GDPR Policy

Last updated: April 6, 2026

This policy supplements our Privacy Policy and provides additional information for individuals in the EEA, UK, and California.

Part A: GDPR Compliance

For individuals in the European Economic Area (EEA) and the United Kingdom.

A1. Data Controller

OptiLens acts as the Data Controller for personal data collected through optilens.ai and app.optilens.ai. Contact our Data Protection Officer at dpo@optilens.ai.

A2. Legal Basis for Processing

  • Contractual Necessity (Article 6(1)(b)): Account creation, service delivery, audit processing, and subscription management.
  • Legitimate Interest (Article 6(1)(f)): Platform improvement, security monitoring, and fraud prevention. We conduct balancing tests.
  • Consent (Article 6(1)(a)): Analytics cookies and marketing communications. You may withdraw consent at any time.
  • Legal Obligation (Article 6(1)(c)): Tax regulations and legal proceedings.

A3. Data Categories

Category              | Data Types                                                                | Purpose
Identity              | Name, email address                                                       | Account management
Technical             | IP address, browser, device info                                          | Security, analytics
Usage                 | Audit URLs, feature usage, CRO scores                                     | Service delivery
Financial             | Payment details (via LemonSqueezy)                                        | Billing
Website Crawl         | DOM content, metadata, screenshots                                        | AI-powered CRO analysis
Behavioral Analytics  | Anonymized click and scroll coordinates from the optional tracking snippet | Behavioral analytics for your own website

A4. AI-Specific GDPR Considerations

  • Transparency: Users are informed that submitted website data is processed by AI agents via the Anthropic Claude API.
  • Human oversight: AI outputs are presented as recommendations, not automated decisions with legal effects.
  • Right to explanation: You may request an explanation of how your CRO score was calculated.
  • Data minimization: Only the minimum necessary page data (up to 5 pages) is sent for AI processing.
  • Impact assessment: We have conducted a Data Protection Impact Assessment (DPIA) for our AI processing pipeline.

A5. Data Retention

  • Account data: Retained while active. Deleted within 30 days of account closure.
  • Audit data: Retained for subscription duration. Deleted within 30 days of cancellation.
  • Behavioral analytics data: 90 days from collection.
  • Billing records: Up to 7 years per tax and financial regulations.
  • Technical and error logs: Up to 90 days.

A6. Your Rights Under GDPR

  • Right of Access (Article 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): Request deletion of your personal data.
  • Right to Restriction (Article 18): Request restricted processing under specific conditions.
  • Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing.
  • Right Related to Automated Decisions (Article 22): Request human review of decisions made solely by automated processing, including AI-generated audit outputs. You may contact us to request a manual review of any AI-generated output.

To exercise any of these rights, contact dpo@optilens.ai. We will respond within 30 days.

A7. International Data Transfers

When personal data is transferred outside the EEA, we ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms. We conduct Transfer Impact Assessments.

A8. Sub-Processors

All sub-processors are bound by DPAs meeting GDPR standards. See the sub-processor table in our Privacy Policy (Section 5). To be notified of changes, email dpo@optilens.ai.

A9. Data Protection Measures

  • Encryption in transit (TLS 1.3) and at rest (Fernet symmetric encryption for tokens)
  • Row-Level Security (RLS) for multi-tenant data isolation
  • Role-based access controls with the principle of least privilege
  • Regular security assessments and vulnerability reviews
  • Incident response procedures with 72-hour breach notification to supervisory authorities

A10. Data Breach Notification

In the event of a personal data breach posing a risk to rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach poses high risk, we will also notify affected individuals directly.

A11. Complaints

You have the right to lodge a complaint with your local Data Protection Authority. We encourage contacting us first at dpo@optilens.ai.

Part B: CCPA / CPRA Compliance

For residents of California, United States.

B1. Scope

This section provides additional information for California residents under the CCPA as amended by the CPRA.

B2. Categories of Personal Information Collected

CCPA Category             | Examples                                                   | Business Purpose
Identifiers               | Name, email, IP address, account ID                        | Account management, service delivery
Commercial Information    | Subscription plan, billing history, audit records          | Billing, service fulfillment
Internet Activity         | Feature usage, audit URLs, behavioral analytics data       | Service delivery, analytics
Professional Information  | Company name, job role (if provided)                       | Account personalization
Inferences                | CRO scores, AI-generated recommendations                   | Core service delivery

B3. We Do Not Sell or Share Personal Information

OptiLens does not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising.

B4. Your CCPA Rights

  • Right to Know: Request the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of personal information, subject to legal exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out: While we do not sell or share personal information, you may submit an opt-out request.
  • Right to Limit Sensitive Data Use: Request limits on sensitive personal information usage.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.

B5. Automated Decision-Making Disclosure

  • We disclose our use of AI in generating audit outputs.
  • AI-generated outputs are recommendations, not decisions with legal or financial effects on consumers.
  • You may request information about the logic involved in our AI scoring methodology.

B6. How to Submit a CCPA Request

  • Email legal@optilens.ai with the subject line "CCPA Request".
  • Use the privacy request form at optilens.ai/privacy-request.

We verify your identity by matching the request to your account email. We respond within 45 days.

Contact

For questions about regional privacy rights, please contact us.

OptiLens

General: support@optilens.ai

Legal: legal@optilens.ai

Data Protection: dpo@optilens.ai

Website: optilens.ai