Privacy Policy

Last updated: April 6, 2026

1. Introduction

OptiLens ("we," "us," or "our") operates the website optilens.ai and the application at app.optilens.ai (collectively, the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered Conversion Rate Optimization (CRO) platform.

By creating an account or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not access the Platform.

2. Information We Collect

Account Information

Full name, email address, company or organization name, and encrypted account credentials.

Billing Information

Payment details are processed by our third-party payment processor, LemonSqueezy. We do not store credit card numbers on our servers.

Usage Information

URLs submitted for CRO audits, audit results and reports generated, feature usage patterns, CRO score history, and session data within our Platform.

Website Crawl Data

When you submit a URL for audit, our system crawls the publicly accessible pages of that website (up to 5 pages per audit) to analyze layout, copy, performance, and SEO factors.

Behavioral Analytics Data

If you install our optional JavaScript tracking snippet on your website, we collect anonymized click coordinates, scroll depth, and viewport dimensions from your website visitors. All form input fields are automatically masked before collection.

Integration Data

If you connect third-party services (Google Analytics 4, Google Search Console), we access data scoped to the permissions you authorize via OAuth. We do not store OAuth credentials in plaintext. All tokens are encrypted at rest using Fernet symmetric encryption.

Technical Information

IP address, browser type and version, device information, and cookies.

3. How We Use Your Information

  • To create and manage your OptiLens account and organization
  • To perform AI-powered CRO audits using our multi-agent analysis pipeline
  • To generate audit reports, CRO scores, and revenue-leak analyses
  • To process payments and manage subscriptions via LemonSqueezy
  • To send transactional emails (audit completions, re-audit notifications, billing receipts) via Resend
  • To provide optional behavioral analytics visualizations for your own website
  • To track CRO score improvement trends over time
  • To monitor errors, debug issues, and improve platform reliability
  • To monitor AI pipeline performance and quality
  • To comply with legal obligations

4. AI Processing Disclosure

OptiLens uses artificial intelligence to deliver its core service. When you submit a URL for audit, the following occurs:

  • Our system crawls up to 5 publicly accessible pages of the submitted website using Playwright
  • The crawled page data (DOM structure, text content, metadata, screenshots) is sent to Anthropic's Claude API for multi-agent analysis
  • Specialized AI agents analyze UX patterns, copy effectiveness, SEO factors, and performance metrics
  • AI-generated outputs include CRO scores, issue lists, and prioritized recommendations

Important: Crawled website data is transmitted to Anthropic (our AI model provider) for processing. Anthropic's data retention and privacy practices apply to data processed through their API. We encourage you to review Anthropic's privacy policy. We do not use your data to train AI models.

5. Data Sharing and Sub-Processors

We do not sell, trade, or rent your personal information. We share data only with the following service providers, all bound by data processing agreements:

Sub-Processor | Purpose | Data Shared
Supabase | Authentication, primary database (PostgreSQL) | Account data, audit records, organization data
Anthropic (Claude API) | AI-powered CRO analysis | Crawled website page data for audit processing
LemonSqueezy | Subscription billing and payment processing | Email, plan selection, payment information
Resend | Transactional email delivery | Email address, notification content
Sentry | Error monitoring and tracking | Error logs, anonymized session context
Langfuse | LLM observability and pipeline monitoring | AI pipeline performance metrics
Google PageSpeed Insights | Lighthouse performance scoring | Submitted URLs
Google Analytics 4 (if connected) | Revenue and traffic data integration | OAuth-scoped GA4 data
Google Search Console (if connected) | Search performance integration | OAuth-scoped GSC data

We may also disclose data when required by law, regulation, or legal process, or in connection with a merger, acquisition, or sale of assets.

6. Cookies and Tracking Technologies

We use cookies and similar technologies. Please see our separate Cookie Policy for full details.

  • Essential Cookies: Required for authentication, session management, and Platform functionality.
  • Analytics Cookies: Help us understand usage patterns to improve the Platform.

You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling essential cookies may impair Platform functionality.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Audit data: Retained for the duration of your subscription. Deleted within 30 days of cancellation, after the grace period.
  • Behavioral analytics data: Retained for 90 days from collection, then automatically purged.
  • Billing records: Retained for up to 7 years as required by tax and financial regulations.
  • Technical and error logs: Retained for up to 90 days for security and debugging.

Anonymized, aggregated data (for example, industry benchmark statistics) may be retained indefinitely.

8. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit using TLS 1.3
  • Integration tokens encrypted at rest using Fernet symmetric encryption
  • Supabase Row-Level Security (RLS) for multi-tenant data isolation
  • LemonSqueezy webhooks verified via HMAC SHA-256 signature
  • Behavioral analytics automatically mask all input fields before collection
  • CORS restricted to allowed origins only
  • Rate limiting on authentication endpoints

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuous improvement of our security posture.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request a machine-readable export of your data.
  • Objection: Object to processing for specific purposes.
  • Restriction: Request restricted processing under certain conditions.
  • Automated Decisions: Request human review of significant decisions made solely by automated processing, including AI-generated audit outputs.

To exercise any of these rights, contact us at legal@optilens.ai. We will respond within 30 days. For GDPR-specific rights, see our GDPR Policy. For CCPA-specific rights, see our CCPA Policy.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. When we transfer personal data internationally, we ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms.

11. Children's Privacy

OptiLens is a business-to-business platform not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-Platform notice at least 14 days before taking effect. The "Last Updated" date at the top will be revised. Continued use of the Platform after the effective date constitutes acceptance.

13. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us.

OptiLens

General: support@optilens.ai

Legal: legal@optilens.ai

Data Protection: dpo@optilens.ai

Website: optilens.ai