Privacy Policy

Last updated: June 11, 2026

1. Introduction

OptiLens ("we," "us," or "our") operates the website optilens.ai and the application at app.optilens.ai (collectively, the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered Conversion Rate Optimization (CRO) platform.

By creating an account or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not access the Platform.

2. Information We Collect

Account Information

Full name, email address, company or organization name, and encrypted account credentials.

Billing Information

Payment details are processed by our third-party payment processor, LemonSqueezy. We do not store credit card numbers on our servers.

Usage Information

URLs submitted for CRO audits, audit results and reports generated, feature usage patterns, CRO score history, and session data within our Platform.

Website Crawl Data

When you submit a URL for audit, our system crawls the publicly accessible pages of that website (up to 5 pages per audit) to analyze layout, copy, performance, and SEO factors.

Behavioral Analytics Data

If you install our optional JavaScript tracking snippet on your website, we collect anonymized click coordinates, scroll depth, and viewport dimensions from your website visitors. All form input fields are automatically masked before collection.

Integration Data

If you connect third-party services (Google Analytics 4, Google Search Console), we access data scoped to the permissions you authorize via OAuth. We do not store OAuth credentials in plaintext. All tokens are encrypted at rest using Fernet symmetric encryption.

Technical Information

IP address, browser type and version, device information, and cookies.

3. How We Use Your Information

  • To create and manage your OptiLens account and organization
  • To perform AI-powered CRO audits using our multi-agent analysis pipeline
  • To generate audit reports, CRO scores, and revenue-leak analyses
  • To process payments and manage subscriptions via LemonSqueezy
  • To send transactional emails (audit completions, re-audit notifications, billing receipts) via Resend
  • To provide optional behavioral analytics visualizations for your own website
  • To track CRO score improvement trends over time
  • To monitor errors, debug issues, and improve platform reliability
  • To monitor AI pipeline performance and quality
  • To comply with legal obligations

4. AI Processing Disclosure

OptiLens uses artificial intelligence to deliver its core service. When you submit a URL for audit, the following occurs:

  • Our system crawls up to 5 publicly accessible pages of the submitted website using Playwright
  • The crawled page data (DOM structure, text content, metadata, screenshots) is sent to Anthropic's Claude API for multi-agent analysis
  • Specialized AI agents analyze UX patterns, copy effectiveness, SEO factors, and performance metrics
  • AI-generated outputs include CRO scores, issue lists, and prioritized recommendations

Important: Crawled website data is transmitted to Anthropic (our AI model provider) for processing. Anthropic's data retention and privacy practices apply to data processed through their API. We encourage you to review Anthropic's privacy policy. We do not use your data to train AI models.

5. Data Sharing and Sub-Processors

We do not sell, trade, or rent your personal information. We share data only with the following service providers, all bound by data processing agreements:

Sub-ProcessorPurposeData Shared
SupabaseAuthentication, primary database (PostgreSQL)Account data, audit records, organization data
Anthropic (Claude API)AI-powered CRO analysisCrawled website page data for audit processing
LemonSqueezySubscription billing and payment processingEmail, plan selection, payment information
ResendTransactional email deliveryEmail address, notification content
SentryError monitoring and trackingError logs, anonymized session context
LangfuseLLM observability and pipeline monitoringAI pipeline performance metrics
Google PageSpeed InsightsLighthouse performance scoringSubmitted URLs
Google Analytics 4 (if connected)Revenue and traffic data integrationOAuth-scoped GA4 data
Google Search Console (if connected)Search performance integrationOAuth-scoped GSC data

We may also disclose data when required by law, regulation, or legal process, or in connection with a merger, acquisition, or sale of assets.

6. Cookies and Tracking Technologies

We use cookies and similar technologies. Please see our separate Cookie Policy for full details.

  • Essential Cookies: Required for authentication, session management, and Platform functionality.
  • Analytics Cookies: Help us understand usage patterns to improve the Platform.

You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling essential cookies may impair Platform functionality.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Audit data: Retained for the duration of your subscription. Deleted within 30 days of cancellation, after the grace period.
  • Behavioral analytics data: Retained for 90 days from collection, then automatically purged.
  • Billing records: Retained for up to 7 years as required by tax and financial regulations.
  • Technical and error logs: Retained for up to 90 days for security and debugging.

