Skip to main content
Legal

Privacy Policy

Last updated: 18 March 2026

1. Who We Are

CompanyLens (“we”, “us”, “our”) operates the website at companylens.io and provides a cross-jurisdiction company registry API. This privacy policy explains how we collect, use, and protect your personal data when you use our website and services.

For privacy enquiries, contact us at .

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name and email address via our authentication provider (Clerk). We do not store passwords — authentication is handled entirely by Clerk.

2.2 API Usage Data

When you use the CompanyLens API, we log the following for rate limiting, billing, and service improvement:

  • API endpoint called, HTTP method, and response status code
  • Response time
  • Timestamp
  • API key used (prefix only, never the full key)

We do not log the content of your search queries in usage records.

2.3 Payment Data

Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details. Stripe provides us with a customer ID, subscription status, and last four digits of your card for display purposes. See Stripe's privacy policy.

2.4 Website Analytics

We use privacy-friendly analytics that do not use cookies and do not track individual users. No personal data is collected through analytics.

2.5 Server Logs

Our servers automatically log IP addresses, user agents, and request URLs for security and debugging purposes. These logs are retained for up to 30 days and then deleted.

3. How We Use Your Data

We use your personal data to:

  • Provide and maintain your account and API access
  • Process payments and manage subscriptions
  • Enforce rate limits and usage quotas
  • Respond to support requests
  • Detect and prevent abuse, fraud, and security incidents

We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties for marketing purposes.

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract: Processing necessary to provide the service you signed up for (account management, API access, billing).
  • Legitimate interest: Security monitoring, abuse prevention, and service improvement.
  • Legal obligation: Where required by law (e.g. tax records for payments).

5. Third-Party Processors

We use the following third-party services that process data on our behalf:

  • Authentication and user management provider
  • Payment processing provider
  • Server hosting provider (EU)
  • Offsite encrypted database backup provider (EU)

All processors are bound by data processing agreements and process data only on our instructions.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • API usage logs: Retained for 90 days for billing and analytics, then aggregated and anonymised.
  • Payment records: Retained for 7 years as required by UK tax law.
  • Server logs: Retained for 30 days.
  • Audit logs: Retained for a minimum of 1 year in an immutable store, as required for security and compliance purposes.

7. Your Rights (GDPR)

If you are in the UK or EEA, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data (subject to legal retention requirements).
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request restricted processing while a complaint is resolved.

To exercise any of these rights, email . We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO).

8. Cookies

CompanyLens uses only strictly necessary cookies for authentication session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required.

9. Data Security

We protect your data with:

  • Encryption in transit (TLS/HTTPS on all connections)
  • API keys stored as SHA-256 hashes (we never store plaintext keys)
  • Server-level firewalls and intrusion detection
  • Automated security patches
  • Access restricted to authorised personnel only

10. International Transfers

Our servers are hosted in the EU. Some third-party processors may process data in the United States under appropriate safeguards (Standard Contractual Clauses or equivalent).

11. Company Registry Data

The company, officer, and beneficial ownership data served through our API is sourced from public government registries. Where this data includes personal information (such as officer names, addresses, and dates of birth), our lawful basis for processing is legitimate interest under GDPR Article 6(1)(f) — specifically, providing a business intelligence service based on publicly available records.

If you are named in company registry data and wish to exercise your right to erasure, please contact . We will assess your request in accordance with GDPR Article 17, noting that public record data may be exempt from erasure under Article 17(3)(d). Data source attributions and licences are detailed on our Terms of Service page.

12. Children

CompanyLens is a business service not directed at children. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes by email. The “last updated” date at the top of this page indicates the most recent revision.