL Services to query databases, analyze documents, generate web applications, or detect anomalies, the following data is processed:
- Database connections and credentials (used only to execute the queries you authorize)
- Database query content and query results
- Documents you upload or connect (PDFs, Word, Excel, SharePoint content)
- Conversation transcripts with AI Agents
- Code and configurations generated by NLSQL Web App Builder AI
For Services deployed inside the customer's own Azure tenant (the standard deployment model for most NLSQL products), Customer Data does not leave the customer's Azure environment and is not accessed by NLSQL.
3. How We Use Your Information
We use Personal Data only to operate and improve our Services, in accordance with applicable law. Our purposes and legal bases (under UK GDPR / EU GDPR) include:
- Account creation and authentication (legal basis: contract performance)
- Service delivery and personalization (legal basis: contract performance)
- Billing, invoicing, and payment (legal basis: contract performance and legal obligation)
- Customer support (legal basis: contract performance and legitimate interest)
- Service security, fraud prevention, and abuse monitoring (legal basis: legitimate interest)
- Product analytics and improvement (legal basis: legitimate interest)
- Marketing communications (legal basis: consent — you may unsubscribe at any time)
- Compliance with legal, tax, and regulatory obligations (legal basis: legal obligation)
- Account creation and authentication (legal basis: contract performance)
- Service delivery and personalization (legal basis: contract performance)
- Billing, invoicing, and payment (legal basis: contract performance and legal obligation)
- Customer support (legal basis: contract performance and legitimate interest)
- Service security, fraud prevention, and abuse monitoring (legal basis: legitimate interest)
- Product analytics and improvement (legal basis: legitimate interest)
- Marketing communications (legal basis: consent — you may unsubscribe at any time)
- Compliance with legal, tax, and regulatory obligations (legal basis: legal obligation)
4. AI Processing and Customer Data
NLSQL Services use artificial intelligence (AI) and large language models (LLMs) to generate query results, document insights, code, and anomaly reports. We treat Customer Data with strict confidentiality:
- Customer Data is never used to train external AI models. Your databases, documents, queries, and AI conversations are not used to train, fine-tune, or improve any third-party AI models or NLSQL models served to other customers.
- Tenant-resident processing: For NLSQL products deployed inside the customer's Azure tenant (the standard deployment model), Customer Data does not leave the customer's environment. NLSQL has no access to such data.
- AI output validation: AI-generated outputs (SQL queries, document summaries, anomaly explanations, generated code) may contain errors. You are responsible for reviewing AI outputs before relying on them for business decisions.
- Audit logging: The Services maintain audit logs of queries and outputs to support customer compliance reviews. These logs remain inside the customer's environment for tenant-deployed Services.
- Customer Data is never used to train external AI models. Your databases, documents, queries, and AI conversations are not used to train, fine-tune, or improve any third-party AI models or NLSQL models served to other customers.
- Tenant-resident processing: For NLSQL products deployed inside the customer's Azure tenant (the standard deployment model), Customer Data does not leave the customer's environment. NLSQL has no access to such data.
- AI output validation: AI-generated outputs (SQL queries, document summaries, anomaly explanations, generated code) may contain errors. You are responsible for reviewing AI outputs before relying on them for business decisions.
- Audit logging: The Services maintain audit logs of queries and outputs to support customer compliance reviews. These logs remain inside the customer's environment for tenant-deployed Services.
5. How We Use Google User Data
NLSQL complies with the Google API Services User Data Policy, including the Limited Use requirements.
Google user data obtained through OAuth authorization is used only to provide the functionality you requested in our application (such as authenticating your account or accessing data sources you explicitly authorized).
We do NOT:
- Sell Google user data
- Share Google user data with third parties (except essential service providers acting on our behalf under contract)
- Use Google user data for advertising or marketing
- Use Google user data for purposes unrelated to the core functionality you authorized
- Use Google user data to train, develop, or improve generalized AI/ML models
You may revoke access to Google data at any time at:
https://myaccount.google.com/permissions
Google user data obtained through OAuth authorization is used only to provide the functionality you requested in our application (such as authenticating your account or accessing data sources you explicitly authorized).