Anonymized, aggregated data (for example, industry benchmark statistics) may be retained indefinitely.

8. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit using TLS 1.3
  • Integration tokens encrypted at rest using Fernet symmetric encryption
  • Supabase Row-Level Security (RLS) for multi-tenant data isolation
  • LemonSqueezy webhooks verified via HMAC SHA-256 signature
  • Behavioral analytics automatically mask all input fields before collection
  • CORS restricted to allowed origins only
  • Rate limiting on authentication endpoints

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuous improvement of our security posture.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request a machine-readable export of your data.
  • Objection: Object to processing for specific purposes.
  • Restriction: Request restricted processing under certain conditions.
  • Automated Decisions: Request human review of significant decisions made solely by automated processing, including AI-generated audit outputs.

To exercise any of these rights, contact us at legal@optilens.ai. We will respond within 30 days. For GDPR-specific rights, see our GDPR Policy. For CCPA-specific rights, see our CCPA Policy.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. When we transfer personal data internationally, we ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms.

11. Children's Privacy

OptiLens is a business-to-business platform not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Shopify App

This section applies when you install OptiLens from the Shopify App Store. For Shopify merchants, OptiLens acts as a data processor on behalf of your store, which is the data controller.

Shopify Data We Access

On install, Shopify issues an offline access token, which we encrypt at rest and never expose outside our systems. Using the scopes you grant, we read:

  • read_content: pages, blog posts, and policy pages, for content and SEO analysis.
  • read_products: product catalog, for catalog and page sampling.
  • read_orders: aggregate order data only (line-item quantity, product, and amount), for store revenue and revenue-per-visitor estimates.
  • read_reports: store analytics, for performance metrics in the report.
  • read_themes: theme files, for the theme audit and fix computation.
  • write_themes: to write approved fixes to a duplicated draft theme only.

We also generate and store screenshots of your storefront pages, audit findings, and audit reports.

Protected Customer Data

We request Level 1 protected customer data (orders) solely to calculate store revenue and a revenue-per-visitor projection for your audit. We read only line-item quantity, product, and order amount. We do not request or access protected customer fields such as customer names, emails, phone numbers, or addresses. This data is used only to generate your audit and is never sold or used for advertising.

Storefront Crawl and Screenshots

During an audit we render your public storefront pages and capture screenshots, the way a shopper, Google, and AI search would see them. Email addresses and phone numbers found in captured page text are redacted before the content leaves our rendering module.

Theme Modifications

When you apply a fix, OptiLens duplicates your live theme into a draft and writes the change to that draft only. We never modify or publish your live theme, and there is no publish step in the app.

Billing

For Shopify App Store installs, all billing is handled by Shopify (Shopify App Pricing). We do not process or store any payment details for Shopify merchants. LemonSqueezy, referenced elsewhere in this policy, applies only to direct optilens.ai web accounts.

No Shopper Tracking

The Shopify app does not inject any tracking snippet into your storefront and does not collect behavioral analytics from your store's visitors.

Mandatory Shopify Compliance Webhooks

We handle all three Shopify-required GDPR webhooks:

  • customers/data_request: acknowledged. We store no customer personal data, so there is nothing to provide.
  • customers/redact: acknowledged. We store no customer personal data, so there is nothing to redact.
  • shop/redact: we delete all data associated with your shop domain within 48 hours of receipt.

Sub-Processors for the Shopify App

Shopify (platform and billing), Anthropic (AI analysis of store content), Supabase (database and storage), Railway (application hosting), Google PageSpeed Insights (performance scoring), Resend (transactional email), and Sentry and Langfuse (error and pipeline monitoring). Google Analytics and Google Search Console apply only if you choose to connect them.

Retention and Deletion

We retain your shop data while the app is installed. When we receive a shop/redact webhook from Shopify, we delete all records tied to your shop domain, including audit findings, reports, and screenshots, within 48 hours. You may request earlier deletion by contacting support@optilens.ai.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-Platform notice at least 14 days before taking effect. The "Last Updated" date at the top will be revised. Continued use of the Platform after the effective date constitutes acceptance.

14. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us.

OptiLens

General: support@optilens.ai

Legal: legal@optilens.ai

Data Protection: dpo@optilens.ai

Website: optilens.ai