Privacy Policy
Effective date: 2026-05-13
Plain-Language Summary
1. Controller Identity
The data controller for all personal data processed through the Sightlabs service is Sightlabs Inc. (or the applicable operating entity, referred to here as “Sightlabs”, “we”, or “us”). You can reach our privacy team at privacy@sightlabs.com.
1.1 EU and UK Inquiries
Sightlabs does not currently maintain an establishment in the European Union or the United Kingdom. Where GDPR Article 27 or UK GDPR Article 27 applies to our processing, we will appoint an Article 27 representative through a qualified service provider. In the meantime, EU and UK data subjects may direct all privacy inquiries to privacy@sightlabs.com and we will respond within statutory timeframes.
2. Categories of Personal Data
We process personal data in two distinct tracks, each with different transparency obligations under GDPR Articles 13 and 14.
2.1 Track A: Customer-Provided Data
Data you provide directly when creating and using your account:
- Account information. Name, work email address, job title, company name.
- Search queries and configurations. Brand names, competitor names, public figure handles, and keywords you enter into the platform. Where these refer to identifiable individuals, they constitute personal data.
- Billing information. Subscription tier and payment events are processed by Polar.sh as merchant of record. Sightlabs retains only transaction confirmation records, not raw card data.
- Usage data. Session logs, feature interaction events, API call metadata, and error reports generated during your use of the service.
- Support communications. Any correspondence you send us.
2.2 Track B: Scraped and Ingested Data
Data obtained from third-party public sources as part of the monitoring service:
- Public social media posts. Posts, comments, and threads from Reddit, X (formerly Twitter), LinkedIn, and YouTube that mention the keywords your account is tracking. This includes the post text, post URL, and timestamp.
- Google News article snippets. Headline and excerpt text from publicly indexed news articles referencing tracked entities.
- LLM-generated outputs. Text from ChatGPT and Perplexity responses referencing tracked brand names or keywords, as returned by those platforms.
- Author metadata. Public usernames, handles, and display names of post authors associated with the above content.
- Derived data. Sentiment scores and action-item extractions generated by our LLM provider based on the above content. This derived data is personal data when the source post is attributable to an identifiable individual.
Sensitive personal information may appear incidentally in scraped content (for example, a public post discussing health or political topics). We do not target or specifically collect sensitive categories; however, where such content appears in monitored mentions, it is processed under the same legitimate interest basis described in Section 4, subject to enhanced care and the minimisation commitments in Section 7.
3. Sources of Personal Data
- Directly from you during registration, use of the platform, and support interactions (Track A).
- Automatically from your browser and device as you use the service (session logs, IP address, browser type).
- Third-party public platforms. Reddit, X (formerly Twitter), LinkedIn, YouTube, and Google News, scraped server-side (Track B). Note that Sightlabs's ability to access these platforms may change at any time due to platform policy changes.
- LLM API providers. ChatGPT (OpenAI) and Perplexity, whose outputs are collected via API as part of the AI response monitoring feature.
- Polar.sh. Billing confirmation events passed back to Sightlabs on subscription purchase or renewal.
As required by GDPR Article 14(2)(f), we disclose these source categories because Track B data is not obtained directly from the individuals concerned.
4. Purposes and Legal Bases
The table below maps each processing purpose to its legal basis under GDPR Article 6. For non-EU/UK jurisdictions, equivalent bases apply: contractual necessity (Canada PIPEDA, Brazil LGPD Article 7(V)), legitimate interest (Singapore PDPA LIE, Australia APP 6), and legal obligation (all regimes).
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Art. 6(1)(b) - contract performance |
| Subscription billing (via Polar.sh) | Art. 6(1)(b) - contract performance |
| Delivering mention tracking results to the customer | Art. 6(1)(b) - contract performance |
| Scraping public posts to populate the mention database | Art. 6(1)(f) - legitimate interest (see balancing test below) |
| LLM sentiment scoring and action-item extraction | Art. 6(1)(f) - legitimate interest |
| Security, fraud prevention, abuse detection | Art. 6(1)(f) - legitimate interest |
| Transactional email via Resend | Art. 6(1)(b) - contract performance |
| Marketing emails to prospects | Art. 6(1)(a) - consent (or soft opt-in for existing customers under ePrivacy rules) |
| Aggregated, anonymised analytics for product improvement | Art. 6(1)(f) - legitimate interest (provided data is genuinely anonymised, it falls outside GDPR scope) |
| Compliance with legal obligations (tax, law enforcement requests) | Art. 6(1)(c) - legal obligation |
4.1 Legitimate Interest Balancing Test for Scraping
EDPB Guidelines 1/2024 and the CNIL January 2026 focus sheet on web scraping require a three-part test before relying on legitimate interest for scraping public content.
