Privacy Policy
This policy describes how TestLens Labs (the "Publisher") processes personal data in connection with the testlens.dev website and the "TestLens" browser extension (together, the "Service"). It is written to comply with Regulation (EU) 2016/679 (the "GDPR") and the California Consumer Privacy Act (the "CCPA").
1. Data controller
The data controller is TestLens Labs, as identified in the legal notice at https://testlens.dev/mentions-legales. Contact: [email protected].
No Data Protection Officer is appointed. Appointing a DPO is not required under GDPR Article 37 given the scale and nature of processing described below. Questions about this policy should be sent to [email protected].
2. Core architecture — why we collect very little
TestLens is a Bring-Your-Own-API-key extension. The Publisher does not operate a backend for the extension. Test-case generation happens via direct calls from the user's browser to the API provider selected by the user (Anthropic or OpenAI), using the user's own API key stored locally in chrome.storage.local.
As a result, the Publisher does not receive, store, or process the pages the user analyses, the user stories the user types, or the test cases that the Service generates. These never transit through any server operated by the Publisher. Exchanges with Anthropic or OpenAI are governed by those providers' own privacy policies.
The only categories of personal data processed by the Publisher are those listed in Section 3.
3. Categories of personal data processed
3.1 Support correspondence
When a user sends an email to [email protected], [email protected], or [email protected], the Publisher processes:
- the sender's email address,
- the message content,
- any metadata automatically added by the email infrastructure (timestamps, message IDs).
Purpose: answering the request. Legal basis: Article 6(1)(b) GDPR (performance of a contract or pre-contractual steps) when the message relates to a purchase, or Article 6(1)(f) GDPR (legitimate interest of the Publisher in providing support) otherwise.
3.2 Purchase records (Pro license)
When a user buys a Pro license, the payment is processed by Gumroad, Inc., which acts as an independent data controller and merchant of record. The Publisher accesses the following information through the Gumroad creator dashboard and API:
- the buyer's email address,
- the purchase amount, date, and currency,
- the license key issued to the buyer,
- the country declared for VAT purposes.
Purpose: license verification, VAT / accounting compliance, refund handling. Legal basis: Article 6(1)(b) GDPR (performance of the purchase contract) and Article 6(1)(c) GDPR (legal obligation for accounting and tax records).
3.3 License verification pings from the extension
When the extension verifies a Pro license, it sends the license key (and no other personal data) to the Gumroad API endpoint /v2/licenses/verify. The Publisher does not log or collect these verifications server-side because no server is involved on the Publisher's side.
3.4 Website analytics
The testlens.dev static landing page is served by Cloudflare Pages. The Publisher does not deploy third-party analytics (Google Analytics, Plausible, etc.) on the landing page at launch. Cloudflare automatically collects limited request metadata (IP address, user agent, timestamp) for security and abuse-prevention purposes, under Cloudflare's role as processor. No analytics cookies are set by the Publisher.
3.5 Extension telemetry
The extension does not emit telemetry in v0.1. Should telemetry be added in a future release, it will be opt-in and documented in a revised version of this policy before activation.
4. What we do not collect
For the avoidance of doubt, the Publisher does not collect:
- the content of web pages the user analyses with the extension,
- the user stories typed into the extension,
- the generated test cases,
- the user's API key for Anthropic or OpenAI,
- browsing history or tab activity.
These data items remain on the user's device or are sent directly to the user's chosen LLM provider under that provider's own privacy terms.
5. Retention
The Publisher retains personal data only for as long as necessary for the stated purpose, in line with Article 5(1)(e) GDPR ("storage limitation"). Indicative retention periods:
- Support correspondence: 3 years after the last exchange, in line with CNIL guidance on customer-relations data.
- Purchase records (Gumroad export): 10 years, in line with article L.123-22 of the French Code de commerce for accounting records.
- Cloudflare request logs: retained by Cloudflare under its own retention policy; not retrieved or copied by the Publisher.
