1. Data Controller

CostLens
Email: privacy@costlens.dev
Website: costlens.dev
Data Protection Officer: dpo@costlens.dev

Legal Basis for Processing: Contract performance (Article 6(1)(b) GDPR), Legitimate interests (Article 6(1)(f) GDPR), and Consent (Article 6(1)(a) GDPR) where applicable.

2. Data We Collect

Account Information

Email address: For authentication and communication
Name: For personalization
Password: Hashed and encrypted (via Clerk)

Usage Data

API requests: Model, tokens, cost, latency
API keys: Hashed with bcrypt (never stored in plain text)
Quality feedback: Ratings and comments
Audit logs: Account actions for security

Billing Data

Payment information: Processed by Stripe (we never see card numbers)
Billing history: Invoices and receipts

3. How We Use Your Data

Purpose	Legal Basis	Data Used
Service delivery	Contract performance (Art. 6(1)(b))	Email, usage data, API keys
Billing & payments	Contract performance (Art. 6(1)(b))	Email, billing data
Customer support	Legitimate interests (Art. 6(1)(f))	Email, account data
Analytics & improvements	Consent (Art. 6(1)(a))	Usage patterns, feedback
Security & fraud prevention	Legitimate interests (Art. 6(1)(f))	IP address, audit logs
Legal compliance	Legal obligation (Art. 6(1)(c))	Billing records, audit logs

4. Data Retention

Data Type	Retention Period
Account data	Until deletion request
Usage logs	90 days
Audit logs	1 year
Billing records	7 years (legal requirement)
Cache data	1 hour
Deleted accounts	30 days (soft delete), then permanent

5. Third-Party Processors

We use the following trusted service providers:

Service	Purpose	Location
Clerk	Authentication	US (DPF certified)
Vercel	Hosting	US/EU
Stripe	Payments	US (DPF certified)
Upstash	Caching	EU
Resend	Email delivery	US
OpenAI	Prompt optimization	US

All processors have Data Processing Agreements (DPAs) in place and comply with GDPR.

6. International Data Transfers

Your data may be transferred to and processed in the United States and other countries. We ensure adequate protection through:

Data Privacy Framework (DPF): For US transfers
Standard Contractual Clauses (SCCs): EU-approved contracts
Adequacy decisions: Where available

7. Your Rights (GDPR)

You have the following rights:

Right to access: Request a copy of your data
Right to rectification: Correct inaccurate data
Right to erasure: Delete your account and data
Right to portability: Export your data in JSON format
Right to object: Object to certain processing
Right to restrict: Limit how we use your data
Right to withdraw consent: At any time

To exercise your rights, visit your account settings or email privacy@costlens.dev

We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

8. Security

Encryption: HTTPS for all connections, encrypted database
Hashing: API keys hashed with bcrypt (10 rounds)
Access control: Role-based permissions
Monitoring: 24/7 security monitoring
Auditing: All actions logged

9. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.

10. Children's Privacy

Our service is not intended for users under 16 years old (EU) or 13 years old (US). We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the service.

12. Contact Us

For privacy questions or to exercise your rights:
Email: privacy@costlens.dev
Response time: Within 30 days

EU Representative

If you are in the European Union and have concerns about our data practices, you may contact your local supervisory authority.