Privacy Policy
Effective May 15, 2026 · Last updated May 15, 2026
This Privacy Policy explains how KOLens (“KOLens”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects information in connection with the website and service at kolens.ai and any feature offered through it (collectively, the “Service”). It also describes the rights you have over your information and how to exercise them. If anything here is unclear, email privacy@kolens.ai.
The data controller for the information described below is KOLens, contactable at kolens.ai. For users in the EEA / UK / Swiss territories, this is also our Data Protection contact; email privacy@kolens.ai.
1. Information we collect
1.1 Account information
When you create an account we store your email address, a hashed password (or your Google account identifier if you sign in with Google), an automatically generated user identifier, your display name (if you provide one), and the date your account was created. We never store your raw password.
1.2 Search activity and credit usage
We log every keyword search, scrape job, and audience-snapshot request you run; the parameters you choose; the number of creators returned; and the number of credits charged. This information is required to operate the credit system, show you your search history, prevent abuse, and answer billing questions.
1.3 Workspace content
Watchlists, KOL lists, alert rules, exports, audience snapshots, and any notes you save inside the app are stored against your account so you can return to them.
1.4 Payment information
Card payments are processed by Stripe. We never see or store your full card number, expiry, or CVC. Stripe returns to us only the last four digits of the card, the card brand (for receipts), the country, and the transaction identifier.
1.5 Google user data (if you sign in with Google)
See Section 3 below for the full Google API Services User Data disclosure, including the exact scopes requested and the Limited Use commitment.
1.6 Server and security logs
Our hosting providers (Vercel for the web app, Railway for the API) record standard request metadata — IP address, user agent, request path, response status, and timestamp — for up to thirty (30) days for security, fraud-prevention, and abuse-investigation purposes. These logs are not linked to your account except when we investigate a specific incident.
1.7 Cookies and similar technologies
We use a small number of strictly necessary first-party cookies and equivalent local-storage entries:
- Authentication. Supabase auth cookies keep you signed in across requests. Cleared when you sign out.
- OAuth callback state (PKCE). Short-lived cookies used during Google sign-in to round-trip the OAuth 2.1 / PKCE state. Lifetime: a few minutes.
- Preferences. Your theme choice, filter collapse state, and similar UI preferences are stored in localStorage on your device. Never sent to us.
We do not run third-party advertising cookies, fingerprinting, cross-site tracking, or session-replay tools on the marketing site or inside the app.
2. How we use your information
- To operate, secure, monitor, and improve the Service.
- To bill credits accurately, prevent abuse, and detect fraudulent or automated use.
- To send transactional emails — account confirmation, password reset, billing receipts, security alerts, and important service notices. We do not send marketing email without your separate opt-in consent.
- To deliver alerts you have explicitly configured (e.g. growth alerts, watchlist notifications) to the channels you have chosen (email, webhook).
- To respond to support requests, comply with legal obligations, and enforce our Terms of Service.
3. Google API Services User Data disclosure
If you choose to sign in with Google or to connect Google Sheets / Drive for KOLens exports, we request your consent to specific Google OAuth scopes. We disclose each scope, the user-visible feature it powers, and how the data is handled:
- openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile — used solely to create or sign you into your KOLens account. We store your Google account identifier, primary email, and display name. We never publish or share this information.
- https://www.googleapis.com/auth/spreadsheets — used only when you click “Export to Google Sheets” in the app. We use the scope to create or write to a single spreadsheet you have selected. We do not read or modify any other spreadsheet in your Drive.
- https://www.googleapis.com/auth/drive.file — used only to create the export spreadsheet inside your Drive, or to write to a sheet you have explicitly opened with KOLens via the Drive picker. This scope grants access ONLY to files your app has created or that you have explicitly opened with KOLens — never to your entire Drive.
3.1 Limited Use
KOLens’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, KOLens:
- Does not use Google user data for advertising or to serve advertising of any kind, including remarketing, personalized, or interest-based advertising.
- Does not sell or transfer Google user data to third parties, including data brokers, information resellers, or any party that resells or licenses user data.
