Anomaly AI LogoAnomaly AI

Privacy Policy

Last updated: 10 March, 2026

Mindlake Ltd (Company No. 14894347), trading as Anomaly AI, is registered in England and Wales with its office at Regus Office 206, Fountain Court, Victoria Square, St. Albans AL1 3TF. We are registered with the UK Information Commissioner’s Office (ICO) under reference ZC104879.

Anomaly AI provides a platform that allows users to upload spreadsheets (Excel/CSV) or connect to data warehouses (e.g., Google BigQuery, Snowflake, PostgreSQL) and generate interactive dashboards backed by verifiable SQL queries. By using our Services, you agree to the practices outlined here.

Data Controller

Mindlake Ltd is the data controller for the personal data processed through our Services under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For any data protection queries, contact [email protected].

Lawful Basis for Processing

We process your personal data on the following legal bases under UK GDPR Article 6:

Contract (Art. 6(1)(b))

To provide our Services, process your data, and manage your account.

Consent (Art. 6(1)(a))

For non-essential cookies, analytics, and marketing. Withdraw any time.

Legitimate Interests (Art. 6(1)(f))

For security monitoring, fraud prevention, and improving our Services.

Legal Obligation (Art. 6(1)(c))

To comply with applicable laws and regulations.

Information We Collect

Information You Provide Directly

  • Account Information — name, email address, and authentication credentials via Google OAuth.
  • Uploaded Files — spreadsheets (Excel, CSV) ingested for analysis, including all rows and columns.
  • Database Connections — OAuth tokens or connection credentials stored securely to access your data warehouse.
  • Support Requests — information provided through demos, support channels, or feedback forms.

Information Collected Automatically

  • Usage Data — IP address, browser type, operating system, pages visited, error logs, and session activity.
  • Cookies — essential cookies for authentication and functionality; non-essential cookies for analytics (with your consent). See our Cookie Policy.
  • First-Party Analytics — our own analytics system captures page views, clicks, and navigation patterns. This data is stored on our infrastructure and never shared with third parties.

Information From Third Parties

  • Warehouse Integrations — with your authorisation, we pull schemas, metadata, and rows from BigQuery, Snowflake, or PostgreSQL.
  • Service Providers — diagnostic or analytics data from cloud hosting, monitoring, or billing partners.

How We Use Your Information

Service Delivery

  • Convert uploaded files into structured formats (Parquet/SQL) to enable dashboards.
  • Fetch rows from user-selected datasets using read-only scopes.
  • Execute queries locally against DuckDB or your connected warehouse.
  • Visualise results in interactive charts with full SQL traceability.

Limited Use of AI/LLMs

We do not share your full datasets with external large language models. To generate SQL queries, we may provide table schemas and small row samples (typically 3–5 rows). No complete datasets or sensitive business data are transmitted. None of our LLM vendors (OpenAI, Google, Anthropic, Fireworks AI) train on data sent through their enterprise APIs.

Communication & Compliance

We may contact you about service updates, onboarding, or billing. Marketing communications are optional. We may also process data to comply with laws, detect misuse, and enforce our Terms of Service.

How We Share Your Information

  • Cloud Hosting — data stored in Microsoft Azure (Blob Storage, PostgreSQL) within our secure environment.
  • Service Providers — hosting, error monitoring, billing (Stripe), and customer support (Crisp), under data processing agreements.
  • Legal Obligations — if required by valid legal request, court order, or government authority.
  • Business Transactions — in the case of a merger, acquisition, or transfer of assets.

We do not sell or share your personal data or uploaded datasets with advertisers.

Cookies and Tracking Technologies

We use cookies and similar technologies on our websites. Essential cookies are required for basic functionality (authentication, security). Non-essential cookies (analytics, marketing) are only placed after you give consent via our cookie banner.

For a complete list of cookies, their purposes, and how to manage your preferences, see our Cookie Policy.

Data Security

Encryption

TLS 1.2+ in transit via Cloudflare Enterprise. AES-256 at rest for all files, tokens, and metadata.

Access Controls

Adaptive multi-factor authentication (MFA). OAuth tokens stored securely with strict internal access limits.

Data Isolation

Each customer’s data is isolated in separate Azure storage containers.

Monitoring

Continuous runtime security monitoring with Falco and Microsoft Defender for Cloud.

For a full overview of our security controls, infrastructure, and practices, see our Security page.

Your Rights Under UK GDPR

You have the following rights regarding your personal data. To exercise any of these, contact [email protected]. We will respond within one month.

Right of Access (Art. 15)

Request a copy of the personal data we hold about you.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing (Art. 18)

Limit how we use your data in certain circumstances.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing.

Right to Withdraw Consent

Withdraw consent at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

International Data Transfers

Our primary infrastructure is hosted in Microsoft Azure. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO and adequacy decisions where applicable.

Data Retention

Data TypeRetention Period
Uploaded files & warehouse dataWhile actively used — you may delete any time
Account metadataWhile account is active, or as required by law
LLM row samplesTransient — not stored persistently
Analytics dataAggregated up to 24 months; sessions up to 12 months

Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Privacy Policy

We may update this Policy periodically. Changes will be posted with a revised “Last Updated” date. Significant changes will be communicated via email or in-app notice.

Contact Us

For questions, concerns, or data protection requests:

Mindlake Ltd (trading as Anomaly AI)

Regus Office 206, Fountain Court, Victoria Square, St. Albans AL1 3TF

Email: [email protected]

ICO Registration: ZC104879