Privacy Policy

Last updated: April 2026

By using KasLens, you also agree to our Terms of Service, which include important disclaimers, risk warnings, and liability limitations.

Privacy Policy

1. Controller and Contact Information

The controller within the meaning of Art. 4 para. 7 GDPR is:

Marcel Sangals
Am Knill 152
22147 Hamburg
Germany

Email: [email protected]

This privacy policy applies to the website kaspa-lens.com ("Website"), the KasLens mobile application ("App"), and all related services (collectively, the "Services"). It informs you about the nature, scope, and purpose of the collection and use of personal data in accordance with the General Data Protection Regulation (GDPR), the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TTDSG), and the Telemediengesetz (TMG).

2. Overview of Data Processing

We process personal data only to the extent necessary to provide our Services. Below is a summary of the categories of data we process:

Without a user account (anonymous visitors):

  • Technical data required for website delivery (IP address, browser type, device information)
  • A pseudonymous browser identifier for functional purposes (see section 5.1)
  • User preferences (currency, theme, language) stored in a cookie on your device
  • Analytics data (only with your explicit consent, see section 6)

With a user account (registered users):

  • Email address (required for registration)
  • Password (stored as a one-way cryptographic hash — we cannot read your password)
  • Display name (optional)
  • Linked authentication providers (e.g. Google account email, if you choose to link one)

We do not collect:

  • Precise location data (GPS coordinates)
  • Payment or financial information
  • Biometric data
  • Data about your cryptocurrency holdings or transactions

3. User Accounts — Registration and Authentication

3.1. Registration

When you create a KasLens account, we collect:

  • Email address — used for login, email verification, password recovery, and essential service communications
  • Password — stored exclusively as a BCrypt hash; the plaintext password is never stored or logged
  • Display name (optional) — a name shown in the user interface

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract / provision of the service you requested).

3.2. Email Verification

After registration, we send a verification email to confirm ownership of the email address. The verification token expires after 24 hours and is deleted after use.

3.3. Password Recovery

If you request a password reset, we send a reset link to your registered email address. The reset token expires after 1 hour and is deleted after use. For security, the system responds identically whether or not the email address exists in our database (no email enumeration).

3.4. Authentication and Sessions

We use the OAuth 2.0 Authorization Code flow with PKCE for authentication. Upon successful login:

  • A JSON Web Token (JWT) access token (5-minute lifetime) is issued for API authentication
  • An opaque refresh token (30-day lifetime) is issued for session continuity

Both tokens are stored in httpOnly cookies (see section 5.2) and cannot be read by JavaScript on the page. Tokens are rotated on each refresh.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance — authentication is essential to provide the account-based service).

3.5. Transactional Emails

We send the following transactional emails:

EmailPurposeTrigger
Email verificationConfirm email ownershipAccount registration
Password resetProvide a secure reset linkPassword recovery request
WelcomeConfirm successful setupEmail verification completed

Emails are sent from [email protected] via the Resend SMTP service (see section 7.3). We do not send marketing emails or newsletters.

4. Data Retention and Deletion

Data categoryRetention periodBasis
User account dataUntil account deletionArt. 6(1)(b)
Email verification tokens24 hours (auto-deleted)Art. 6(1)(b)
Password reset tokens1 hour (auto-deleted)Art. 6(1)(b)
OAuth2 authorization recordsUntil account deletion or token expiryArt. 6(1)(b)
Analytics data (Google Analytics)14 monthsArt. 6(1)(a)
Error monitoring data (Sentry)90 daysArt. 6(1)(f)
Server access logs30 daysArt. 6(1)(f)
Preference cookie365 daysArt. 6(1)(f)
Consent cookie180 days§ 25 TTDSG

4.1. Account Deletion (Right to Erasure — Art. 17 GDPR)

You can permanently delete your account at any time from the Account page in the application. Account deletion is immediate and irreversible. The following data is erased:

  1. Email verification tokens
  2. Password reset tokens
  3. Linked authentication accounts (e.g. Google)
  4. OAuth2 authorizations and consent grants
  5. The user account itself (email, password hash, display name, avatar URL)

After deletion, no personal data associated with your account remains in our systems.

