dbt Labs Privacy Policy

Last updated: July 11, 2024

This privacy policy for dbt Labs, Inc. (together with our affiliates, “dbt Labs”, “we”, “our”, or “us”) discloses how we collect, store, process, transfer, share, hold, and use data that identifies or is associated with visitors (“personal information”) to our public website at https://www.getdbt.com (“website”) and any other personal information you otherwise provide to us as further described below. For the purposes of this privacy policy, “you” and “your” means you as the Visitor.

This privacy policy does not cover information submitted to us as part of your use of dbt Cloud™ including, but not limited, to information about a client’s customers or authorized users. This privacy policy also does not cover information of people whose only contact with us is visiting our dbt Community Slack. Aside from these circumstances, dbt Labs is the data controller of the personal information we hold about you. Our website provides valuable information meant to enable efficiency, accuracy and best practices in your data transformations. Before accessing or using our website or otherwise providing us your personal information, please ensure that you have read and understood our collection, storage, use and sharing of personal information about you as described in this privacy policy. If you do not want information about you used as described in this privacy policy, then please do not provide your personal information to us.

We are a company established under Delaware State law in the United States with a registered office at 915 Spring Garden St, Suite 500, Philadelphia, PA 19123, and for the purposes of General Data Protection Regulation (“GDPR”) and the GDPR as implemented in the UK (together referred to as the “EU and UK Data Protection Laws”), we are the data controller.

This privacy policy does not cover information submitted to us as part of your use of dbt Cloud™ including, but not limited, to information about a client’s customers or authorized users. This privacy policy also does not cover information of people whose only contact with us is visiting our dbt Community Slack. Aside from these circumstances, dbt Labs is the data controller of the personal information we hold about you. Our website provides valuable information meant to enable efficiency, accuracy and best practices in your data transformations. Before accessing or using our website or otherwise providing us your personal information, please ensure that you have read and understood our collection, storage, use and sharing of personal information about you as described in this privacy policy. If you do not want information about you used as described in this privacy policy, then please do not provide your personal information to us.

1. PERSONAL INFORMATION WE COLLECT ABOUT YOU AND HOW WE USE AND SHARE IT

Information you give to us

  • We collect personal information when you voluntarily submit such information directly to us. This can include information you provide to us when you connect with us by filling in a form on our website, corresponding with us by phone, email or otherwise, subscribing to our mailing lists, blogs, newsletters or other forms of marketing communications, visiting our public pages including source code, documentation and repositories, registering for and/or attending, virtually or in-person, one of our many trainings, international meet-ups, booth locations, or our Coalesce Analytics Engineering Conference, responding to a survey, completing an online form, or entering a promotion (“Connections”).

  • The table at Annex 1 further sets out the categories of personal information we collect about you, within the past 12 months, the purpose for collection, and how we use and/or disclose that information. To the extent applicable under EU and UK Data Protection Laws, the table also lists the legal basis which we rely on to process personal information, the categories of recipients that we share personal information with and the criteria that we use to determine applicable retention periods.

Information we collect from third parties

  • This privacy policy governs any personal information we receive from Visitors. We are not responsible or liable for the accuracy of the information provided to us by Visitors and are not subject to any third party’s policies or practices. See Sections 8, 9 and 10, and the Annexes below for more information.

  • The table at Annex 1 sets out the categories of personal information we collect about you and how we use and disclose that information in the past 12 months. To the extent applicable under EU and UK Data Protection Laws, the table also lists the legal basis which we rely on to process the personal information, the categories of recipients that we share personal information with and the criteria that we use to determine applicable retention periods.

Information we collect automatically

  • We also automatically collect personal information about you indirectly about how you access and use the website, such as information about the device you use to access the Connections.

  • The table at Annex 2 sets out the categories of personal information we collect about you automatically and how we use and disclose that information in the past 12 months. To the extent applicable under EU and UK Data Protection Laws, the table also lists the legal basis which we rely on to process the personal information, the categories of recipients that we share your personal information with and the criteria that we use to determine applicable retention periods.

