Privacy Policy
Last updated June 9, 2026
1. Information we collect
When you create an account or use Sequel, we collect information you provide directly, such as your name, email address, and workspace details. We also collect usage data — queries you run, databases you connect, and how you interact with the product — to improve our service.
We do not store the contents of your database beyond what is necessary to answer a specific query. Query results are held in memory for the duration of your session and are not persisted to our servers.
2. How we use your information
We use the information we collect to provide, maintain, and improve Sequel, to process transactions, to send you service-related communications, and to respond to your questions and support requests.
We do not sell your personal data to third parties. We may share anonymized, aggregate usage statistics publicly or with partners to demonstrate product value.
3. How we protect your data
Encryption
All data is encrypted both in transit and at rest. We use TLS 1.3 for all network communications, ensuring data transmitted between your browser and our servers is protected. Database credentials and sensitive information are encrypted at rest using AES-256-GCM with regularly rotated keys managed through AWS KMS.
Access controls
We implement strict access controls following the principle of least privilege. Only authorized personnel with a legitimate business need can access production systems, and all access is logged and regularly audited. We use multi-factor authentication (MFA) for all administrative access and role-based access control (RBAC) to limit data exposure.
Infrastructure security
Our infrastructure is hosted on AWS with SOC 2 Type II certified data centers. We use network segmentation, firewalls, and intrusion detection systems to protect against unauthorized access. All systems are regularly patched and undergo security scanning.
Database credentials
Connection credentials you provide are stored in an encrypted vault separate from other application data. They are only decrypted when establishing connections on your behalf and are never logged or shared with third parties. Credentials are automatically purged from memory after each session.
4. Cookies and tracking
We use essential cookies to keep you signed in and to maintain your session. We may also use analytics cookies to understand how users navigate the product. You can disable non-essential cookies through your browser settings, though this may affect some functionality.
5. Data retention and deletion
Retention periods
We retain different types of data for different periods based on legal requirements and business needs:
- Account data: As long as your account is active
- Query history: 90 days for debugging and support purposes
- Session data: 24 hours after session ends
- Backup data: 30 days in encrypted, isolated storage
- Audit logs: 1 year for security and compliance
Data deletion
You can request deletion of your data at any time through your account settings or by contacting support. Upon account deletion:
- Personal data is immediately marked for deletion and removed from production systems within 24 hours
- Data is permanently deleted from all backups within 30 days
- Anonymized aggregate data may be retained for analytics
- We maintain a suppression list of email addresses to prevent re-marketing
Some data may be retained longer if required by law or to resolve disputes.
6. Your rights
Depending on your location, you may have the right to access, correct, or delete the personal data we hold about you, to object to or restrict certain processing, or to request a machine-readable copy of your data. To exercise any of these rights, contact us at musthaq@sequel.sh.
7. Security measures and incident response
Ongoing security practices
We maintain a comprehensive security program that includes:
- Regular security audits and penetration testing
- Automated vulnerability scanning and dependency updates
- Employee security training and background checks
- Secure software development lifecycle (SSDLC) practices
- 24/7 monitoring and alerting for security events
Incident response
In the event of a data breach or security incident, we will:
- Immediately investigate and contain the incident
- Assess the scope and impact on user data
- Notify affected users within 72 hours as required by law
- Provide guidance on protective measures you can take
- Work with authorities as required
8. Third-party services
Sequel uses trusted third-party services that meet our security standards:
- AWS: Cloud infrastructure (SOC 2, ISO 27001 certified)
- Stripe: Payment processing (PCI DSS Level 1 certified)
- SendGrid: Email delivery (SOC 2 Type II certified)
Each provider is bound by data processing agreements ensuring they handle your data according to our privacy standards. We regularly review third-party security practices and certifications.
9. International data transfers
Our primary data processing occurs in US-based AWS regions. If you access Sequel from outside the United States, your data may be transferred to and processed in the US. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required.
10. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "last updated" date at the top of this page and, for material changes, notify you by email or through an in-product notice.
11. Contact
If you have any questions about this Privacy Policy or how we handle your data, please email us at musthaq@sequel.sh.