Privacy Policy
Effective Date: April 16, 2026
This Privacy Policy describes how GQLens ("we," "us," or "our") collects, uses, and shares information when you use the GQLens platform ("Service"). By using the Service, you agree to the practices described in this policy.
Data Controller
The data controller for the Service is:
Flexmatic
Org.nr 8602262415
Vintergatan 7A, 561 30 Huskvarna, Sweden
Email: [email protected]
1. Information We Collect
1.1 Account Information
When you register, we collect information which may include:
- Name and email address
- Profile picture
- Organization or team name
- Authentication identifiers
1.2 GraphQL Schema Data
When you connect a GraphQL endpoint, the Service introspects and stores:
- Schema definitions (types, fields, arguments, directives, descriptions)
- Endpoint URLs and connection metadata
- Queries you submit for validation
This data is necessary to provide schema discovery, semantic search, and query validation.
1.3 AI Interaction Data
When you use AI-powered features (semantic search, chat), we process:
- Your search queries and chat messages
- AI-generated responses
- Embeddings generated from your schema data for semantic indexing
1.4 Usage Data
We automatically collect:
- Pages visited and features used
- Browser type and operating system
- IP address
- Timestamps of interactions
1.5 MCP Client Data
When you connect the GQLens MCP server to a development tool (e.g., Cursor, VS Code), we process:
- Tool invocation requests and parameters
- OAuth tokens used to authenticate the connection
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: introspect schemas, run semantic searches, validate queries, and serve MCP tool responses.
- Improve the Service: analyze usage patterns to fix issues and develop new features.
- Communicate with you: send account notifications, respond to support requests, and provide service updates.
- Ensure security: detect and prevent fraud, abuse, and unauthorized access.
- Process payments: manage subscriptions and billing for paid plans.
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and authentication | Contract performance |
| Schema introspection, search, and validation | Contract performance |
| AI chat and semantic search | Contract performance |
| MCP server tool responses | Contract performance |
| Transactional email (verification, notifications) | Contract performance |
| Payment processing and invoicing | Contract performance and legal obligation |
| Client-side analytics (Google Analytics, PostHog browser tracking) | Consent (via cookie banner) |
| Error monitoring (Sentry) | Consent (via cookie banner) |
| Server-side operational metrics (token usage, request performance) | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Service improvement and feature development | Legitimate interest |
Where processing is based on consent, you may withdraw consent at any time through the cookie preferences on our website. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
4. How We Share Your Information
We do not sell your personal information. We share data only with the following categories of third-party processors, solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Billing information, payment method metadata, transaction history |
| OpenAI | AI-powered search and chat features | Schema excerpts, search queries, chat messages |
| Google Analytics | Website analytics and usage reporting | Usage data, page views, device and browser information, IP address (anonymized) |
| PostHog | Product analytics and feature usage tracking | Usage data, feature interactions, session information |
| Sentry | Error monitoring and performance tracking | Error reports, stack traces, browser and device metadata |
| Qdrant | Vector database for semantic search | Schema embeddings, search query embeddings |
| Resend | Transactional email delivery | Email addresses, email content |
| DigitalOcean | Application and database hosting | All service data (encrypted at rest and in transit) |
These providers process data on our behalf under contractual obligations to protect your information. We will notify you of material changes to our sub-processor list with reasonable advance notice.
We may also share information if required by law, to protect our legal rights, or in connection with a merger, acquisition, or sale of assets (with notice to you).
5. Data Retention
- Account data is retained for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law.
- Schema data is deleted when you remove an endpoint or delete your account.
- AI interaction data (chat messages, search queries) is retained for up to 90 days after your last interaction to provide conversation history, then automatically purged.
- Usage data is retained in anonymized or aggregated form for analytics.
6. Data Security
We implement reasonable technical and organizational measures to protect your information, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication for all internal systems
- Regular security reviews
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate data.
- Deletion: request deletion of your personal data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing of your data in certain circumstances.
- Restriction: request that we limit processing of your data.
You also have the right to lodge a complaint with your local data protection supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY) — imy.se.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Cookies and Tracking
The Service uses cookies and similar technologies for:
- Essential cookies: session management, authentication state, and security.
- Preference cookies: remembering your settings such as light/dark theme.
- Analytics cookies: Google Analytics and PostHog use cookies and similar technologies to collect usage data that helps us understand how the Service is used and improve it. These tools may assign anonymous identifiers to your browser.
We do not use third-party advertising cookies. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
9. International Data Transfers
Your data may be processed in countries outside your own, including the United States (where some of our third-party providers operate). We ensure that appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
10. Children's Privacy
The Service is not directed to anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- We do not sell personal information. We have not sold personal information in the preceding twelve months and have no plans to do so.
- Do Not Track. We do not respond to Do Not Track browser signals. You can control analytics and monitoring cookies through the cookie preferences on our website.
- Right to know and delete. California residents may request access to or deletion of their personal information by contacting us at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Effective Date." Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at [email protected].