  • We may consider personal information collected about you and how many and the types of Connections we have with you in order to predict what products or services may be the best fit for you. This allows us to tailor our marketing efforts and create the best personalised experience. We may use third party tools to assist us and manage our processes. More information about what we collect and how we use the personal information is in the Annexes.

  • We may anonymise and aggregate any of the personal information we collect (so that it does not directly identify you). We may use anonymised information for purposes that include testing our IT systems, research, incorporation of Privacy by Design principles, data analysis, improving our products and services and developing new products and features. We may also share such anonymised information with others.

  • If you choose not to provide personal information, we may not be able to respond to your requests.

Information we collect at events

  • We collect personal information you give us related to registration. This may be shared with event organizers, sponsors, venues, or providers of services for the event for purposes of planning for, hosting, and administering events, and of communicating about products and services and future events. We may also collect personal information related to your attendance, the sessions you attend, your sessions as speaker or facilitator, and your other activities.

  • We may collect and share on our website personal information related to your attendance, speaking, facilitating or participation in discussions/talks/networking that includes records of your image, voice, and commentary for the purpose of documentation of the event, facilitating remote attendance, website accuracy, and for the participation and education of online participants such as those with health, travel or other constraints.

2. MARKETING AND ADVERTISING

From time to time we may contact you with information about our products and services. Most marketing messages we send will be by email. For some marketing messages, we may use personal information we collect about you to help us determine the most relevant marketing information to share with you, and we may tailor advertising to you based on the information we’ve collected in an effort to provide you with information that is the most relevant and useful to you. We may use third party tools as part of our processes, but we share very limited personal information with them, and they are under contractual obligations to only use data we share on our behalf and in compliance with applicable law. We use OneTrust to permit Visitors in certain jurisdictions to opt-in or opt-out of Google analytics, Optimizely analytics, and marketing messages from us in compliance with applicable law, and you may indicate your preferences on forms we use when we first collect your contact details. You can effectuate this by opening the ‘Preference Center’ (click the link in the banner or footer) and making sure all toggles are off (aside from strictly necessary which are always enabled). You can also change your marketing preferences at a later date by clicking on the unsubscribe link at the bottom of our marketing emails.

3. DATA SECURITY

We implement technical and organisational measures designed to protect personal information about you against accidental or unlawful destruction, loss, change or damage. However, please be aware though that, despite our best efforts, no security measures are perfectly secure, error-free, or impenetrable, and we cannot guarantee “perfect security.” Any information you send to us electronically may not be secure when it is transmitted to us. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us. Any information you send us through any means is transmitted at your own risk.

4. INTERNATIONAL TRANSFERS OF YOUR PERSONAL INFORMATION

If you are located in the EU or EEA, UK, or Switzerland, this may mean that your personal information will be stored or processed in the USA. To the extent an EU-US, UK-US and/or Swiss-US adequacy ruling is in place, we maintain the obligations identified in Section 6 below. In the absence of an adequacy ruling and Data Privacy Framework certification, the following obligations apply:

  • When transferring personal information originating from the EEA or the UK to the USA, we seek to comply with applicable EU and UK Data Protection Laws by using (i) the European Commission’s model contracts for the transfer of personal information to third countries (i.e., the standard contractual clauses) (the “Model Clauses”); (ii) the equivalent contract issued by the relevant competent authority of the UK, Switzerland or another country, as relevant; or (iii) appropriate derogations for specific situations pursuant to Article 49(1) of the GDPR and UK GDPR – unless the data transfer is to a country that has been determined by the European Commission and/or the relevant UK or other governmental authorities, as applicable, to provide an adequate level of protection for personal information.

  • If you wish to enquire further about the safeguards we use or to examine a copy of the Model Clauses, please contact us using the contact details set out at the end of this privacy policy.

5. YOUR RIGHTS IN RESPECT OF PERSONAL INFORMATION ABOUT YOU

  • EU/UK. Where applicable, in accordance with applicable EU, Swiss, and UK Data Protection Laws, if you are located in the EEA, Switzerland, or the UK, you may have the following rights in respect of personal information about you that we hold:

    • Transparent Communications. Communications will be concise, transparent, intelligible and easily accessible form, using clear and plain language (Art. 12 of the GDPR).

