Data handling
This page describes what TuneStack sees, stores, and sends — for the free /explain tool today and for the continuous-monitoring collector shipping in Phase 2. Short version: the customer's database data never leaves the customer's network. Only normalized plan + query-shape telemetry crosses the boundary.
Free /explain tool (available now)
- We receive only the text you paste into the EXPLAIN box, plus (optionally) the query SQL you choose to include. Nothing else is inspected or uploaded.
- The pasted text is sent to Anthropic's Claude API for analysis. Anthropic's commercial terms prohibit training on API inputs.
- The resulting analysis is saved to Cloudflare R2 under a random UUID key so it can be shared via /s/<uuid>. Retention is 180 days, then auto-deleted by bucket lifecycle.
- We store only a SHA-256 hash of your IP (with a rotating pepper) for rate limiting and idempotency — not the raw IP. Optional email addresses submitted via the post-result form are stored in our waitlist table with the source tag explain_share.
Phase 2 continuous-monitoring collector
The collector is a small Go binary you run inside your own network. It reads from your database with a read-only role and ships normalized telemetry to our SaaS for AI analysis.
What the collector sends
- Normalized query shapes (literals stripped; bind-parameter placeholders preserved).
- Query plans from auto_explain and pg_stat_statements — structure + timing + buffer counts. Literal filter values are scrubbed before egress.
- Schema metadata: table/column/index names, types, approximate row counts, sizes. No rows.
- PostgreSQL-level metrics: locks, long-running queries, buffer stats, WAL activity.
What the collector does NOT send
- Row data — at all, ever. Not as samples, not as counts.
- Query literals. A WHERE email = '[email protected]' is normalized to WHERE email = $1 before anything leaves the collector.
- Log lines outside of the auto_explain plan blocks.
- Authentication credentials, secrets, or anything from pg_hba.conf.
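To make the literal-stripping guarantee concrete, here is an added sketch of a scrubber in Go; it is not TuneStack's collector code. The name ScrubLiterals, the numbering of new placeholders after the highest existing bind parameter, and the fail-closed rule (anything it cannot parse, such as dollar-quoted strings, backslash escapes or comments, collapses the rest of the statement into one placeholder) are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// token matches every span that is either structure to keep or data to scrub.
// Alternatives are tried in order, so the catch-all at the end only fires when
// the well-formed patterns before it fail at that position.
var token = regexp.MustCompile(`(?i:[ebxn])?'(?:[^'\\]|'')*'` + // string literal
	`|"[^"]*"|\$\d+|[A-Za-z_][\w$]*` + // quoted identifier, bind parameter, word
	`|\d[\w.]*` + // numeric literal
	`|(?:['"$\\]|--|/\*)(?s:.*)`) // unparsed quote, $-quote or comment: take the rest

// keep matches the tokens that are query structure and may cross the boundary.
var keep = regexp.MustCompile(`^(?:"[^"]*"|\$\d+|[A-Za-z_][\w$]*)$`)

// ScrubLiterals (hypothetical name) replaces every literal with a $n
// placeholder, numbering from one past the highest bind parameter present.
func ScrubLiterals(sql string) string {
	next := 1
	for _, t := range token.FindAllString(sql, -1) {
		if n, err := strconv.Atoi(t[1:]); err == nil && t[0] == '$' && n >= next {
			next = n + 1
		}
	}
	return token.ReplaceAllStringFunc(sql, func(t string) string {
		if keep.MatchString(t) {
			return t
		}
		next++
		return "$" + strconv.Itoa(next-1)
	})
}

func main() {
	// Constructed sample queries, not taken from any real workload.
	fmt.Println(ScrubLiterals(`SELECT * FROM users WHERE email = 'a@example.com'`))
	fmt.Println(ScrubLiterals(`UPDATE t SET note = 'it''s', n = 42 WHERE id = $1`))
	fmt.Println(ScrubLiterals(`SELECT col2 FROM "T1" WHERE id = 7 -- pw: hunter2`))
}
```

Failing closed costs some query shape (a trailing comment becomes one extra placeholder), which is the safer trade when the alternative is copying unparsed text out of the network.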
Where the data lives
- App DB (US): Postgres on Fly.io, region iad. Stores agent-run metadata, normalized telemetry, organization data.
- Share storage (US): Cloudflare R2, auto region. Stores JSON blobs of completed analyses.
- EU region: available on request for Phase 2 — pins app DB and R2 to EU-only for GDPR-sensitive customers.
- LLM: Anthropic, US endpoints. Tokens in/out logged to our telemetry for cost tracking; prompts are not retained.
Access control
- Phase 2 customers provide a read-only PostgreSQL role to the collector. We publish the exact GRANTs required; fewer privileges is better.
- Inside TuneStack, customer data is scoped to their organization id. No employee has ad-hoc access to customer plan data; audited break-glass access for incident response only.
Compliance
- SOC 2 Type 1: in progress, target Q4 2026.
- GDPR: EU region option (see above); data-processing agreement available on request for Phase 2 customers.
- HIPAA: not in scope for Phase 1 or Phase 2. If your workload involves PHI, use the self-hosted option (Phase 3; contact sales).
Reporting issues
Security disclosures: [email protected]. We respond within 2 business days and credit reporters in our release notes unless you prefer anonymity.