Last updated: May 18, 2026
CostLens
Email: privacy@costlens.dev
Website: costlens.dev
Data Protection Officer: dpo@costlens.dev
Legal Basis for Processing: Contract performance (Article 6(1)(b) GDPR), Legitimate interests (Article 6(1)(f) GDPR), and Consent (Article 6(1)(a) GDPR) where applicable.
When you connect GitHub (for AI Efficiency Score or productivity reports), we collect:
We never access: code content, diffs, commit messages, issue bodies, private conversations, or repository source code.
Retention: GitHub data is deleted immediately when you disconnect. For active connections, PR metadata is retained for the duration of your subscription.
Deletion: Go to Settings → GitHub → Disconnect to delete all GitHub and commit data immediately. No waiting period.
Legal basis: Consent (Article 6(1)(a) GDPR) — you explicitly connect GitHub via OAuth.
If you opt in to git hooks (via npx @costlens/mcp-server hooks), we collect:
We never access: file contents, diffs, or full commit history.
Opt-in only: Hooks are never installed automatically. You must run the hooks command explicitly.
Uninstall: Remove .git/hooks/post-commit from your repository.
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Service delivery | Contract performance (Art. 6(1)(b)) | Email, usage data, API keys |
| Billing & payments | Contract performance (Art. 6(1)(b)) | Email, billing data |
| Customer support | Legitimate interests (Art. 6(1)(f)) | Email, account data |
| Analytics & improvements | Consent (Art. 6(1)(a)) | Usage patterns, feedback |
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)) | IP address, audit logs |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Billing records, audit logs |
| Data Type | Retention Period |
|---|---|
| Account data | Until deletion request |
| Usage logs | 90 days |
| Audit logs | 1 year |
| Billing records | 7 years (legal requirement) |
| Cache data | 1 hour |
| Deleted accounts | 30 days (soft delete), then permanent |
We use the following trusted service providers:
| Service | Purpose | Location |
|---|---|---|
| Clerk | Authentication | US (DPF certified) |
| Vercel | Hosting | US/EU |
| Stripe | Payments | US (DPF certified) |
| Upstash | Caching | EU |
| Resend | Email delivery | US |
| Google Analytics | Website analytics (with consent only) | US (DPF certified) |
| Sentry | Error monitoring | US |
All processors have Data Processing Agreements (DPAs) in place and comply with GDPR.
Your data may be transferred to and processed in the United States and other countries. We ensure adequate protection through:
You have the following rights:
To exercise your rights, visit your account settings or email privacy@costlens.dev.
We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
Our service is not intended for users under 16 years old (EU) or 13 years old (US). We do not knowingly collect data from children.
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the service.
For privacy questions or to exercise your rights:
Email: privacy@costlens.dev
Response time: Within 30 days
If you are in the European Union and have concerns about our data practices, you may contact your local supervisory authority.