Purpose test. Sightlabs provides brand and keyword monitoring analytics to paying B2B customers (marketing, PR, and communications professionals). Enabling businesses to understand public conversation about their brand is a recognised commercial purpose.
Necessity test. Sightlabs relies on server-side scraping of publicly accessible content where no official API exists, where the available API is cost-prohibitive, or where it does not provide the breadth of coverage the service requires. We document this necessity assessment internally and limit collection to content that is publicly accessible without authentication.
Balancing test. The interests of data subjects are weighed against the legitimate business interest. Mitigating factors we apply: we scrape only publicly accessible content; we do not create profiles on private individuals as a primary product function; we respect robots.txt restrictions where applicable; we retain scraped content for no more than 24 months; we provide a clear erasure mechanism for non-customer data subjects (see Section 14); and we do not scrape platforms or sections of platforms used primarily by minors.
5. Recipients and Subprocessors
We disclose personal data to the following categories of subprocessors, each under a data processing agreement that requires equivalent protection. A full list is maintained at /subprocessors (updated with 30 days advance notice of any changes).
| Subprocessor | Country | Purpose | Safeguard |
|---|---|---|---|
| Supabase, Inc. | USA (EU region available) | Database, authentication, file storage | EU SCCs; DPA available; EU region recommended for EU data |
| Polar Software, Inc. (Polar.sh) | USA | Billing, subscription management, tax collection as merchant of record | Polar DPA |
| Resend, Inc. | USA | Transactional email delivery | DPA / EU SCCs |
| Vercel, Inc. | USA (edge globally) | Application hosting, CDN, serverless functions | Vercel DPA with EU SCCs |
| OpenRouter, Inc. | USA | Sentiment scoring, action-item extraction from scraped mentions | Provider DPA; data processing terms prohibit training on customer data |
We have confirmed that our LLM provider does not use submitted content to train its models by default. We maintain a data processing agreement with each provider listed above.
6. International Transfers
6.1 EU/EEA to Third Countries
Personal data of EU/EEA residents may be transferred to the United States (where our subprocessors are headquartered). These transfers are governed by EU Standard Contractual Clauses (2021 SCCs, Commission Decision C(2021)3972). Where Supabase's EU region is selected, data is stored within the EU; Supabase uses AWS infrastructure and customers should verify their region configuration.
6.2 UK to Third Countries
Transfers from the UK are covered by the UK International Data Transfer Agreement (IDTA, in force March 2022) or EU SCCs with the UK Addendum. The UK adequacy decision for EU-UK data flows was renewed in December 2025 and remains valid.
6.3 Brazil (LGPD)
Transfers of personal data concerning Brazilian residents comply with ANPD Resolution 19/2024, using standard contractual clauses adapted for LGPD requirements.
6.4 Other Jurisdictions
For transfers involving Australian, Canadian, Singaporean, and South African resident data, we rely on contractual safeguards and, where applicable, adequacy assessments. Canada (PIPEDA-covered organisations) and the UK benefit from EU adequacy decisions. Australia, Brazil, and Singapore do not have EU adequacy decisions; SCCs or equivalent contractual safeguards apply.
7. Retention Periods
| Data Category | Retention | Basis |
|---|---|---|
| Customer account data | Duration of active account, plus 90 days after termination | GDPR Art. 5(1)(e); contractual necessity |
| Search query logs | 12 months rolling (or as configured by the customer) | Data minimisation; GDPR Art. 5(1)(e) |
| Scraped mentions (raw text, author handle, metadata) | 24 months rolling | Minimisation; trend analysis necessity; ROPA documentation |
| LLM-derived sentiment scores | Same as the underlying mention from which they were derived | Derived data; same status as source |
| Billing records and transaction logs | 7 years | Tax and accounting obligations (varies by jurisdiction) |
| Audit and security logs | 12 months | Security monitoring; regulatory guidance |
| Erasure request records | 5 years | GDPR Art. 5(2) accountability obligation |
As required by California Civil Code Section 1798.100(a)(3), we state the criteria for determining retention: we retain data for as long as it is necessary to deliver the service and fulfill the purpose for which it was collected, plus any legally mandated minimum period.
8. Data Subject Rights
If you are in the EU, UK, or another jurisdiction with applicable privacy rights, you may exercise the following rights by contacting privacy@sightlabs.com. We respond within 30 days (extendable to 90 days with notice for complex requests).
