Privacy Policy
Effective date: February 15, 2026
1. Who We Are
Relens is operated by INIT Labs d.o.o., located at Bukovceva 15, 21000 Split, Croatia (VAT: HR95602550911). For privacy inquiries, contact us at privacy@relens.dev.
INIT Labs d.o.o. is the data controller for the personal data described in this policy.
2. What We Collect
Relens collects two categories of data:
Account data: When you sign in, we receive your name, email address, and profile picture from your OAuth provider (Google or GitHub). We also store hashed API keys and subscription status.
Performance telemetry: When you instrument a React application with the Relens npm package, we receive component names, render durations, effect firing patterns, network request metadata (URLs, status codes, timing), and user interaction events (element selectors, event types). The level of URL detail included in network metadata is configurable via the urlRedaction prop, which can strip hostnames or paths, or replace URLs with opaque hashes, before any data leaves the browser. We do not collect source code, DOM content, input values, passwords, cookies, or personal data from your application's end users.
3. How We Collect Data
npm package: The Relens npm package uses React's Profiler API and internal fiber tree inspection to collect performance telemetry from your instrumented React application. Data is exposed via a global object (window.__RELENS__) that the Chrome extension reads.
Chrome extension: The extension's page script reads the global object, forwards data to the background service worker, and stores it locally for the DevTools panel. If you are signed in, the extension pushes data to our server via WebSocket.
OAuth providers: When you sign in, your OAuth provider (Google or GitHub) sends your name, email, and profile picture to us. We do not have access to your password or other account data.
Paddle: Payment processing is handled by Paddle, our merchant of record. Your payment details never touch our servers. We receive only a customer ID and subscription status.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases:
- Account creation and authentication — performance of contract (Art. 6(1)(b)). We process your OAuth profile data to provide you with an account and the Relens service.
- Performance telemetry — performance of contract (Art. 6(1)(b)). This is the core service you signed up for.
- Payment processing — performance of contract (Art. 6(1)(b)). Paddle processes your payment to fulfill your subscription.
- Service communications — legitimate interest (Art. 6(1)(f)). We may email you about service changes, security issues, or subscription status.
- Website analytics — legitimate interest (Art. 6(1)(f)). We use cookieless, privacy-preserving analytics to understand aggregate traffic patterns. No personal data is collected by our analytics.
We do not process personal data based on consent alone for any core service functionality. You can withdraw from the service at any time by deleting your account.
5. Third-Party Services
We use the following third-party services to operate Relens:
- Paddle — Payment processing (merchant of record). Paddle receives your email address, payment details, and billing address directly. We receive only your Paddle customer ID, subscription status, and invoice history. We never see or store your full card number. Location: United Kingdom. Paddle Privacy Policy
- Google — OAuth authentication. We receive your name, email, and profile picture when you sign in with Google. Location: United States. Google Privacy Policy
- GitHub — OAuth authentication. We receive your name, email, and profile picture when you sign in with GitHub. Location: United States. GitHub Privacy Statement
- Hetzner Online GmbH — Server infrastructure (Germany). The hosting provider operates the physical servers. All data in transit is encrypted. The database is accessed over SSL. Hetzner Privacy Policy
We do not sell, rent, or share your data with advertisers, data brokers, or any other third parties.
6. Data Retention
Performance telemetry is stored in server memory only (RAM). It is never written to disk. Data is automatically deleted when your WebSocket session ends or the server restarts. Maximum retention while connected: duration of your session.
Account data (email, OAuth profile, API key hashes, subscription records) is retained as long as your account is active. If you request account deletion, all account data is permanently deleted within 30 days.
Payment records are retained by Paddle according to their retention policy and applicable tax and financial record-keeping requirements (typically 7 years).
Analytics data is processed by our self-hosted Plausible instance. Plausible does not store personal data. Aggregate traffic statistics are retained indefinitely.
You can request deletion of your account and all associated data at any time by emailing contact@relens.dev.
7. International Data Transfers
Our servers are located in Germany (European Union). If you are located in the European Economic Area (EEA), your data remains within the EEA. No cross-border transfer mechanisms are required for server-side processing.
