Privacy Policy

Last updated: April 25, 2026

The privacy of your data — and it is your data, not ours — is a big deal to us. In this policy we lay out what we collect and why, when we access your information, the third parties we share it with to run the product, and your rights with respect to your data. We do not sell your personal information. We never have, and we never will.

This policy applies to deallens.fyi and all DealLens products. If you have questions, email privacy@deallens.fyi.

What We Collect and Why

Our guiding principle is to collect only what we need.

Identity and access

When you create an account, we ask for your email address (and optionally a name). That’s so you can sign in and so we can send you essential transactional email — welcome, analysis-complete, billing receipts. If you sign in with Google, we also receive your Google account identifier. We will never sell your personal information to third parties or use your name in marketing without your permission.

Billing information

If you upgrade to Pro, we collect billing details through Stripe. Card numbers go directly to Stripe and never touch DealLens servers. We store a record of the transaction (last 4 digits of the card, billing address, invoice metadata) so we can support your account and comply with tax obligations.

Listing data and analyses

When you submit a listing URL or fill in deal data, we store the listing content, your inputs, and the analysis output (calculated metrics, AI screening memo, red flags, Research Assistant chat history) so you can access them in your dashboard. This content is sent to our AI providers during analysis and chat (see “Subprocessors” below). We retain it as long as your account is active. If you delete your account, we delete the content within 60 days.

Usage and security data

We log basic usage events (page views, feature interactions, errors), IP address at sign-in, and rate-limit metadata for security and fraud prevention. We use this data to operate the product and to improve it — never for ad targeting or sale.

Cookies

We use first-party session cookies for authentication and minimal first-party analytics. We do not use third-party advertising trackers, cross-site cookies, or remarketing pixels.

Voluntary correspondence

When you email us a support question, we keep that correspondence so we have history if you reach out again.

Subprocessors

We use the following third parties to run DealLens. Each one only receives the minimum data needed to do its job, under a written data-processing agreement where applicable.

ProviderWhat it doesData shared
SupabaseAuthentication and Postgres database hosting (US region)Email, account ID, listing data, analyses
VercelApplication hosting and CDNRequest logs, IP address
StripePayment processing for Pro subscriptionsEmail, billing address, card details (Stripe-only)
ResendTransactional email deliveryEmail address, message contents
FirecrawlListing URL extractionListing URLs you submit
OpenRouterAI model gateway for analysis promptsListing data and prompts (relayed to model providers below)
AnthropicLLM inference (Claude — used for the deal memo and Research Assistant)Listing data, your chat questions
Google (Gemini)LLM inference (Gemini — used for listing extraction and red-flag screening)Listing data

About AI providers specifically: when you submit a listing for analysis or ask the Research Assistant a question, the relevant content is sent to Anthropic and/or Google for inference. These providers’ published API terms govern their handling and retention of that content. As of the date above, neither provider trains models on API customer data by default.

When We Access or Disclose Your Information

  • To run the product — we use the subprocessors above to deliver the Services you signed up for.
  • To help with support — if you ask for help and we need to look at your account, we’ll ask for your consent first.
  • To investigate abuse or fraud — accessing an account during an abuse investigation is a measure of last resort.
  • When required by law — we’ll respond to valid legal process from US authorities. Our default is to refuse non-US requests unless they come through a US legal-assistance treaty. Where lawful, we’ll notify you before disclosing your data.
  • Aggregated and de-identified data — we may use aggregate or de-identified data (e.g., “X% of analyses are restaurants”) for marketing and product analytics.

If DealLens is ever acquired by or merged with another company, we’ll notify you well before any personal information is transferred or becomes subject to a different privacy policy.

Your Rights

We apply the same data rights to all customers, regardless of location:

  • Right to know what personal information we collect, how it’s used, and who we share it with — described in this policy.
  • Right of access to a copy of the personal information we hold about you.
  • Right to correction of inaccurate personal information.
  • Right to erasure — we’ll delete your personal information on request, subject to limited legal exceptions. Deleting your account is the simplest way to exercise this.
  • Right to portability — you can export your saved analyses from the dashboard at any time.
  • Right to restrict or object to processing in certain circumstances.
  • Right to non-discrimination — we won’t charge you more or give you worse service for exercising any of these rights.
  • Right to complain to your local data protection authority. EU/UK residents can contact their national authority directly.

To exercise any of these rights, email privacy@deallens.fyi. We may need to verify your identity (typically by confirming the email on the account) before responding.

How We Secure Your Data

  • In transit: all traffic uses TLS 1.2+ between you and our servers.
  • At rest: database storage and backups are encrypted.
  • Access control: every database table enforces row-level security so customers can only access their own data.
  • Webhooks: all incoming webhook requests (Stripe, Supabase) are signature-verified.
  • Rate limiting: on every sensitive endpoint to mitigate abuse.

Report suspected vulnerabilities to security@deallens.fyi.

Data Retention

Saved analyses persist until you delete them or close your account. On account deletion, content becomes inaccessible immediately and is purged from active systems within 30 days and from backups within 60 days. Aggregated and de-identified usage metrics may be retained.

Location of Data

DealLens operates in the United States. If you are in the European Union, UK, or elsewhere outside the US, please be aware that any information you provide is transferred to and stored in the United States. By using the Services you consent to that transfer.

Children

DealLens is not directed to children under 18 and we do not knowingly collect personal information from children. If we learn we have collected personal information from a child under 18, we’ll delete it.

Changes and Questions

We may update this policy as we add features and as regulations evolve. When we make a significant change we’ll refresh the date at the top and email account holders.

Questions, comments, or concerns about this policy or your data? Email privacy@deallens.fyi and we’ll respond.

Portions of this Privacy Policy are adapted from 37signals (Basecamp)’s open-source policies, used under CC BY 4.0. DealLens-specific sections (subprocessor list including AI providers, AI data-handling disclosure, retention specifics) were authored separately. This document is provided in good faith but is not a substitute for legal advice; consult a licensed privacy attorney before relying on it for production commerce in regulated jurisdictions.