01 · Introduction
This Privacy Policy explains how MongoQUI ("MongoQUI", "we", "our", "us") processes Personal Data in connection with the MongoQUI desktop application, the MongoQUI web application at app.mongoqui.com, the license and billing portal at license.mongoqui.com, the shared report viewer, the documentation portal, the marketing website at mongoqui.com, and any related services (together, the "Services").
MongoQUI is a MongoDB workspace. Our central design principle is that your database contents never leave your machine unless you explicitly enable a cloud feature (for example, shared team connections or cloud-hosted reports). The Services consist of a native desktop application (a Tauri shell that embeds a local Python sidecar for all MongoDB I/O) and a cloud control plane that manages identity, billing, collaboration, and shareable reports.
This policy applies to Personal Data we process as a Controller (for example, your account details, billing records, telemetry, and support correspondence). Where we process Personal Data on behalf of a paying Customer (for example, when an organisation administrator invites team members or stores shared connection metadata) we act as a Processor under that Customer's instructions, and the Customer's privacy notice governs that data in addition to this policy.
The legal entity publishing this policy is the MongoQUI operating entity registered in the United Arab Emirates. The exact legal entity name and registered address are to be confirmed by counsel before publication.
02 · Definitions
The following terms have the meanings assigned below when capitalised in this policy.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL").
- "Usage Data" means data about how you interact with the Services, including IP address, browser and device identifiers, operating-system version, session duration, error reports, and feature usage counters.
- "Cookies" means small text files stored on your device by your browser; see our Cookie Policy for the full list and controls.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of a Controller.
- "Services" has the meaning given in Section 1.
- "Customer" means an organisation or individual that enters into a paid or trial subscription to the Services.
- "Authorised User" means an employee, contractor, or agent of a Customer authorised to access the Services on the Customer's behalf.
- "Sub-processor" means a third party engaged by MongoQUI to process Personal Data on our behalf.
03 · Data we collect
We have grouped the Personal Data we process by source.
3.1 Data you provide directly
When you create an account, make a purchase, contact support, or fill in a form on our websites, we collect information you choose to give us, including:
- Identity and contact data: full name, work email address, job title or role, company or organisation name.
- Authentication data: hashed password (bcrypt/scrypt at rest; we never see your plaintext password) and, if you enable two-factor authentication, your TOTP seed, which is stored encrypted in our authentication database.
- Billing data: billing address, VAT or tax identifier, Stripe customer reference, and invoice history. We do not store full payment card numbers. Card details are collected and tokenised by our payment processor Stripe, Inc.; we receive only a masked reference and billing status from Stripe.
- Support correspondence: the content of messages you send to support@mongoqui.com, including any attachments or screenshots, and the metadata of those messages (subject, timestamps, message IDs).
- User-generated content you choose to cloud-sync: saved query names, report definitions, shared-connection metadata (connection name, host, port, database name; never the credentials in plaintext; credentials are encrypted at rest using AES-256 and are only decrypted inside your desktop app).
3.2 Data we collect automatically
When you use the Services, we (and our Sub-processors) automatically collect:
- Device and connection data: IP address, approximate location derived from IP (country or region only, never precise geolocation), user-agent string, browser and operating-system version, screen resolution, device type, and language preference.
- Usage telemetry: which screens were viewed, which features were used, how long a session lasted, aggregate performance metrics (page-load times, API response times), and crash or error reports generated by the desktop app's sidecar process.
- Security-event logs: sign-in attempts, sign-in successes and failures, password-reset requests, two-factor verification events, device registrations and revocations, and audit-log entries for administrative actions inside your organisation.
- Cookies and similar technologies: see the Cookie Policy for names, purposes, and retention.
3.3 Data we collect through integrations
Where you enable an optional integration or cloud feature, we process data flowing through that integration:
- Stripe (billing): billing status, subscription state, invoice events, and tax-relevant country information. Stripe's own privacy notice applies to its processing of payment-card data.
- OAuth identity providers (where enabled): when you sign in using a third-party identity provider, we receive the profile fields that provider releases to us (typically name, email, subject identifier, and avatar URL).