    • Disclosure upon Collection. The collector of the data will, at the time when personal data are obtained, provide the data subject with information related to the collector including contact details, the purposes for the collection, the legal basis, and the third party and location of any data transfers (Art. 13 of the GDPR).

    • Notice and Access. The right to receive notice that your data is in a data collector’s possession and identify the source of the data (Art. 14 of the GDPR) and to obtain access to your personal information, to understand how we use it, and who we share it with (Art. 15 of the GDPR).

    • Rectification. The right to obtain rectification of your personal information where that personal information is inaccurate or incomplete (Art. 16 of the GDPR) and may request notice be given to data recipients downstream (Art. 19 of the GDPR).

    • Erasure. The right to obtain the erasure of your personal information in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed (Art. 17 of the GDPR) and may request notice be given to data recipients downstream (Art. 19 of the GDPR).

    • Restriction. The right to require us to stop processing the personal information we hold about you, other than for storage purposes, in certain circumstances (Art. 18 of the GDPR).

    • Portability. The right to receive a copy of the personal information we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions (Art. 20 of the GDPR).

    • Object. The right to object to our processing of your personal information (Art. 21 of the GDPR).

    • Objection to marketing. The right to object to marketing at any time by clicking the unsubscribe button at the bottom of the email (Art. 21 of the GDPR).

    • Withdrawal of Consent. To the extent that we rely on consent to process personal information about you, the right to withdraw this consent at any time by clicking the unsubscribe button at the bottom of the email (Art. 21 of the GDPR).

    • No Profiling. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her without consent (Art. 22 of the GDPR).

This list is not meant to be a complete statement of your rights, does not constitute legal advice, nor is it a guarantee of such rights. The list is subject to change, revision, regulation, court decision, interpretation, or restriction (Art. 23 of the GDPR) by governmental authorities. Please note that a number of these rights only apply in certain jurisdictions or circumstances. The rights are subject to being balanced against other factors or rights, and may be impacted where fulfilling your request would adversely affect other individuals or our trade secrets/ intellectual property, where there are overriding public interests or where we are required by law to retain your personal information.

If you wish to exercise one of these rights, please contact us using the contact details at the end of this privacy policy. To further protect your rights, we may need to request verification of your identity pursuant to the process disclosed under the Identity Verification section below. You may also review and edit the personal information you have submitted to us by logging into your account on our website. 

If you have complaints about how we process personal information about you, please contact us at the details provided at the end of this privacy policy and we will respond to your request as soon as possible. You may also have the right to make a complaint to the relevant Supervisory Authority in the EEA country in which you live or work, or with the UK Information Commissioner’s Office, as applicable to you. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

  • California. Where applicable, if you are a California resident you may have the following rights under the California Consumer Privacy Act of 2018 (the “CCPA”) in relation to “personal information” we have collected about you as defined in the CCPA; these rights are, to the extent required by the CCPA and subject to verification and any applicable exception:

    • Know/Access. You have the right to request that we disclose certain information to you about our collection and use of certain personal information about you as described below:

      • the specific pieces of personal information collected;

      • the categories of personal information collected;

      • the categories of sources from whom the personal information is collected;

      • the purpose for collecting the personal information; and

      • the categories of third parties with whom we have shared the personal information.

    • Delete. You have the right to request that we delete the personal information.

    • Opt Out. You have the right to opt out of the sale or sharing of your personal. We do not sell your personal information or share it, although we may share it with third parties who use it to provide us services and are our service providers.

    • Rectification. You have the right to correct inaccurate information a business has on you.

    • Restriction. You have the right to limit the use and disclosure of sensitive personal information.

    • Freedom from Discrimination. You have the right to be free from unlawful discrimination for exercising any of the rights above.

    • To request your exercise of the rights described above, please submit a request to us by emailing us at privacy@dbtlabs.com. These rights may be subject to exceptions, limitations, interpretations, or modifications by applicable law.