Our third-party service providers process data in the following locations:
- Paddle — United Kingdom (adequate protection under UK GDPR)
- Google OAuth — United States (certified under the EU-US Data Privacy Framework)
- GitHub OAuth — United States (certified under the EU-US Data Privacy Framework)
8. How We Use Your Data
Account data is used to authenticate you, manage your subscription, and communicate service updates. Performance telemetry is used solely to provide the Relens service — displaying data in the DevTools panel and exposing it via MCP tools to your AI agent.
We do not use your telemetry data for analytics, advertising, model training, or any purpose beyond providing the service to you.
9. Chrome Extension
The Relens Chrome extension collects, stores, and transmits data as follows:
What it collects: React component performance telemetry from the active browser tab — component names, render durations, render phases, prop change detection (which keys changed, not values), effect firing patterns, and component tree depth. When opt-in features are enabled by the developer, it also collects network request metadata (URLs, methods, status codes, timing) and user interaction metadata (event types, element selectors).
How it collects: An injected page script reads from the window.__RELENS__ global object (populated by the Relens npm package in the developer's React app). Data is forwarded via the content script to the extension's background service worker.
Local storage: Telemetry is stored in the extension's background service worker memory for the DevTools panel. Your API key, authentication state, and UI preferences are stored in chrome.storage.local.
Data transmission: When you are signed in, telemetry is pushed to our server (api.relens.dev) via encrypted WebSocket (WSS). If the developer has configured the urlRedaction prop, network URLs are redacted at capture time in the npm package — the extension and server only ever see the redacted form. Data is transmitted solely to provide the Relens performance analysis service to you. No data is transmitted when you are not signed in.
What it does NOT do: The extension does not collect browsing history, read page content or DOM, access cookies or localStorage of visited sites, track you across websites, inject advertisements, or share data with third parties.
The use and transfer to any other product of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
10. Cookies and Storage
relens.dev (marketing site): No cookies. We use a self-hosted, cookieless analytics tool (Plausible Analytics) to measure aggregate page views and referral sources. Plausible does not use cookies, does not collect personal data, and does not track individual visitors across sessions or sites. Your browser's theme preference is stored in localStorage (not a cookie).
portal.relens.dev (dashboard): A session cookie (authjs.session-token) is set for authentication. This is a strictly necessary, first-party, HttpOnly cookie that expires after 1 hour and does not require consent under the GDPR or the ePrivacy Directive. A CSRF protection cookie is also set during sign-in flows.
Chrome extension: Uses chrome.storage.local to store your API key, authentication state, and UI preferences. This is browser extension storage, not a web cookie, and is not subject to cookie consent requirements.
We do not use any tracking cookies, advertising cookies, or third-party cookies on any Relens property.
11. Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS (HTTPS and WSS)
- API keys are stored as irreversible cryptographic hashes (SHA-256)
- OAuth tokens are handled by the browser and extension — never stored by our server
- Performance telemetry is ephemeral (RAM only, never written to disk)
- Database connections use SSL encryption
- WebSocket connections require authentication within 5 seconds
12. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights, we will notify affected users via email within 72 hours of becoming aware of the breach. We will also notify the relevant Data Protection Authority as required by GDPR Article 33.
13. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know — You can request details about the categories of personal information we collect and how it is used.
- Right to delete — You can request deletion of your personal information.
- Right to opt out of sale — We do not sell personal information. We have never sold personal information.
- Non-discrimination — We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@relens.dev. We will respond within 45 days.
14. Children
Relens is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect personal data from anyone under 16. If we learn that we have collected data from a child under 16, we will delete it promptly.
15. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Export your account data
- Withdraw consent for data processing at any time
- Lodge a complaint with your local Data Protection Authority
To exercise any of these rights, contact us at contact@relens.dev.
16. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by email or through a prominent notice in the service. Continued use of Relens after changes take effect constitutes acceptance of the revised policy.
You can review the current version at any time at https://relens.dev/privacy.
17. Contact
If you have questions about this privacy policy or how we handle your data, contact us at contact@relens.dev.
INIT Labs d.o.o.
Bukovceva 15
21000 Split, Croatia