Privacy Policy

Effective Date: 2026-04-17  |  Last Updated: 2026-04-20


1. Controller Information

SiliconLens ("the Service", "we", "us", "our") is operated by an independent developer based in the Republic of Korea. SiliconLens provides AI-powered semiconductor errata analysis tools for firmware and embedded systems engineers.

Service Availability: SiliconLens is currently available outside the European Economic Area (EEA). Users in the EU/EEA are not able to access the Service at this time. We plan to expand availability to the EU/EEA in the future, at which point this Policy will be updated accordingly with at least 30 days' advance notice.

For all privacy-related inquiries, including requests to exercise your rights under CCPA/CPRA or UK GDPR, contact:

  • Privacy Contact: erratahunter@proton.me
  • Postal Address: Available upon written request to the email above.
  • Jurisdiction of Operator: Republic of Korea

SiliconLens is the Data Controller for Account Data, Usage Data, and User Content as defined in Section 2. Paddle is an independent Data Controller for Payment Data, as described in Section 3.


2. Data We Collect

2.1 Account Data

  • Email address (used as login identifier)
  • Authentication tokens and password hashes (managed by Supabase Auth)
  • Subscription tier (free / pro) and linked payment processor customer identifier

2.2 Usage Data

  • Chat queries, AI responses, and session metadata stored in chat_sessions and chat_messages
  • Credit consumption records and rate-limit counters (Upstash Redis)
  • Token usage logs for billing and abuse detection (token_usage_logs, mcp_usage_logs)
  • MCP tool invocation logs (for Pro users with IDE integration)

2.3 User Content

  • PDF documents you upload to your Private Vault
  • Extracted text chunks and embedding vectors derived from those documents
  • URLs you submit for errata ingestion

2.4 Payment Data (processed by Paddle, not by SiliconLens)

SiliconLens does not receive, store, or process your payment card details, billing address, or tax identification numbers. We only receive from Paddle: your subscription tier, a Paddle customer identifier, subscription status, and period dates needed to grant access.

2.5 Technical Data

  • IP address and user agent (Vercel access logs, retained for security/abuse detection)
  • Browser session cookies (Supabase Auth)
  • Product analytics events (PostHog, if enabled)

3. Payment Processing — Merchant of Record

SiliconLens uses Paddle as its Merchant of Record (MoR) for all subscription billing. This means:

  • Paddle is an independent Data Controller (not a processor) for payment-related personal data, including your name, billing address, payment card details, tax identification numbers, and purchase history.
  • SiliconLens does not receive, store, or process your payment card details. All card data is handled directly by Paddle under PCI DSS Level 1.
  • Paddle acts as the reseller of record, meaning Paddle (not SiliconLens) is the contractual seller, tax collector, and invoice issuer for your subscription.

The Paddle Controller entities responsible for processing your payment data are:

  • Paddle.com Market Limited — Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom (primary)
  • Paddle Payments Limited — The Academy, 42 Pearse Street, Dublin 2, D02 HV59, Ireland (Paddle's EU entity; SiliconLens does not currently serve EU/EEA users)
  • Paddle.com Inc. — 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA (for US customers)
  • Paddle.com Canada Ltd — 22 Adelaide Street West, Suite 3400, Toronto, Ontario, M5H 4E3, Canada (for Canadian customers)

For questions about how Paddle processes your payment data, refer to Paddle's Privacy Notice at https://www.paddle.com/legal/privacy, or contact privacy@paddle.com or https://preferences.paddle.com.


4. Legal Basis and Purposes of Processing

The following table sets out the purposes for which we process personal data, together with the legal basis under UK GDPR and the equivalent CCPA business purpose for California residents.

Purpose | Legal Basis (UK GDPR) | CCPA Business Purpose
Providing the Service (account, chat, RAG search, MCP) | Contract (Art. 6(1)(b)) | Performing services
Billing and subscription management | Contract (Art. 6(1)(b)) | Processing transactions
Security, fraud, and abuse prevention | Legitimate interest (Art. 6(1)(f)) | Security/integrity
Product analytics and service improvement | Legitimate interest (Art. 6(1)(f)) | Quality/safety maintenance
Legal compliance (tax, subpoenas) | Legal obligation (Art. 6(1)(c)) | Compliance with law

We do not process special categories of personal data (UK GDPR Art. 9) and do not sell personal information as defined under CCPA §1798.140(t).


5. Third-Party Processors and Sub-Processors

SiliconLens relies on the following third parties to operate the Service. Each provider is bound by its own DPA and appropriate safeguards.

Provider | Purpose | Role | Reference
Supabase | PostgreSQL database, authentication, object storage, pgvector | Processor | https://supabase.com/legal/dpa
Google (Gemini API, paid tier) | LLM inference for chat, embeddings, document analysis | Processor | https://ai.google.dev/gemini-api/terms
Upstash | Redis for credit counters, rate limits, locks | Processor | https://upstash.com/trust/privacy.pdf
Vercel | Hosting, edge runtime, access logs | Processor | https://vercel.com/legal/dpa
PostHog (if enabled) | Product analytics | Processor | https://posthog.com/privacy
Paddle (4 entities, see §3) | Payment processing, tax, invoicing | Independent Controller (MoR) | https://www.paddle.com/legal/privacy

5.1 Business Transfers

We may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. In such event, we will use reasonable efforts to notify affected users before their personal information is transferred and becomes subject to a different privacy policy.


