Privacy Policy
Last updated: April 20, 2026 · Effective immediately for new users; existing users notified via email.
1. Who We Are
SemiLayer, Inc. (“SemiLayer”, “we”, “us”, “our”) provides an intelligence layer for databases, including semantic search, live streaming, vector indexing, and a generated typed client (“Beam”). Our services are available at api.semilayer.com, console.semilayer.com, and via our CLI and npm packages.
For questions about this policy, contact us at root@semilayer.dev.
2. Information We Collect
2a. Account & Identity Information
When you create an account we collect:
- Name and email address (from your OIDC provider — Google, GitHub, or any OIDC-compatible IdP)
- Organization name and slug
- Payment information (handled by Stripe; we store only the Stripe customer ID and subscription status)
2b. Data You Push to Us
When you configure a Lens and run an ingest job, SemiLayer reads rows from your source database (via the bridge adapter) for the sole purpose of computing and storing vector embeddings. We store:
- Vector embeddings derived from your selected fields
- The primary key and any metadata fields you mark as stored: true in your Lens config
- Ingest run logs (row counts, timing, error messages)
We do not store your raw database rows, passwords, connection strings in plaintext (they are encrypted at rest via your chosen KMS provider), or any fields you have not explicitly included in a Lens.
2c. Usage & Telemetry Data
We automatically collect:
- API request logs (endpoint, response time, status code) — retained for 90 days
- Ingest job metrics (rows processed, token usage, duration)
- Console usage events (page views, feature interactions) — via Google Analytics 4
- Error and crash reports to improve reliability
SemiLayer uses Google Analytics 4 on semilayer.com, semilayer.dev, and the Console to understand how our product is used in aggregate.
2d. Support Communications
If you contact us via email or submit feedback through the Console, we retain those communications to resolve your request and improve the product.
3. How We Use Your Information
We use collected information to:
- Provide, operate, and improve the SemiLayer platform
- Process payments and manage subscriptions
- Send service emails (account confirmation, invoices, quota warnings, security alerts)
- Respond to support requests and bug reports
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not use your data or your customers' data to train AI or embedding models, for advertising, or for any purpose beyond operating the service.
4. How We Share Your Information
We share information only in these circumstances:
4a. Service Providers
We use trusted sub-processors to operate SemiLayer. Each is contractually bound to protect your data and use it only to provide their service to us:
- Cloud infrastructure provider — compute, storage, database, KMS, networking (named in the DPA)
- Stripe — payment processing and billing
- OIDC identity provider — single sign-on for SaaS deployments (named in the DPA)
- Embedding provider — vector representation of the text fields you configure; no raw rows (named in the DPA)
- Transactional email provider — delivery of service emails (named in the DPA)
- Google Analytics — aggregate marketing site analytics (anonymized)
4b. Legal Requirements
We may disclose information if required by law, court order, or to protect the rights, property, or safety of SemiLayer, our users, or the public.
4c. Business Transfers
In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users before any transfer and before their data becomes subject to a different privacy policy.
We do not sell, rent, or broker your personal data to third parties.
5. Data Retention
- Account data — retained for the life of your account plus 30 days after deletion, then permanently purged.
- Vector data & embeddings — deleted immediately when you delete a Lens, Source, or Environment. Deleted when your account is closed.
- API request logs — retained for 90 days.
- Billing records — retained for 7 years to comply with financial regulations.
- Support communications — retained for 3 years from the date of your last interaction.
6. Security
We take security seriously and apply industry-standard protections:
- All data in transit is encrypted via TLS 1.2+
- Data at rest is encrypted via AES-256 (Google Cloud KMS, or your own BYO KMS key for Enterprise)
- Database connection strings and API secrets are stored in Google Secret Manager
- Access to production infrastructure is controlled via GCP IAM and requires MFA
- CI/CD deploys authenticate via Workload Identity Federation — no long-lived service-account keys
- We conduct periodic security reviews and promptly patch vulnerabilities
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to root@semilayer.dev.
