Privacy Policy
Effective: 11 June 2026 · Last updated: 11 June 2026
Splitlight Ltd (“Splitlight”, “we”, “us”) provides the Lens platform and operates the splitlight.ai and splitlight.co.uk websites. This policy explains what personal data we collect when you visit our sites or use Lens, why we collect it, who we share it with, and the choices you have.
Summary
- We collect the minimum data needed to run our websites and the Lens product.
- We never sell your data or your clients’ data, and we never use it to train AI models.
- Advertising and analytics data you connect to Lens (LinkedIn Ads, Meta Ads, Google Ads, TikTok Ads, Google Analytics 4, YouTube) is used only to render the dashboards in your own Lens workspace.
- Data is stored in the UK/EU and the US (see Sub-processors).
- You can disconnect any data source at any time, and request deletion at any time.
1. Who we are
- Legal entity: Splitlight Ltd
- Companies House registration: 16318475
- Registered office: Silverstream House, 45 Fitzroy Street, London W1T 6EB, United Kingdom
- ICO registration: Splitlight Ltd is registered with the UK Information Commissioner’s Office as a data controller; our registration reference is available on request.
- Privacy contact: privacy@splitlight.co.uk
2. Data we collect
Website visitors: IP address (briefly, for security/rate-limiting), browser/OS/referrer and pages viewed (analytics), and anything you submit via our contact or demo-request forms (name, email, company, message).
Lens agency users: your name, work email, and authentication metadata (managed by our auth provider Clerk); product usage telemetry used to operate and improve Lens; and billing identifiers (we store a Stripe customer ID only — never card numbers).
Data you connect to Lens: when an agency user connects a client’s advertising or analytics account, we receive an OAuth refresh token, an external account/channel identifier, a display name, and aggregated daily reporting metrics for that account. We do not collect individual end-user, click-level, or audience-segment data.
3. Connected data sources
Each integration uses read-only access and is used solely to display metrics inside your Lens workspace. We do not create, modify, pause, or delete anything in your connected accounts.
- LinkedIn Ads. Using the LinkedIn Marketing Developer Platform `r_ads` and `r_ads_reporting` scopes, we read ad-account metadata (account name, currency, campaign IDs and names) and campaign-level reporting metrics (impressions, clicks, spend, conversions) for the date ranges you select. We do not access LinkedIn Lead Gen Form data, member profile data beyond your own sign-in profile, or any other LinkedIn data outside these scopes.
- Meta Ads (Facebook/Instagram). Using `ads_read` and `business_management`, we read your ad accounts and campaign/ad-level performance metrics (impressions, clicks, spend, conversions, revenue). We do not post, manage campaigns, or read personal profile content.
- Google Ads. Using the Google Ads API (read-only), we read account, campaign, and ad performance metrics.
- Google Analytics 4. Using `analytics.readonly`, we read aggregated site metrics (sessions, users, pageviews, conversions) by date and traffic source.
- Google Search Console. Using `webmasters.readonly`, we read organic search clicks, impressions, CTR, and average position for your verified sites.
- Google Business Profile. Using `business.manage`, we read review ratings, counts, and related metrics for your locations.
- YouTube. Using `yt-analytics.readonly` and `youtube.readonly`, we read channel metadata and aggregated channel analytics (views, watch time, subscribers, likes, comments) for channels you own or manage.
- TikTok Ads. Using the TikTok Business API reporting scopes (read-only), we read advertiser metadata and campaign/ad performance metrics.
In every case the data flow is one-way: from the provider → Lens → your client-facing dashboard.
Google user data
Splitlight’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Data accessed through Google APIs — Google Ads, Google Analytics, Google Search Console, Google Business Profile, and YouTube — is used solely to display reporting within your own Lens workspace. We do not sell, rent, or transfer this data to third parties, we do not use it for advertising, and we never use it to train AI or machine-learning models. You can disconnect any Google data source at any time, and request deletion of the imported data at any time.
4. Why we use it (legal basis, UK GDPR Art. 6)
| Data | Purpose | Lawful basis |
|---|---|---|
| Site analytics / IP | Operate, secure, improve the site | Legitimate interest |
| Contact-form submissions | Respond to your enquiry | Legitimate interest |
| Lens account data | Provide Lens to you | Contract |
| Connected ad/analytics data | Render the dashboards you requested | Contract |
| Billing identifiers | Charge you for Lens | Contract |
| Usage telemetry | Improve and debug Lens | Legitimate interest |
| Marketing emails | Tell you about Lens updates | Consent (opt-in only) |
5. How long we keep it
- Website analytics: 14 months.
- Lens account data: for the life of your account, deleted within 30 days of an account-deletion request.
- Connected reporting metrics: a rolling 3-year window, then automatically deleted.
- OAuth tokens: deleted immediately when you disconnect a data source.
- Billing records: 7 years (UK statutory requirement).
6. Who we share it with (sub-processors)
We use the following providers, each under a data-processing agreement:
| Provider | Purpose | Region | Policy |
|---|---|---|---|
| Clerk | Authentication | USA | clerk.com/legal/privacy |
| Convex | Application database, encrypted token storage | USA | convex.dev/privacy |
| Tinybird | Analytics metrics store | EU (London) | tinybird.co/legal/privacy |
| Stripe | Billing | USA / UK | stripe.com/privacy |
| Vercel | Web hosting | USA / global edge | vercel.com/legal/privacy |
| Sentry | Error monitoring | USA | sentry.io/privacy |
| Google (Ads / GA4 / YouTube APIs) | Data sources | USA | policies.google.com/privacy |
| LinkedIn | Data source | USA / Ireland | linkedin.com/legal/privacy-policy |
| Meta Platforms | Data source | USA / Ireland | facebook.com/privacy/policy |
| TikTok / ByteDance | Data source | USA / EU | tiktok.com/legal/privacy-policy |
Data may be transferred between the UK, EU and USA; for those transfers we rely on the UK International Data Transfer Agreement and the EU Standard Contractual Clauses.
7. How we secure it
- OAuth refresh tokens are encrypted at rest (AES-256-GCM) with a per-deployment key; plaintext tokens are never stored.
- All traffic is encrypted in transit (TLS 1.2+).
- Lens enforces row-level access control: an agency can only ever see its own data.
- We do not currently hold SOC 2 / ISO 27001 certification and will update this section if that changes.
8. Cookies
Lens uses strictly-necessary cookies for authentication (set by Clerk) and basic site analytics. We do not use advertising or cross-site tracking cookies. Where required, non-essential cookies are set only with your consent.
9. Your rights
Under UK/EU GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, to withdraw consent where processing is consent-based, and to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk/make-a-complaint). To exercise any right, email privacy@splitlight.co.uk; we respond within 30 days.
10. Children
Lens is a B2B product not directed at anyone under 18, and we do not knowingly collect their data.
11. Changes
We will post any updated policy here with a new “Last updated” date and email registered Lens users at least 14 days before material changes take effect.
12. Contact
privacy@splitlight.co.uk · Splitlight Ltd, Silverstream House, 45 Fitzroy Street, London W1T 6EB, United Kingdom