4.2. Data Export (Right of Access and Data Portability — Art. 15/20 GDPR)

You can download a machine-readable (JSON) export of all personal data we store about you from the Account page. The export includes:

  • Account information (email, display name, verification status, roles, timestamps)
  • Linked authentication providers (provider name, provider email, link date)

Sensitive internal data (password hashes, token values) is excluded from the export for security reasons.

5. Cookies and Similar Technologies

Our website uses cookies to provide essential functionality and, with your consent, analytics. We classify cookies into two categories:

5.1. Strictly Necessary Cookies (No Consent Required)

These cookies are essential for the website to function. They cannot be disabled without breaking core functionality. The legal basis for these cookies is § 25 para. 2 no. 2 TTDSG (strictly necessary) in conjunction with Art. 6 para. 1 lit. b/f GDPR.

CookiePurposehttpOnlyLifetime
kaslens-uaiAnonymous browser identifier (random UUID) for functional purposes such as rate limiting and session correlation in server-side error diagnostics. Does not contain any personal information and is not used for tracking or profiling.Yes365 days
kaslens-prefsUser preferences (currency, theme, locale) — ensures the site renders correctly on first load.No365 days
kaslens-consentRecords your cookie consent choice so you are not asked repeatedly.No180 days
kaslens-access-tokenJWT authentication token for logged-in users.Yes~5 minutes
kaslens-refresh-tokenSession refresh token for logged-in users.Yes30 days
JSESSIONIDServer-side session cookie used briefly during the OAuth2 login flow.YesSession

The kaslens-access-token and kaslens-refresh-token cookies are only set when you are logged in. The JSESSIONID cookie is only set during the login process and is cleared after completion.

5.2. Analytics Cookies (Consent Required)

These cookies are only set after you have given explicit consent through our cookie consent banner. See section 6 for details.

CookiePurposeLifetime
_gaGoogle Analytics client identifier2 years
_ga_<container-id>Google Analytics session state2 years
_gidGoogle Analytics 24-hour user distinction24 hours

If you do not consent to analytics cookies, no analytics scripts are loaded and no analytics data is collected.

6. Google Analytics (GA4) {#google-analytics}

If you have given your consent, our website and mobile applications use Firebase Analytics, which is Google Analytics 4 integrated through the Firebase platform. Firebase Analytics is a web and app analytics service provided by Google LLC. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Unified Analytics: We use Firebase Analytics (Google Analytics 4) in the same manner across both our website and mobile applications. The same privacy protections, data processing agreements, and user rights apply regardless of which platform you use to access our services.

Technical Implementation: Firebase Analytics uses the gtag.js library, which is technically served from Google Tag Manager's infrastructure (googletagmanager.com). This is a technical implementation detail — we are not using Google Tag Manager as a tag management system. All data processing and privacy protections described in this section apply regardless of this technical detail.

Nature and Purpose of the Processing

Google Analytics 4 uses cookies (on the website) and similar tracking technologies (in the mobile app) that enable an analysis of your use of our services. The information collected by means of these technologies about your use of our website and app is generally transferred to a Google server in the USA and stored there.

IP Anonymization: Google Analytics 4 has IP anonymization enabled by default. Due to IP anonymization, your IP address will be shortened by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transferred by your browser or app as part of Google Analytics will not be merged with other Google data.

Data Collected

During your visit, the following data may be recorded:

  • Page views / screen views
  • First visit / first app launch
  • Session starts and duration
  • Pages visited / screens viewed
  • Click path and interactions
  • Scroll depth (90% threshold)
  • Clicks on external links
  • Internal search queries
  • Your approximate location (region)
  • Date and time of your visit
  • Your IP address (shortened form)
  • Technical information about your browser and device (language setting, screen resolution)
  • Your internet service provider
  • The referrer URL

Purposes of the Data Processing

On behalf of the operator, Google will use this information to evaluate your pseudonymous use of the website and app and to compile reports on website and app activity.

