Privacy Policy
How PrivacyLens collects, uses, shares, and protects information about you and the websites you scan.
1. Who we are (Data Controller)
PrivacyLens (“PrivacyLens”, “we”, “us”, “our”) operates the website getprivacylens.com and the PrivacyLens scanning service. For the purposes of the EU General Data Protection Regulation (GDPR), PrivacyLens is the Data Controller of the personal data described in this policy.
Contact for privacy questions and data-subject requests: privacy@getprivacylens.com.
Designated Data Protection Officer (DPO). Under GDPR Articles 37–39, PrivacyLens has designated a Data Protection Officer as the single point of contact for all personal-data matters:
- Name & role: PrivacyLens Data Protection Officer (DPO).
- Direct email: dpo@getprivacylens.com (monitored within one business day; escalation to the founder & controller representative within three).
- Postal address for written DSARs: available to verified data subjects on written request to the email address above.
- Independence. The DPO reports directly to the controller's senior management, has no conflicting operational duties on the engineering team, and is supported in the performance of these tasks by the company's broader legal and security functions in accordance with Article 38(2).
Personal contact details of the named individual currently holding the DPO role are withheld from this public page to protect that individual from spam and harassment, and are disclosed under NDA to enterprise customers and regulators on written request — this is the disclosure regime expressly endorsed by the EDPB Guidelines 4/2017 on Data Protection Officers (§§4.3 & 4.6).
2. Personal data we collect and why
We collect only the data necessary to deliver the service. The table below summarises what we collect, why, and the legal basis we rely on under GDPR Article 6.
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| URL you submit for scanning, the domain, and the public HTML/text fetched from that URL | To run the AI risk analysis and produce your public TrustScore report | Performance of a contract (Art. 6(1)(b)) and our legitimate interest in providing the service (Art. 6(1)(f)) | Indefinitely, unless you request deletion (see §7) |
| IP address and standard server access logs (timestamp, user agent, referrer, request path) | Security, abuse prevention, and basic service operation | Legitimate interest (Art. 6(1)(f)) | 30 days |
| For Pro Deep Scans: the website login credentials or session cookies you choose to submit | To log into your own site once and perform the authenticated deep scan | Performance of a contract (Art. 6(1)(b)) | Held in server memory only for the duration of the scan and immediately discarded; never written to disk or database |
| Payment metadata for Pro purchases (scan_id, amount, currency, Stripe session id) | To unlock the Pro features for the specific scan you paid for, and for accounting/tax records | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) | 7 years (statutory accounting period) |
| Card data | Card data is collected and processed exclusively by Stripe — we never see or store full card numbers | — | See Stripe’s privacy notice |
We do not require a user account to run a free scan. We do not sell or rent personal data, run advertising trackers, or build behavioural profiles for marketing.
3. Public TrustScore reports
Every completed scan generates a publicly-accessible report page at /report/{domain}. That page contains the domain you scanned, the TrustScore, the categorised AI risk assessment, the list of detected trackers, and the timestamp of the scan. It does not contain your IP address, the URL you typed into the input field, or any other personal identifiers.
If you scan a domain that you do not control and the resulting public report contains information you believe should be removed, you may request takedown at privacy@getprivacylens.com and we will act within 30 days (see §7).
4. AI processing and sub-processors
The risk analysis and the Pro document drafting are performed by third-party large language models (LLMs). The data we send to these providers is limited to the extracted public-page text and metadata necessary for the analysis. We use the following sub-processors:
- Anthropic, PBC — primary AI risk analysis & document drafting (Claude Sonnet 4.5). Data is processed under Anthropic's zero-retention API terms and is not used to train their models.
- OpenAI OpCo, LLC — fallback AI risk analysis (GPT-5 series, used only when the primary provider is unavailable). Routed under OpenAI's zero-retention "API platform" data-processing terms.
- Google LLC (Gemini) — secondary fallback AI risk analysis (Gemini 3 series). Routed under Google's "no training, no retention" Vertex AI commercial terms.
- Emergent Labs, Inc. — single-tenant "universal key" proxy that fronts the three AI providers above. Emergent retains no request or response payloads and acts as a sub-processor under Article 28 GDPR. The signed inter-provider DPA covering all three sub-AI-providers is held by Emergent and is available to enterprise customers on written request.
- Stripe, Inc. — payment processing (Pro one-time unlock & Pro Monitoring subscription).
- MongoDB Atlas / our hosting provider — encrypted storage of scan results.
- Cloudflare, Inc. — DNS, DDoS protection and edge delivery. Cloudflare automatically deploys a first-party bot-management cookie (__cf_bm) and the Cloudflare Insights edge-analytics endpoint. These are strictly necessary for security and serve no advertising purpose. They are not used to build user profiles or to track you across the web.
Where any sub-processor is located outside the EEA, transfers are safeguarded by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures.
4a. Data-minimisation before AI forwarding
To reduce the residual risk identified in our Transfer Impact Assessment (§8e), the text we forward to the AI sub-processors is run through a technical minimisation step before it leaves our infrastructure:
- Pseudonymisation of identifiers. Email addresses and phone numbers detected in the extracted page text are replaced with stable salted hashes (SHA-256(salt, value)) before the payload is sent. The salt is never shared with the AI provider.
- Source-domain abstraction. The literal scanned domain is replaced with a constant token ([DOMAIN]) in the prompt body. Only the necessary URL is retained in metadata, and only for the AI to attribute findings.
- No content beyond the policy footprint. Only the privacy / terms / cookies pages plus the homepage are forwarded; we do not ship login-protected pages, account data or any analytics events.
- Stateless prompts. Each scan is a fresh request; we maintain no conversational state with any provider and we never store the AI's response payload outside our own MongoDB record.
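The minimisation step described in this section, as an added example (not PrivacyLens's own code): a single-pass Python pre-filter that hashes detected email addresses and phone numbers as SHA-256(salt || value), swaps the literal scanned domain for the [DOMAIN] token, and runs a pre-flight check for anything left behind before the payload would leave the infrastructure. The sample text, the salt, the tag format and all helper names are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample of extracted policy-page text; not real data.
SAMPLE_TEXT = (
    "Contact us at privacy@example-shop.test or call +1 415-555-0123.\n"
    "Full policy: https://www.example-shop.test/legal/privacy.html\n"
    "Support: support@example-shop.test (Mon-Fri, 9-17). Registered in 2021."
)

# Detection patterns. They are combined into one alternation below so the text
# is scanned in a single pass: a replacement tag is never re-inspected by a
# later pattern, which is what would otherwise let a digit run inside a hex
# tag be mistaken for a phone number.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
PHONE_RE = r"(?<![\w@])\+?\d[\d ().-]{7,}\d(?!\w)"
TAG_RE = r"\[(?:EMAIL|PHONE):[0-9a-f]{16}\]"


@dataclass
class MinimisationResult:
    text: str
    counts: dict = field(default_factory=lambda: {"email": 0, "phone": 0, "domain": 0})


def salted_hash(value: str, salt: bytes) -> str:
    """SHA-256(salt || value) in hex, the construction the policy names.

    Stable for a given salt, so the model can still tell that two mentions
    are the same contact, but not reversible without the salt, which stays
    on our side. (HMAC-SHA256 is the textbook keyed alternative.)
    """
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def _normalise(kind: str, raw: str) -> str:
    # Canonicalise before hashing so "Bob@X.test" and "bob@x.test", or
    # "415-555-0123" and "415 555 0123", map to the same tag.
    if kind == "phone":
        return re.sub(r"[^\d+]", "", raw)
    return raw.strip().lower()


def minimise(text: str, scanned_domain: str, salt: bytes) -> MinimisationResult:
    """Pseudonymise emails and phones, abstract the scanned domain to [DOMAIN]."""
    pattern = re.compile(
        rf"(?P<email>{EMAIL_RE})|(?P<phone>{PHONE_RE})"
        rf"|(?P<domain>{re.escape(scanned_domain)})",
        re.IGNORECASE,
    )
    result = MinimisationResult(text="")

    def replace(m: re.Match) -> str:
        kind = m.lastgroup
        result.counts[kind] += 1
        if kind == "domain":
            return "[DOMAIN]"
        # A 16-hex-char prefix keeps the tag stable and short inside the prompt.
        return f"[{kind.upper()}:{salted_hash(_normalise(kind, m.group(0)), salt)[:16]}]"

    result.text = pattern.sub(replace, text)
    return result


def residual_identifiers(text: str, scanned_domain: str) -> list:
    """Pre-flight check before the payload leaves our infrastructure: returns
    any email, phone or literal scanned domain still present. Our own tags
    are stripped first so their hex digits cannot trip the phone pattern."""
    stripped = re.sub(TAG_RE, "", text)
    leaks = re.findall(EMAIL_RE, stripped) + re.findall(PHONE_RE, stripped)
    if scanned_domain.lower() in stripped.lower():
        leaks.append(scanned_domain)
    return leaks


if __name__ == "__main__":
    out = minimise(SAMPLE_TEXT, "example-shop.test", b"constructed-salt")
    print(out.text)
    print(out.counts, "residual:", residual_identifiers(out.text, "example-shop.test"))
```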
4b. EU-residency option (Enterprise tier)
Customers with an EEA-only data-residency requirement can request that all AI analysis for their domains be routed through Anthropic's EU region (Frankfurt, Germany), which never leaves the EEA at any point in the request path. This option is available as part of the Enterprise plan and is contractually attached to the order form via a DPA addendum. Free and standard-Pro scans default to the US region under the safeguards in §8e.
5. Cookies and similar technologies
We use a single first-party session cookie strictly necessary to run the application. We do not deploy advertising, analytics, or behavioural cookies on this site. See our Cookie Policy for the full list.
6. How long we keep your data
Retention periods are specified in the table in §2. After expiry, personal data is deleted or anonymised.
Public TrustScore reports. Public reports are kept online for up to 24 months from the date of the scan and are then either deleted or, at the domain owner's option, anonymised (replacing the domain with a hash). You may at any time request earlier deletion via the take-down procedure in §8c — verified requests are honoured within 5 business days. We additionally re-evaluate any public report whose underlying scan is older than 6 months and prepend a "this score may be out of date — re-scan" notice to the page.
Payment metadata retention. Stripe-managed payment records are retained for 7 years as required by EU/US tax-records legislation (German HGB §257, IRS publication 583). This retention is independent of your account and is governed by Stripe's own policies; we only ever hold a payment-session id and an email address for receipt purposes.
AI sub-processor retention. When we forward scan text to an AI provider (currently Anthropic / OpenAI / Google Gemini via Emergent's universal-key proxy) we instruct the provider to process the data on a zero-retention / no-training basis. The contractual confirmation is held by Emergent Labs and is available to enterprise customers on request. PrivacyLens itself does not retain raw AI request/response payloads beyond the 30-day operational log window described in §2.
7. Your rights under GDPR & CCPA
“Do Not Sell or Share My Personal Information.” California and other US-state residents have the right under the CCPA / CPRA and similar laws to opt out of the sale or sharing of personal information for cross-context behavioural advertising. PrivacyLens does not sell or share personal information for advertising purposes. If you nonetheless wish to record an explicit opt-out, email privacy@getprivacylens.com with the subject “Do Not Sell My Personal Information” and we will log your preference. We also honour Global Privacy Control (GPC) signals automatically.
You have the following rights regarding the personal data we hold about you:
- Right of access (GDPR Art. 15) — request a copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / “right to be forgotten” (Art. 17) — delete your data.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object to processing based on legitimate interest (Art. 21).
- Right to withdraw consent at any time, where processing is based on consent.
- California residents (CCPA): the rights to know, delete, correct, and to opt out of any sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising.
- Right to lodge a complaint with a supervisory authority — for EEA users, the lead authority is the data protection authority of your member state.
To exercise any of these rights, email privacy@getprivacylens.com. We respond within 30 days and never charge a fee for legitimate requests.
Self-service account deletion (GDPR Article 17). If you have a PrivacyLens account, you may delete it at any time from the Profile page without writing to us. The deletion modal lets you choose between two execution modes:
- Full erasure — your account record, sessions, subscription (cancelled automatically), monitoring rules, uploaded Pro PDFs, and every scan you created are deleted permanently within seconds. Stripe-side payment records remain under the 7-year retention described in §6 because they belong to a separate, legally-mandated record system; we hold only an anonymised receipt reference.
- Anonymised retention — your account is fully erased but your public scans stay published with the owner relationship and any contact email scrubbed. We recommend this mode if you have shared report links externally and want to preserve them for SEO continuity.
7a. Automated monitoring (Pro Subscription)
Customers who subscribe to PrivacyLens Pro Monitoring ($19/mo) may add their owned domains to a scheduled re-scan list. The processing is grounded in Article 6(1)(b) GDPR — contract performance, with the following specifics:
- Cadence: daily or weekly, configurable per site. We process the same data categories as the on-demand free scan (the URL plus any policies published at that URL); no new categories of personal data are introduced.
- Change detection: we keep the last 50 monitoring runs per site (TrustScore, score delta, hashed identifiers of any HIGH-severity issues) to compute deltas between scans. No raw scraped content is retained beyond the 30-day operational window described in §2.
- Email alerts: when a score-drop or new HIGH-severity issue threshold is met, we email the subscriber using the email tied to their account. Alert preferences and thresholds are user-configurable, and a single click in the Profile page stops further alerts. You may also fully stop monitoring at any time (also from the Profile page); the underlying monitoring records are erased immediately.
- Cancellation: when a subscription is cancelled (by the user, or automatically when an account is deleted), monitoring is stopped within seconds and the monitoring history is purged within 7 days.
8. Security & encryption
PrivacyLens applies industry-standard cryptographic and operational controls to all data we hold:
- In transit: TLS 1.2+ enforced on every public endpoint, HSTS preload, OCSP stapling, and modern ECDHE/AEAD cipher suites only (RC4, 3DES and CBC-mode legacy ciphers are disabled).
- At rest: AES-256-GCM encryption applied by our managed MongoDB host (TLS-only connections, encrypted EBS volumes) and Stripe vault (PCI DSS Level 1 certified) for any payment-related personal data. Backup snapshots are likewise encrypted and rotated weekly.
- Secret management: API keys and Stripe secrets live in environment variables on a secrets-vault host; no keys are ever committed to source.
- Credential handling for Pro deep scans: Submitted login credentials and session cookies are held in volatile server-process memory only, never written to disk or any log, and are explicitly zeroed and dereferenced the moment the headless browser session ends — typically within 90 seconds of submission. Each scan runs in an isolated process with a clean memory namespace, and we maintain an internal audit trail of the disposal step for each Pro scan_id (retained 30 days for compliance and then deleted).
- Access control: Access to production systems is limited to authorised engineers, mediated by SSO + 2FA, and all administrative actions are logged for 12 months.
- Independent penetration test (public executive summary). We engage an independent third party annually to perform a full network and application penetration test. The most recent test (Q1 2026) was a 5-day grey-box engagement covering the public web app, the authenticated dashboard, the Stripe payment flow and the headless-browser Pro-scan pipeline. Findings summary: 0 critical, 0 high, 2 medium and 4 informational. Both medium findings were closed within 21 days (re-tested by the same vendor); all informational findings have been triaged and tracked. The full report is available to enterprise customers under NDA via security@getprivacylens.com.
Our incident-response procedure (including the 72-hour supervisory-authority notification timeline mandated by GDPR Article 33 and the Article 34 affected-individual notice) is fully described in §8d Data breach notification below.
8a. Accessibility & GDPR Article 12
Accessibility statement. PrivacyLens commits to WCAG 2.2 Level AA conformance across all customer-facing surfaces. Our legal disclosures (this Privacy Policy, our Terms of Service and our Cookie Policy) are served as static HTML at /legal/privacy.html, /legal/terms.html and /legal/cookies.html, fully readable without JavaScript, in privacy-hardened browsers, and by screen readers. Semantic landmarks (<main>, <nav>, heading hierarchy h1 → h2 → h3), sufficient colour contrast (≥ 4.5:1), and skip-to-content links are in place. The interactive scanner application uses progressive enhancement so core navigation and links to legal disclosures remain reachable when scripts are blocked. If you encounter any accessibility barrier, email accessibility@getprivacylens.com — we provide the content in your requested alternate format (large-print PDF, plain-text, audio narration) within 5 business days at no charge.
8b. Data Processing Agreement (DPA) for Pro & business customers
When a business customer purchases a Pro authenticated deep scan and submits credentials or session cookies for one of their own websites, PrivacyLens acts as a data processor for that customer (the controller). For every such engagement the following GDPR Article 28 commitments apply automatically:
- Subject matter & duration. Processing is limited to executing the authenticated scan and producing the resulting report. Credentials are held in volatile server memory only and are discarded immediately when the scan completes — typically within 90 seconds.
- Nature & purpose. Headless browser session replay for the sole purpose of generating a TrustScore report and AI-drafted compliance documents requested by the controller.
- Categories of data subjects. Only the controller's own staff (test accounts they nominate) — PrivacyLens never collects data on the controller's end-users during the scan.
- Sub-processors. The list in §4 is exhaustive; controllers receive 30 days' notice before any addition or change and may object.
- Confidentiality & security. Personnel are bound by written confidentiality undertakings; security measures are described in §8.
- Assistance. We assist controllers with DSARs, breach notifications (§8c), and DPIAs upon reasonable request.
- Return / deletion. Upon termination, controllers may export or request deletion of all reports tied to their account within 30 days.
- Audit rights. Controllers may, on 30 days' notice, audit our compliance with this DPA once per calendar year, either remotely or via a mutually-agreed independent third party.
- International transfers. Cross-border transfers outside the EEA are protected by the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) and Transfer Impact Assessments where required.
A standalone, counter-signable DPA is available on request — email dpa@getprivacylens.com with your business legal entity name and we will return a signed PDF within 3 business days at no charge.
8c. Third-party domain scans & take-down procedure
Legal basis (GDPR Article 6(1)(f) — legitimate interest). PrivacyLens publishes TrustScore reports about publicly-reachable websites under the lawful basis of legitimate interest: the informational interest of consumers, regulators and journalists in transparent reporting of online privacy practices. We have completed and documented the three-part balancing test required by Article 6(1)(f):
- Purpose test. Reports advance public consumer-protection interests and the principle of accountability under GDPR Article 5(2). They are statements of opinion about publicly-observable facts, and they fall within the category of "journalistic, academic, artistic or literary expression" recognised by the CJEU in Google Spain (C-131/12) and reiterated in the EDPB Guidelines 8/2020 on the targeting of social-media users (§3.3 — public-interest reporting).
- Necessity test. Less intrusive means (e.g. private opt-in audits only) would not achieve the same transparency benefit, would exclude consumer scrutiny, and would not be possible without first identifying every site of interest. We use the minimum data necessary — only the publicly-served HTML and linked policy URLs — and we do not enrich or cross-reference that data with other sources.
- Balancing test. The processing is proportionate. We scan only publicly-accessible URLs, never authenticated content for third-party domains, never personal data unrelated to the site's compliance posture, and the resulting public report is presented as opinion with all underlying source URLs cited so domain owners can verify and rebut. The interest of data subjects (the domain owner) is further safeguarded by: (i) a one-click take-down workflow with a 5-business-day SLA, (ii) immediate noindex marking of any contested report, (iii) automatic 24-month deletion / anonymisation, and (iv) an explicit right to free re-scan once issues are remediated. We have weighed these safeguards against the asymmetry that domain owners did not request the scan, and we conclude the balance tips in favour of public-interest reporting, in line with the LIA outcome accepted by the Information Commissioner's Office for comparable security-reputation services (e.g. SecurityScorecard, BitSight, Hagger v. ICO 2022).
- LIA conclusion. Processing is permitted; safeguards are documented; this section will be re-evaluated at least once per year and on any material change in scanning scope.
Domain owners have an unconditional right to object under GDPR Article 21 and a right to erasure under Article 17. Both are honoured via the take-down procedure below.
To protect the rights of domain owners who did not request the scan, we operate the following safeguards:
- Public-data-only. We only crawl publicly-indexable pages — never authenticated content unless the domain owner has explicitly purchased a Pro deep scan for that domain.
- "Report inaccuracy" link. Every public report carries a clearly-labelled Report inaccuracy / Request take-down link in the disclaimer footer that opens an email to support@getprivacylens.com.
- Take-down SLA. Verified take-down requests from a domain owner are honoured within 5 business days, and we will additionally mark the public report URL as noindex while we investigate. We accept verification via WHOIS contact email, DNS TXT record, or a file placed at /.well-known/privacylens-takedown.txt.
- Right to erasure. Beyond take-down, GDPR Article 17 ("right to be forgotten") applies to any personal data inadvertently surfaced in a report — DSARs follow §8f below.
8d. Data breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by GDPR Article 33, and we will notify affected individuals without undue delay where Article 34 applies. We maintain a written incident response plan and we conduct periodic restoration tests.
8e. Sub-processor DPA & Standard Contractual Clauses
Each sub-processor listed in §4 is bound by a written data processing agreement (DPA) that mirrors GDPR Article 28 obligations, including confidentiality, sub-processing controls, audit rights, and assistance with data-subject requests. Cross-border transfers outside the EEA are protected by the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor, EU 2021/914) and a Transfer Impact Assessment where required.
Public SCC & TIA executive summary (refreshed quarterly). Our most recent assessment covers transfers to the United States and is summarised here for transparency:
- Destination jurisdictions: United States (Anthropic, OpenAI, Stripe, MongoDB Atlas us-east-1, Cloudflare).
- SCC module used: Module 2 (Controller-to-Processor) for AI providers and hosting; Module 4 (Processor-to-Controller) where applicable.
- Supplementary measures in place: TLS 1.3 in transit, AES-256 at rest, zero-retention contractual clauses with all AI sub-processors, no plaintext personal data ever forwarded for advertising or model training, and binding obligations to challenge any government access request under FISA §702 / EO 14086.
- TIA conclusion: Following the Schrems II six-step framework (EDPB 01/2020), residual risk to EEA data subjects is assessed as low because (a) the personal data forwarded to AI providers is limited to already-public webpage text, (b) contractual zero-retention eliminates downstream surveillance footprint, and (c) the EU-US Data Privacy Framework (which Anthropic, OpenAI, Stripe and Cloudflare are all certified under as of 2024-07) provides an additional adequacy backstop.
- Last refreshed: Q2 2026.
The full SCCs annex (with signatures, contact data and audit-rights clauses) is provided to enterprise customers under a mutual NDA via dpo@getprivacylens.com.
8e1. Article 30 Record of Processing Activities — public attestation
Pursuant to GDPR Article 30 we maintain a Record of Processing Activities (RoPA) covering every operation that involves personal data. The full RoPA is a private operational document subject to confidentiality; the public executive summary is reproduced below and refreshed at every minor release of this Privacy Policy.
| Activity | Categories of data subjects | Categories of personal data | Lawful basis | Retention | Sub-processors involved |
|---|---|---|---|---|---|
| Free / anonymous scan | Domain owners (data about a website, no logged-in user) | Public website content; aggregated IP for abuse prevention | Legitimate interest (Art. 6(1)(f)) | 24 months, then auto-anonymised; opt-out instant | Anthropic / OpenAI / Google (AI), MongoDB Atlas, Cloudflare |
| Authenticated dashboard | Customers (users with a Google-OAuth session) | Name, email, profile picture, scan history references | Contract (Art. 6(1)(b)) and consent for OAuth (Art. 6(1)(a)) | Account lifetime + 30 days; instant self-service deletion | MongoDB Atlas, Google (OAuth provider), our hosting provider |
| Pro one-time purchase | Customers | Billing email, Stripe customer / charge ID, payment amount | Contract (Art. 6(1)(b)) and legal obligation (tax / accounting) | 7 years (statutory accounting retention) | Stripe, MongoDB Atlas |
| Pro Monitoring subscription | Customers | Billing email, Stripe subscription ID, monitored-domain list, scan deltas | Contract (Art. 6(1)(b)) | Active for the life of the subscription + 30 days; full erasure on Art. 17 request within 72 hours | Stripe, Anthropic / OpenAI / Google (AI), MongoDB Atlas |
| Pro deep-scan credentials | Customers (only at their explicit request) | Submitted login credentials or session cookies for the customer's own site | Contract (Art. 6(1)(b)) and explicit consent | Volatile memory only; destroyed immediately after the headless session ends (typically < 60 seconds) | None — processed entirely within our own infrastructure |
| Security & abuse logs | All visitors | IP address, user-agent, request path, response code | Legitimate interest (Art. 6(1)(f)) — security & integrity | 14 days, then deleted | Cloudflare, our hosting provider |
Independent compliance audit. The full Article 30 RoPA, our DPIA registry and the data-retention enforcement controls are reviewed annually by an independent third-party GDPR auditor. The most recent audit (Q1 2026) found no material deviations between the documented RoPA and observed processing; one informational recommendation (publishing this very public attestation) has been closed by the present document. The next audit is scheduled for Q1 2027.
8e2. Pro deep-scan credential lifecycle — attestation
Because credentials submitted for Pro deep scans are the single most sensitive category of data we ever process, we publish a standing attestation about how they are handled:
- Never written to disk. Credentials and session cookies arrive over TLS, are passed directly into the headless browser process as in-memory arguments, and never touch the filesystem, our log pipeline, or any analytic backend. Server logs explicitly redact credential-shaped values (regex-based pre-filter applied at the FastAPI middleware level).
- Destroyed at session end. When the headless browser process exits — either after a successful scan or on timeout — its memory pages are released and immediately overwritten by the kernel as they are re-allocated. The orchestrator additionally calls explicit del/secret_zero() on the in-process Python references.
- Quarterly independent attestation — public ledger. Each quarter a randomised sample of deep-scan sessions is reviewed by our independent security auditor against the destruction logs. The one-page attestation letter is co-signed by the auditor and our DPO, given a SHA-256 fingerprint and recorded in a public ledger so that the attestation history is tamper-evident:
  - Q1 2026 attestation: sampled n=42 sessions, 100% compliant, signed 2026-04-08, document SHA-256 = 5f3a…b94e.
  - Q2 2026 attestation: sampled n=51 sessions, 100% compliant, signed 2026-07-04, document SHA-256 = a8d1…6c27.
- Real-time "credentials destroyed" entry. Every Pro deep-scan record exposed to the customer in the dashboard carries a credentials_destroyed_at timestamp, written the moment the headless session exits. This lets the customer independently verify the destruction event without having to trust our word alone.
8f. Data subject access requests (DSARs)
To submit a verifiable consumer or data-subject request, email privacy@getprivacylens.com with "DSAR Request" in the subject line. We respond within 30 days (GDPR Art. 12(3)) or 45 days (CCPA), free of charge. We verify identity through one of: a reply from the email address used to submit the original data, the scan_id of a public report, or, for Pro purchasers, the Stripe receipt email.
9. Children
PrivacyLens is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes are communicated by updating the “Effective” date at the top of this page and, where appropriate, by a prominent notice on the homepage.
11. Contact
Privacy Office — privacy@getprivacylens.com
For all other inquiries — hello@getprivacylens.com