Privacy Policy
Last updated: July 18, 2026
KostLens ("we", "us") is an AI cost observability service operated from Brazil. This policy explains what we collect, why, where it lives, and the rights you have over it. The short version: we collect what the product needs to work, we don't run ads, and we never sell data.
1. What we collect
- Account data — name, email, and a password (stored only as a salted hash; we cannot read it). Organization and project names you create.
- Usage events — when you install the SDK or send events to our
API, we receive metadata about your AI calls: provider, model, token counts,
computed cost, latency, status, and the tags you choose to attach (such as
featureorendUserId). We never receive prompts or completions — the SDK does not capture message content, only counts. - Provider admin keys — if you connect a provider account for usage import, the key is encrypted at rest (AES-256-GCM), is never displayed again, and is used only to read usage reports.
- Billing data — payments are processed by Stripe. We never see or store card numbers; we keep only subscription status and invoices metadata.
- Cookies — a session cookie to keep you signed in. No advertising or cross-site tracking cookies.
2. End-user identifiers you send us
Tags like endUserId exist so you can see cost per customer. You are the
controller of that data and we process it on your behalf. Send pseudonymous
identifiers (an ID, not an email address) whenever possible, and do not put
personal or sensitive information in tag values.
3. What we use data for
To provide the service (dashboards, alerts, budgets, projections), to secure it (rate limiting, abuse prevention), to bill paid plans, and to answer support requests. That's the whole list. We do not sell data, share it with advertisers, or use your usage data to train AI models.
4. Where data lives
Application servers and database are hosted in the United States (Contabo). DNS and email routing run on Cloudflare. Transactional email is sent via Resend. Payments run on Stripe. Each of these processors only receives what it needs to perform its function.
5. Retention
Raw usage events are kept for the retention window of your plan; aggregated daily statistics are kept for as long as your account exists. Encrypted database backups are kept for 7 days and then age out automatically.
6. Deletion and your rights
Under the LGPD (Brazil) and GDPR (EU) you can access, correct, export, or delete your data. Deleting your account removes your data from the live database within 30 days, and from backups within a further 7 days as they rotate. To exercise any of these rights, email privacy@kostlens.com — we answer within 15 days.
7. Changes
If this policy changes in a way that matters, we'll email account holders before the change takes effect. The "last updated" date above always reflects the current version.
Contact
Privacy: privacy@kostlens.com · Everything else: support@kostlens.com