Privacy Policy | GovLens

Effective date: 2026-05-10 · Last updated: 2026-05-10

This Privacy Policy explains how GovLens ("GovLens", "we", "us", or "our"), operated by Trelvio Technology OÜ, collects, uses, discloses, and safeguards personal data when you use the GovLens website at govlens.eu, our APIs, embeddable widgets, email notifications, and related services (together, the "Service").

We are committed to compliance with Regulation (EU) 2016/679 (the "GDPR"), Directive 2002/58/EC (the "ePrivacy Directive") as transposed in your Member State, and applicable national data-protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Legal entity: Trelvio Technology OÜ
Registered office: Tornimäe tn 5, Kesklinna linnaosa, 10145 Tallinn, Harju County, Estonia
Company registration number: 16827799 (Estonian Commercial Register)
VAT identification: EE102944967
General contact: hello@trelvio.eu
Privacy / Data Protection Officer: privacy@trelvio.eu
Lead supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate, AKI) — Tatari 39, 10134 Tallinn, Estonia, https://www.aki.ee

2. Scope

This Policy applies to:

Visitors to govlens.eu and any subdomain;
Registered users (Free, Pro, Team, Corporate, Enterprise);
API consumers and webhook subscribers;
Recipients of our email alerts and briefings;
Embedded-widget licensees and their end users;
Individuals whose publicly available information appears in the Service (Members of the European Parliament, lobby-register entries, beneficiaries of EU funds — see Section 12).

It does not apply to third-party websites we link to.

3. Personal Data We Collect

3.1 Data you give us directly

Account identity: email address (encrypted with AES-256-GCM at rest), password (bcrypt hash), OAuth provider and subject ID.
Verification: phone number (HMAC-SHA256 hash only), email-verification token, SMS one-time code (hashed), password-reset token.
Profile: display name, organisation, professional role (compliance / policy / lobbyist / journalist / researcher), sectors of interest, country, optional age bracket.
Subscription: plan tier, billing cycle, seat count, Stripe customer ID, Stripe subscription ID, trial-end and renewal dates.
Enterprise onboarding: organisation name, VAT number, country, organisation type, employee count, use-case description, jurisdictions of interest.
Team membership: owner ID, member IDs, invited email addresses, role.
User-generated content: watchlists of EU procedures, saved filter views, alert subscriptions, briefing/digest configurations, recipient lists.
API access: API key, key prefix, owner email, tier, usage logs (endpoint, status code, latency, timestamp).
Webhooks: target URL, subscribed events, encrypted shared secret.
GDPR consent record: timestamp at which you accepted this Policy and the Terms.

3.2 Data we collect automatically

Session cookies: govlens_session(HttpOnly, Secure, SameSite=Lax), 30 days (60 days with "remember me").
Functional cookies: LOCALE_COOKIE, NEXT_INTL_LOCALE — language preference; cf_verified_ui — Cloudflare Turnstile bot challenge.
Local / session storage: govlens-theme, gl-signed-in, gl-pro-tier (UI hints, not authoritative), notification preferences, feedback-widget dismissal.
IP address & request metadata: IP, user-agent, action (sign-up, sign-in, password reset), timestamp.
Product analytics: page views and custom events (e.g., alert_subscribed), error captures via PostHog with sessionStorage persistence.
Error telemetry: JavaScript and server exceptions, stack traces, route, browser/OS, scrubbed IP via Sentry.
API usage logs: endpoint, status code, response time, timestamp keyed to API key.

3.3 Data we do not collect

We do not collect biometric, genetic, or health data; racial or ethnic origin; religious or philosophical beliefs; trade-union membership; or data concerning sex life or sexual orientation. We do not knowingly collect data from children — see Section 11.

4. Purposes and Lawful Bases (GDPR Art. 6)

Provide the Service (account creation, authentication, watchlists, alerts, briefings, search, dashboards) — performance of a contract, Art. 6(1)(b).
Process subscriptions, invoicing and refunds — performance of a contract, Art. 6(1)(b).
Email and SMS verification, two-factor authentication — performance of a contract / consent, Art. 6(1)(b)/(a).
Send transactional notifications (alerts, digests, account events) you have requested — consent, Art. 6(1)(a). You can unsubscribe at any time.
Operate, secure, and improve the Service (logging, fraud prevention, rate-limiting, error tracking, analytics) — legitimate interests, Art. 6(1)(f).
Generate AI-assisted summaries and impact analyses of public legislation (no user PII sent to model providers) — legitimate interests, Art. 6(1)(f).
Comply with legal obligations (accounting, GDPR records, lawful requests) — Art. 6(1)(c).
Publish data about public officials (MEPs, registered lobbyists, fund beneficiaries) acting in a public role — public interest / legitimate interests, Art. 6(1)(e) and (f). See Section 12.

We do not sell your personal data and we do not use it for behavioural advertising.

5. Cookies and Similar Technologies

A detailed cookie inventory is set out in Section 3.2. On your first visit you will be asked to consent to non-essential cookies (analytics, optional product features). Strictly necessary cookies (session, CSRF, language, security challenges) do not require consent under Art. 5(3) of the ePrivacy Directive.

You can withdraw analytics consent at any time via the cookie banner or your browser settings; doing so will not affect your ability to use the Service.

