Privacy Policy

Last Updated on February 28, 2025

To see update history, click here.

PingCAP (US), Inc. and its affiliates (hereinafter referred to as “PingCAP”, “we”, “our” or “us”) understand that privacy is important to visitors to our websites (our “Sites”) and users of our products and services (including without limitation TiDB and TiDB Cloud; hereinafter referred as our “Products”). Unless otherwise agreed between our customers and us, this Privacy Policy explains how we collect, use, and share your personal information as we provide our Products and Services to our customers. For visitors to our web site, please refer to our Cookie Policy.

Click on the links below to jump to each section:

1. PERSONAL INFORMATION WE COLLECT
2. INTERNATIONAL DATA TRANSFER
3. YOUR RIGHTS
   1. HOW TO CONTROL COLLECTION OF TIDB TELEMETRY DATA
   2. EUROPEAN DATA PROTECTION RIGHTS
   3. CALIFORNIA PRIVACY RIGHTS
4. CHANGES TO OUR PRIVACY POLICY
5. HOW TO CONTACT US

PERSONAL INFORMATION WE COLLECT

Unless otherwise agreed between parties, we collect, use, and store personal information that you directly provide us (1) when using our Cloud Services, as per our Data Processing Agreement, and (2) when using our TiBD Enterprise (self-hosed), as per our Schedule A.

Additionally, when you use TiDB Products, we may also collect certain TiDB telemetry data and other data about your usage, including your pseudonymized IP address and other unique identifiers in combination with information about the version of our software you are running and how it is configured, to collect and aggregate certain diagnostic and analytics information, provided that you turn this feature on for versions of TiDB released after February 20, 2023 (for clarity, the default setting is off). We may combine this information with information you provide when you download our TiDB Products or provide to customer support, including the name of your organization or company.

We employ technical and organizational measures to prevent the reconstitution of IP addresses or reversal of pseudonymization that would allow attribution of the data to a specific individual, including segregating or not collecting any additional information that may be used for attribution. We store the pseudonymized data for 2 years.

The resulting pseudonymized data is used by us on behalf of our customers to (i) maintain and improve TiDB Products, and (ii) inform users whether they are running the latest version of TiDB Products.

For clarity, we collect the following TiDB telemetry data:

• TiDB Products cluster related hardware information
• TiDB Products cluster topology information
• TiDB Products cluster software version information
• TiDB Products cluster configuration information (only the config items, config values are excluded)
• TiDB Products cluster components information
• TiDB Products cluster maintenance operation consumed time
• TiDB Products cluster usage and runtime metrics

PingCAP Clinic. When you use PingCAP Clinic, PingCAP Clinic may generate clinic data as below and store such clinic data in your device.

• TiDB Products cluster related operation system and hardware information
• TiDB Products cluster topology information (including node IP and type)
• TiDB Products cluster software version information (including UUID and version)
• TiDB Products cluster configuration information (both config items and values)
• TiDB Products cluster logs (including logs, error logs and slow query logs)
• TiDB Products cluster monitoring metrics and alerts information
• TiDB Products cluster database system variables

Once you agree to upload the clinic data to PingCAP, you acknowledge and agree that PingCAP and its employee(s) and vendor(s) may transmit, store, copy and process the clinic data uploaded by you for the purpose of diagnosis and improvement of TiDB.

TiDB Cloud operational data (for TiDB Cloud only). When you use TiDB Cloud, we may automatically collect and store non-anonymized information and data about your operation of TiDB Cloud, including logs, metrics, and the service tickets submitted to TiDB Cloud. Although the operational data usually does not involve personal information, it may be linked to your account and include the following information, data and metadata:

• Technical information obtained from APIs, software or system hosting TiDB Cloud and your computer or device, and log files generated during your operation of TiDB Cloud;
• Data and metadata about you, such as your account, email, IP address, computer or other device, browser, and software; and
• Data and metadata about your activities and behavior within TiDB Cloud.

Inferences. We infer new information about you and your company from data we collect, including using automated means to generate information about your likely preferences, your service and product needs or other characteristics. For example, we infer your city, state, and country location based on your IP address.

We may share aggregated or deidentified data with third parties (subject to applicable laws).

INTERNATIONAL DATA TRANSFER

PingCAP complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. PingCAP has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PingCAP has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

PingCAP is responsible for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. PingCAP complies with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over PingCAP’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, PingCAP may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, PingCAP commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

When we transfer personal information from the European Economic Area (including the United Kingdom) and Switzerland to other countries that have not been determined by the European Commission to have laws that provide an adequate level of data protection, we use legal mechanisms, including contracts, designed to help ensure your rights and protections. Specifically, our website servers are located in the United States and our affiliates, partners, third parties and service providers operate in the United States, European Economic Area, Canada, China, and Australia. This means when we collect your personal information, we may process it in any of these countries. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy. The safeguard PingCAP primarily relies upon is the European Commission-approved standard contractual data protection clauses. For more information about these mechanisms, please contact us using the contact details provided in the “How to contact us” section below.

YOUR RIGHTS

As a general principle, if you wish to request access, correction, or deletion of any of your personal information held by us or a change in the way we use your information (for which we reserve the right to charge you a fee, as permitted by applicable law), please submit your request here or by email to legal@pingcap.com. However, we may decline requests that are unreasonable, prohibited by law, or are not required to be honored by applicable law.

