Privacy policy
Last updated 6 May 2026.
1. Who we are
IvyLens is operated by IvyLens Ltd, a company registered in England and Wales. We are the data controller for the personal data described in this policy. To contact us, email hello@ivylens.app.
2. What we collect
- Account data: email, hashed password, plan tier, billing identifiers (Stripe customer / subscription / price IDs), and your average placement-fee preference.
- Team data: for Agency / Enterprise plans, the members you invite, when they accepted or were removed, and the owner-to-member relationship.
- Activity data: companies you unlock, audit-log events for tier / membership / fee changes, and staff access records when our team views your account for support.
- Marketing data: name, email, location and referral signals submitted to the waitlist or contact form.
- Cookies: only strictly-necessary cookies for authentication and staff test mode. We do not set tracking or advertising cookies.
3. Why we use it
We process personal data on the lawful bases of (a) performing the contract with you, (b) our legitimate interests in operating and securing the service, and (c) compliance with our legal obligations. Specifically:
- To authenticate you and gate access to paid features.
- To process subscription payments and unlock purchases via Stripe.
- To deliver Agency / Enterprise team functionality (invites, member management, shared access).
- To detect, prevent and respond to abuse, fraud and security incidents (rate limits, audit logs, bot signals).
- To respond to support requests and contact-form messages.
4. Who we share it with
We don't sell your data. We share with sub-processors strictly for service delivery:
- Supabase (database + authentication; EU region).
- Stripe (payments; customer + subscription identifiers, no card data on our side).
- Resend (transactional email delivery for invites and confirmations).
- Vercel (hosting, edge logs, request metadata).
5. How long we keep it
Account data is retained while your account is active and for up to 12 months after closure for legal / dispute-resolution purposes, then deleted. Audit-log entries are retained for 24 months. Stripe keeps payment records under its own retention policies.
6. Your rights
Under UK GDPR you have rights to access, rectify, erase, restrict, object to, and port your personal data, plus the right to lodge a complaint with the Information Commissioner's Office (ICO). Exercise any of these by emailing hello@ivylens.app; we'll respond within one calendar month.
7. Security
Database access is gated by row-level security policies; sensitive mutations are verified server-side and audit-logged. Webhook handlers are idempotent; Stripe redirects are pinned to our domains; staff access is recorded. No system is impervious; report a suspected vulnerability to hello@ivylens.app.
8. Changes
We'll update this page when our practices change and surface material changes via email or in-portal notice.