We do NOT:
- Sell Google user data
- Share Google user data with third parties (except essential service providers acting on our behalf under contract)
- Use Google user data for advertising or marketing
- Use Google user data for purposes unrelated to the core functionality you authorized
- Use Google user data to train, develop, or improve generalized AI/ML models
You may revoke access to Google data at any time at:
https://myaccount.google.com/permissions
6. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary cookies — for authentication, security, and core site functionality
- Preference cookies — to remember your language, theme, and settings
- Analytics cookies — Google Analytics 4 (measurement ID: G-0WV9LDLYW3) for site usage analytics
- Advertising cookies — Google Ads (account ID: AW-17887975822) for measuring advertising effectiveness and conversions
You may disable cookies in your browser settings at any time. Note that disabling certain cookies may impair website functionality.
- Strictly necessary cookies — for authentication, security, and core site functionality
- Preference cookies — to remember your language, theme, and settings
- Analytics cookies — Google Analytics 4 (measurement ID: G-0WV9LDLYW3) for site usage analytics
- Advertising cookies — Google Ads (account ID: AW-17887975822) for measuring advertising effectiveness and conversions
You may disable cookies in your browser settings at any time. Note that disabling certain cookies may impair website functionality.
7. Third-Party Services and Sub-Processors
We do not sell or trade your personal information.
We use the following categories of third-party service providers (sub-processors) to operate our Services:
- Cloud infrastructure: Microsoft Azure (hosting and compute)
- Marketplace and billing: Microsoft Azure Marketplace, Microsoft AppSource
- Authentication providers: Google, Microsoft (Azure AD), LinkedIn, Facebook (only when you choose to use them)
- Analytics: Google Analytics 4
- Advertising: Google Ads
- Email and communications: Standard transactional email providers
- AI model providers: Established LLM providers used to power NLSQL AI capabilities (where applicable and only for non-tenant-deployed Services)
All sub-processors are bound by data protection terms consistent with applicable laws. We do not allow third-party behavioral tracking on our website beyond the analytics and advertising cookies described in Section 6.
Enterprise customers may request the current list of sub-processors and a Data Processing Addendum (DPA) by emailing info@nlsql.com.
We use the following categories of third-party service providers (sub-processors) to operate our Services:
- Cloud infrastructure: Microsoft Azure (hosting and compute)
- Marketplace and billing: Microsoft Azure Marketplace, Microsoft AppSource
- Authentication providers: Google, Microsoft (Azure AD), LinkedIn, Facebook (only when you choose to use them)
- Analytics: Google Analytics 4
- Advertising: Google Ads
- Email and communications: Standard transactional email providers
- AI model providers: Established LLM providers used to power NLSQL AI capabilities (where applicable and only for non-tenant-deployed Services)
All sub-processors are bound by data protection terms consistent with applicable laws. We do not allow third-party behavioral tracking on our website beyond the analytics and advertising cookies described in Section 6.
Enterprise customers may request the current list of sub-processors and a Data Processing Addendum (DPA) by emailing info@nlsql.com.
8. Data Retention
We retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy, or as required by applicable law. Typical retention periods:
- Account data: Retained for the duration of your account, plus up to 12 months after account closure (for legal and tax record-keeping)
- Billing records: Retained for 7 years to comply with UK tax law
- Support communications: Retained for up to 3 years
- Marketing preferences: Retained until you withdraw consent
- Website analytics data: Retained for up to 14 months (Google Analytics default)
- Customer Data inside the customer's Azure tenant: Controlled by the customer; deleted at the customer's discretion
You may request deletion of your Personal Data at any time (see Section 10).
- Account data: Retained for the duration of your account, plus up to 12 months after account closure (for legal and tax record-keeping)
- Billing records: Retained for 7 years to comply with UK tax law
- Support communications: Retained for up to 3 years
- Marketing preferences: Retained until you withdraw consent
- Website analytics data: Retained for up to 14 months (Google Analytics default)
- Customer Data inside the customer's Azure tenant: Controlled by the customer; deleted at the customer's discretion
You may request deletion of your Personal Data at any time (see Section 10).
9. International Data Transfers
NLSQL is based in the United Kingdom. Some of our service providers (e.g., Microsoft Azure, Google) may process data in countries outside the UK and EU/EEA. Where data is transferred outside these regions, we rely on appropriate safeguards required by UK GDPR and EU GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions by the UK government or European Commission
For NLSQL Services deployed in the customer's own Azure tenant, customers select the Azure region — and therefore data residency — that meets their compliance requirements.
