Privacy Policy
Effective date: 2026-06-15
This Privacy Policy describes how Oceancode(“we”, “us”), operator of Spanlens, collects, uses, and protects your personal data. It is drafted to meet the requirements of the Personal Information Protection Act of the Republic of Korea (“PIPA”) and the EU General Data Protection Regulation (“GDPR”).
1. Data controller
- Trade name: Oceancode
- Representative: Jeon Haesung
- Business Registration Number: 676-71-00622
- E-commerce Registration Number: 2025-Gyeonggi-Gwangju-2133
- Jurisdiction: Republic of Korea
- Privacy Officer: Jeon Haeseong, support@spanlens.io
- EU/EEA Representative (GDPR Art. 27): Spanlens processes personal data of EU/EEA residents from the Republic of Korea. We are evaluating formal representative designation under Art. 27 in proportion to our EU processing volume. In the interim, EU/EEA residents may direct all GDPR-related inquiries directly to our Privacy Officer at support@spanlens.io; we will respond within 30 days.
2. What data we collect
Account information
- Email address (required)
- Display name / avatar URL (when you sign in via Google OAuth)
- Organization name
- Authentication tokens (managed by our identity provider, Supabase)
Service telemetry (LLM requests routed through our proxy)
- Request and response bodies, truncated to a 10 KB preview, these may contain whatever you or your end users submitted to the LLM, including prompts, file contents, user messages, and retrieved context.
- Model identifier, provider, token counts, latency, HTTP status, and computed USD cost for each request.
- Agent trace identifiers and span metadata when you use
observe()or passx-trace-id/x-span-idheaders. - Prompt version tag when you use
withPromptVersion()or theX-Spanlens-Prompt-Versionheader. - Security flags (PII patterns, prompt-injection patterns) detected in the request body, stored as masked samples of 6 characters, never the raw matched text.
- Authorization headers are stripped from stored request bodies so your provider API keys never appear in logs.
Your third-party LLM provider keys
If you register keys for OpenAI / Anthropic / Gemini, we store them encrypted at rest using AES-256-GCM with a master key held outside the database. Keys are only decrypted in ephemeral process memory when your proxy request needs them, and are never displayed back to you after creation.
Billing metadata
Payment processing is handled by Paddle.com Market Ltd. We do not store your credit card number. We retain the Paddle customer and subscription identifiers, your plan tier, and the current billing period from Paddle's webhooks.
Technical logs
- IP address (retained in server logs for up to 30 days)
- User agent
- Session cookies set by our authentication provider
- Timestamps of login and usage
3. How we use your data
- Provide, maintain, and improve the Spanlens service
- Authenticate your account and protect it from unauthorized access
- Route LLM requests to the upstream provider you targeted
- Display your request history, traces, costs, and anomalies in the dashboard
- Send transactional emails (invoices, quota warnings, security alerts)
- Process payments and prevent fraud (via Paddle)
- Comply with legal obligations (tax records, dispute evidence)
4. Legal basis (GDPR)
For EU users, we process data on the following legal bases (GDPR Art. 6):
- Performance of a contract (Art. 6(1)(b)), most service operation falls here, because we process data to fulfill our service obligations to you.
- Legitimate interests (Art. 6(1)(f)), security monitoring, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)), tax record retention and legal requests from Korean authorities.
- Consent (Art. 6(1)(a)), used for optional features; you may withdraw consent at any time.
5. Third parties we share data with (sub-processors)
We engage third-party companies (“sub-processors”) to operate Spanlens. Each processes your data only as needed to provide their service, under contractual confidentiality obligations. A current, authoritative list, with processing locations, data categories, and transfer mechanisms, is maintained at spanlens.io/subprocessors.
As of the effective date of this Policy, our infrastructure sub-processors are Vercel Inc. (USA, compute), Supabase Inc. (Republic of Korea, Postgres, authentication), ClickHouse, Inc. (USA, LLM request log store), Upstash, Inc. (USA, rate-limit counters), and Paddle.com Market Ltd. (Ireland, Merchant of Record). Our communications sub-processors are Resend, Inc. (USA, transactional email) and Functional Software, Inc. / Sentry (USA, error monitoring). For B2B customers, the full set of contractual safeguards applicable to these sub-processors is set out in our Data Processing Addendum.