    • To further protect your rights, we may request verification of your identity pursuant to the process disclosed under the Identity Verification section below. You may also review and edit the personal information you have submitted to us by logging into your account on our website.

  • Virginia Residents.As the controllers of personal information you have provided to us, we provide the following privacy notices specific to Virginia residents only:

    • The categories of and purpose for processing personal data are in Annex 1, which also contains the categories of personal data;

    • We may process your personal information in accordance with Section 1.7 which may include targeted advertising to personalize your online experience with subjects of interest to you. To opt-out, please contact us using the contact details at the end of this privacy policy;

    • We will implement and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data and only hold the data for the specific purpose indicated above and for only as long as necessary to achieve the purpose (purpose limitation and data minimization);

    • The categories of personal data we share with third parties and the categories of such third parties are in Annex 1 and Annex 3;

    • You may make a personal data requests of us; and

    • To exercise your consumer rights or appeal a decision with regard to your request, please contact us using the contact details at the end of this privacy policy. These rights may be subject to exceptions, limitations, interpretations, or modifications by applicable law.

    • To further protect your rights, we may request verification of your identity pursuant to the process disclosed under the Identity Verification section below. You may also review and edit the personal information you have submitted to us by logging into your account on our website.

Virginia residents may have the following personal data rights:

  • Know. You have the right to be informed (right to know) of the processing of personal data;

  • Access. You have the right to access their personal information;

  • Rectify. You have the right to correct inaccurate personal data;

  • Opt-Out. You have the right to opt out of the sale of personal data targeted advertising, or profiling; and

  • Deletion. You have the right to deletion of personal data.

Identify Verification. Where applicable law permits us to verify identity:

  • To further protect your rights, we may request verification of your identity including your name, email address, IP Address, country of residence, and/or other contact information, your account identification, and the company brand with which you have or had a relationship related to the applicable account prior to addressing your request, and we may ask for additional information and documents prior to fulfilling your request.

  • You may be entitled, in accordance with applicable law, to submit a request through an authorized agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request, data access request, or other exercise of privacy rights related to personal information collected about you. To designate an authorized agent to exercise your rights and choices on your behalf, please provide your authorized agent with signed, written permission demonstrating that they have been authorized by you to act on your behalf. You may be required to either verify your own identity directly with us; or provide us a copy of the written permission authorizing the agent to submit the request.

  • We may be contractually or legally obligated to provide notice of your request to the company brand with which you have or had a relationship related to the applicable account prior to addressing your request.

  • We may compare personal information submitted as part of the request and/or identity verification process to related account information or information available to us through your logging into your account on our website.

  • If we cannot identify you, we may be obligated to refuse the request.

6. JURISDICTION AND ENFORCEMENT

  • dbt Labs complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), and United Kingdom (and Gibraltar) Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program as set forth by the U.S. Department of Commerce (EU, UK and Swiss collectively, the DPF). dbt Labs has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the UK (including Gibralter) in reliance on the EU-U.S. and UK DPFs. dbt Labs has certified or will shortly certify to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, Principles), the applicable Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. The Data Privacy Framework supersedes and replaces the US Privacy Shield.

  • With respect to data transferred pursuant to the the Data Privacy Framework (DPF) program, dbt Labs

    • does not collect sensitive personal information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual).

    • does not use personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.

  • Pursuant to the DPF, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. You may also request access to that data for the purpose of verifying, updating or correcting inaccurate information. Furthermore, you can request erasure of information handled in violation of the DPF Principles. We will provide an individual opt-in for individuals identifiably from the EU, UK and Switzerland before we share your data with third parties (other than our agents).

  • dbt Labs is responsible for the processing of personal data it receives pursuant to the DPF and to the extent it subsequently transfers such data to a third party acting as an agent on its behalf. To the extent any individual’s personal information is disclosed to a third party, such personal information is made only to third parties (i) under contract with dbt Labs, and (ii) acting as agents of dbt Labs, i.e., performing task(s) on behalf of and under the instructions of dbt Labs.

  • dbt Labs complies with the DPF Principles for all onward transfers of personal data from the EU, the United Kingdom, and Switzerland, including applicable onward transfer liability provisions.

