Privacy Policy | Terms of Service

1. Governing Entity & Jurisdiction

SpearIt Database Query Application is operated by:

The organization that installed and operates this system in their environment

Contact: Through your organizational system administrator

Data Controller: The deploying organization

Governing Law: This agreement shall be governed by and construed in accordance with the laws of Israel, without regard to its conflict of law provisions.

Jurisdiction: Any disputes, claims, or controversies arising from this policy or use of the system shall be subject exclusively to the jurisdiction of the competent courts in Israel.

2. Introduction & Scope

This Privacy Policy governs the collection, processing, storage, use, and deletion of personal information in the SpearIt system, an enterprise database query and business intelligence platform.

Our Commitment: We are committed to protecting your privacy, securing your information, and complying with applicable privacy laws, including:

Israeli Privacy Protection Law (1981)
Privacy Protection Regulations (Data Security), 2017
European General Data Protection Regulation (GDPR) where applicable
California Consumer Privacy Act (CCPA) where applicable
SOX, HIPAA, and other relevant regulatory requirements as applicable

Informed Consent: By using the system, you provide explicit, informed, and voluntary consent to this privacy policy. You may withdraw consent at any time by ceasing use and requesting account deletion.

3. Information Collection

Data Minimization Principle: We collect only information necessary to provide the service and fulfill legal obligations.

3.1 Account & Identity Information

Username and Email Address (required for authentication and communication)
Encrypted Password (stored using one-way hash with salt - bcrypt/PBKDF2)
Access Permissions by role (Admin/User) and specific database connections
Unique User ID (automatically generated)
Account Creation and Update Dates
Last Login Timestamp

3.2 System Activity & Usage (Audit Trail)

Important: For security, audit, and regulatory compliance purposes, the system logs all user activity. This information is securely stored and accessible only to authorized system administrators.

SQL Queries: Every query executed is fully logged including:
- Query content (SQL or natural language)
- Submission and execution timestamps
- Target database connection
- Success/failure status and error messages
- Number of rows returned
- Execution duration
Database Connections: Connection names, authentication attempts, success/failure (connection strings are encrypted and not logged)
Saved Queries: Name, description, SQL, creation/update dates, execution count
Scheduled Queries: Schedule configuration, recipients (email addresses), execution history and timestamps
AI Executive Summaries: Questions, generated summaries, highlights, suggested queries
Write Operations (UPDATE/DELETE): Special logging with approval requirement, including query content, approvals, and justifications

3.3 Technical Information & Metadata

IP Address: To identify access origin and prevent unauthorized use
User Agent: Browser type, operating system, and version
Session Data: Session identifier, open/close times, activity
Technical Cookies: For session management, authentication, and security (see Section 9)
Performance Metrics: Response times, errors, memory usage (anonymized)

3.4 Information from Third-Party Systems

OpenAI API (Artificial Intelligence):
- Natural language queries (for SQL translation)
- Database structure metadata (table and column names only)
- Query results (for AI summary generation)
- NOT sent: Actual table data, connection strings, passwords, sensitive PII
Email Services (SMTP):
- Recipient email addresses for scheduled reports
- Report content (attached files: CSV, Excel, PDF)
- Uses SMTP server configured by your organization
Webhooks (HTTP Notifications):
- External URLs for query completion notifications
- JSON payload with results or status (if configured)

3.5 Information We Do NOT Collect

For Your Protection:

We do NOT collect or store:

Highly sensitive information: Credit card numbers, government IDs (unless they appear in your SQL queries)
Biometric data
Information about minors (intentionally)
Marketing tracking cookies
Social media information (no integration)
Browsing history outside this system

4. Use of Information (Processing Purposes)

Legal Basis: Information processing is based on: (a) your consent; (b) contract performance; (c) legal obligation; (d) legitimate interest.