Legal Basis

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR and § 25 para. 1 p. 1 TTDSG.

Recipients

Recipients of the data are/may be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Alphabet Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Third Country Transfer

For the USA, the European Commission adopted an adequacy decision on 10 July 2023. Google LLC is certified under the EU-US Data Privacy Framework. Since Google servers are distributed worldwide and a transfer to third countries cannot be completely ruled out, we have also concluded the EU standard contractual clauses with the provider.

We have entered into a Data Processing Agreement (Auftragsverarbeitungsvertrag, AV-Vertrag) with Google Ireland Limited in accordance with Art. 28 GDPR.

Retention Period

The data linked to cookies (website) or similar identifiers (app) are automatically deleted after 14 months. The maximum lifespan of Google Analytics cookies is 2 years. Deletion of data whose retention period has been reached occurs automatically once a month.

Withdrawal of Consent

You can withdraw your consent at any time:

Website: Access the cookie settings through the cookie consent tool in the footer of our website or through the consent banner.

Mobile App: Withdraw consent through the app settings, where you can disable analytics tracking.

You can also prevent the collection of data by Google Analytics by:

  • Not giving your consent to the setting of the cookie
  • Downloading the browser add-on to deactivate Google Analytics here

For more information, visit Google Analytics Terms of Use and Google Privacy Policy.

Additional Technical Measures

  • IP Anonymization on EU Servers: IP addresses are anonymized on EU servers before any data transfer to the United States
  • Consent Mode: Our consent tool uses Google's Consent Mode v2 to ensure that no data is collected before consent is given
  • Automatic Data Deletion: User and event data is automatically deleted after 14 months
  • Data Processing Agreement: We have a legally binding data processing agreement with Google that ensures compliance with GDPR requirements

7. Third-Party Service Providers (Processors)

We use the following third-party service providers to operate our Services. Each provider processes data on our behalf and is bound by a data processing agreement (Art. 28 GDPR) or equivalent contractual safeguards.

7.1. Hosting — Netcup GmbH

Our backend infrastructure is hosted by Netcup GmbH, Daimlerstr. 25, 76185 Karlsruhe, Germany. All servers are located in Germany. Server access logs (IP address, request path, timestamp) are stored for 30 days for security and debugging purposes.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and reliable hosting).

7.2. Error Monitoring — Sentry

We use Sentry (Functional Software, Inc.) for server-side error monitoring and performance tracing. Our Sentry instance uses the EU data region (ingest.de.sentry.io), meaning all error data is stored within the European Union.

Data processed:

  • Stack traces and error messages when an application error occurs
  • Request metadata (URL path, HTTP method, response status)
  • IP address (included in server-side error context)
  • Pseudonymous browser identifier (the kaslens-uai cookie value)

Sentry is used server-side only — no Sentry SDK is shipped to or executed in your browser. Error data is automatically deleted after 90 days.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in identifying and fixing software errors to maintain service quality).

7.3. Email Delivery — Resend

We use Resend (Resend, Inc.) as an SMTP relay service to deliver transactional emails (email verification, password reset, welcome email).

Data processed:

  • Recipient email address
  • Email content (verification/reset links, display name)

Resend processes email data solely for the purpose of delivery and does not use it for marketing or profiling. Resend's servers are located in the USA. The transfer is covered by the EU-US Data Privacy Framework.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance — email delivery is necessary to provide the registration and password recovery functionality you requested).

7.4. Push Notifications — Firebase Cloud Messaging (Mobile App Only)

Our mobile application uses Firebase Cloud Messaging (FCM) by Google to send push notifications. An anonymous device token is generated to deliver messages to your device. This token does not contain any personal identifiers and is not used for tracking or profiling.

Data processed:

  • Anonymous FCM device token
  • Notification content (titles, message bodies)
  • Topic subscriptions (e.g. price alerts, news)

Legal basis: Art. 6 para. 1 lit. a GDPR (consent — you must explicitly allow push notifications on your device).