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions by the UK government or European Commission
For NLSQL Services deployed in the customer's own Azure tenant, customers select the Azure region — and therefore data residency — that meets their compliance requirements.
10. Your Rights (UK GDPR / EU GDPR)
If you are located in the United Kingdom, the European Union, or the European Economic Area, you have the following rights regarding your Personal Data:
- Right of access — to request a copy of the Personal Data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure ("Right to be Forgotten") — to request deletion of your Personal Data
- Right to restrict processing — to limit how we use your data in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — where processing is based on consent
- Right to lodge a complaint — with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk
To exercise any of these rights, email us at info@nlsql.com. We will respond within 30 days as required by law.
- Right of access — to request a copy of the Personal Data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure ("Right to be Forgotten") — to request deletion of your Personal Data
- Right to restrict processing — to limit how we use your data in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — where processing is based on consent
- Right to lodge a complaint — with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk
To exercise any of these rights, email us at info@nlsql.com. We will respond within 30 days as required by law.
11. How We Protect Your Information
We implement industry-standard technical and organizational security measures to protect your data:
- Personal Data is stored on access-restricted systems hosted on Microsoft Azure
- Sensitive information is encrypted in transit (TLS 1.2 or higher) and at rest
- Authentication is enforced via secure passwords, OAuth, and (where supported) multi-factor authentication
- Access to Personal Data is limited to authorized personnel on a need-to-know basis
- Systems are regularly monitored, scanned for vulnerabilities, and patched
- Audit logs are maintained for security-relevant operations
For Services deployed in the customer's Azure tenant, security and access controls are governed by the customer's own Azure configuration, including Azure Active Directory permissions and role-based access controls.
In the event of a personal data breach affecting your data, we will notify you and the relevant supervisory authority (such as the ICO) without undue delay, and within 72 hours where required by law.
- Personal Data is stored on access-restricted systems hosted on Microsoft Azure
- Sensitive information is encrypted in transit (TLS 1.2 or higher) and at rest
- Authentication is enforced via secure passwords, OAuth, and (where supported) multi-factor authentication
- Access to Personal Data is limited to authorized personnel on a need-to-know basis
- Systems are regularly monitored, scanned for vulnerabilities, and patched
- Audit logs are maintained for security-relevant operations
For Services deployed in the customer's Azure tenant, security and access controls are governed by the customer's own Azure configuration, including Azure Active Directory permissions and role-based access controls.
In the event of a personal data breach affecting your data, we will notify you and the relevant supervisory authority (such as the ICO) without undue delay, and within 72 hours where required by law.
12. Children's Privacy
NLSQL Services are intended for business and professional use only. We do not knowingly collect personal information from children under the age of 16 (or under 13 in jurisdictions that follow COPPA). If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe we may have such data, please contact us at info@nlsql.com.
13. Information for Enterprise Customers
For enterprise customers using NLSQL Services to process Personal Data of their own end-users (e.g., employees, customers), NLSQL acts as a "data processor" under the UK GDPR and EU GDPR, and the customer is the "data controller" of that data.
Enterprise customers can:
- Request a Data Processing Addendum (DPA) consistent with Article 28 of the UK GDPR / EU GDPR
- Request the current list of sub-processors NLSQL uses
- Configure data residency by selecting the appropriate Azure region for tenant-deployed Services
To request a DPA or sub-processor list, email info@nlsql.com.
Enterprise customers can:
- Request a Data Processing Addendum (DPA) consistent with Article 28 of the UK GDPR / EU GDPR
- Request the current list of sub-processors NLSQL uses
- Configure data residency by selecting the appropriate Azure region for tenant-deployed Services
To request a DPA or sub-processor list, email info@nlsql.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy reflects the most recent revision. Material changes will be notified via the Services or by email where reasonably practicable. Continued use of the Services after changes take effect constitutes acceptance of the revised policy.
15. Contact Information
For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact:
NLSQL LIMITED
Company Number: 11276867
Registered office: 120 High Road, East Finchley, N2 9ED, London, United Kingdom
Email: info@nlsql.com
For UK data protection complaints, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.
NLSQL LIMITED
Company Number: 11276867
Registered office: 120 High Road, East Finchley, N2 9ED, London, United Kingdom
Email: info@nlsql.com
For UK data protection complaints, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.