7. Cookies & Tracking
We use a small number of cookies:
- sl_access (HttpOnly, Secure) — your platform JWT, expires in 15 minutes.
- sl_refresh (HttpOnly, Secure) — refresh token, expires in 7 days.
- Google Analytics — on semilayer.com and semilayer.dev only. You can opt out via browser settings or the GA opt-out browser add-on.
We do not use advertising cookies, third-party tracking pixels, or fingerprinting in the authenticated product surfaces.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your data (“right to be forgotten”)
- Portability — receive your data in a machine-readable format
- Objection / Restriction — object to or restrict certain processing activities
- Opt out of marketing emails — use the unsubscribe link in any marketing email or email us
To exercise any of these rights, email root@semilayer.dev. We will respond within 30 days.
California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, sold, or disclosed, and the right to opt out of the sale of personal information. SemiLayer does not sell personal information.
European / UK Residents (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR respectively. Our lawful basis for processing is primarily contract performance (to deliver the service you signed up for) and legitimate interests (security, fraud prevention, analytics). Where we rely on consent (e.g., marketing emails), you may withdraw it at any time.
9. Children's Privacy
SemiLayer is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
10. Enterprise & Self-hosted Deployments
If you deploy SemiLayer on your own infrastructure under an Enterprise agreement, you are the data controller for all data processed by that deployment. SemiLayer acts as a data processor. The Data Processing Addendum (DPA) included in your Enterprise agreement governs that relationship.
In self-hosted mode, SemiLayer does not send any user data back to SemiLayer infrastructure. Telemetry and usage reporting are disabled unless explicitly enabled in your deployment config.
11. Agentic Access (Model Context Protocol)
SemiLayer operates a Model Context Protocol (MCP) server at mcp.semilayer.com that lets AI agents (such as Claude Desktop, Cursor, Claude Code, and any MCP-compatible client) call our API on your behalf. Connecting an agent is optional; if you do, the following applies:
11a. Authentication & consent
Each connection requires you to approve a consent screen that names SemiLayer as the target resource and lists the scopes requested (mcp:read, mcp:write, mcp:admin). The same identity provider we use for Console handles this step. Access tokens are short-lived (1 hour); refresh tokens rotate (30 days). Revoking the session in Console → Settings → Sessions invalidates both immediately.
11b. Dynamic client registration
When an agent first connects, it self-registers as an OAuth client via RFC 7591 Dynamic Client Registration. We store the resulting client ID, declared client name (prefixed mcp-), redirect URIs, granted scopes, and client metadata describing the agent software. We do not receive or retain your agent’s local storage, device identifiers, or any content from your conversations with the agent.
11c. What MCP calls can access
MCP tool calls execute with your identity and your existing SemiLayer role. An agent can only read or write what you could read or write through the Console, CLI, or REST API — nothing more. Every tool call is individually authorised; the agent cannot batch, replay, or extract data beyond what a specific tool invocation explicitly returned to it.
11d. What we log from MCP calls
We record the same API request logs described in §2c (endpoint, response time, status code, user ID), plus an audit-log entry for any write-tool commit. We do not receive the prompt that triggered a tool call, the agent’s conversation history, other tools the agent has open, or any data not explicitly part of the tool invocation itself.
12. International Data Transfers
SemiLayer is headquartered in the United States. If you are accessing our services from outside the US, your information may be transferred to, stored, and processed in the US. We rely on Standard Contractual Clauses (SCCs) for transfers of personal data from the EEA/UK to the US. A copy of our SCCs is available upon request at root@semilayer.dev.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and update the “Last updated” date at the top of this page. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For questions, requests, or concerns about this Privacy Policy or your personal data:
- Email: root@semilayer.dev
- Mailing address: Available on request — email root@semilayer.dev and we’ll respond within 5 business days.
For EU/UK data subjects who wish to escalate a complaint, you have the right to lodge a complaint with your local supervisory authority.