- Email service (transactional email): the email address of the recipient, message content, delivery status, bounce and spam-complaint events. We send mail from noreply@cz.mongoqui.com.
- Cloud platform (CDN, WAF, edge compute): standard edge-network metadata including IP address, request path, response code, and rate-limit counters. This provider acts as our Sub-processor across its CDN, database, object storage, serverless functions, and AI inference products.
- Serverless analytics with in-memory SQL engine (reports): when a report is executed or re-run, the Parquet dataset the report operates on is processed in a serverless function. The function has access only to the specific Parquet object identified by the report and returns aggregated results; it does not retain source data beyond the request lifetime.
- AI providers (optional): when you use the AI query assistant or AI report assistant without supplying your own API key ("bring-your-own-key" or "BYOK"), the natural-language prompt you type and a redacted schema context are sent to our default provider: OpenAI (gpt-3.5-turbo), Anthropic (claude-3-opus-20240229), or Google Gemini (gemini-pro) for completion. We do not send your document data or query results to AI providers. When AI report suggestions are generated, we use AI inference (Llama 3.3 70B) in our cloud. If you configure BYOK, prompts are sent directly from the Service to the provider you configured, under your account; MongoQUI does not store those prompts.
- GitHub Releases (auto-update): the desktop app periodically checks GitHub for a newer release. GitHub receives your IP address and user-agent as part of that check; GitHub's privacy notice applies.
3.4 Data we explicitly do NOT collect
We want to be unambiguous about what leaves your machine:
- The contents of your MongoDB documents. Document payloads, field values, and query results stay inside the local Python sidecar bundled with the desktop app and are never transmitted to MongoQUI servers during normal desktop use.
- The results of your queries. Aggregation outputs, find results, and $explain plans are rendered locally.
- Your MongoDB connection credentials in plaintext. For local (desktop-only) connections, credentials are stored in your operating system's keychain, encrypted at rest with your Argon2id master password. For shared team connections, credentials are encrypted with AES-256 before leaving your device.
- Precise geolocation. We derive only country- or region-level geography from IP.
- Special category data. The Services are not intended for the processing of special categories of Personal Data under GDPR Article 9.
The two narrow exceptions (where some user-typed content does leave your machine) are the AI assistant (when used without BYOK) and cloud-hosted reports (when you choose to publish a report). Both are opt-in and labelled in the UI.
04 · How we use data
We use Personal Data for the following purposes.
4.1 To provide and operate the Services
- Authenticate you and your devices, maintain your session, and keep you signed in.
- Sync your saved queries, report definitions, and team resources across devices where you have chosen to enable cloud sync.
- Route requests across our cloud control plane (mqui-gateway, mqui-auth, mqui-mongocor, mqui-ai, mqui-email, mqui-file-reports, mqui-py-backend, mqui-report-suggestions).
- Deliver the Report Builder, including re-run, shareable links with expiry, and password-protected shares.
- Deliver the shared-report viewer at the chosen URL.
4.2 To administer accounts and billing
- Process trial activation, seat assignments, subscription upgrades, downgrades, renewals, and cancellations.
- Generate invoices and receipts via Stripe.
- Send service-critical transactional email (sign-in verification, security alerts, billing confirmations, password resets, invite acceptance) via email service.
4.3 To provide support
- Respond to your questions, troubleshoot reported issues, and reproduce bugs using the information you voluntarily share.
- Escalate bugs internally using redacted error reports and logs.
4.4 To monitor security and prevent abuse
- Detect credential stuffing, rate-limit violations, and suspicious sign-in patterns.
- Operate our Web Application Firewall and per-endpoint rate limits.
- Investigate audit-log events and revoke compromised device sessions.
- Enforce our Acceptable Use policy under the Terms of Service.
4.5 To measure and improve the Services
- Analyse aggregated usage patterns to prioritise roadmap decisions.
- Compute product metrics (daily active accounts, feature adoption, error rates) in aggregate form.
- Perform debugging on anonymised crash reports.
4.6 To communicate with you (only with your consent where required)
- Send you product updates, release notes, and company announcements where you have opted in.