- Does not use Google user data to train, develop, improve, or fine-tune any artificial intelligence or machine-learning model, whether ours or any third party’s.
- Does not allow humans to read Google user data except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) when the data is aggregated and used for internal operations and is anonymized.
- Uses Google user data only to provide or improve user-facing features of KOLens that are prominent in the requesting application’s user interface.
3.2 Storage, retention, and deletion of Google user data
Google account identifiers, email addresses, and display names are stored in our Supabase Auth database (encrypted at rest) for as long as your KOLens account is active. OAuth refresh tokens for the Sheets / Drive scopes are stored in a server-side cookie that is httpOnly, Secure, and SameSite=Lax; they expire on Google’s schedule and are not retained after expiry.
You can revoke KOLens’s access to your Google account at any time at myaccount.google.com/permissions. You can also delete your KOLens account from account settings (or by emailing us, see Section 8); all Google user data associated with the account is deleted from our systems within thirty (30) days of account deletion.
4. Meta / Facebook Platform Data
Where KOLens integrates with the Meta / Facebook Platform — including, if enabled in the future, Facebook Login, the Meta Ad Library API, or the Meta Marketing API — this section governs how the related data is handled. Our use of any Meta-supplied data complies with the Meta Platform Terms and the Developer Policies.
4.1 What we collect via Meta
- If you connect a Facebook account (Facebook Login) — we request only the minimal scopes needed for the user-facing feature you enabled. Today the only scopes we may request are email and public_profile; we never request friends lists, photos, posts, messages, or any other person-level data without an explicit, in-product consent dialog that names the scope and the feature.
- If you use Ad Spy or competitor research features — we query the public Meta Ad Library through licensed scraping infrastructure (see Section 6, “Apify”). Only the advertiser handle / brand name / ad creative metadata that Meta itself exposes publicly is fetched. No data about you is sent to Meta as part of this lookup.
4.2 How we use Meta-derived data
- Solely to deliver the user-facing feature you triggered (account authentication, ad-spy results, competitor reports).
- To monitor for abuse and fraud against the KOLens account.
- Never for advertising, ad targeting, remarketing, model training, or sale to third parties.
4.3 Sharing
We do not sell, license, lease, or otherwise share Meta-derived user data with third parties, except for the infrastructure providers in Section 6 (“Subprocessors”) who process data on our behalf under contractual confidentiality and security obligations.
4.4 Retention and deletion
Meta-derived account identifiers are kept for the lifetime of your KOLens account. Public Ad Library data is cached for up to 30 days for performance, after which it is re-fetched on demand.
You can request deletion of your Meta-derived data at any time. The full procedure — including the in-app self-service flow, the privacy-team email, and the Facebook Settings → Apps and Websites path — is documented at meta.kolens.ai/data-deletion. We complete deletion within thirty (30) days of a verified request.
4.5 Limited Use commitment for Meta data
KOLens commits that any Meta Platform data we receive:
- Is not sold or transferred to data brokers, ad networks, or any party that resells or licenses user data.
- Is not used for advertising of any kind, including remarketing, personalised, or interest-based advertising.
- Is not used to train, develop, or fine-tune any artificial-intelligence or machine-learning model, whether ours or any third party’s.
- Is not read by humans except (a) with your explicit consent, (b) for security purposes such as abuse investigation, (c) to comply with applicable law, or (d) when fully aggregated and anonymised for internal operations.
5. What we do not collect
KOLens does not collect data from private TikTok accounts. All creator data shown in search results is information that is publicly visible on TikTok at the time of the search. KOLens itself does not log into TikTok with anyone’s personal credentials, and we do not bypass any access control imposed by TikTok.
We do not sell your personal data. We do not share it with advertisers, data brokers, or marketing-attribution networks.
6. Third-party processors (subprocessors)
We rely on the following processors to deliver KOLens. Each is bound by its own privacy policy and a data-protection agreement; we share only the data necessary for that function.