- Access (GDPR Art. 15). Request a copy of personal data we hold about you, how it is used, who it is shared with, and how long it is retained.
- Rectification (GDPR Art. 16). Request correction of inaccurate personal data.
- Erasure (GDPR Art. 17). Request deletion of your personal data where processing is no longer necessary, where you withdraw consent, or where you object under Art. 21. For scraped public content, see Section 14.
- Data portability (GDPR Art. 20). Receive a machine-readable copy of data you provided directly to us (Track A). This right does not apply to scraped third-party content about you (Track B).
- Restriction (GDPR Art. 18). Request that we pause processing of your data while a dispute is resolved.
- Object (GDPR Art. 21). Object to processing based on legitimate interest, including the scraping of public content. We will cease processing unless we can demonstrate compelling legitimate grounds. This right is particularly material for Track B data.
- Automated decision-making (GDPR Art. 22). If LLM-derived sentiment scores are used in a way that produces legal or similarly significant effects on you as an individual, you have the right to request human review. Our service is designed for B2B analytics and does not make automated decisions about individuals as a primary function; however, we will assess any specific concern raised.
- Withdraw consent. Where we rely on consent as a legal basis (for example, marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
8.1 Brazil (LGPD) Additional Rights
Brazilian residents also have the right to: confirmation of the existence of processing; anonymisation, blocking, or elimination of unnecessary data (Art. 18(VI)); portability to another service provider; information about third parties with whom data is shared; and review of automated decisions (Art. 20).
8.2 Quebec (Law 25) Additional Rights
Quebec residents have the right to an explanation of any automated decision-making (Art. 12.1 of An Act Respecting the Protection of Personal Information in the Private Sector) where a decision based on automated processing affects them significantly.
8.3 Singapore (PDPA) Rights
Singapore residents have rights of access to and correction of their personal data held by Sightlabs.
9. California Residents (CCPA/CPRA)
This section supplements Section 8 and applies to California residents under the California Consumer Privacy Act (Cal. Civ. Code Section 1798.100 et seq.) and the California Privacy Rights Act amendments operative January 2023.
9.1 Categories Collected in the Past 12 Months
- Identifiers (name, email, username, IP address)
- Commercial information (subscription tier, billing events via Polar.sh)
- Internet or network activity (usage logs, session data, feature events)
- Professional or employment-related information (job title, company name)
- Inferences drawn from the above to create a usage profile
- Audio, electronic, visual, or similar information (only if voluntarily submitted via support)
Scraped social media content (Track B) may also contain information about California residents who are third parties to the service.
9.2 Your CCPA/CPRA Rights
- Right to know. Request disclosure of the specific pieces or categories of personal information we have collected about you.
- Right to delete. Request deletion of your personal information, subject to certain exceptions.
- Right to correct. Request correction of inaccurate personal information we hold about you.
- Right to opt out of sale or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” mechanism and update this section.
- Right to limit use of sensitive personal information. Where our processing involves sensitive personal information (such as search queries that may contain health or political keywords), you may request limitation of use to purposes permitted under the CPRA.
- Right to non-discrimination. We will not discriminate against you for exercising any CCPA right.
9.3 How to Submit a CCPA Request
Submit requests to privacy@sightlabs.com. You do not need to create an account to submit a request. We will verify your identity before responding. We respond within 45 days, extendable to 90 days with notice.
10. Children's Data
Sightlabs is a business-to-business service intended for users aged 18 and over. We do not knowingly collect or process personal data from individuals under 16 years of age. If we become aware that we have collected personal data from someone under 16 without verified parental consent, we will delete it promptly.
Our server-side scraping of platforms including Reddit, YouTube, and X (formerly Twitter) may incidentally capture public posts authored by minors. We take the following steps to address this: we do not scrape platforms or sections of platforms used primarily by users under 13; we implement automated flagging for content patterns indicating a minor author and delete such content immediately on identification; we do not process or display to customers any content identified as authored by a minor. These steps are documented in our Data Protection Impact Assessment.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the service and, where you consent, to improve it.
- Essential cookies. Required for authentication, session management, and security. These cannot be disabled without breaking the service. No consent required.
- Analytics cookies. Used to understand how the service is used in aggregate. For EU/UK visitors, we obtain your prior consent before placing analytics cookies, in compliance with the ePrivacy Directive (2002/58/EC). Pre-ticked boxes and cookie walls are not used.
- Preference cookies. Store your theme (light/dark) setting. No consent required as these serve a functional purpose.