We use collected information solely for the following purposes:

4.1 Service Operations & Functionality

Authentication: Verify user identity and manage role-based access permissions
Query Execution: Run SQL queries on authorized database connections
Natural Language Translation: Convert questions to SQL queries using AI
Report Generation: Create reports in various formats (CSV, Excel, PDF)
Scheduled Reports: Automatic delivery of reports via email
AI Summaries: Generate executive summaries from query results
Preference Storage: Save user settings and frequently used queries

Legal Basis: Contract performance, consent

4.2 Security, Audit & Regulatory Compliance

Complete Audit Trail: Log all activity to prevent unauthorized use and support investigations
Threat Detection: Monitor and alert on suspicious activity or intrusion attempts
Dangerous Query Prevention: Block DROP, mass DELETE operations, and SQL injection
Permission Management: Enforce access policies and prevent unauthorized access
System Isolation: Separate and prevent access to system databases
Regulatory Compliance: Identify and prevent violations of SOX, HIPAA, GDPR (as applicable)
Internal Investigations: Support investigation of incidents, leaks, or policy violations

Legal Basis: Legal obligation, legitimate interest, rights protection

4.3 Improvement, Optimization & Analysis

Pattern Analysis: Identify trends and needs to improve user experience
Optimization: Identify slow, problematic, or inefficient queries
AI Enhancement: Learn and improve natural language to SQL translation accuracy
Issue Prevention: Identify recurring problems and improve system stability
Capacity Planning: Analyze workloads for infrastructure planning

Legal Basis: Legitimate interest, consent

4.4 Communications & Notifications

System Alerts: Important notifications about failures, errors, or unusual activity
Security Updates: Notifications about security updates or system changes
Policy Changes: Notice of changes to privacy policy or terms of service
Approval Requests: Coordinate approvals for write operations (UPDATE/DELETE)
Scheduled Reports: Deliver periodic reports as requested

Legal Basis: Contract performance, legal obligation, consent

Prohibited Uses

We will NEVER use your information for: Direct marketing without explicit consent, sale or rental to third parties, targeted advertising, tracking personal activity outside the system, or any purpose not specified in this policy.

5. Data Storage, Security & Protection

Enterprise-Grade Security

We implement advanced technical and organizational measures to protect information, in accordance with Privacy Protection Regulations (Data Security), 2017 and leading international standards.

5.1 Technical Security Measures

Encryption

Always Encrypted: Connection strings encrypted in SQL Server
HTTPS/TLS 1.2+: All communications encrypted in transit
Password Hashing: One-way encryption (bcrypt/PBKDF2)
At-Rest Encryption: Database encryption at rest

Access Control

RBAC: Role-based permissions (Admin/User)
Database Permissions: Separation by database connections
Session Management: Automatic session expiration
Multi-Factor Ready: MFA support (if configured)

Attack Prevention

SQL Injection: Parameterization and validation of all queries
CSRF Protection: Antiforgery tokens on all forms
XSS Protection: Input and output sanitization
Rate Limiting: Request rate limiting to prevent DDoS

Monitoring & Audit

Audit Logging: Complete logging of all activity
Intrusion Detection: Identify suspicious access attempts
Query Validation: Check queries before execution
Database Isolation: Prevent access to system databases

5.2 Organizational Security Measures

Separation of Duties: Clear distinction between administrators and users, access restricted by "Least Privilege" principle
Write Operation Approvals: All UPDATE/DELETE operations require explicit approval and are logged in audit trail
Backups: Automatic backups of system database (per organizational configuration)
Incident Response Plan: Defined procedures for handling security breaches or data leaks
Security Training: Guidelines and training for users on information security

5.3 Data Location & Control

Full Data Control: The system is installed in your organizational environment (On-Premise, Private Cloud, or Hybrid).

Local Storage: All information (accounts, logs, queries) is stored in a SQL Server database managed by you.

No External Transfer: Except for services detailed in Section 7 (OpenAI, email), we do not transfer information to external servers.