6. AI and Automated Processing (Google Gemini)

SiliconLens uses the Google Gemini API on the paid tier for LLM inference, embeddings, and document analysis. According to Google's Gemini API Terms:

  • Google does not use your prompts, system instructions, cached content, uploaded files, or model responses to train or improve Google products.
  • Google performs short-term logging only for abuse detection, security, and legal compliance.
  • Google acts as a Data Processor and the Google Cloud Data Processing Addendum applies.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Important disclosures about AI output:

  • All errata analysis, workarounds, and chat responses are AI-generated and may contain errors, hallucinations, or omissions.
  • AI output is provided for informational purposes only and must be independently verified before use in production systems.
  • SiliconLens does not make fully automated decisions that produce legal or similarly significant effects about you within the meaning of UK GDPR Article 22.

7. International Data Transfers

SiliconLens is operated from the Republic of Korea. Our sub-processors store and process data primarily in the United States and the European Union. Where personal data of UK users is transferred outside the UK, we rely on:

  • UK International Data Transfer Addendum (UK IDTA) where applicable, incorporated into each sub-processor's DPA.
  • Adequacy decisions recognized by the UK Secretary of State (e.g., the UK Extension to the EU-US Data Privacy Framework, where the relevant sub-processor is certified).

SiliconLens does not currently serve EU/EEA users. If we expand availability to the EU/EEA in the future, we will update this section to address EU-specific transfer mechanisms (e.g., Standard Contractual Clauses).

You may request a copy of the safeguards in place by emailing erratahunter@proton.me.


8. Data Retention

Category | Retention Period
Account data | Until account deletion + 30 days grace period
Chat sessions and messages | Until you delete them, or until account deletion
Private Vault documents and embeddings | Until you delete them, or within 30 days of account deletion
Usage and billing logs | Up to 5 years (fraud prevention and internal audit; Paddle retains invoicing records per its own policy)
Security logs (IP, user agent) | Up to 90 days
Backups | Overwritten within 30 days

9. Your Rights

9.1 Rights Under UK GDPR (United Kingdom Residents)

If you are located in the United Kingdom, you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing based on legitimate interest, and withdrawal of consent where processing is consent-based. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

SiliconLens does not currently serve users in the EU/EEA. If we expand availability to the EU/EEA in the future, we will update this section to address EU GDPR-specific rights and supervisory authorities.

9.2 Rights Under CCPA / CPRA (California Residents)

You have the right to: know what personal information we collect and how it is used, delete personal information, correct inaccurate information, opt out of the sale or sharing of personal information (SiliconLens does not sell or share personal information as defined by CCPA), and limit the use of sensitive personal information. You have the right to non-discrimination for exercising these rights.

We do not share personal information with third parties for their direct marketing purposes (California Civil Code §1798.83).

9.3 How to Exercise Your Rights

Submit requests through either of these channels:

  1. Email: erratahunter@proton.me (include "Privacy Request" in the subject line)
  2. In-app: Settings → Privacy → Submit Data Request (where available)

We will verify your identity using your account email and respond within 30 days (UK GDPR) or 45 days (CCPA). Requests are free of charge unless manifestly unfounded or excessive.

9.4 Authorized Agents (CCPA)

Under CCPA, you may designate an authorized agent to submit a data request on your behalf. The agent must provide written proof of authorization (e.g., a signed power of attorney or written permission). We may deny a request from an agent that does not submit valid proof of authorization.

9.5 Appeals

If we decline to take action on your privacy request, you may appeal our decision by emailing erratahunter@proton.me with the subject line "Privacy Appeal." We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision, within 45 days. If your appeal is denied, you may submit a complaint to your state attorney general (for US state law rights) or to the relevant supervisory authority.


10. Cookies and Tracking

SiliconLens uses only the following categories of cookies:

  • Strictly necessary: Supabase authentication session cookies. Required for the Service to function; cannot be disabled.
  • Analytics (if enabled): PostHog cookies for anonymized product analytics. You may opt out via the cookie banner or by setting your browser's Do Not Track flag.

SiliconLens does not use third-party advertising cookies, cross-site tracking, or data brokers.


10A. Do-Not-Track Disclosure

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

California law requires us to let you know how we respond to web browser DNT signals. Because there is currently no industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.


11. Children's Privacy

SiliconLens is not intended for and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe their child has provided personal data should contact erratahunter@proton.me.


12. Security

We implement technical and organizational measures appropriate to the risk, including: encryption in transit (TLS 1.2+), encryption at rest (Supabase-managed), row-level security (RLS) policies isolating user content, SHA-256 hashing of API keys, rate limiting, and access logging. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.


13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days in advance via email to your account address and/or an in-app notice. The "Last Updated" date at the top of this document reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.


14. Contact

For all privacy-related questions, requests, or complaints:

  • Email: erratahunter@proton.me
  • Subject line: "Privacy Request" (for rights requests) or "Privacy Question" (for general inquiries)

For payment-related privacy questions, contact Paddle directly at privacy@paddle.com or https://preferences.paddle.com.

