Privacy Policy

1. Introduction

This Privacy Policy explains how Anna Moore (sole trader) trading as PageLens AI (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the PageLens AI service (pagelensai.com).

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU GDPR (where applicable), and the Data Protection Act 2018.

2. What Data We Collect

2.1 Account Information

When you create an account we collect:

• Email address
• Display name (from your OAuth provider, if used)
• Profile image URL (from your OAuth provider, if used)
• Account creation date and last sign-in date

Authentication is handled via passwordless magic links (email), Google OAuth, or GitHub OAuth. We do not store passwords.

2.2 Scan Data (websites you submit)

When you submit a URL or route list for scanning, our automated worker accesses the pages you ask us to scan. This may include authenticated application routes where you create an auth profile for a verified domain and provide a dedicated test account. Scans run from Amazon Web Services (AWS) infrastructure in the scan region selected at submission time. The default scan region is AWS London (eu-west-2).

• Page URLs, titles, paths, and HTTP status codes
• Truncated rendered HTML (sent to the AI for analysis)
• HTTP response headers (for security-headers analysis)
• Page screenshots (stored privately and accessed only via a server-side proxy — never exposed publicly)
• AI-generated findings, severities and remediation suggestions
• Synthetic performance metrics such as load timings, Core Web Vitals-style lab measurements, page weight, request counts, and DOM size

For authenticated scans, we also store the auth profile label, login URL, allowed route scope, username preview, and encrypted references to the username and password. The raw password is not returned through normal customer APIs. Authenticated scan reports, screenshots, page text, HTML, metrics, summaries, and exports may contain private application data.

2.3 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card details. We only store:

• Stripe customer ID
• Stripe checkout session ID and payment intent ID
• Tier purchased, amount, currency and timestamp
• Refund status (if applicable)

2.4 Feedback and Testimonials

If you choose to leave feedback (NPS, sentiment, written comments), we store it against your account. If you opt in, we may publish your testimonial on our website with a display name and company you provide. You can revoke this consent at any time by emailing privacy@pagelensai.com.

2.5 Usage Data

We automatically collect:

• IP address (anonymised in analytics)
• Browser type and version, device type, operating system
• Pages visited, time spent, referring website
• Session identifiers and authentication tokens
• Server logs (request URLs, status codes, timestamps)

2.6 Cookies and Analytics

We use strictly-necessary cookies for authentication and session management. With your consent we also use Google Analytics for aggregate usage analysis (with IP anonymisation enabled), PostHog for product analytics such as page views, feature usage, and basic funnel diagnostics, and Reddit Ads measurement to understand whether Reddit campaigns lead to visits and conversions. See our Cookie Policy for full details and to manage your preferences.

3. Why We Collect Your Data (Legal Basis)

3.1 Contract Performance

We process your account data, scan submissions, and payment data to deliver the Service you signed up for. This is necessary for the performance of our contract with you.

3.2 Legitimate Interests

We process usage data to:

• Maintain, secure, and improve the Service
• Detect and prevent abuse, fraud, and harmful activity
• Diagnose technical issues
• Provide customer support

3.3 Legal Obligation

We may process data where required by law (e.g. responding to lawful requests from authorities, retaining tax records).

3.4 Consent

For non-essential cookies, analytics, marketing emails, and public display of testimonials, we rely on your explicit, freely-given consent. You can withdraw consent at any time without affecting services that depend on contract or legitimate interest.

3.5 Follow-up and marketing emails

When you submit a free trial scan, we may send you a single follow-up email with additional insights from your scan results. This email is sent under legitimate interest to help you get full value from the service you initiated. You can opt out of these emails at any time using the unsubscribe link in the email footer or via your account settings.

You may separately opt in to our newsletter for web quality tips, vibe coding guides, and product updates. We will only send marketing newsletters if you have explicitly opted in. You can manage this preference in your account settings or unsubscribe via the link in any newsletter email.

