Datalena
Privacy Policy
Last Updated: October 2025
The Datalena Group ("we," "our," "us") operates Datalena, a multi-client SaaS platform that helps clients ("clients") analyze and manage workforce performance data. This Privacy Policy explains how we collect, use, disclose, and protect information within Datalena, its APIs, and related services (collectively, the "Service"). By accessing or using the Service, you agree to this Privacy Policy.
1. Information We Collect
1.1 Account and Identity Information
- Auth0 Login Data: name, email address, and organization identity provided by your SSO provider.
- Client Membership Data: your client key, role, and permissions (stored in Postgres).
- Audit Metadata: login timestamps, invite status, and capability assignments for security and compliance.
1.2 Operational and Analytical Data
- Workforce Data: employee schedules, time-tracking, and budgeted-vs-worked hours supplied by clients.
- Derived Metrics: computed measures (e.g., coverage %, overtime $) produced in Snowflake.
- System Logs: API calls, run diagnostics, and anonymized error traces.
1.3 Usage and Device Data
Browser type, IP address, session duration, and performance metrics are collected for security and reliability monitoring. We do not collect biometric, financial, or consumer behavioral data.
2. How We Use Information
We process data to:
- Authenticate users through Auth0 (OIDC).
- Operate client dashboards and APIs.
- Provide support, uptime, and security monitoring.
- Generate analytics to improve accuracy and performance.
- Comply with legal and contractual obligations.
We never sell or share information for advertising or marketing purposes.
3. Data Storage and Security
| Component | Purpose | Provider | Security |
|---|---|---|---|
| Auth0 | Identity & SSO | Auth0, Inc. | OIDC tokens, JWKS validation |
| Render Postgres | Portal, client, and audit data | Render | TLS encryption in transit |
| Snowflake | Analytics warehouse | Snowflake Inc. | Row-Level Security (RLP_CLIENT), encryption at rest |
| Render | App & API hosting | Render.com | HTTPS enforced; secrets in env vars |
All secrets are stored only in secure environment variables. Data is encrypted in transit (HTTPS / TLS 1.2+) and at rest.
4. Client Isolation
Each client’s data is logically and physically isolated:
- Every warehouse table includes a CLIENT identifier.
- Row-Level Security ensures only data for the active client session is returned.
-
API endpoints enforce client scoping based on JWT claims
(
https://datalena/client_key).
5. Data Retention
| Type | Retention | Notes |
|---|---|---|
| Operational logs | 90 days | Troubleshooting & security |
| Audit logs | 1 year | Compliance trail |
| Client data | Until deleted or contract end | Removal upon written request |
| Backups | ≤ 30 days | Encrypted off-site |
6. Data Sharing and Disclosure
We may share data only with:
- Authorized sub-processors (Auth0, Render for app/API/Postgres, Snowflake) under written data-protection agreements.
- Client-authorized users within your organization.
- Regulatory authorities if required by law.
We do not share data across clients or with unrelated third parties.
7. Your Rights
You may request access, correction, or deletion of your client-owned data by contacting your client administrator or [email protected]. We will assist client administrators in fulfilling valid requests.
8. Cookies and Tracking
We use only essential cookies for:
- Session management (Auth0).
- Security (CSRF protection).
- User preferences (theme, client selection).
No analytics or advertising cookies are used.
9. International Data Transfers
Processing may occur in the United States or other regions where our hosting providers operate. All transfers comply with applicable data-protection and contractual standards.
10. Children’s Privacy
The Service is intended for business use only and not directed to individuals under 16. We do not knowingly collect data from minors.
11. Updates to This Policy
We may update this Policy periodically. The “Last Updated” date reflects the current version. Substantive changes will be announced through Datalena or by email.
12. Contact Us
The Datalena Group
Attn: Privacy & Compliance
Email: [email protected]
Website: https://app.datalena.com
13. California Privacy Rights (CCPA/CPRA Notice)
This section applies only to California residents and only if Datalena Group processes personal information subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA).
At this time, The Datalena Group does not collect or process personal information as defined under the CCPA. Data handled within Datalena is business-to-business operational data supplied by clients and generally excludes personal or consumer data.
If, in the future, The Datalena Group processes personal information about California residents, we will:
- Provide clear notice at or before the point of collection.
- Honor lawful requests to access, correct, or delete such information.
- Never sell or share personal data for cross-context behavioral advertising.
- Maintain technical and organizational safeguards consistent with the CCPA and other applicable U.S. privacy laws.
California residents may contact [email protected] for any privacy-related inquiries.