You can review the privacy policies for Firebase services:

Our website may contain links to third-party platforms such as YouTube. When you click on such a link, you will be redirected to an external website. These third parties may collect personal data such as your IP address or track your activity through cookies — especially if you are logged into their services.

We have no influence over the data processing practices of these external platforms. Please refer to their respective privacy policies:

Our website and mobile applications may contain affiliate links. Affiliate links allow us to earn a commission if you make a purchase or take a specific action after clicking on them. This does not affect the price you pay.

Identification: Affiliate links are marked with disclosure notices (e.g. "Affiliate Link" or "Advertisement"), special link parameters, or disclosure statements in the content.

Data processing: When you click an affiliate link, the affiliate partner may receive referral information (e.g. that you came from our website) and may set cookies to track your visit. We do not have access to or control over the data that affiliate partners collect. The affiliate partner is solely responsible for their own data processing.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in generating revenue to support the free service).

You have the right to object to this processing at any time. Clicking on affiliate links is entirely voluntary.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or alteration (Art. 32 GDPR), including:

  • Encryption in transit: All communication between your browser and our servers is encrypted using TLS (HTTPS). HTTP Strict Transport Security (HSTS) is enforced.
  • Password hashing: Passwords are stored using BCrypt, a one-way hashing algorithm. We cannot recover or read your password.
  • httpOnly cookies: Authentication tokens are stored in httpOnly cookies that cannot be accessed by JavaScript, protecting against cross-site scripting (XSS) attacks.
  • Token rotation: Refresh tokens are rotated on each use, limiting the impact of a compromised token.
  • PKCE: The OAuth2 authentication flow uses Proof Key for Code Exchange (PKCE) to prevent authorization code interception.

10. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right to access (Art. 15 GDPR): You can obtain confirmation of whether personal data concerning you is being processed and access that data. You can also download a machine-readable export from the Account page in the application.
  • Right to rectification (Art. 16 GDPR): You can correct inaccurate personal data (e.g. update your display name in the Account page).
  • Right to erasure (Art. 17 GDPR): You can delete your account and all associated data at any time from the Account page. See section 4.1.
  • Right to restrict processing (Art. 18 GDPR): You can request the restriction of processing of your personal data under certain circumstances.
  • Right to data portability (Art. 20 GDPR): You can receive your personal data in a structured, commonly used, and machine-readable format (JSON). See section 4.2.
  • Right to object (Art. 21 GDPR): You can object to the processing of your personal data based on legitimate interests. In particular, you can withdraw analytics consent at any time (see section 6).
  • Right to withdraw consent (Art. 7 GDPR): Where processing is based on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR): You can lodge a complaint with a supervisory authority. In Germany, the competent authority for Hamburg is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), with the Federal Commissioner for Data Protection (BfDI) as an alternative contact.

Exercising Your Rights: To exercise any of these rights, contact us at [email protected]. We will respond within one month (Art. 12 para. 3 GDPR). Account deletion and data export are available as self-service features in the application.

11. Third Country Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place for any such transfer:

ProviderCountrySafeguard
Google (Analytics, FCM)USAEU-US Data Privacy Framework + Standard Contractual Clauses
Resend (Email)USAEU-US Data Privacy Framework
Sentry (Error Monitoring)EU (de.sentry.io)No third-country transfer (EU data region)

12. Provision of Personal Data

The provision of your email address and password is required to create a user account. Without this data, we cannot provide the account-based service. You may use the website without creating an account; in that case, only the data described in section 2 ("Without a user account") is processed.

All other data processing — including analytics (section 6) and push notifications (section 7.4) — is optional and based on your explicit consent.

13. Automated Decision-Making

We do not engage in automated decision-making or profiling as defined in Art. 22 GDPR. No decisions with legal or similarly significant effects are made solely on the basis of automated processing of your personal data.

14. Minimum Age

Our Services are not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete that data promptly.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time. Changes will be published on this page with an updated "Last updated" date. We recommend reviewing this page periodically.

16. Contact

If you have any questions regarding this privacy policy or wish to exercise your rights, please contact us:

Marcel Sangals
Am Knill 152
22147 Hamburg
Germany

Email: [email protected]