4. How We Use Your Data

We use your data to:

• Create and manage your account
• Run scans you submit and deliver the resulting reports
• Process payments and issue refunds where applicable
• Send transactional email (sign-in links, scan completion notifications, receipts)
• Provide customer support
• Detect fraud, abuse, and security incidents
• Comply with legal obligations

5. Where We Store Your Data

Your data is stored with the following trusted sub-processors:

• Supabase (PostgreSQL): account data, scan metadata, findings, payments, feedback. Hosted on AWS with EU/UK data centres.
• Vercel Blob storage: page screenshots. Served only via our private proxy at /api/screenshots.
• Vercel: application hosting and serverless compute.
• AWS: scan execution infrastructure. PageLens workers run browser-based scans from AWS in the selected scan region, starting with London (eu-west-2) by default.
• Resend: transactional email delivery (sign-in links, scan notifications).
• Stripe: payment processing (USA-based, GDPR-compliant under SCCs).
• AI/LLM providers:page HTML and screenshots are sent for analysis, including authenticated scan artifacts where you have created an auth profile and requested authenticated scanning. AI requests may be routed through Vercel's AI infrastructure and processed by the AI providers or sub-processors used by that infrastructure. Submitted content is not retained for model training under our provider terms.
• Google Analytics: aggregate usage statistics (only when you have accepted analytics cookies). IP addresses are anonymised before storage.
• PostHog: consent-gated product analytics, including page views, feature usage, device/browser metadata, and product funnel events. We use PostHog to understand and improve the Service; we do not use it for advertising or sell analytics data.
• Reddit Ads:consent-gated advertising measurement for Reddit campaigns. The Reddit Pixel may collect page visit and conversion signals, browser/device metadata, and Reddit's browser identifier cookie so Reddit can attribute ads and avoid counting the same conversion twice when browser and server events are both used.

When data is transferred outside the UK/EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

6. Who We Share Your Data With

6.1 Service providers

We share data with the sub-processors listed in section 5, strictly for the purpose of operating the Service.

6.2 Report sharing

Reports are private by default. If you choose to share a report link, anyone with that unique tokenised URL can view it. You can revoke share links from your dashboard at any time.

Authenticated scan reports are treated as private organization data and public share links are disabled by default because they may include private screenshots, page text, and application state.

6.3 Legal requirements

We may disclose data where required by law, court order, or to protect our legal rights.

6.4 Business transfers

If the PageLens AI business is sold or merged, your data may be transferred to the new owner. You will be notified.

7. How Long We Keep Your Data

• Active accounts: data is retained for as long as your account is active.
• Page screenshots (storage limitation): in line with UK GDPR Article 5(1)(e), screenshots are automatically removed from blob storage after 90 days for paid scans, 30 days for free trial scans, and 14 days for failed scans. The audit findings, executive summary, persona reviews, scores, and page metadata all remain in your account indefinitely — only the image files themselves are deleted. Reports continue to render and export to PDF after screenshots have been removed; they simply show a placeholder where the image used to be.
• After account deletion: all account, scan, finding, screenshot, and feedback data is immediately and permanently deleted from our active database.
• Database backups: deleted data may persist in encrypted backups for up to 30 days before being permanently purged.
• Payment records: we are required to retain basic payment records (amount, date, Stripe IDs) for up to 6 years for tax and accounting compliance. Personal identifiers may be anonymised.
• Server logs: retained for 30 days for security and debugging.
• Analytics and ads measurement events: retained by Google Analytics, PostHog, and Reddit Ads according to our configured retention settings and used only where you have accepted analytics cookies.

9. Security

We implement appropriate technical and organisational measures to protect your data:

• All traffic encrypted in transit via TLS 1.2+ (HTTPS)
• Database access restricted to authorised personnel and services
• Authentication via OAuth or signed magic links — no passwords stored
• Strict Content Security Policy (CSP) and security headers (HSTS, X-Frame-Options, etc.) targeting an A+ on securityheaders.com
• Page screenshots served only through a private proxy authenticated against your session or report token
• Auth profile credentials are encrypted at rest and decrypted only for worker-only authenticated scan execution
• Worker-API endpoints protected by a shared bearer secret
• Daily encrypted database backups

However, no system is 100% secure. We cannot guarantee absolute security but we take all reasonable steps to protect your data and will notify affected users within 72 hours of becoming aware of a personal-data breach, in line with UK GDPR Article 33.

10. Children's Privacy

PageLens AI is not intended for use by anyone under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact privacy@pagelensai.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top indicates the most recent revision.

12. Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data: