Privacy Policy
Last updated: June 12, 2026
What FetchLens Does
FetchLens deploys an AI Lens on your verified domain — an embeddable widget for site visitors and an optional MCP endpoint for AI agents. Visitors and AI clients interact with your Lens to ask questions, run capture flows (pricing, demo, contact), and deliver stated intent to your CRM. FetchLens crawls your public sitemap to ground responses in your site content.
Domain Verification
When you verify a domain, we store your Site Tag (fl_pub_*) and verification timestamp. Verification is completed when your origin sends the Site Tag as an x-api-key header on the first authenticated middleware request — a one-time check.
What Data We Collect
When a request is processed through FetchLens middleware, we collect the following HTTP request metadata:
- User-Agent string (to identify bot type)
- Accept header (to detect AI tool behavior)
- Requested URL path
- Country (derived from CDN headers, not precise geolocation)
- Timestamp of the request
We do not collect:
- IP addresses (in the production middleware)
- Cookies or session data
- Form inputs or page content
- Personal advertising profiles
What Data Lens Collects
When you create a Lens on a verified domain, FetchLens collects and stores additional data beyond bot detection middleware:
- Crawled website content — FetchLens crawls your site via its public sitemap and stores page content as markdown chunks in Cloudflare R2 storage, scoped to your site ID. This content is used solely to answer MCP queries and power widget/Sage responses for your site.
- MCP query metadata — When an AI tool (Cursor, Claude, etc.) or widget user sends a query via your Lens MCP endpoint, we log: query text, tool name (ask/find), timestamp, response token count, and client type. No end-user IP addresses are stored.
- Widget interaction metadata — Widget sessions generate a random session ID (not tied to personal identity), query text, timestamp, and the origin domain. No cookies are set by the widget.
- Lens configuration — Display name, logo URL, brand color, suggested prompts, system prompt override, allowed origins, and visibility setting — all provided by the site owner via the dashboard.
Account and Sign-In Data
When you create a FetchLens account or sign in (via Google, GitHub, or email/password), we collect the following information:
- Email address
- Display name
- Profile picture URL (for social sign-in providers)
This data is stored securely in our database and used solely for authentication, account management, and displaying your profile within the application. Login activity (timestamp, sign-in method) is recorded for security auditing purposes.
Google User Data
FetchLens uses Google Sign-In for authentication purposes only. This section describes how we interact with Google user data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
- Data Accessed — When you sign in with Google, we receive your email address, display name, and profile picture URL via standard OpenID Connect scopes (
openid,email,profile). We do not request access to any other Google data or services. - Data Usage — This data is used exclusively to create and manage your FetchLens account, authenticate your sessions, and display your name and avatar in the dashboard. We do not use Google user data for advertising, analytics profiling, or AI/ML model training.
- Data Storage — Your Google account information (email, name, profile picture URL) is stored in our secure database and is associated with your FetchLens account.
- Data Sharing — We do not share, sell, or transfer your Google user data to any third parties. Your data is never used for purposes unrelated to providing the FetchLens service.
- Data Retention and Deletion — Your account data is retained for as long as your account is active. You may request deletion of your account and all associated data by contacting us at the email addresses listed below.
Legal Basis
We process request metadata under legitimate interest (GDPR Article 6(1)(f)) for the purpose of security, bot detection, and analytics. The production middleware is designed to detect and log bot traffic only — requests from regular human visitors are not stored.
Data Retention
FetchLens data retention for the Lens product:
- Lens session and interaction logs (widget and MCP conversations, stated intent, flow step data) — retained for 60 days, then automatically deleted.
- CRM delivery records — retained for 60 days, then automatically deleted. Your CRM is the system of record for leads.
- Crawled Lens content — retained while the Lens exists; deleted immediately when you delete the Lens or property.
- Account and domain verification — retained while your account or property is active; removed when you delete the property or account.
- Legacy bot event data — no longer collected for new activity; existing records expire per prior TTL settings.
Data Processor Role
When website owners install FetchLens on their sites, they are the data controller and FetchLens acts as a data processor. Site owners are responsible for disclosing FetchLens in their own privacy policy, similar to disclosing Cloudflare, Google Analytics, or other third-party services.
When a Lens is deployed, FetchLens crawls and stores publicly available website content to power MCP tools and the widget. The site owner controls what is crawled (public sitemap), what is visible (draft/public/private), and can delete all crawled content at any time via the dashboard.
No Data Resale
We do not sell, rent, or share collected data — including crawled website content, bot detection events, and MCP query logs — with third parties. Crawled content is used exclusively to serve MCP and widget responses for the site owner. Anonymized, aggregated query volume data may be used for service improvement.
Cookies and Client Storage
FetchLens middleware does not set any cookies. The middleware operates entirely on server-side request headers. The Lens widget uses localStorage (not cookies) for a random session ID. No personal data is stored client-side by the widget.
Sage Sessions
When Sage voice or text sessions are available, session transcripts are stored per-site and retained per plan tier. Site owners can delete sessions. Voice input is processed in real-time via speech-to-text; permanent voice recordings are not stored.
Contact
For data-related requests or questions, contact us at contact@bubblspace.com.