Privacy Policy
Effective date: 2026-04-22
This Privacy Policy describes how Oceancode (“we”, “us”), operator of Spanlens, collects, uses, and protects your personal data. It is drafted to meet the requirements of the Personal Information Protection Act of the Republic of Korea (“PIPA”) and the EU General Data Protection Regulation (“GDPR”).
1. Data controller
- Trade name: Oceancode (오션코드)
- Representative: Jeon Haesung (전해성)
- Business Registration Number: 676-71-00622
- E-commerce Registration Number: 2025-경기광주-2133
- Jurisdiction: Republic of Korea
- Privacy Officer (개인정보보호책임자): Jeon Haesung — support@spanlens.io
2. What data we collect
Account information
- Email address (required)
- Display name / avatar URL (when you sign in via Google OAuth)
- Organization name
- Authentication tokens (managed by our identity provider, Supabase)
Service telemetry (LLM requests routed through our proxy)
- Request and response bodies, truncated to a 10 KB preview — these may contain whatever you or your end users submitted to the LLM, including prompts, file contents, user messages, and retrieved context.
- Model identifier, provider, token counts, latency, HTTP status, and computed USD cost for each request.
- Agent trace identifiers and span metadata when you use
observe()or passx-trace-id/x-span-idheaders. - Prompt version tag when you use
withPromptVersion()or theX-Spanlens-Prompt-Versionheader. - Security flags (PII patterns, prompt-injection patterns) detected in the request body, stored as masked samples of 6 characters — never the raw matched text.
- Authorization headers are stripped from stored request bodies so your provider API keys never appear in logs.
Your third-party LLM provider keys
If you register keys for OpenAI / Anthropic / Gemini, we store them encrypted at rest using AES-256-GCM with a master key held outside the database. Keys are only decrypted in ephemeral process memory when your proxy request needs them, and are never displayed back to you after creation.
Billing metadata
Payment processing is handled by Paddle.com Market Ltd. We do not store your credit card number. We retain the Paddle customer and subscription identifiers, your plan tier, and the current billing period from Paddle's webhooks.
Technical logs
- IP address (briefly, in network-layer logs)
- User agent
- Session cookies set by our authentication provider
- Timestamps of login and usage
3. How we use your data
- Provide, maintain, and improve the Spanlens service
- Authenticate your account and protect it from unauthorized access
- Route LLM requests to the upstream provider you targeted
- Display your request history, traces, costs, and anomalies in the dashboard
- Send transactional emails (invoices, quota warnings, security alerts)
- Process payments and prevent fraud (via Paddle)
- Comply with legal obligations (tax records, dispute evidence)
4. Legal basis (GDPR)
For EU users, we process data on the following legal bases (GDPR Art. 6):
- Performance of a contract (Art. 6(1)(b)) — most service operation falls here, because we process data to fulfill our service obligations to you.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)) — tax record retention and legal requests from Korean authorities.
- Consent (Art. 6(1)(a)) — used for optional features; you may withdraw consent at any time.
5. Third parties we share data with (sub-processors)
We engage the following processors to operate Spanlens. Each processes your data only as needed to provide their service, under contractual confidentiality obligations:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | USA (AWS) |
| Vercel Inc. | Web and API hosting, Edge runtime | USA / EU (Vercel Edge Network) |
| Paddle.com Market Ltd. | Payment processing, Merchant of Record, invoicing | United Kingdom |
| Resend, Inc. | Transactional and alert emails | USA |
| OpenAI, L.L.C. | LLM request forwarding (when you target OpenAI endpoints) | USA |
| Anthropic, PBC | LLM request forwarding (Anthropic endpoints) | USA |
| Google LLC | LLM request forwarding (Gemini endpoints) | USA / EU (Google Cloud) |
| GitHub, Inc. | Code hosting, container registry (for self-host users) | USA |
We do not sell your data and we do not share it with advertising networks or data brokers.
6. International data transfers
Because several of our sub-processors are located outside the Republic of Korea and the EEA, your data may be transferred internationally. For transfers outside the EEA, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards offered by each sub-processor. PIPA-required cross-border disclosure (recipient, purpose, data items, retention, transfer method) is satisfied by the table above.
7. How long we keep your data
| Category | Retention period |
|---|---|
| Account profile (email, name) | Until you delete your account, then 15 days |
| LLM request logs | Per your plan: 7 days (Free) / 30 days (Starter) / 90 days (Team) / 365 days (Enterprise) |
| Encrypted provider keys | Until you revoke them, then purged within 15 days |
| Billing and payment records | 5 years from the transaction (Korean tax law requirement) |
| Records of consumer complaints and dispute resolution | 3 years (Korean e-commerce law) |
| Server logs (IP, user agent) | 30 days |
8. Your rights
Under Korean PIPA
You have the right to:
- Access the personal data we hold about you (열람 요구)
- Correct inaccuracies (정정·삭제 요구)
- Request deletion or processing suspension (삭제·처리정지 요구)
- Withdraw previously given consent at any time
- File a complaint with the Personal Information Protection Commission (개인정보보호위원회, pipc.go.kr) or relevant authority.
Under GDPR (EU users)
You additionally have the rights of:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure / “right to be forgotten” (Art. 17)
- Restriction of processing (Art. 18)
- Data portability — export in machine-readable format (Art. 20)
- Objection to processing based on legitimate interests (Art. 21)
- Lodging a complaint with your national Data Protection Authority
To exercise any of these rights, email support@spanlens.io from the address associated with your account. We respond within 30 days (may extend to 60 days for complex requests, with notice).
9. Children's privacy
Spanlens is not directed at children under 14. Korean law prohibits processing personal data of children under 14 without explicit guardian consent. We do not knowingly collect such data. If you believe a child has provided data to us, contact us and we will delete it.
10. Cookies
We set functional cookies required to maintain your authenticated session. These include the sb-access-token and sb-refresh-tokencookies managed by Supabase. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required for our current cookie usage under the ePrivacy Directive's “strictly necessary” exception.
If we add analytics in the future, we will update this policy and offer an opt-in consent mechanism.
11. Security measures
- Provider API keys encrypted at rest with AES-256-GCM (authenticated encryption)
- HTTPS/TLS 1.2+ enforced on all transport
- Row-Level Security policies on our Postgres database, enforced by Supabase
- Separate service-role and anon keys; service-role is scoped to server-side operations only
- Authorization headers stripped from stored request bodies
- Encryption master key held outside the database, in infrastructure-level secret management
- Access logging and periodic audit of administrator actions
- Principle of least privilege for team access
12. Data breach notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Personal Information Protection Commission (Korea) and, where GDPR applies, the relevant supervisory authority within 72 hours, and notify affected users without undue delay.
13. Changes to this policy
We may revise this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 14 days before taking effect. The effective date at the top of this page will always reflect the current version.
14. Contact us
For any privacy-related inquiry, contact our Privacy Officer at support@spanlens.io.
Last updated: 2026-04-22. Previous versions are available on request.