Privacy policy

Last updated April 2026

Who we are

DebtLens is operated by Strauven Jean-Marc, based in Belgium. For the personal data described here, we act as data controller within the meaning of the GDPR (Regulation (EU) 2016/679). Contact: hello@debtlens.tech.

This policy covers personal data processed on the DebtLens website and hub. For the technical breakdown of what the CLI sends and what stays on your machine, see our data policy.

What personal data we collect

  • Email address — used to issue your license and for magic-link authentication, invoicing, and service notices.
  • License key and plan — to authorize the CLI and render your account page.
  • Machine hash — a SHA-256 hash of your hostname and username, used to enforce the per-machine quota. We cannot reverse it back to your hostname.
  • Aggregated report data — scores, counts, and repository metadata as listed in the data policy. This does not include source code, file names, author names, or commit messages.
  • Billing data — your name, billing address, and tax ID if you provide them, held by our payment processor Lemon Squeezy. We receive a payment confirmation and an invoice reference.
  • Server logs — IP address, user agent, timestamps, requested paths. Kept for up to 30 days for security and troubleshooting.

Why we process it (legal basis)

  • Performance of the contract (GDPR art. 6(1)(b)) — issuing licenses, authenticating you, running the hub, generating your reports and PDFs.
  • Legal obligation (GDPR art. 6(1)(c)) — keeping invoicing data for the period required by Belgian tax law.
  • Legitimate interest (GDPR art. 6(1)(f)) — security logging, fraud prevention, enforcing the per-machine quota.

We do not rely on consent for any of the above, because none of it is optional tracking. We do not run advertising cookies, analytics profiling, or third-party trackers.

Where the data is hosted

The hub runs on servers located in the European Union. The primary database is PostgreSQL, also in the EU. Backups are encrypted and stored in the EU.

Sub-processors

We share personal data only with the following sub-processors, strictly for the purposes listed:

  • Lemon Squeezy (Merchant of Record) — processes your payment, handles VAT, issues your invoice.
  • Hetzner (EU, Germany) — hosts the hub's servers. Server provisioning and deployment are managed through Laravel Forge.
  • Anthropic — generates the executive narrative when you request an AI-written summary. Only the aggregated scores and counts are sent (no code, no identifiers you can tie back to a person). Anthropic does not train on data submitted via the API.
  • Brevo — transactional email provider, sends magic links and service notices.

We do not sell personal data. We do not share it with third parties for their marketing.

International transfers

Anthropic processes data in the United States. We rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses for that transfer. Only aggregated scores are involved — no source code, no named identifiers.

How long we keep it

  • Account and license — while your subscription is active, plus up to 90 days after cancellation so you can reactivate without losing history.
  • Aggregated reports — same as the account, deleted 90 days after cancellation unless you delete them earlier.
  • Invoicing data — 7 years, as required by Belgian tax law.
  • Server logs — up to 30 days.

Your rights

Under the GDPR, you can:

  • Access a copy of your personal data.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (right to erasure), subject to our legal obligation to keep invoicing records.
  • Restrict or object to processing based on legitimate interest.
  • Export your data in a portable format.
  • Lodge a complaint with the Belgian Data Protection Authority (autoriteprotectiondonnees.be) or your local supervisory authority.

To exercise any of these rights, email hello@debtlens.tech from the address associated with your account. We respond within 30 days.

Cookies

The site uses a small number of strictly necessary cookies for login sessions and CSRF protection. We do not use analytics, advertising, or tracking cookies, so we do not display a cookie banner.

Children

DebtLens is not directed at children under 16 and we do not knowingly collect data from them.

Changes to this policy

Material changes will be announced by email. The "Last updated" date at the top reflects the most recent revision.

Contact

Any question about this policy or about your data: hello@debtlens.tech.