5.4 Additional Security Restrictions

Important Security Notes:

Access to system database (DefaultConnection) is completely blocked from user queries
Cross-database queries attempting to access system database are automatically blocked
Connection strings are encrypted and not accessible to users through the system interface
Every query undergoes validation and filtering before execution

5.5 Security Limitations & Liability

Important Liability Notice

Despite all efforts, no computer system is 100% secure. We commit to employing all reasonable and accepted security measures, but we cannot guarantee absolute security against:

Highly advanced cyber attacks (Zero-Day, APT)
Physical breaches of organizational infrastructure
Malicious actions by authorized users
Unexpected hardware or software failures
Natural disasters, war, or force majeure

User Responsibility: You are responsible for maintaining confidentiality of your login credentials and not sharing them with others. All activity performed under your account will be considered your activity.

6. Data Retention & Deletion Policy

We retain personal information only for as long as necessary for the purposes outlined in this policy or as required by law.

Minimization Principle: We aim to retain information for the minimum required period and delete or anonymize information no longer needed.

6.1 Retention Periods

Information Type	Retention Period	Purpose	Legal Basis
Query Logs	12-24 months (configurable)	Security audit, investigations, optimization	Legal obligation, legitimate interest
Saved Queries	Until manual deletion	Reuse, knowledge management	Consent, contract performance
Scheduled Queries	Until disabled or manually deleted	Periodic report automation	Consent, contract performance
AI Summaries	6-12 months (configurable)	Historical analysis, trend analysis	Legitimate interest, consent
User Account Info	Until account deletion + 30 days	Authentication, access, communication	Contract performance, consent
Write Operation Audit Trail	7 years (regulatory)	Audit, investigations, regulatory compliance	Legal obligation
Technical Cookies	Session end or up to 14 days	Authentication, state management	Technical necessity
Backups	30-90 days (organizational policy)	Recovery in case of failure	Legitimate interest

6.2 Automatic Deletion Policy

The system performs automatic deletion of information according to specified periods:

Logs: Automatic deletion of logs older than 12 months (configurable)
AI Summaries: Archive or delete after 6 months
Expired Sessions: Immediate deletion after 24 hours of inactivity
Inactive Accounts: Automatic deletion policy can be configured (optional)

6.3 Deletion Upon Request

You may request deletion of your information at any time (Right to be Forgotten). Upon receiving a request:

Immediate Deletion (within 30 days): User account, personal saved queries, preferences
Secure Deletion: Use of secure deletion methods (Overwrite/Shred) for sensitive data
Anonymization: Instead of deletion, we may anonymize data for statistical analysis

Exceptions to Deletion

We may retain certain information even after deletion request in the following cases:

Legal obligation to retain information (e.g., SOX Audit Trail for 7 years)
Ongoing legal proceedings or claims
Fraud detection and prevention
Protection of our rights or third-party rights
Automatic backups (will be deleted in next cycle)

7. Third-Party Sharing & Data Processors

Iron-Clad Commitment: We Will NOT Sell Your Information

We will NEVER sell, rent, trade, or transfer your personal information to third parties for commercial purposes. Information sharing occurs only in limited cases detailed below, and in accordance with law.

7.1 Data Processors

OpenAI Corporation - Artificial Intelligence Services

Purpose: Natural language to SQL translation and smart summary generation

What is sent to OpenAI:

Your natural language question
Database structure metadata (table and column names, types - no actual data)
Query results (for summary generation) - filtered and limited

What is NOT sent:

Connection strings
Passwords or security keys
Sensitive PII directly
Credit card or financial data

OpenAI Privacy Policy:

OpenAI Privacy Policy

Important to Know:

OpenAI holds SOC 2 Type II certification and complies with GDPR
Per OpenAI policy, data sent via API is not used for model training (unless explicitly requested)
OpenAI servers are located in USA and Europe
Retention period: 30 days for performance monitoring, then deleted

Email Services (SMTP Server)

Purpose: Sending scheduled reports and system notifications

Information transferred:

Recipient email addresses (as configured by you)
Report content (attached files: CSV, Excel, PDF)
System messages and alerts

SMTP server is configured by your organization. We recommend using only secure SMTP server (TLS/SSL).

