Privacy Policy
Effective date: May 22, 2026 · Last updated: May 22, 2026
CH-UI ("CH-UI", "we", "our", "us") is operated by Caio Ricciuti. This policy explains what data we handle and how. It covers two very different ways of running CH-UI: the managed CH-UI Cloud service, and the open-source software you self-host.
Self-hosted CH-UI
When you run the open-source CH-UI on your own infrastructure:
- No telemetry, analytics, or usage data is sent to us or any third party.
- All application state is stored in a local SQLite database on your server.
- Your queries, governance metadata, and database contents stay on your infrastructure.
- The only outbound connections are to your ClickHouse, and — only if you enable Brain with your own key — your chosen AI provider.
The rest of this policy describes CH-UI Cloud, the hosted service at console.ch-ui.com.
What CH-UI Cloud stores
- Account & identity — your email address (we use passwordless magic-link sign-in), display name, and organization membership/roles.
- Billing — subscription plan and status. Payments are processed by Stripe; we never see or store your full card number.
- Connection details — the ClickHouse connection settings and credentials you add, encrypted at rest.
- Workspace content — saved queries, dashboards, pipelines, models, schedules, and Brain chats/messages/SQL artifacts you create.
- Governance data — see the dedicated section below.
- Operational logs — audit logs of actions in your org, plus standard server logs for security and reliability.
Your ClickHouse data
CH-UI Cloud connects to your ClickHouse through an outbound-only tunnel and runs queries on demand. We do not bulk-copy your tables' row data into our systems — query results are streamed to your browser to display, and saved only where you explicitly save them (e.g. a Brain artifact result).
The one deliberate exception is Governance, described next — please read it.
Governance data (important)
If you enable Governance (off by default; you turn it on explicitly), CH-UI's background syncers copy the following out of your ClickHouse cluster into CH-UI Cloud's managed PostgreSQL, in your organization's isolated schema:
- Schema metadata — database, table, and column names and types.
- Access state — ClickHouse users, roles, and grants (used for the access matrix and over-permission detection).
- Query log — entries from your cluster's system.query_log, including query text, executing user, and timing (used for lineage and the audit trail).
This data is stored only for your organization, is never shared with third parties, and is included in our encrypted backups. To bound storage, the query log is capped at a rolling 14-day retention and the newest 100,000 rows per connection. You can disable Governance at any time in the app; doing so pauses collection. Deleting your organization deletes this data.
Brain AI
When you use Brain, the messages you send and the schema context you attach are sent to a large-language-model provider to generate responses:
- Managed AI — we route requests to our model provider (OpenRouter) on your behalf.
- Bring your own key — requests go to the provider you configure, under your own account and terms.
Brain chats, messages, and artifacts are stored in your org's schema so history survives across sessions.
Subprocessors
CH-UI Cloud relies on the following service providers to operate. Each receives only the data needed for its function:
- Hetzner (EU) — cloud hosting & the managed PostgreSQL database.
- Cloudflare — DNS, TLS, and R2 object storage for encrypted off-site backups.
- Stripe — subscription billing and payment processing.
- Resend — transactional and alert email delivery.
- OpenRouter — model inference, only when you use Managed AI (not used if you bring your own key).
Security
- Connection and AI-provider credentials are encrypted at rest.
- All traffic is encrypted in transit over TLS; the ClickHouse connector is outbound-only (no inbound ports on your cluster).
- Each organization's data is isolated in its own database schema.
- Backups are encrypted and stored off-site.
Your rights & data deletion
- You can access and export your workspace content from within the app.
- Deleting your organization removes its data from our systems; residual copies in encrypted backups age out on the backup retention schedule.
- For access, correction, export, or deletion requests, contact us at the address below.
Contact
Privacy questions or data requests: support@ch-ui.com
Changes
We may update this policy. Material changes will be posted on this page with a new "last updated" date.