Privacy Policy

Marketlens is operated by Paweł Fijałkowski, an individual based in Poland, who acts as the data controller for the purposes of the General Data Protection Regulation (GDPR) and applicable Polish data protection law.

For any questions about this policy or your personal data, contact us at [email protected].

Data you provide

When you sign in via Google OAuth we receive your name, email address, and profile picture. We also store API key names you choose when creating keys and your email notification preference.

Data collected automatically

Each API request is logged with your IP address, HTTP method, request path, response status, and response time. We also track per-key usage metadata: daily request counts, last-used timestamp, and lifetime request total.

Data from third parties

Google provides your profile information (name, email, avatar, Google ID) during the OAuth sign-in flow. Stripe provides subscription status, billing period end date, and a customer identifier when you subscribe to a paid tier.

We process your data under the following legal bases defined in GDPR Article 6:

Contract performance

Account creation and management, API access, authentication, payment processing, and transactional emails (welcome, key created, key revoked, tier changed, account deleted) are necessary to provide the Services you signed up for.

Legitimate interest

Request logging (IP address, path, status) is necessary for security monitoring, abuse prevention, rate limit enforcement, and debugging. Usage aggregates help us understand how the service is used and plan capacity. We have assessed that these interests do not override your rights and freedoms.

Consent

Marketing and non-transactional email notifications are sent only with your consent, which you can withdraw at any time via your Account settings or the unsubscribe link in any email.

Legal obligation

We may process or retain your data where required by applicable law, regulation, or court order.

We use your data to authenticate you, manage your Account, provide API access, and enforce the rate limits associated with your tier. Payments and subscriptions are processed through Stripe using the billing details you provide.

We also use your data to send transactional emails about your Account (and, with your consent, product updates), to monitor for abuse and security threats via request logs, and to generate aggregated, anonymized usage statistics that help us improve the Services. We may also process your data to comply with legal obligations.

We do not sell your personal data. We do not use advertising networks or third-party analytics trackers. We share data only with the following service providers, each of which processes data on our behalf.

Stripe

Handles payment processing. Receives your email and subscription details. Subject to Stripe’s Privacy Policy.

Google

Used for authentication only. The OAuth flow shares your profile data with us; we do not send data back to Google.

Hetzner

Provides infrastructure hosting. Our servers and database are located in Helsinki, Finland (EU). Hetzner processes data as a sub-processor under its Privacy Policy.

SMTP provider

Handles email delivery. Receives recipient email addresses and message content for transactional emails only.

We may also disclose your data if required by law, court order, or to protect our rights, safety, or property.

Our servers are located in Finland (EU). Your data is primarily stored and processed within the European Economic Area.

Some of our service providers (Stripe, Google) are based in the United States. These transfers are protected by Standard Contractual Clauses and, where applicable, adequacy decisions adopted by the European Commission. We do not transfer data to countries without adequate safeguards.

We retain your data only as long as necessary for the purposes described in this policy. Account data (name, email, avatar) is kept until you delete your Account. Request logs, including IP addresses, are rotated on a 30-day cycle. Sent email records are deleted after 30 days; failed email records after 90 days. Refresh tokens expire after 7 days. Usage aggregates (daily request counts per key) are retained for service analytics and anonymized upon account deletion.

Account deletion

When you delete your Account (via settings or by contacting us), we nullify your name, email, and avatar; revoke all API keys and refresh tokens; and cancel any active Stripe subscription. Your Stripe customer ID is retained temporarily to complete the cancellation, then removed. Anonymized usage aggregates may be retained indefinitely.

Under the GDPR, you have the following rights over your personal data:

• Request a copy of the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your personal data (subject to legal retention obligations).
• Temporarily restrict how we process your data.
• Receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interest.
• Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. You also have the right to lodge a complaint with the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO), at uodo.gov.pl.

Marketlens does not use advertising cookies, analytics cookies, or third-party tracking pixels. We use only essential cookies required for authentication and session management. No cookie consent banner is needed because these cookies are strictly necessary for the Services to function.

We take reasonable measures to protect your data. Passwords are never stored; authentication is handled entirely through Google OAuth. API keys and refresh tokens are stored as SHA-256 hashes; the original values are never retained. All connections use HTTPS. Database access is restricted to the application layer.

No system is perfectly secure. We cannot guarantee absolute protection against unauthorized access. If we become aware of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you without undue delay.

Marketlens is not directed at anyone under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

We may update this policy from time to time. For material changes we will notify you via email or dashboard notification at least 30 days before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.

Questions about this policy or your personal data? [email protected]