Webhooks (External Endpoints)

Purpose: HTTP notifications on scheduled query completion

Information sent (optional):

Query completion time and status (success/failure)
JSON payload with results (if configured)
Query identifier and technical information

7.2 Legal Disclosure

We may disclose information only in the following cases, and in accordance with law:

Court Order or Legal Requirement

In case of court order, official demand from law enforcement, or other legal obligation

Protection of Rights and Security

When we have good-faith belief that disclosure is necessary to protect our rights, property, or user safety

Investigation of Illegal Activity

In case of suspected criminal activity, fraud, or serious violation of terms of service

Your Explicit Consent

Only if you have given explicit, free, and informed consent to share information with specific third party

Merger, Acquisition, or Asset Sale

In case of merger, acquisition, or asset sale, information may transfer to acquiring entity (advance notice will be provided)

Commitment to Transparency

Where possible, we will notify you in advance of any demand for information disclosure, unless prohibited by law.

7.3 International Transfers

System Location: The system is installed in your organizational environment (Israel or other location per your choice).

International Transfers: May occur in the following cases:

OpenAI API: Servers in USA and Europe (depending on configuration)
Email Servers: Depends on location of configured SMTP server
Webhooks: Depends on location of servers you configured

All international transfers comply with international information protection standards, including GDPR (Standard Contractual Clauses), CCPA, and Israeli Privacy Protection Law.

8. Your Rights (GDPR/CCPA Compliance)

Under applicable privacy regulations, you have the following rights regarding your personal information:

Right to Access

Obtain a copy of all personal information collected about you in the system

Response Time: 30 days

Right to Rectification

Correct or update inaccurate or incomplete information

Response Time: 14 days

Right to Erasure

Request deletion of your information (subject to legal obligations)

Response Time: 30 days

Right to Data Portability

Receive your information in structured, machine-readable format

Format: JSON, CSV, or Excel

Right to Object

Object to specific processing of your information

Scope: Marketing, profiling, automated decisions

Right to Restriction

Request restriction of use of your information in certain conditions

Duration: Until issue resolved

Right to Withdraw Consent

Withdraw your consent at any time (where processing is based on consent)

Effect: Immediate upon request

Right to Lodge a Complaint

File a complaint with your local data protection authority

Israel: Privacy Protection Authority

How to Exercise Your Rights

To exercise any of these rights, please contact your organizational system administrator.

We commit to respond to all privacy requests within 30 days.

Verification Process

To protect your privacy, we will verify your identity before processing rights requests:

Submit request through authenticated system account, OR
Provide identity verification (government-issued ID matching account holder)
Answer security questions related to your account

9. Cookies & Tracking Technologies

The system uses essential technical cookies necessary for proper operation. We do NOT use marketing or tracking cookies.

9.1 Cookies We Use

Cookie Name	Purpose	Duration	Type
`.AspNetCore.Session`	Session state management and user identification	Session end	Essential
`.AspNetCore.Antiforgery`	Protection against CSRF attacks	Session end	Essential
`.AspNetCore.Identity.Application`	User authentication and permissions	Up to 14 days	Essential
`.AspNetCore.Cookies`	Remember login ("Remember Me" feature)	Up to 30 days	Functional

Important Information

These cookies are essential for system operation and cannot be disabled. We do NOT use marketing cookies, analytics cookies (Google Analytics, etc.), or third-party tracking.

9.2 Managing Cookies

Browser Settings: You can configure your browser to:

Block all cookies (this will prevent system login)
Notify you when cookies are set
Delete cookies after each session

Warning: Blocking essential cookies will prevent you from using the system.

10. Children's Privacy

Business Use Only

This system is intended for business use only and is not directed to individuals under 18 years of age.

