Privacy policy

The short version: we store what the product needs to score your translations, we sell nothing, we train on nothing. Last updated June 9, 2026.

1. Who is responsible

Polylens ("we") is the controller for personal data processed through polylens.sh. Contact: hello@polylens.sh.

2. What we collect and why

Account data (name, email, salted password hash; with social sign-in: name, email and avatar from Google or GitHub). Legal basis: performance of contract, GDPR Art. 6(1)(b).

Locale files you paste, upload, import from a repo or POST from CI, plus the scores, issues and scan history computed from them. Legal basis: performance of contract, Art. 6(1)(b). We never train on your content and never share it.

Billing data. Payments run entirely through Stripe; we store your Stripe customer id and plan. Your card details never touch our servers. Legal basis: contract and legal obligations, Art. 6(1)(b) and (c).

Operational logs (IP address, timestamp, endpoint) kept briefly for security and debugging. Legal basis: legitimate interest in a secure service, Art. 6(1)(f).

3. What we do not do

No advertising trackers, no third-party analytics scripts, no selling or renting of data, no profiling, no automated decision-making with legal effect, no AI training on your content. Cookies are limited to the strictly necessary session cookie that keeps you signed in; that is why there is no cookie banner.

4. Processors and recipients

We share data only with processors needed to run the service, each bound by a data processing agreement: Stripe (payments), Resend (transactional email such as password resets), our hosting provider (infrastructure), GitHub (only when you sign in with it or connect a repo), Google (only when you sign in with it). Where processing happens outside the EU/EEA, it is protected by EU standard contractual clauses or an adequacy decision.

5. Retention and deletion

Scan history is kept according to your plan's history window. Deleting a project deletes its files, scans and issues. Deleting your account removes your personal data and content within 30 days, except where law requires longer retention (e.g. invoices). Backups roll off automatically.

6. Security

Transport encryption (TLS) everywhere, passwords stored only as salted hashes, project tokens shown once and stored in a hashed-equivalent form, least-privilege access to production, and isolation between customer accounts. No internet service can promise absolute security; we notify affected users and authorities of breaches as the GDPR requires.

7. Your rights

Under the GDPR you can request access, rectification, erasure, restriction and portability, and you can object to processing based on legitimate interest. Where processing is based on consent, you can withdraw it anytime. You can complain to a supervisory authority; in Germany that is the data protection authority of your state.

8. Children

The service is for professionals and not directed at children under 16. We do not knowingly collect their data.

9. Changes

We may update this policy; material changes are announced in the app or by email. The current version always lives at polylens.sh/privacy.