6. Recipients and sub-processors
Personal data is shared only with the following recipients. The table below is the authoritative list for this Service.
| Recipient | Role | Data processed | Location | Transfer framework |
|---|---|---|---|---|
| Cloudflare, Inc. | Processor — hosting of testlens.dev (Pages + DNS, and Email Routing if activated) | Access logs (IP address, user agent), static landing-page content | United States | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Gumroad, Inc. | Independent controller + merchant of record for purchases; also license-key storage | Buyer email, buyer name, last 4 digits of card, amount, license key | United States | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Fastmail Pty Ltd | Processor — inbound mailbox for @testlens.dev (IMAP/JMAP, MX) | Support correspondence content and headers | Australia | Standard Contractual Clauses + sectoral EU-Australia adequacy |
| Resend (Resend.com, Inc.) | Processor — outbound transactional email (domain send.testlens.dev) | Recipient email address, message content at send time | United States | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Anthropic, PBC (Claude API) | Bring-Your-Own-key. The Publisher is not the data controller for this flow — the User contracts directly with Anthropic using the User's own API key. | User-supplied page content, user story, User's Anthropic API key | United States | Contractualised by the User directly with Anthropic |
| OpenAI, L.L.C. (GPT API) | Bring-Your-Own-key. The Publisher is not the data controller for this flow — the User contracts directly with OpenAI using the User's own API key. | User-supplied page content, user story, User's OpenAI API key | United States | Contractualised by the User directly with OpenAI |
No other sub-processor has access to personal data processed by the Publisher. The extension is fully client-side for test-case generation (no intermediate TestLens server); inbound email (Fastmail) and outbound email (Resend) are the only points at which the Publisher is effectively a processor of a third party.
The Publisher does not sell personal data and does not share it with advertising networks.
7. International transfers
Transfers to the United States relied on by the Publisher are covered by the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) where the recipient is self-certified, and in any case by the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914). Transfers to Australia (Fastmail) rely on Standard Contractual Clauses, supplemented by the sectoral adequacy recognition of the Australian Privacy Principles under the Privacy Act 1988. A copy of the applicable clauses can be requested from [email protected].
8. User rights under the GDPR
Users located in the European Economic Area, the United Kingdom or Switzerland may exercise the following rights at any time:
- Right of access (Article 15 GDPR) — obtain confirmation of whether personal data is processed and a copy of it.
- Right to rectification (Article 16 GDPR) — correct inaccurate or incomplete data.
- Right to erasure (Article 17 GDPR) — request deletion, subject to legal retention obligations.
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability (Article 20 GDPR) — receive the data in a structured, commonly used, machine-readable format.
- Right to object (Article 21 GDPR) — including objection to processing based on legitimate interest.
- Right to withdraw consent (Article 7(3) GDPR), without affecting prior lawful processing.
- Right to lodge a complaint with a supervisory authority, in particular the Commission nationale de l'informatique et des libertés (CNIL) in France — https://www.cnil.fr.
Requests are sent to [email protected]. The Publisher responds within one month (Article 12(3) GDPR), extendable by two further months for complex requests, with prior notice.
9. User rights under the CCPA (California residents)
California residents may request:
- to know what categories of personal information have been collected about them,
- to access specific pieces of personal information collected,
- to delete personal information, subject to statutory exceptions,
- to opt out of the sale or sharing of personal information (the Publisher does not sell or share personal information within the meaning of the CCPA),
- not to be discriminated against for exercising these rights.
Requests are sent to [email protected]. The Publisher responds within 45 days, extendable once by 45 additional days with prior notice, per Cal. Civ. Code § 1798.130.
10. Cookies
The testlens.dev landing page does not set analytics or advertising cookies at launch. The extension uses chrome.storage.local (a browser storage API, not a cookie) to persist the user's settings, including the API key and license key. Any change to the cookie policy will be reflected in a revised version of this policy.
11. Security
Personal data received by the Publisher is stored with the sub-processors listed in Section 6. The Publisher applies security measures to the extension itself, including scoped permissions (activeTab only), regex-based PII filtering before page content is sent to the user's LLM provider, and service-worker-only access to the user's API key.
12. Minors
The Service is not directed at children under 16. The Publisher does not knowingly collect personal data from children. If a parent or guardian believes that a child has provided personal data, they can contact [email protected] to request deletion.
13. Changes to this policy
The Publisher may update this policy. Material changes will be noted at the top of the page with a new "Last updated" date. The policy in force at the time of an interaction is the one applicable to that interaction.
Last updated: 2026-04-24