We do not knowingly collect information from children under 18. If we discover that information from a minor has been inadvertently collected, it will be deleted immediately.

If you are a parent or guardian and believe your child has provided personal information to us, please contact the system administrator immediately.

11. Data Breach Response Procedures

In the event of a security breach or data leak, we will follow these procedures:

Immediate Response (0-24 hours):

Identify and close the breach
Assess extent of damage and affected data
Contain the incident to prevent further exposure
Begin forensic investigation

Authority Notification (within 72 hours):

Notify Privacy Protection Authority (Israel) if required by law
Notify relevant regulatory bodies (depending on data type)
Document incident details for regulatory filing

User Notification (within 72 hours):

System notification to affected users
Email notification with breach details
Information about risk level and recommended actions
Remediation steps and additional security measures

Remediation & Prevention (ongoing):

Implement security patches and fixes
Enhance security measures to prevent recurrence
Conduct security audit and vulnerability assessment
Update incident response procedures
Provide affected users with identity protection resources if applicable

Your Rights After a Breach

If your information is involved in a breach, you have the right to request detailed information about the incident, the data affected, and the steps we're taking. You may also have the right to additional protective services (e.g., credit monitoring) depending on the nature of the breach.

12. Limitation of Liability & Disclaimers

Important Legal Notice - Read Carefully

This section limits our liability and protects both you and us from claims. Please read carefully before using the system.

12.1 General Disclaimer

THE SYSTEM IS PROVIDED "AS IS" AND "AS AVAILABLE" without warranty of any kind, express or implied, including but not limited to:

Merchantability
Fitness for a Particular Purpose
Non-Infringement
Accuracy, completeness, or reliability
Continuous availability or error-free operation

We do not guarantee that the system will be free from errors, viruses, or harmful components, or that defects will always be corrected.

12.2 User Responsibilities

Your Responsibilities

You are fully and solely responsible for:

Account Security: Maintaining confidentiality of username and password, not sharing with others. All activity under your account is considered your activity.
Query Content: Content, accuracy, legality, and results of all queries or operations you perform. We are not responsible for damages from incorrect, dangerous, or illegal queries.
Legal Compliance: Ensuring your use complies with all applicable laws and regulations, including privacy laws, copyright, and information security.
Backups: Performing independent backups of your databases. We are not responsible for data loss from external databases.
Result Verification: Validating and verifying results before making critical business decisions based on them.
Permissions: Ensuring you have appropriate permissions to access and query databases.

12.3 Limitation of Liability for Damages

Maximum Liability Limitation

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

WE SHALL NOT BE LIABLE for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to:
- Loss of profits, revenue, or anticipated savings
- Loss of data, files, or information
- Loss of goodwill or reputation damage
- Cost of procurement of substitute products or services
- Business interruption or harm to business
- Any other economic or commercial damage
OUR MAXIMUM LIABILITY for any claim or series of claims arising from system use shall be limited to the greater of:
- The amount you paid (if any) for system use in the last 12 months, or
- $1,000 USD (One Thousand US Dollars)
THESE LIMITATIONS SHALL APPLY even if we were notified of the possibility of such damages, and whether liability is based on contract, tort, negligence, strict liability, or any other legal basis.

Note: Some states or jurisdictions do not allow limitation of liability for certain damages, so the above limitations may not apply to you.

12.4 External Database Disclaimer

The system provides tools to access external databases only.

We are NOT responsible for:

Content, accuracy, completeness, or legality of data in external databases
Availability, performance, or security of external databases
Privacy policies or practices of external database operators
Damages from queries or changes to external databases
Violations of external database terms of service

12.5 Third-Party Service Disclaimer

The system uses third-party services (OpenAI, email, webhooks).

