Privacy Policy - PBI AI Agent for Power BI

Effective Date: January 1, 2024
Last Updated: October 3, 2025

This Privacy Policy describes how PBI AI Agent ("we," "us," or "our") collects, uses, and protects your personal information when you use our PBI AI Agent for Power BI service ("the Service").

Your Privacy Matters: We are committed to protecting your privacy and being transparent about our data practices. This policy explains what data we collect, why we collect it, and how we use it.

1. Information We Collect

1.1 Personal Information

We collect the following types of personal information:

Data Type	Purpose	Legal Basis
Email Address	License delivery, account management, support	Contract performance
IP Address	Security, fraud prevention, usage analytics	Legitimate interest
Browser Fingerprint	Fraud prevention, usage tracking	Legitimate interest
User Agent	Technical support, compatibility	Legitimate interest
Payment Information	Subscription billing (processed by Stripe)	Contract performance

1.2 Usage Information

We automatically collect information about your use of the Service:

Query usage statistics and frequency
AI model usage (which models you use)
Token usage (input, output, total tokens per query)
Credit transaction history (purchases and usage deductions)
License validation events
System performance metrics
Error logs and debugging information

1.3 Built-In API Service (Optional)

When you choose to use our optional built-in AI API service instead of your own API keys:

Data Processed: Your questions and Power BI data context are temporarily processed through our backend servers
Third-Party Sharing: We transmit your data to AI providers (OpenAI, Anthropic, Google) on your behalf for processing
Token Logging: We log token usage counts and associated costs for billing purposes
Credit Transactions: We store credit purchase and usage records with Stripe payment IDs
No Content Storage: Query content and data context are NOT stored after processing - only metadata (tokens, cost, model used)

1.4 Temporary File Storage (Large Datasets)

When you analyze large datasets (>4MB), we use temporary cloud storage to optimize performance:

Storage Provider: Vercel Blob (backed by Amazon S3)
Data Stored: CSV files containing your Power BI data context
Storage Duration: Files are automatically deleted after 30 minutes via automated cleanup
Access Control: Files use unguessable URLs and are accessible only during processing
Purpose: Bypass API request size limits when transmitting large datasets to AI providers
Security: Data is encrypted in transit and at rest; stored in secure cloud infrastructure
No Persistent Storage: All temporary files are automatically purged every 30 minutes

Temporary Storage Notice: This temporary storage is used only for large datasets and files are automatically deleted within 30 minutes. Small datasets (<4MB) are transmitted directly without any file storage.

1.5 Information We Do NOT Store

Important Data Protection: We do not permanently store:

The content of your questions or queries
Your Power BI data or report content
AI-generated responses
Your API keys (whether yours or ours - stored only in secure environment variables)

Data is processed in memory only and discarded after each request.

2. How We Use Your Information

2.1 Service Provision

We use your information to:

Deliver and maintain the Service
Generate and validate license keys
Process payments and manage subscriptions
Enforce usage limits and prevent abuse
Provide technical support

2.2 Analytics and Improvement

We use aggregated, anonymized data to:

Improve Service performance and reliability
Understand usage patterns and feature adoption
Plan infrastructure and capacity
Develop new features and capabilities

2.3 Legal and Security

We may use your information to:

Comply with legal obligations
Protect against fraud and abuse
Enforce our Terms of Service
Respond to legal requests

3. Information Sharing and Disclosure

3.1 Third-Party Service Providers

We share information with trusted third-party providers:

Stripe: Payment processing and subscription management
Vercel Blob (Amazon S3): Temporary storage for large datasets (auto-deleted after 30 minutes)
Email Service Providers: For sending license keys and notifications
Cloud Infrastructure: For hosting and data storage
Analytics Services: For usage analytics and performance monitoring

3.2 AI Model Providers

With Your Own API Keys: Your query content is processed directly by AI providers (OpenAI, Anthropic, Google). We do not process or access your data in this mode.

With Built-In API Service (Optional): When you enable our built-in API service, we act as an intermediary:

We receive your questions and data context from Power BI
We transmit this data to AI providers (OpenAI, Anthropic, Google) for processing
We receive responses and pass them back to you
We log token usage metadata for billing (not content)
Data is processed in-memory only and not stored

Your Choice: You control which mode to use. The built-in API service is entirely optional and can be enabled/disabled at any time in the visual settings.

3.3 Legal Requirements

We may disclose your information if required by law or to:

Comply with court orders or legal process
Protect our rights and property
Prevent fraud or abuse
Protect the safety of users or the public

4. Data Security

4.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal information:

Encryption of data in transit and at rest
Access controls and authentication
Regular security audits and monitoring
Secure hosting with reputable cloud providers
Employee training on data protection

4.2 Data Retention

We retain your personal information for as long as necessary to:

Provide the Service to you
Comply with legal obligations
Resolve disputes and enforce agreements
Prevent fraud and abuse

Specific Retention Periods:

License Information: Retained while subscription is active, plus 7 years after cancellation for tax/legal compliance
Query Logs: Token usage metadata retained for 12 months for billing verification
Credit Transactions: Retained indefinitely for financial records and tax compliance
Temporary CSV Files: Automatically deleted after 30 minutes via automated cleanup process
Query Content: Not stored - processed in-memory only and immediately discarded

5. Your Rights and Choices

5.1 Access and Correction

You have the right to:

Access your personal information
Correct inaccurate information
Request information about how we use your data
Receive a copy of your data in a portable format

5.2 Deletion and Restriction

You can request to:

Delete your personal information
Restrict processing of your data
Object to processing based on legitimate interests
Withdraw consent where applicable

5.3 Account Deletion

You can cancel your account at any time by:

Canceling your subscription through the customer portal
Contacting us directly

Upon account deletion, we will delete your personal information within 30 days, except where retention is required by law.

6. Cookies and Tracking

6.1 Cookies We Use

We use cookies and similar technologies for:

Session management and authentication
Usage analytics and performance monitoring
Fraud prevention and security
User experience optimization

6.2 Third-Party Cookies

Third-party services may set cookies:

Stripe for payment processing
Analytics providers for usage tracking
Email services for delivery tracking

See our Cookie Notice for detailed information about cookies and how to manage them.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure adequate protection through:

Standard Contractual Clauses (SCCs)
Adequacy decisions by regulatory authorities
Other lawful transfer mechanisms

8. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided personal information, please contact us immediately.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by:

Email notification to registered users
Prominent notice on our website
In-app notifications

Continued use of the Service after changes indicates acceptance of the updated Privacy Policy.

10. Contact Information

Data Protection Questions?

For questions about this Privacy Policy, data protection, or to exercise your rights, please contact us through our website's contact form or support channel.

Response Time: We respond to all privacy-related inquiries within 2 business days.

Data Subject Rights: If you are in the EU/EEA, you have additional rights under GDPR. Contact us to exercise these rights.

11. Regulatory Compliance

11.1 GDPR Compliance

For users in the European Union, we comply with the General Data Protection Regulation (GDPR). This includes:

Lawful basis for processing personal data
Data subject rights (access, rectification, erasure, etc.)
Data protection by design and default
Regular security assessments

11.2 Other Regulations

We also comply with applicable data protection laws in other jurisdictions, including:

California Consumer Privacy Act (CCPA)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Other applicable local privacy laws