Legal · Last updated 22 April 2026

Privacy Policy

1. Introduction

CostLens ("we", "our", or "us") is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, and safeguard your information when you use our SaaS subscription management platform.

2. Data Controller

The data controller responsible for your personal data is:

Bytecore
Registered Address: Kilkis 21, Nea Ionia, Athens, Greece
Company Registration Number: EL801476929
Email: [email protected]

3. Information We Collect

We collect only the minimum personal data necessary to provide our service:

3.1 Account Information

  • Full name
  • Email address
  • Password (stored only as a bcrypt hash, never in recoverable form; see Section 11)
  • If you sign in with Google, your password is replaced by a Google identifier (google_id) — we never store a usable password for Google-signed-in accounts.

3.2 Subscription Data

  • SaaS subscription details (tool names, costs, renewal dates)
  • Domain registration information
  • Budget settings and preferences
  • Notification preferences

3.3 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage statistics (pages visited, features used)

3.4 Attribution Data

When you first arrive on our site we record the marketing source that brought you here and attach it to your account on registration. This lets us understand which channels actually work.

  • UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) if present in the landing URL
  • The URL you landed on and the referring website
  • The timestamp of your first visit

This data is stored on your user record after registration. It is never sold or shared with third parties, and you may request its deletion at any time under Section 8.

3.5 Cookies

We use essential cookies for authentication and site functionality. See Section 9 for details.

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance (Article 6(1)(b)): Processing is necessary to provide our SaaS platform services to you, including account management, subscription tracking, and billing.
  • Legitimate Interest (Article 6(1)(f)): We process data to improve our service, prevent fraud, and ensure platform security. We have assessed that these interests do not override your rights.
  • Consent (Article 6(1)(a)): For marketing communications and non-essential cookies, we obtain your explicit consent which you may withdraw at any time.
  • Legal Obligation (Article 6(1)(c)): To comply with EU tax and accounting regulations.

5. How We Use Your Information

We use your personal data for the following purposes only:

  • Providing and maintaining our SaaS platform
  • Processing subscription renewals and payments
  • Sending service-related notifications (renewal reminders, budget alerts)
  • Providing customer support
  • Improving and optimizing our service
  • Preventing fraud and ensuring security
  • Complying with legal obligations

6. Data Sharing and Third Parties

We do not sell your personal data. We only share data with the following categories of recipients:

6.1 Service Providers

  • Hosting: Hetzner Online GmbH (Falkenstein, Germany — EU)
  • Identity provider (optional): Google LLC — if you choose to sign in with Google, we receive your name, email address, and a Google-specific identifier. We never receive your Google password or other account data.
  • Transactional email: Resend, Inc. (United States) — sends welcome, verification, renewal reminders, and billing receipts
  • Payment processing: Stripe Payments Europe Ltd (Ireland) for EU customers / Stripe, Inc. (United States) — handles Pro subscription billing via Stripe Checkout
  • Analytics (consent-gated): Google LLC (Google Analytics 4) — measures page views, sign-ups, and Pro conversions
  • Advertising measurement (consent-gated): Meta Platforms Ireland Ltd (Meta Pixel) — measures ad performance and builds retargeting audiences for future Facebook/Instagram campaigns

6.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our legal rights, but only to the minimum extent necessary.

6.3 Data Processing Agreements

All third-party processors are bound by GDPR-compliant Data Processing Agreements.

7. International Data Transfers

Your core application data (account, subscription records, domains, budgets) is stored on Hetzner servers in Falkenstein, Germany, inside the European Union. Some of our processors — Resend, Stripe, Google, Meta — are US-based, meaning limited personal data (email address, IP, cookie identifiers) flows to the United States. We rely on the following safeguards for those transfers:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules (where applicable)

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Correct inaccurate data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or cookies at any time

8.1 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected].

Identity verification: To prevent unauthorized access, we verify that requests come from the account holder. For most requests this means confirming the request via the email address on file, or signing in to your account. We will only ask for additional identification if we have reasonable doubts about the identity of the requester, in line with GDPR Article 12(6).

8.2 Response Time

We will respond to your request within 30 days as required by GDPR. In complex cases, we may extend this by an additional 30 days.

8.3 Manifestly Unfounded or Excessive Requests (Article 12(5))

We reserve the right under GDPR Article 12(5) to refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, particularly when repetitive. We will provide justification for any refusal. All requests are logged and tracked to identify patterns of abuse.

8.4 Right to Lodge a Complaint

If you believe we have not handled your data properly, you have the right to lodge a complaint with your national data protection authority. For Greece, this is:
Hellenic Data Protection Authority (HDPA)
Website: www.dpa.gr
Address: Kifissias Ave. 1-3, 11523 Athens, Greece

9. Cookie Policy

We use cookies to provide essential functionality and improve your experience. By using our service, you consent to our use of cookies as described below.

9.1 Essential Cookies

Required for the service to function (authentication, security, session management). These cannot be disabled.

  • Session cookie: Maintains your login state
  • CSRF token: Prevents cross-site request forgery attacks
  • Cookie consent: Remembers your cookie preferences

9.2 First-Party Attribution Cookie

We set a first-party cookie named costlens_attr on your first visit to remember which marketing source referred you (UTM parameters and referring website). This helps us understand which channels bring in new users so we can invest in the ones that work. It's stored on our own domain, never sold or shared, and expires after 30 days.

Because this cookie contains no personally identifying information and is used purely for our own business analytics — not for ad targeting — we treat it as a legitimate interest under GDPR Article 6(1)(f). You can delete it at any time through your browser settings.

9.3 Analytics and Advertising Cookies (Consent Required)

These load only if you click "Accept all" on the cookie banner:

  • Google Analytics 4 (cookies starting with _ga): measures page views, sign-ups, and conversions. Data is processed by Google LLC in the United States.
  • Meta Pixel (_fbp): measures ad campaign performance and builds retargeting audiences for future Facebook and Instagram ads. Data is processed by Meta Platforms Ireland Ltd.

If you click "Essential only" on our cookie banner, or never interact with it, neither of these loads and no data is sent to Google or Meta.

9.4 Managing Cookies

You can change your consent at any time by clearing your browser's local storage for costlens.io — the cookie banner will re-appear on your next visit. You can also manage cookies directly through your browser settings. Note that disabling essential cookies will prevent you from using the service.

10. Data Retention

We retain your personal data only for as long as necessary:

  • Account Data: Until account deletion + 30 days (for recovery)
  • Subscription Data: Until account deletion + 30 days
  • Billing Records: 7 years (legal requirement for tax purposes)
  • Technical Logs: 90 days maximum
  • Support Tickets: 2 years from last interaction

After these periods, data is permanently and securely deleted.

11. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit (HTTPS/TLS)
  • Password hashing (bcrypt)
  • Regular security audits
  • Access controls and authentication
  • Secure EU-based data centers
  • Regular backups with encryption

While we take all reasonable precautions, no internet transmission is 100% secure. You are responsible for keeping your account credentials confidential.

12. Children's Privacy

Our service is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice on our platform. Your continued use after changes constitutes acceptance.

14. Contact Us

For any questions about this Privacy Policy or how we handle your data, contact us:

Email: [email protected]
Data Protection Enquiries: [email protected]
General Support: [email protected]

15. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the European Union and Greece. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Athens, Greece.

This Privacy Policy is GDPR-compliant and designed to protect both your rights and our legitimate business interests. We are committed to transparency and accountability in all our data processing activities.