- Run occasional user research (for example, interviews, surveys, or beta programme invitations) on an opt-in basis.
4.7 To comply with legal obligations
- Retain tax-relevant billing records for the period required by applicable tax law.
- Respond to lawful requests from competent authorities where we are legally required to do so.
- Defend ourselves in legal proceedings.
05 · Legal bases for processing
For Data Subjects within the European Economic Area, the United Kingdom, and other jurisdictions that require a specific lawful basis, we rely on the following bases under GDPR Article 6 (and equivalent provisions of UK GDPR and UAE PDPL):
- Performance of a contract (Art. 6(1)(b)): processing that is necessary to deliver the Services you have signed up for: account creation, authentication, sync, report delivery, billing, support.
- Legitimate interests (Art. 6(1)(f)): operating security monitoring, preventing abuse, maintaining product analytics in aggregate form, improving and securing the Services, and enforcing our Terms. Where we rely on this basis, we have conducted a balancing test and offer you an opt-out where reasonably possible.
- Consent (Art. 6(1)(a)): non-essential cookies (performance, functional), marketing email, voluntary participation in research and beta programmes. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)): retention of tax, accounting, and anti-money-laundering records; responding to lawful authority requests.
- Vital interests (Art. 6(1)(d)): not routinely relied on; reserved for genuine emergencies.
- Public interest / official authority (Art. 6(1)(e)): not relied on.
For Data Subjects in the United Kingdom, we rely on the equivalent bases under the UK GDPR and the Data Protection Act 2018. For Data Subjects in the United Arab Emirates, we rely on the equivalent bases under the UAE PDPL. For Data Subjects in California, we do not sell or share Personal Data within the meaning of the CCPA/CPRA; see Section 9 for your specific rights.
06 · Sharing and sub-processors
We do not sell Personal Data. We share it only with the parties below, each engaged under a written contract containing appropriate confidentiality and data-protection obligations (drawn from our canonical architecture; see the overview document, 4.1 and 5).
6.1 Sub-processor table
| Sub-processor | Purpose | Region(s) | Transfer mechanism |
|---|---|---|---|
| Cloud platform provider | CDN, WAF, edge compute, database, object storage, rate-limit store, serverless functions, AI inference (Llama 3.3 70B) | Global edge with primary metadata residency as configured in our account | Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Addendum ("IDTA"), as applicable |
| Analytics platform provider | Serverless analytics for report execution against Parquet objects stored in object storage (accessed via S3-compatible API) | AP-South (Mumbai) and US regions (counsel to confirm final selection) | SCCs / IDTA |
| Email service provider | Transactional email delivery (sign-in, verification, receipts, notifications) from noreply@cz.mongoqui.com | Global | SCCs / IDTA |
| Stripe, Inc. and Stripe Payments Europe, Ltd. | Payment processing, subscription billing, invoice generation, tax handling | Ireland and United States | SCCs / IDTA |
| OpenAI, L.L.C. | Optional AI query assistance (gpt-3.5-turbo) when user has not configured BYOK | United States | SCCs |
| Anthropic, PBC | Optional AI query assistance (claude-3-opus-20240229) when user has not configured BYOK | United States | SCCs |
| Google LLC (Gemini API) | Optional AI query assistance (gemini-pro) when user has not configured BYOK | United States | SCCs |
| GitHub, Inc. | Auto-update metadata delivery for the desktop app via GitHub Releases | United States | SCCs |
An up-to-date list of Sub-processors is maintained and will be made available at security.mongoqui.com/subprocessors once that portal is live. Customers with a signed Data Processing Addendum will receive notice of material changes to this list in accordance with the notice mechanism set out in the DPA.
6.2 Other disclosures
Beyond the Sub-processors listed above, we may disclose Personal Data:
- To professional advisers (lawyers, auditors, accountants, insurers) under obligations of confidentiality.
- In connection with a corporate transaction: a merger, acquisition, or sale of assets. In such a case we will notify affected Data Subjects and, where required, provide a mechanism to object.