6. Recipients and Sub-processors

We share personal data only with vetted sub-processors bound by data-processing agreements compliant with Art. 28 GDPR:

Stripe Payments Europe Ltd. — payment processing (email, citizen ID, plan, billing metadata). EU / US under SCCs.
Resend — transactional and marketing email (recipient email, message content). EU / US under SCCs.
Sinch (Sinch AB, Sweden) — SMS for two-factor authentication (phone number, one-time code). EU.
PostHog — product analytics (pseudonymous distinct ID, page-view and event metadata). EU region.
Sentry — error monitoring (stack traces, route, scrubbed IP). EU region.
Cloudflare — CDN, DDoS protection, Turnstile (IP, request metadata). Global.
Railway (Railway Corp.) — application and ingestion hosting. EU region (primary).
IBM Cloud Object Storage — public MEP photographs (no personal data of yours). EU (Frankfurt).
OpenRouter / DeepInfra — LLM inference for legislative analysis (public legislative text only — no user PII). EU / US under SCCs.
EU Lobby Register API — read-only ingestion of public registry data. EU.

We may also disclose data when required by law, to enforce our Terms, to protect the rights, property, or safety of GovLens or others, or in connection with a corporate transaction (in which case you will be notified).

7. International Data Transfers

Personal data is primarily processed within the European Economic Area. Where a sub-processor processes data outside the EEA, transfers are protected by:

the European Commission's Standard Contractual Clauses (Decision 2021/914);
supplementary measures (encryption in transit and at rest, pseudonymisation where feasible);
and, where applicable, an adequacy decision (e.g., EU–US Data Privacy Framework).

A copy of the relevant transfer mechanisms is available on request from privacy@trelvio.eu.

8. Retention

Active account records — for the duration of your account, then deleted within 30 days of closure.
Sessions — 30 days from issue (60 days with "remember me"); deleted earlier on sign-out.
Email-verification tokens — up to 24 hours.
SMS one-time codes — 15 minutes.
Password-reset tokens — 1 hour.
IP and security logs — 90 days (longer if needed for an investigation).
Stripe subscription records — duration of subscription plus 7 years for tax and accounting.
API usage logs — 12 months.
Alert and notification logs — 12 months from delivery.
AI analysis outputs and token-cost records — 3 years.
Consent records — 3 years from withdrawal (legal obligation under Art. 7(1) GDPR).

We apply an overall maximum retention of 3 years for active personal data, save where a longer period is required by law.

9. Your Rights under GDPR

You have the right to:

Access — obtain a copy of the personal data we hold about you (Art. 15);
Rectification — correct inaccurate or incomplete data (Art. 16);
Erasure — request deletion ("right to be forgotten", Art. 17);
Restriction — limit processing (Art. 18);
Portability — receive your data in a structured, machine-readable format (Art. 20);
Object — object to processing based on legitimate interests, including profiling (Art. 21);
Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3));
Lodge a complaint with your national supervisory authority. A list is available at edpb.europa.eu.

To exercise these rights, email privacy@trelvio.eu. We will respond within one month (extendable by two further months for complex requests, Art. 12(3)). We may ask you to verify your identity before acting. You can also delete your account directly from your dashboard.

10. Security

We implement appropriate technical and organisational measures, including:

AES-256-GCM encryption of email addresses and webhook secrets at rest;
HMAC-SHA256 hashing of phone numbers and pseudonymisation keys;
bcrypt password hashing;
TLS 1.2+ in transit with HSTS;
Hardened cookies (HttpOnly, Secure, SameSite);
Schema-level separation between authentication and public data;
Cloudflare Turnstile bot mitigation on signup, login, and subscribe;
Rate-limiting on authentication and API endpoints;
Centralised logging with restricted access on a need-to-know basis;
Regular dependency and vulnerability scanning.

No system is perfectly secure. If you discover a vulnerability, please contact security@trelvio.eu under our responsible-disclosure policy.

11. Children

The Service is not directed at children. We do not knowingly process personal data of children under 16 (or the lower age set by your Member State under Art. 8(1) GDPR, which can be as low as 13). If you believe a child has provided us with personal data, please contact privacy@trelvio.eu and we will delete it.

12. Public Figures and Public-Source Data

GovLens publishes information drawn from official EU and national public registers, including:

Names, photographs, party affiliation, attendance, and roll-call votes of MEPs (European Parliament Open Data, EUR-Lex);
Names of registered lobbying organisations and their declared officials, budgets, and policy interests (EU Transparency Register and 12 national registers);
Recipients of EU funds (FTS, CAP, Horizon Europe, ESIF, CORDIS).

This data concerns natural persons acting in a public or professional capacity. We rely on Art. 6(1)(e) (task carried out in the public interest) and Art. 6(1)(f) (legitimate interests of the public in legislative transparency). We do not consider this data to fall within the special categories of Art. 9 GDPR.

If you are an MEP, lobbyist, or beneficiary and believe a record is inaccurate, please contact corrections@trelvio.eu.

13. Automated Decision-Making and AI

GovLens uses large-language-model summarisation (currently DeepInfra-hosted Gemma) to produce explanatory summaries, impact analyses, and highlights of public legislative documents. Outputs are clearly labelled as AI-generated and reviewed against source documents.

We do not use AI to make decisions producing legal effects on you within the meaning of Art. 22 GDPR. AI outputs are not legal advice — see Section 11 of the Terms of Service.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email to registered users at least 14 days before they take effect, and the "Last updated" date above will reflect the change. Continued use after the effective date constitutes acceptance.

15. Contact

General privacy enquiries: privacy@trelvio.eu
Data subject rights requests: privacy@trelvio.eu
Security disclosures: security@trelvio.eu
Public-record corrections: corrections@trelvio.eu
Postal: Trelvio Technology OÜ, Tornimäe tn 5, Kesklinna linnaosa, 10145 Tallinn, Harju County, Estonia

You also have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate, AKI) — Tatari 39, 10134 Tallinn, Estonia, https://www.aki.ee.

See also: Terms of Service · Back to GovLens