  • With respect to personal data received or transferred pursuant to DPF , dbt Labs is subject to the regulatory investigative and enforcement powers of the U.S. Federal Trade Commission. In certain situations, dbt Labs may be required to comply with applicable law in disclosing personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

  • In compliance with the EU-US, UK and Swiss-Data Privacy Framework Principles, dbt Labs commits to resolve complaints about your privacy and our collection or use of your personal information. European Union, United Kingdom, or Swiss individuals with DPF inquiries or complaints regarding this privacy policy should first contact dbt Labs using the contact details at the end of this privacy policy.

    • We have further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs, a non-profit alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

    • If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

7. COOKIES AND SIMILAR TECHNOLOGIES

  • We also automatically collect information including personal information and details including your interaction with the website. To do this, we may use cookies, web beacons/clear gifs, and other similar technologies.

  • We use the following types of cookies:

    • Strictly necessary cookies. These are cookies required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website or make use of e-billing services.

    • Analytical/performance cookies. They allow us to recognise and count visitors moving around our website. This helps us to improve the way our website works, for example, by ensuring that Visitors are finding what they are looking for easily. For example, we may use Mouseflow, HotJar, or other third-party analytics tools, to track page content and click/touch, movement, scroll and keystroke activity. With respect to Hotjar (and any other third-party analytics tools listed in Annex 3), we use it in order to better understand our users’ needs and to optimize our services and user experiences. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to incorporate user feedback and usage patterns into our services. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This may include a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details about Hotjar, please contact Hotjar at https://help.hotjar.com/hc/en-us/requests/new or, to stop Hotjar from collecting your data, please see the Data Privacy page at https://help.hotjar.com/hc/en-us/articles/360002735873-How-to-Stop-Hotjar-From-Collecting-your-Data.

    • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your opt-out or preferred language).

    • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website, the advertising displayed on it, and the marketing messages we send to you more relevant to your interests. We may also share this information with third parties who provide a service to us for this purpose.

    • Third party cookies. Please be aware that advertisers and other third parties may use their own cookies tags when you click on an advertisement or link on our website. These third parties are responsible for setting out their own cookie and privacy policies.

  • Annex 3 contains more information about the cookies we use and how long they remain on your device. Annex 3 is updated and refreshed monthly.

  • The cookies we use are designed to help you get the most from the website, such as to distinguish you from other Visitors of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website, but if you do not wish to permit cookies, most browsers allow you to change your cookie settings. Please note that if you choose to refuse cookies you may not be able to use the full functionality of our website. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings, the following links may be helpful, otherwise you should use the “Help” option in your browser for more details.

  • If you only want to limit third party advertising cookies, you can turn such cookies off by visiting the following links (please bear in mind that there are many more companies listed on these sites than those that drop cookies via our website):

  • Your browser settings may also allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, our website is not designed to respond to “Do Not Track” signals received from browsers. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

8. VISITOR GENERATED CONTENT

The Connections may also share, refer to, or host content created and uploaded by visitors to the dbt Community Slack or the website, which visitors may elect to engage with. Through your participation, you may submit content (“Visitor-Generated Content” or “VGC”). We or others may store, display, reproduce, publish, or otherwise use VGC, and may or may not attribute it to you. Others may also have access to VGC and may have the ability to share it with third parties. If you choose to submit VGC to any Social Feature or public forum such as the website or a conference, your VGC will be considered “public” and will be accessible by anyone, including dbt Labs.

Please note that we do not control who will have access to information that you make available to others, and cannot ensure that parties who access to such information will keep it secure or respect your privacy.  We are not responsible for the privacy or security of any information you make publicly available or what others do with information shared on such platforms.  We are not responsible for the accuracy, use or misuse of any VGC that you disclose or receive from third parties through the forums or email lists.

