Privacy Policy
Last updated: April 2026
1. Introduction and Scope
MyteGroup Inc (“we”, “us”, “Company”) operates Obscure AI, an AI-powered data querying platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.
By using Obscure AI, you consent to the practices described in this policy. This policy applies to all users of the Service, including visitors, registered users, organization members, and administrators.
We comply with applicable privacy legislation including the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Act 25), and the European Union General Data Protection Regulation (GDPR) where applicable.
2. Information We Collect
We collect the following categories of personal information:
Account Information (provided by you):
- Email address
- First and last name
- Organization name
- Password
- Terms of Service acceptance timestamp
Usage Data (collected automatically):
- Natural language queries you submit
- Conversation history and message content
- Query results and execution metadata
- Feedback ratings and comments on query results
Technical Data (collected automatically):
- IP address
- Browser user agent string
- Session timestamps (login, activity, expiry)
- Last login date and time
- Failed login attempt counts
Datasource Metadata (provided by you):
- Database connection configurations (host, port, database name, credentials) - all encrypted at rest with AES-256-GCM
- Database schema structure - abstracted before any AI model processing
- Semantic hints and descriptions you provide for your tables
- For schemaless databases (e.g. MongoDB), schema structure is inferred by briefly sampling a limited number of documents per collection at connection time. Samples are used only for field and type inference, held in memory only, and are not persisted or sent to AI models.
File Uploads (provided by you):
- CSV and JSON files uploaded as datasources
- Maximum file size: 100 MB per file
- Uploaded CSV and JSON files are loaded into a temporary in-memory database at query time for schema inference and SQL execution. File contents are held in memory only, never sent to AI models, and discarded when the connection is closed.
Financial Data:
- Credit transaction records (amounts, types, timestamps, balance)
- Subscription tier and billing interval
- Stripe customer and subscription identifiers
- We do NOT store payment card numbers, CVVs, or bank account details - all payment card processing is handled directly by Stripe
Audit Data (generated by the Service):
- Query inputs (hashed)
- Abstracted SQL queries sent to AI models
- PII detection results (types found, confidence scores, actions taken)
- Query execution metadata (row counts, duration, LLM provider/model used)
- Data export requests and download events
3. How We Collect Information
- Directly from you: when you register an account, update your profile, connect datasources, submit queries, provide feedback, upload files, or contact support
- Automatically: when you use the Service, we automatically collect technical data, generate audit logs, and record usage patterns
- From third parties: our payment processor (Stripe) provides us with subscription status and payment event notifications. We do not receive your full payment card details from Stripe.
4. Legal Basis for Processing (GDPR Article 6)
If you are located in the European Economic Area (EEA) or where GDPR applies, our legal bases for processing your personal data are:
- Performance of a contract (Article 6(1)(b)): processing necessary to provide the Service you have signed up for - account management, query execution, result delivery, credit tracking
- Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, service improvement, and maintaining audit logs. We balance our interests against your rights and do not process data where your interests override ours.
- Legal obligation (Article 6(1)(c)): maintaining audit logs as required by applicable regulations, responding to lawful data access requests
- Consent (Article 6(1)(a)): where required, we obtain your explicit consent before processing. You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. How We Use Your Information
We use your personal information to:
- Operate and provide the Service, including executing queries, returning results, and managing your account
- Process natural language queries through structural schema abstraction
- Detect and redact personally identifiable information in query results according to your configured policies
- Maintain comprehensive audit trails for compliance and security purposes
- Process payments and manage subscriptions through Stripe
- Send transactional communications: account verification codes, password reset links, organization invitations, credit balance alerts, and data export notifications
- Protect against unauthorized access, fraud, and abuse
- Respond to your support requests and communications
- Improve the Service's functionality, reliability, and performance
- Comply with applicable legal obligations
6. Data Protection Measures
We implement industry-standard and enhanced security measures to protect your data:
Encryption at Rest:
- All personally identifiable information is encrypted using AES-256-GCM before database storage
- Datasource connection credentials are encrypted with AES-256-GCM
- Query content, executed SQL, and result metadata in messages are encrypted at rest
- Audit log sensitive fields are encrypted at rest
- Data export files are stored in encrypted form
Encryption in Transit:
- All communications between your browser and our servers use TLS/HTTPS
- All communications between our servers and third-party services use encrypted channels
7. Data Sharing and Third-Party Processors
We share personal data with the following categories of third-party processors, solely as necessary to operate the Service:
AI Model Providers (e.g. OpenAI):
- Receive ONLY abstracted schema identifiers and your natural language query text
- We do not permit AI providers to use your data for model training
- AI model responses are translated back to real queries on our infrastructure
Stripe (Payment Processing):
- Processes all subscription payments and one-time credit purchases
- Stripe handles payment card information directly - we only receive and store Stripe customer identifiers and subscription identifiers
We do not:
- Sell your personal information to anyone
- Share your data with advertisers
- Use your data for targeted advertising
- Provide your data to data brokers
- Use your connected database content for AI model training
8. Data Retention
We retain your information for the following periods:
| Data Type | Retention Period |
|---|---|
| Active user accounts | Duration of account |
| Self-deleted accounts | 30-day deactivation period, then permanent PII anonymization |
| Admin-deleted accounts | Immediate PII anonymization |
| Audit logs | Retained for the period required by applicable law (all sensitive fields encrypted) |
| Query result exports | Automatically deleted after 60 minutes |
| GDPR data exports | Automatically deleted after 7 days |
| Uploaded files (CSV/JSON) | Retained while associated datasource exists |
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Right to Access (GDPR Article 15, PIPEDA Principle 9):
View your personal data through your account Settings. Request a comprehensive data summary by contacting us.