- Supabase (United States / European Union) — authentication, application database, file storage.
- Vercel (United States) — web app hosting, edge network, server logs.
- Railway (United States) — API hosting and background-job execution.
- Stripe (United States) — payment processing, receipts, tax records. KOLens never sees your card details.
- SendGrid (Twilio) (United States) — transactional email delivery for account, billing, and alert messages.
- Apify (Czech Republic) — TikTok / Facebook Ads scraping infrastructure. Only the keyword, scrape parameters, and (for audience features) the public target handle are passed; your identity is not.
- Google (United States) — optional sign-in and (when you enable export) writing to your own Google Sheets / Drive, subject to Section 3 above.
- Anthropic (United States) — only if you use the KOLens MCP Custom Connector or audience-insight feature. In those cases your prompts and the audience-summary data are passed to Claude via the Anthropic API to generate the response you see.
7. Data retention
We keep your account and workspace data for as long as your account is active. If you delete your account, we delete your account record, saved lists, watchlists, audience snapshots, alerts, and search history within thirty (30) days; backups are purged on a rolling sixty (60) day cycle. Anonymous aggregate metrics may be retained indefinitely.
Transaction records required to comply with tax, accounting, and anti-money-laundering law (typically seven years) are retained for the period required by the relevant jurisdiction and then deleted.
8. Your rights
Depending on where you live, you have one or more of the following rights over your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data.
- Deletion — ask us to delete your data, subject to legal-retention requirements.
- Portability — receive your data in a structured, machine-readable format.
- Objection / restriction — object to or restrict certain processing, including direct marketing.
- Withdrawal of consent — withdraw consent for any processing based on consent, at any time.
- Complaint — lodge a complaint with your local data protection authority.
EEA / UK / Swiss residents: under GDPR / UK GDPR you have all of the rights above and can complain to a supervisory authority in your country of residence.
California residents: under the CCPA / CPRA you have the right to know what personal information we collect, sell, or share (we do not sell or share); the right to delete; the right to correct; and the right not to be discriminated against for exercising any of these rights.
Residents of the People’s Republic of China: under PIPL you have rights of access, correction, deletion, portability, and the right to revoke consent.
To exercise any right, email privacy@kolens.ai. We will verify your identity using the email associated with your account and respond within thirty (30) days (or the shorter period required by applicable law).
9. Children
KOLens is not intended for, and is not marketed to, anyone under the age of sixteen (16). We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email us and we will delete it without unreasonable delay.
10. International transfers
Our infrastructure runs in multiple regions, including the European Economic Area and the United States. When personal data is transferred out of the EEA / UK to a country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (and the UK’s addendum) or an equivalent transfer mechanism. By using KOLens you understand that your information may be processed outside your country of residence.
11. Security
We use industry-standard security practices, including TLS 1.2+ on every connection, password hashing via Supabase Auth (bcrypt / argon2), scoped API keys for every third-party processor, per-user authorization checks on every data access, HttpOnly + Secure cookies, OAuth 2.1 with PKCE for outbound connectors, RFC 7009 token revocation, and least-privilege database roles. We log access to sensitive endpoints for audit.
No system is perfect. If you believe you have found a security issue, please report it to privacy@kolens.ai. We will confirm receipt within seventy-two (72) hours and investigate promptly. We do not pursue legal action against good-faith security researchers who follow responsible-disclosure principles.
12. Data breach notification
If we suffer a data breach that creates a likely risk to your rights or freedoms, we will notify you and the relevant supervisory authority without undue delay and in any case no later than seventy-two (72) hours after we become aware, in line with Article 33 GDPR and equivalent rules in other jurisdictions.
13. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the “Effective” date at the top of this page and, where appropriate, notify you by email or in-app banner at least thirty (30) days before the change takes effect. Continued use of the Service after the change means you accept the revised policy.
14. Contact
Questions about this policy or how we handle your data: privacy@kolens.ai.
General support: hello@kolens.ai.
Postal mail: KOLens, c/o kolens.ai, by email request.
See also: Terms of Service.