- To competent authorities, only where compelled by a valid legal instrument and after reviewing the instrument for scope and lawfulness. Where we are permitted to do so, we will notify the affected Data Subject before disclosing.
- To protect rights and safety: to investigate suspected fraud or abuse, to enforce our Terms, or to protect the rights, property, or safety of MongoQUI, our users, or the public.
security.mongoqui.com is operational before launch.
07 · International data transfers
Because our Sub-processors operate globally, your Personal Data may be transferred to, stored in, and processed in countries other than your own, including the United States, the United Kingdom, the European Union, India, and the United Arab Emirates.
Where Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on one or more of the following safeguards:
- European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers originating in the EEA.
- UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers originating in the United Kingdom.
- Supplementary measures including encryption in transit (TLS 1.3) and at rest, access controls, short retention windows, and documented transfer-impact assessments where appropriate.
For Personal Data subject to the UAE PDPL, cross-border transfers are made either to jurisdictions recognised by the UAE Data Office as providing an adequate level of protection or under appropriate safeguards as permitted by the PDPL.
We do not rely on the EU–US Privacy Shield framework. The Privacy Shield was invalidated by the Court of Justice of the European Union in the Schrems II decision (Case C-311/18, 16 July 2020). References to Privacy Shield that appeared on prior versions of our website are being removed as part of this content rebuild.
You may request a copy of the relevant transfer mechanism or its summary by writing to privacy@mongoqui.com.
08 · Data retention
We retain Personal Data only as long as necessary for the purposes set out in this policy, or as required by applicable law.
| Category | Retention (default) | Rationale |
|---|---|---|
| Active account Personal Data (name, email, role, organisation membership) | Retained for the life of the account | Necessary to operate the account |
| Account Personal Data after subscription cancellation | Up to 24 months post cancellation, unless you request earlier deletion | Supports reactivation, invoice access, and dispute resolution |
| Billing and tax records (invoices, subscription events, tax identifiers) | 7 years after the end of the tax year to which the record relates | Tax, accounting, and anti-fraud obligations |
| Security-event and sign-in logs | 90 days | Security investigation window |
| Application and error logs | 90 days | Debugging and incident response |
| Encrypted database backups | 30 days (rolling) | Disaster recovery |
| Support-ticket correspondence | 36 months from case closure | Service continuity and pattern analysis |
| Marketing-consent records | For the duration of the consent plus a reasonable proof-of-consent window | Demonstrating lawful basis |
| Aggregated / de-identified analytics | Indefinite, as the data no longer constitutes Personal Data | Product improvement |
When a retention period ends, Personal Data is either deleted or irreversibly anonymised. Backups are encrypted, access-controlled, and overwritten on the 30-day rolling cycle.
You may request deletion at any time; see Section 9. Where law requires us to retain a record (for example, a tax record), we will isolate that record from general processing until the statutory retention window expires, and then delete it.
09 · Your rights
Depending on where you live and the applicable law, you have some or all of the rights below. We will not discriminate against you for exercising these rights.
9.1 Rights under GDPR and UK GDPR
- Right of access (Art. 15): obtain confirmation that we process your Personal Data and a copy of that data.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): ask us to delete your data where one of the statutory grounds applies.
- Right to restriction (Art. 18): ask us to limit processing in defined circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another Controller where technically feasible.
- Right to object (Art. 21): object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7(3)): at any time, without affecting prior lawful processing.
- Right not to be subject to solely automated decisions (Art. 22): we do not engage in solely automated decision-making that produces legal or similarly significant effects on you.
- Right to lodge a complaint with a supervisory authority: you have the right to complain to the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement. A directory of EU authorities is available from the European Data Protection Board. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO).
9.2 Rights under UAE PDPL
Data Subjects in the United Arab Emirates have the rights set out in the UAE PDPL, including the right to access, rectify, erase, restrict, object, and file a complaint with the UAE Data Office.
9.3 Rights under CCPA/CPRA (California residents)
- Right to know what Personal Information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete Personal Information we have collected, subject to statutory exceptions.
- Right to correct inaccurate Personal Information.
- Right to opt out of sale or sharing of Personal Information. We do not sell or share Personal Information for cross-context behavioural advertising.
- Right to limit use of sensitive Personal Information. We do not collect sensitive Personal Information for inferring characteristics.
- Right to non-discrimination for exercising your rights.
9.4 How to exercise your rights
Write to privacy@mongoqui.com from the email address on your MongoQUI account, or submit a request via the in-app "Privacy" panel once it is generally available. We will respond within the statutory timeframe applicable to your jurisdiction (one month under GDPR and UK GDPR, extendable by two further months where permitted; forty-five days under CCPA/CPRA, extendable by a further forty-five days; as applicable under UAE PDPL).
To protect your account, we may need to verify your identity before actioning a request. Where a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act, and we will explain our reasoning to you in writing.
10 · Security
We operate a defence-in-depth programme anchored to the controls catalogued in our canonical architecture (overview 4.1). Implemented controls include:
- Argon2id master password encrypting locally stored credentials on the desktop.
- JWT with organisation-scoped claims on every API call, bound to the current organisation via an x-organization-id header.
- TOTP-based two-factor authentication (Pro and Ultimate plans) using otplib in the authentication service.
- Per-device session tokens backed by a revocable devices table; you can revoke any device from your account settings.
- Per-endpoint rate limiting using rate limit buckets.
- AES-256 encryption at rest for shared-connection credentials; credentials never travel in plaintext.
- TLS 1.3 in transit across our edge and analytics layer.
- Internal service authentication using an X-Service-Auth secret between our cloud services.
- Audit log (/api/v1/audit-logs) capturing org-scoped administrative actions.
- Password-protected share links for reports, with bcrypt-hashed passwords, expiry timestamps, and instant revoke.
- Elevated-permission gating for sensitive actions (export, delete, re-run).
- CORS allow-listing per origin, per service.
No system is ever perfectly secure. If you believe you have found a vulnerability, please write to security@mongoqui.com. We do not yet operate a paid bug-bounty programme; responsible disclosures are acknowledged.
security.mongoqui.com, whether a formal vulnerability-disclosure policy should be linked, and whether to include a commitment timeline for SOC 2 Type II (which is in progress but not complete; we explicitly do not claim SOC 2 certification).
11 · Children's privacy
The Services are intended for use by professionals. They are not directed at children under the age of 16 (or the applicable minimum age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children under that age. If we learn that we have collected such data without verified parental consent where required, we will delete it.
If you believe that a child has provided Personal Data to us, please contact privacy@mongoqui.com so that we can take corrective action.
12 · Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our Services, applicable law, or Sub-processors. When we make a material change, we will:
- Update the "Last updated" date at the top of this document.
- Post the updated policy at this URL.
- Send email notice to the address associated with your account, for material changes that affect your rights or the categories of data we process.
- Display an in-app banner for a reasonable period before the change takes effect.
For non-material changes (for example, typographical corrections or clarifications), we will update the "Last updated" date without separate notice.
Archived versions of this policy are available on request from privacy@mongoqui.com.
13 · Contact
Questions, requests, or complaints about this policy may be directed to the contacts below.
13.1 Privacy and Data Protection Officer
- Email: privacy@mongoqui.com
- This address is monitored by our privacy function. Please do not use any @mongodb.com address. MongoQUI is a separate, independent company, and any legacy mention of privacy@mongodb.com on our websites is an error that is being corrected as part of this content rebuild.
13.2 General
- Product and sales enquiries: hello@mongoqui.com
- Customer support: support@mongoqui.com
- Security disclosures: security@mongoqui.com
- Abuse reports: abuse@mongoqui.com
13.3 Postal address
- Registered office: MongoQUI (legal entity name TBC), United Arab Emirates. Full address to be inserted by counsel prior to publication.
13.4 Supervisory authority
- European Economic Area: the supervisory authority of your EU member state of residence, workplace, or the place of the alleged infringement. A directory is maintained by the European Data Protection Board at https://edpb.europa.eu.
- United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, https://ico.org.uk.
- United Arab Emirates: UAE Data Office, https://www.uaedo.gov.ae.