Right to Rectification (GDPR Article 16):
Update your profile information (name) through Settings > Profile. Contact us for corrections to other data.
Right to Erasure / Right to be Forgotten (GDPR Article 17):
Delete your account through Settings > Profile. After a 30-day deactivation period, your personal data is permanently anonymized. You may also request immediate deletion by contacting us.
Right to Data Portability (GDPR Article 20):
Export all your personal data as a JSON file in a ZIP archive through Settings > Data Export. Organization administrators can export organization-wide data. Export delivery is secured with OTP email verification.
Right to Restriction of Processing (GDPR Article 18):
Contact us to request restriction of processing of your personal data.
Right to Object (GDPR Article 21):
Contact us to object to processing of your personal data based on legitimate interests.
Right to Withdraw Consent (GDPR Article 7):
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint:
You have the right to file a complaint with your local data protection authority. In Canada, you may contact the Office of the Privacy Commissioner of Canada. In Quebec, you may contact the Commission d'accès à l'information du Québec. In the EU, you may contact your local supervisory authority.
Exercising Your Rights:
To exercise any of these rights, contact us at support@myteobscure.com. We will respond to verified requests within thirty (30) days, or sooner where required by law.
Identity Verification: To protect your privacy, we verify your identity before fulfilling data subject requests. Verification is performed by confirming ownership of the email address associated with your account, either through a one-time passcode (OTP) sent to your registered email or by submitting the request while authenticated in your account session.
10. International Data Transfers
- MyteGroup Inc is based in Montreal, Quebec, Canada.
- Your data may be processed in Canada and in other jurisdictions where our service providers operate.
- Canada has been recognized by the European Commission as providing an adequate level of data protection under GDPR Article 45.
- For transfers to jurisdictions without adequacy decisions, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Article 46.
- Our privacy practices comply with PIPEDA and Quebec's Act 25 (Act Respecting the Protection of Personal Information in the Private Sector).
11. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
If you believe a child under 18 has provided us with personal information, please contact us at support@myteobscure.com.
12. Cookies and Session Technology
We use a minimal set of strictly necessary HTTP-only cookies to operate the Service:
- Session cookie: authenticates your current browser session
- Refresh cookie: allows seamless session renewal without re-entering credentials
- CSRF cookie: protects against cross-site request forgery attacks
We do NOT use:
- Third-party tracking cookies
- Analytics cookies
- Advertising or retargeting cookies
- Social media cookies
- Any cookies for behavioral profiling
All our cookies are strictly necessary for the operation and security of the Service. No consent banner is required as these cookies are exempt under ePrivacy regulations.
13. Healthcare Data (HIPAA Considerations)
- Obscure AI does not act as a Business Associate under HIPAA by default.
- Our structural schema abstraction ensures that Protected Health Information (PHI) identifiers in your database - patient names, medical record numbers, dates of birth, Social Security numbers - are never transmitted to AI model providers.
- PII detection automatically identifies and can redact health-related identifiers in query results.
- Users connecting databases containing PHI are responsible for ensuring their use of the Service complies with HIPAA and applicable state health privacy laws.
- Business Associate Agreements (BAAs) may be available for Enterprise tier customers upon request, subject to review. Contact support@myteobscure.com.
- We recommend configuring “strict” PII redaction policies for datasources containing PHI.
14. Financial Data (SOX and PCI-DSS Considerations)
- Every query execution generates a comprehensive, tamper-evident audit trail including: user identity, timestamp, abstracted query, execution metadata, PII detection results, and row counts returned. All sensitive audit fields are encrypted at rest.
- These audit trails support SOX Section 404 internal control requirements for organizations subject to the Sarbanes-Oxley Act.
- Payment card information is handled exclusively by Stripe, a PCI-DSS Level 1 certified payment processor. We never store, process, or transmit payment card numbers, CVVs, or bank account details on our infrastructure.
- Our PII detection system automatically identifies credit card numbers, bank account numbers, and other financial identifiers in query results and applies redaction according to your configured policy.
- Database connection credentials for financial systems are encrypted with AES-256-GCM at rest and decrypted only in-memory at query execution time.
15. Security Breach Notification
In the event of a security breach that affects your personal data:
- We will notify affected users without undue delay via your registered email address.
- We will notify applicable data protection authorities as required by law, including the Commission d'accès à l'information du Québec and relevant supervisory authorities under the GDPR.
- Notification will include: the nature of the breach, the categories of personal data affected, the likely consequences, and the measures taken or proposed to address the breach.
16. Automated Decision-Making
We do not currently use solely automated processing, including profiling, to make decisions that produce legal or similarly significant effects on you. If we introduce such processing in the future, we will update this policy and provide appropriate notice and safeguards as required by GDPR Article 22 and applicable law.
17. Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- For material changes, we will provide at least thirty (30) days' advance notice via email to your registered email address.
- Non-material changes (clarifications, formatting) may take effect immediately upon posting.
- The “Last updated” date at the top of this page indicates when the policy was last revised.
- Your continued use of the Service after the effective date of changes constitutes acceptance.
- If you do not agree with an updated policy, you must stop using the Service and may delete your account.
18. Contact and Data Protection
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Email: support@myteobscure.com
- Company: MyteGroup Inc, Montreal, Quebec, Canada
- Data Protection Inquiries: For GDPR-related requests, include “Data Protection Request” in your email subject line. We will respond within 30 days.
- Privacy Officer (Quebec Act 25): John Doe, Privacy Officer, MyteGroup Inc. For inquiries under Quebec Act 25, contact support@myteobscure.com with subject “Quebec Privacy Inquiry”.
For information about the terms governing your use of the Service, please see our Terms of Service.