9. SOCIAL FEATURES

The dbt Community Slack forum permits chats with other data practitioners and lets you ask questions about analytics engineering, and certain features of the website permit you to initiate interactions between the website and third-party services or platforms, such as social networks (“Social Features”). Social Features may include features that allow you to click and access our pages on certain third-party platforms, such as Facebook, LinkedIn, and Twitter, and from there to “like” or “share” our content on those platforms. Use of Social Features may entail a third party’s collection and/or use of your information. If you use Social Features or similar third-party services, information you post or otherwise make accessible may be publicly displayed by the third-party service you are using. Both dbt Labs and the third party may have access to information about you and your use of both the website and the third-party service. For more information on third-party websites, services, and platforms, see the following Section.

10. LINKS TO THIRD PARTY SITES

Our website may, from time to time, contain links to and from third party websites, including those of other Visitors, our partner networks, advertisers, partner merchants, news publications, retailers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we expressly disclaim any responsibility or liability for their policies. Our inclusion of such links does not, by itself, imply any endorsement of the content on or actions of such platforms or of their owners or operators except as disclosed on the website. Please check the individual policies before you submit any information to those websites. Any information submitted by you directly to these third parties is subject to that third party’s privacy policy.

11. NOTICE TO YOU OF CHANGES TO THIS POLICY

We may update this privacy policy from time to time and so you should review this page periodically. When we change this privacy policy in a material way, we will update the “last modified” date at the end of this privacy policy. Changes to this privacy policy are effective when they are posted on this page, or such later date as may be specified in the updated privacy policy. IF YOU DO NOT AGREE TO ANY UPDATES TO THIS PRIVACY POLICY PLEASE DO NOT ACCESS OR CONTINUE TO USE THE CONNECTIONS.

12. CONTACTING US

Questions, comments and requests regarding this privacy policy are welcome and should be sent to privacy@dbtlabs.com. Further information is available from the dbt Labs Manager, Security Compliance (dbt Labs data protection and privacy officer) at privacy@dbtlabs.com.

Last Revised: This privacy policy was last modified on July 10, 2024.

ANNEX 1 - PERSONAL INFORMATION WE COLLECT

Category of personal information

Business or Commercial purpose for collection, use, and sharing

Legal basis for the processing

Contact and profile information. Personal information, such as your name, address, email address and company name.

- Operate, maintain, improve and provide to you the features and functionality of the Service.
- Communicate with you including sending statements and invoices, service-related communications and marketing communications.
- Deal with enquiries and complaints made by or about you relating to the Service.

The processing is necessary for:
- The performance of a contract and/or are necessary steps prior to entering into a contract; and
- Or is pursuant to our legitimate interests in running our business effectively and/or with your opt-in and/or consent.

Comments, chat and opinions. When you contact us directly, e.g. by email, phone or by completing an online form, commenting on our blog, commenting on us publicly, or participating in other online chat(s), we may record your comments and opinions.

- Address your questions, issues and concerns.
- Feedback loop for developing or/or improving our products and services.
- Record your voice or likeness as part of your participation in an event for purposes of accuracy and education of online participants.
- Determine products and services that may be of interest to you.
- Send you sales and/or marketing communications.

The processing is necessary for our legitimate interests in running our business effectively, responding to customer requests or concerns, and providing the best products and services to Visitors and/or may be pursuant to opt-in and/or consent.

Payment and transaction information. Information such as the service level purchased, date and time of your transaction, and payment information, such as your credit card or bank account details.

- Facilitate transactions.
- Detect and prevent fraud.

The processing is necessary for:
- The performance of a contract;
- Or is pursuant to our legitimate interests and/or with your opt-in and/or consent.

Preferences. Preferences set for notifications, marketing communications, how our website is displayed and how you use the Service.

- Provide notifications product and services, banner announcements and other notices and communications to customer,.
- Send marketing communications or other announcements related to new features, trainings, consulting services, or products as a convenience to Visitors looking for the right tools.
- Display our Service in accordance with your choices.

The processing is necessary for:
- Our legitimate interest, namely ensuring the user receives the correct notifications, marketing. other communications; and
- The performance of a contract.
- Or is pursuant to the opt-in or consent of the Visitor.