When you route LLM requests through Spanlens, we forward those requests to the upstream LLM provider you target (OpenAI, Anthropic, or Google). Those providers are independent controllers governed by their own terms, not Spanlens sub-processors. See the Subprocessors page for direct links to each provider's terms.
We do not sell your data and we do not share it with advertising networks or data brokers.
6. International data transfers
Because some of our sub-processors are located outside the Republic of Korea and the EEA, your data may be transferred internationally. For transfers outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum where applicable, or equivalent safeguards offered by each sub-processor. Korea has received an EU adequacy decision (2021/1772), which provides an additional basis for transfers to our Supabase (Korea) data store. PIPA-required cross-border disclosure (recipient, purpose, data items, retention, transfer method) is satisfied by the Subprocessors page and the Data Processing Addendum.
7. How long we keep your data
| Category | Retention period |
|---|---|
| Account profile (email, name) | Until you delete your account, then 15 days |
| LLM request logs | Per your plan: 14 days (Free) / 90 days (Pro) / 365 days (Team) / 365 days (Enterprise; extendable by contract) |
| Encrypted provider keys | Until you revoke them, then purged within 15 days |
| Billing and payment records | 5 years from the transaction (Korean tax law requirement) |
| Records of consumer complaints and dispute resolution | 3 years (Korean e-commerce law) |
| Server logs (IP, user agent) | 30 days |
8. Your rights
Under Korean PIPA
You have the right to:
- Access the personal data we hold about you
- Correct inaccuracies
- Request deletion or suspension of processing
- Withdraw previously given consent at any time
- File a complaint with the Personal Information Protection Commission (pipc.go.kr) or relevant authority.
Under GDPR (EU users)
You additionally have the rights of:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure / “right to be forgotten” (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20) — export your request history and traces from the Settings page in your dashboard, or email support@spanlens.io for a full account data export in JSON format.
- Objection to processing based on legitimate interests (Art. 21)
- Lodging a complaint with your national Data Protection Authority
To exercise any of these rights, email support@spanlens.io from the address associated with your account. We respond within 30 days (may extend to 60 days for complex requests, with notice).
Under US state privacy laws
Spanlens does not sell your personal data or share it for cross-context behavioral advertising. California residents and residents of other US states with applicable privacy laws (Virginia, Colorado, Connecticut, etc.) may submit requests to know, correct, delete, or opt out of any applicable data practices by emailing support@spanlens.io from the address associated with your account. We respond within 45 days (extendable by 45 days where reasonably necessary, with notice).
9. Children's privacy
Spanlens is not directed at children under 14 (Korean PIPA minimum age) or under 16 years old — or the minimum age set by your EU Member State, which may be no lower than 13 — (GDPR Art. 8). Korean law prohibits processing personal data of children under 14 without explicit guardian consent; EU law requires verifiable consent from a person holding parental responsibility for children below the applicable national age threshold. We do not knowingly collect such data. If you believe a child has provided data to us, contact us and we will delete it.
10. Cookies
We set strictly necessary cookies required to maintain your authenticated session. These include the sb-access-token and sb-refresh-token cookies managed by Supabase. We do not currently use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required for our current cookie usage under the ePrivacy Directive's “strictly necessary” exception.
The consent infrastructure for any future opt-in analytics is already in place (a consent banner component plus an isAnalyticsAllowed() gate that all non-essential SDKs must check before initializing). Analytics imports are additionally blocked at lint time so a contributor cannot ship a tracker without first wiring up the consent gate. If we add analytics in the future, we will update this policy and the banner will appear by default.
11. Security measures
- Provider API keys encrypted at rest with AES-256-GCM (authenticated encryption)
- HTTPS/TLS 1.2+ enforced on all transport
- Row-Level Security policies on our Postgres database, enforced by Supabase
- Separate service-role and anon keys; service-role is scoped to server-side operations only
- Authorization headers stripped from stored request bodies
- Encryption master key held outside the database, in infrastructure-level secret management
- Access logging and periodic audit of administrator actions
- Principle of least privilege for team access
12. Data breach notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Personal Information Protection Commission (Korea) and, where GDPR applies, the relevant supervisory authority within 72 hours, and notify affected users without undue delay.
13. Changes to this policy
We may revise this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 14 days before taking effect. The effective date at the top of this page will always reflect the current version.
14. Contact us
For any privacy-related inquiry, contact our Privacy Officer at support@spanlens.io.
Last updated: 2026-06-15. Previous versions are available on request.