Privacy Policy
Effective 2026-05-05.
The short version
- We never see your application data. The pgblame agent runs in your environment and reads only aggregate query statistics from
pg_stat_statements. It does not, and cannot, read your application's tables. - We collect what's needed to run the service: your email and account, aggregate usage events, billing identity, and the query statistics the agent ships.
- We use named subprocessors (listed below). We don't sell or rent your data to anyone.
- You can export or delete your data anytime by emailing us.
Who we are
pgblame ("we", "us") is operated by Yair Liberzon, based in Israel. Contact: hi@pgblame.com.
What we collect
Account data
- Email address (required to sign in).
- Name, if you provide one.
- Authentication state (managed by our subprocessor Clerk — see below).
- Project names you create.
Operational data from the pgblame agent
The agent ships:
- Aggregate query statistics from
pg_stat_statements: query text (which is automatically parameterized by Postgres — literal values are stripped before we ever see it), call counts, total execution time, mean execution time, row counts, shared buffer hits/reads. - Deploy events you choose to send us: source (Vercel/Railway/etc.), branch/ref, commit SHA, commit message, deploying user. These are public information about your code.
The agent does not ship:
- Application data, rows from your tables, or query results.
- Database credentials or connection strings.
- System metadata (auth, roles, IP addresses of your DB).
We are happy to share the agent's source on request — email us and you can read the literal SQL it runs against your database before installing it.
Connection-test data (transient)
During onboarding we offer a "Test connection" step that connects to your database from our infrastructure to verify configuration. The host you submit is sent to our server, used for a single SELECT-1 + extension check, and not stored. Connection strings are never persisted.
Usage and analytics
We capture funnel events (signup, project_created, first_snapshot_received, upgrade_clicked, subscription_created, etc.) to understand how the product is used and where users get stuck. These events are tied to your account but contain no application data. Analytics is processed by PostHog (see subprocessors).
To find where new users get stuck during onboarding, we also record masked session replays via PostHog. These capture page layout, clicks, and navigation only — all text and form inputs (including connection strings and any query data shown in the dashboard) are masked in your browser before anything is sent, so a replay never contains your application data.
Billing data
Payment processing is handled by Lemon Squeezy as Merchant of Record. We do not see or store your card number. We do see (and store) the subscription status, plan, and your billing email.
Logs
Standard request/error logs (URL, status, response time, IP address, user-agent) are retained for up to 30 days for security and debugging.
How we use it
- To provide the dashboard and alerts you signed up for.
- To bill you, if you're on a paid plan.
- To send transactional email (account, alerts, receipts) via Resend.
- To improve the product (funnel analysis to fix onboarding drop-off, for example).
- To respond to support requests you send us.
We do not use your data to train AI models or sell advertising.
Subprocessors
We use the following third parties to operate the service. Each is bound by their own privacy policy (linked).
| Vendor | What they do | What they see |
|---|---|---|
| Clerk | Authentication | Email, name, login times, IP at login |
| Supabase / Neon | Hosted Postgres for our central DB | Everything we store at rest |
| Vercel | Hosting + CDN | Request logs, IPs |
| Lemon Squeezy | Payments (Merchant of Record) | Card data, billing address, tax ID if applicable |
| Resend | Transactional email | Recipient email, subject, message body |
| PostHog | Product analytics | Funnel events tied to your user id |
| GitHub | Container registry for the agent image | Image pull telemetry |
Where data lives
Our central Postgres is hosted in the United States or European Union, depending on the provider region we configure. Your application data never leaves your environment because the agent never collects it.
How long we keep it
- Query snapshots: 7 days on Free, 30 days on Pro, 90 days on Agency. Older rows are deleted automatically each day.
- Deploy events: 1 year, then auto-deleted.
- Audit log: kept for the lifetime of the account.
- Account data: kept until you delete the account, at which point everything is removed within 30 days (with backups following standard rotation).
Your rights
You can:
- Access the data we hold about you.
- Correct it.
- Export it (machine-readable JSON).
- Delete your account and data.
- Object to specific processing.
Email hi@pgblame.com with the request. We respond within 30 days.
If you're in the EU/UK, the legal bases we rely on are: contract (account/billing), legitimate interest (security, product analytics), and consent (where required for cookies or marketing — none currently sent).
Cookies
We only set strictly-necessary cookies: authentication (Clerk) and Vercel session affinity. PostHog sets no cookies for analytics, and we set no advertising or cross-site tracking cookies. Our masked session replay uses temporary browser session storage (cleared when you close the tab) rather than cookies.
Children
pgblame is not directed at children under 16. If you believe a child has signed up, email us and we'll delete the account.
Changes
We'll update the "Effective" date above when this page changes. For material changes we'll email account holders.