You can manage cookie preferences at any time through our cookie settings panel. Withdrawing consent does not affect the lawfulness of prior cookie use. For CCPA purposes, we do not share cookies or pixel data with advertising networks for cross-context behavioral advertising.
12. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:
- Encryption in transit using TLS 1.2 or higher for all data transmitted between your browser and our servers.
- Encryption at rest for all data stored in Supabase (AES-256 by default).
- Row-level security in Supabase to enforce multi-tenant data isolation between customer accounts.
- Role-based access controls and least-privilege principles for all internal access to production systems.
- Regular security assessments and penetration testing on a defined cadence.
- Employee training on data protection obligations and incident response procedures.
No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we commit to promptly notifying affected parties in the event of a confirmed breach (see Section 13).
13. Breach Notification
In the event of a personal data breach, we will notify relevant supervisory authorities and affected individuals as follows:
- EU (GDPR Art. 33). Notify the competent supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals. Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- UK (UK GDPR). Notify the Information Commissioner's Office (ICO) within 72 hours.
- Brazil (LGPD). Notify the ANPD promptly, recommended within 2 business days per ANPD Resolution 2/2022.
- Quebec (Law 25). Notify the Commission d'accès à l'information within 72 hours.
- Singapore (PDPA). Notify the PDPC within 3 business days if the breach affects 500 or more individuals or is likely to cause significant harm.
- Australia (Notifiable Data Breaches scheme). Notify the OAIC and affected individuals as soon as practicable.
- Customer notification. We will notify affected customers within 72 hours of a confirmed breach affecting their account data, regardless of jurisdiction.
14. Erasure Requests for Scraped Public Content
This section addresses a situation specific to a mention-monitoring service: individuals whose public posts have been indexed by Sightlabs but who are not Sightlabs customers may wish to have that content removed.
If you are an individual whose public posts or content have been indexed by our monitoring service, you may submit an erasure or objection request to privacy@sightlabs.com. You do not need to be a Sightlabs customer to exercise this right.
Upon receiving a valid request, we will:
- Verify that you are the author of the content in question (for example, by confirming your public handle or a link to the original post).
- Search our database for all stored instances of content associated with your handle or username across all scraped sources.
- Delete that content from our database and flag your identifier in a re-ingestion blocklist so that future scraping runs exclude your content.
- Propagate the deletion to customer-facing dashboards (or anonymise author attribution in aggregated trend data where the individual post is no longer identifiable).
- Confirm deletion to you in writing within 30 days of receiving the request (GDPR Article 17 standard). For Brazilian residents, we respond without undue delay per LGPD Article 18(VI).
- Log the request and its completion in our erasure records, retained for 5 years for GDPR Article 5(2) accountability purposes.
Limits of erasure. Where your content has been incorporated into genuinely anonymised aggregated trend data (for example, a total mention count where no individual post is retrievable), that aggregate may be retained. The test is whether you remain identifiable in the data. If you are not identifiable, the aggregate is outside the scope of the erasure right. Deletion from Sightlabs's systems does not affect the original post on the platform where it was published.
GDPR legal nuance. The erasure right under Art. 17 for legitimate interest processing is qualified: we may decline if processing is necessary for the establishment, exercise, or defence of legal claims. For a commercial brand monitoring tool, such exceptions are unlikely to apply. Where you object under Art. 21, we will uphold your objection unless we can demonstrate compelling legitimate grounds, as required by EDPB guidance.
15. Contact and Supervisory Authorities
To exercise any right described in this policy, or to raise a concern about our data practices, contact:
Sightlabs Inc.
privacy@sightlabs.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:
- EU. Your national data protection authority (full list at edpb.europa.eu).
- UK. Information Commissioner's Office (ICO): ico.org.uk.
- Brazil. Autoridade Nacional de Proteção de Dados (ANPD): gov.br/anpd.
- Canada / Quebec. Office of the Privacy Commissioner of Canada: priv.gc.ca. Quebec: Commission d'accès à l'information: cai.gouv.qc.ca.
- Australia. Office of the Australian Information Commissioner (OAIC): oaic.gov.au.
- South Africa. Information Regulator: inforegulator.org.za.
- Singapore. Personal Data Protection Commission (PDPC): pdpc.gov.sg.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or service features. We will provide at least 30 days advance notice of material changes via email and in-product notification before the updated policy takes effect. This notice period satisfies the California CCPA 30-day change notice requirement and aligns with GDPR transparency obligations.
Continued use of the service after the effective date of an updated policy constitutes acceptance of the updated terms. If you do not accept a material change, you may terminate your account before the effective date.
Change History
| Date | Summary |
|---|---|
| 2026-05-13 | Initial publication. |