We are NOT responsible for:

Privacy policies, terms of service, or practices of these providers
Availability, performance, accuracy, or reliability of their services
Damages from using these services or relying on their results
Security or privacy breaches by these providers
Changes in policy, pricing, or availability of third-party services

12.6 Force Majeure

We shall not be liable for any failure or delay in performing obligations due to:

Natural disasters (earthquakes, floods, fires, storms)
War, hostilities, terrorism, civil unrest
Pandemics, disease, or government lockdowns
Failures or interruptions in internet, power, or communication infrastructure
Cyber attacks, breaches, or computer system sabotage
Strikes, lockouts, or labor disputes
Legislation, government orders, or regulatory changes
Any other event beyond our reasonable control

12.7 Indemnification

You agree to indemnify, defend, and hold harmless the Company (including its employees, officers, agents, and partners) from any claim, demand, damage, loss, liability, cost, or expense (including reasonable attorney fees) arising from:

Your use of the system or reliance on its results
Violation of these terms of service or privacy policy
Violation of third-party rights, including intellectual property, privacy, or defamation
Illegal or harmful activity performed through the system
Queries, changes, or deletions you performed on databases
Failure to maintain confidentiality of your login credentials

Agreement to Limitations

By using the system, you acknowledge that you have read and understood these liability limitations, and that they are fair and reasonable given the nature of the service provided.

13. Dispute Resolution & Governing Law

13.1 Governing Law

Governing Law: This Privacy Policy and Terms of Service shall be governed by and construed in accordance with the laws of the State of Israel, without regard to its conflict of law provisions.

Jurisdiction: Any disputes, claims, or controversies arising from or related to this policy or use of the system shall be subject exclusively to the jurisdiction of the competent courts in Israel.

13.2 Dispute Resolution Process

In the event of any dispute, we encourage the following resolution process:

Step 1: Informal Resolution (0-30 days)

Contact your system administrator or organizational DPO (Data Protection Officer) to attempt informal resolution. Many disputes can be resolved quickly through direct communication.

Step 2: Mediation (30-60 days)

If informal resolution fails, parties agree to attempt mediation through a mutually agreed-upon mediator before pursuing legal action.

Step 3: Legal Action (60+ days)

If mediation is unsuccessful or declined, either party may pursue legal action in accordance with Section 13.1 above.

13.3 Class Action Waiver

TO THE EXTENT PERMITTED BY LAW, you agree that any dispute resolution proceedings, whether in mediation or court, will be conducted only on an individual basis and not in a class, consolidated, or representative action.

Note: If this class action waiver is found unenforceable, the entire Section 13 dispute resolution provision (except for Section 13.1 Governing Law) shall be null and void.

13.4 Limitation Period

Statute of Limitations: Any claim or cause of action arising from this policy or system use must be filed within one (1) year after the claim arose, or be forever barred, regardless of any statute or law to the contrary.

14. Changes to This Privacy Policy

We reserve the right to update this privacy policy from time to time. In the event of material changes:

Notification Process

Update the "Last Updated" date at the top of this document
Post prominent notice in the system for 30 days
Send email notification to all active users
Changes become effective 30 days after publication (unless urgent security updates)

Your Rights Upon Policy Changes

You have the right to:

Review changes before they take effect
Object to material changes
Request account deletion if you disagree with new terms
Contact us with questions or concerns about changes

Continued use of the system after changes become effective constitutes acceptance of the updated policy. If you do not agree to the changes, you must cease using the system and may request account deletion.

15. Contact Information

Questions or Privacy Requests?

We're here to help. You can contact us through:

System Administrator: Contact your organizational IT or system administrator
Data Protection Officer (DPO): If your organization has designated a DPO
Technical Support: Through your organizational ticket system

Response Time Commitment:

General inquiries: 14 business days
Privacy rights requests: 30 days
Security incidents: 24 hours
Data breach notifications: 72 hours

Regulatory Contacts

If you believe your privacy rights have been violated, you may also contact:

Israel Privacy Protection Authority

gov.il/privacy

EU Data Protection Board (GDPR)

edpb.europa.eu

Privacy Policy & Terms of Service

Important Legal Notice

Table of Contents