How to Control Collection of TiDB Telemetry Data

If you prefer that we do not collect certain TiDB telemetry data, including IP address, through TiDB tools – TiUP, you can manage the collection of this data as follows:

• By using tiup telemetry disable to turn off and disable collecting telemetry data.
• By using tiup telemetry enable to turn on and enable collecting telemetry data.
• By using tiup telemetry reset to reset the collecting function and generate a new unique tracing identifier.
• By using tiup telemetry status to verify the status (on/off) of the collecting function.

EUROPEAN DATA PROTECTION RIGHTS

If the processing of personal data about you is subject to European Union data protection law, you have certain rights with respect to that data:

• You may request access to, and correction or erasure of, personal information. We are not obliged to delete your data if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
• You have the right to restrict our processing where you believe your personal data is inaccurate, our processing is unlawful, or that we no longer need to process such data for a particular purpose (unless we are unable to delete the data due to a legal or other obligation or because you do not wish for us to delete it).
• Where the legal justification for our processing of personal data is our legitimate interest, you have the right to object to processing on grounds relating to your particular situation. If we are processing your personal data on the basis of your consent or to perform a contract with you, you have the right to data portability.
• If the processing of personal information is based on your consent, you have a right to withdraw consent at any time for future processing, without affecting the lawfulness of processing based on consent before its withdrawal. This includes cases where you wish to opt out of marketing messages sent by us.

To make a request to exercise these rights, contact us by email at the address below. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns. Contact details for data protection authorities in the EEA are available here, United Kingdom here and Switzerland here.

CALIFORNIA PRIVACY RIGHTS

The California Consumer Privacy Act (“CCPA”) requires businesses that collect personal information of California residents to make certain additional disclosures. This section applies solely to you if you reside in the State of California.

The categories of personal information we have collected within the last twelve (12) months and the third parties with whom we have shared that personal information for a business purpose are as follows:

Categories of Personal Information	Examples	Third Parties
Identifiers.	Name, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.	Corporate affiliates, vendors, service providers and third-party business partners (as identified above)
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	Name, address, telephone number, or financial information.	Corporate affiliates, vendors, and service providers and third-party business partners (as identified above)
Protected classification characteristics under California or federal law.	Age, race, or sex (including gender).	Corporate affiliates, vendors and service providers
Commercial information.	Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Corporate affiliates, vendors, service providers and third-party business partners (as identified above)
Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	Corporate affiliates, vendors and service providers
Geolocation data.	Physical location or movements.	Corporate affiliates, vendors and service providers
Professional or employment-related information.	Current or past job history.	Corporate affiliates, vendors, service providers and third-party business partners (as identified above)
Non-public education information	Degrees and certifications.	Corporate affiliates, vendors and service providers
Inferences drawn from other personal information.	Profile reflecting a person’s preferences or characteristics.	N/A

Right to know. You may request a copy of the personal information we have collected, used, disclosed, and sold about you over the past twelve (12) months. Once we have received your request and confirmed your identity, we will disclose to you:

• The categories of personal information we collected about you,
• The purposes for collection,
• The categories of sources for the personal information we collected about you,
• The categories of third parties with whom we share that personal information,
• If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  • sales, identifying the personal information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained, and
• The specific pieces of personal information we collected about you.

Right to delete. You may also request that we delete certain personal information we have collected and retained, subject to certain exceptions (for example, where the information is used by us to detect security incidents, debugging or to comply with a legal obligation). Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies.

You may “request to know” or “request to delete” your personal information up to two times in any twelve (12)-month period by filling out the Privacy Web Form or contacting us at legal@pingcap.com. Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. Please know that any such request is subject to our ability to verify your identity and any exceptions provided under applicable laws.

Right to opt out. As discussed in this Privacy Policy, our advertising and analytics providers may collect your IP address, cookie ID, and mobile ID when you use our websites, and such vendors may further share your information to provide similar advertising or analytics services to their other customers. However, PingCAP does not sell personal information as the terms “sale” or “sell” are defined under the CCPA.

We will not discriminate against you for exercising any of your rights under the CCPA.

CHANGES TO OUR PRIVACY POLICY

PingCAP may modify or update this Privacy Policy from time to time to reflect the changes in our business and practices, and so you should review this page periodically. If we make any changes to this Privacy Policy, we will notify you by changing the “Last Updated” date above. If we make any material changes, we will provide you with additional notice or obtain consent as may be required by applicable law.

HOW TO CONTACT US

If you have any questions, complaints, or concerns about how your information is handled, please email us at legal@pingcap.com. Our main address is PingCAP (US), Inc., 440 N Wolfe Rd, Sunnyvale, CA 94085, USA.

If you are located in the EEA or the United Kingdom and have questions about your personal data or would like to request to access, update or delete it, you may contact our representative at:

• Bird & Bird GDPR Representative Services SRL
  Avenue Louise 235, 1050 Bruxelles, Belgium
  Email: EUrepresentative.PingCAP@twobirds.com
• Bird & Bird GDPR Representative Services UK
  12, New fetter Lane, London, EC4A 1JP, United Kingdom
  Email: UKrepresentative.PingCAP@twobirds.com

We will make best efforts to:

• provide an initial response to your query or complaint within 15 Business Days, and
• investigate and attempt to resolve your query or complaint within 45 Business Days.