Information provided by third parties. From time to time, we may receive information about you from third parties and other Visitors (as above). We may obtain information from third parties that enhances, confirms, or supplements our existing information. We may also collect information about you that is publicly available. We may collect personal information about you from the following categories of sources:
- Data enrichment services;
- Social networking sites (e.g., LinkedIn) and email service providers (e.g., MailChimp), when you choose to link any such third party platforms to your account. This information is used to maintain your account and login information; and
- Social media platforms, for example, Instagram when you post a link to the services, or click a link to access the Services.

- Contact or respond to you.
- Identity verification.
- Provide advertising or promotional materials.
- Personalise our Service, such as pre-populating online forms, offering events in the correct region, supplying applicable surveys, and better understanding the demographics of our Visitors. We may combine this information with the information we collect from you directly to better provide relevant communications with you.

The processing is necessary for our legitimate interests, namely to communicate relevant or requested material to Visitors, tailor our products and services to Visitors and improve our products and services generally.

All personal information set out above.

- We will use all the personal information we collect to operate, maintain and provide you the features and functionality of the Service, to communicate with you, to monitor and improve our Service and business, and to help us develop new products and services.

The processing is necessary for our legitimate interest, namely to administer and improve the Service.

Categories of recipients (for a business purpose)

Retention period

As required in accordance with how we use it, we will share your personal information with the following:

Service providers, agents, and advisors. Third party vendors and other service providers that perform services for us, on our behalf, which may include organizing events, hosting events, sponsoring events, identifying and serving targeted advertisements, providing mailing, survey, email or chat services, tax and accounting services, payment processing, data enhancement services, fraud prevention, web hosting, or providing analytic services.

Purchasers and third parties in connection with a potential change in business ownership. Personal information may be disclosed to third parties in contemplation of or in connection with a potential transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business.

Law enforcement, regulators and other parties for legal reasons. Third parties as required by law or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) enforce our Terms of Use or to protect the security or integrity of our Service; and/or (c) exercise or protect the rights, property, or personal safety of dbt Labs, our Visitors or others.

For no longer than necessary for the purposes disclosed, and in accordance with our legal obligations and legitimate business interests or until deletion is requested by the individual.

ANNEX 2 - PERSONAL INFORMATION COLLECTED AUTOMATICALLY

Category of personal information

How we use it

Legal basis for the processing

Categories of recipients

Retention period

Information about how you access and use the Service. For example, the website from which you came and the website to which you are going when you leave our website, how frequently you access the Service, the time you access our Service and how long you use it for, the approximate location that you access the Service from, whether you access the Service from multiple devices, and other actions you take on the Service.

Information about your device. We also collect information about the computer, tablet, smartphone or other electronic device you use to connect to our Service. This information can include details about the type of device, unique device identifying numbers, operating systems, browsers and applications connected to our service through the device, your internet service provider or mobile network, your IP address and your device’s telephone number (if it has one).

We use information about how you use and connect to our Service to present our Service to you on your device and to determine the products and services that may be of interest to you for marketing purposes.

We use the information to: - Present our Service to you on your device;
- Determine the products and services that may be of interest to you for marketing purposes; and
- Monitor and improve our Service and business, and to help us develop new products and services.

The processing is necessary for our legitimate interests, namely: to tailor our Service to the user and to improve our Service generally; to monitor and resolve issues; for marketing purposes; to communicate with users; to contact users; and for the detection and prevention of fraud.

As required in accordance with how we use it, we will share your personal information with the following:

Service providers and advisors. Third party vendors and other service providers that perform services for us, on our behalf, which may include identifying and serving targeted advertisements, providing mailing, email or chat services, tax and accounting services, payment processing, data enhancement services, fraud prevention, web hosting, or providing analytic services.

Purchasers and third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business.

Law enforcement, regulators and other parties for legal reasons. Third parties as required by law or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) enforce our Terms of Use or to protect the security or integrity of our Service; and/or (c) exercise or protect the rights, property, or personal safety of dbt Labs, our users or others.

For no longer than necessary for the purposes set out and in accordance with our legal obligations and legitimate business interests.

ANNEX 3 - COOKIES