Privacy Policy
SourceLens Chrome Extension
Last updated: March 1, 2026
Version: 2.0
Effective date: March 1, 2026
1. Who We Are
SourceLens is a product of Highrank B.V., a company registered in the Netherlands.
- Legal entity: Highrank B.V. (trading as SourceLens)
- Address: Koninginneweg 11, 1217 KP Hilversum, The Netherlands
- Chamber of Commerce (KvK): 30273356
- Website: sourcelens.ai
- Privacy contact: privacy@sourcelens.ai
This Privacy Policy explains how we collect, use, store, and protect personal data when you use the SourceLens platform (sourcelens.ai), the SourceLens Chrome Extension, and any related services (collectively, the "Service").
2. What Data We Collect
2.1 Account Data (Our Customers)
When you create a SourceLens account, we collect:
- Full name
- Email address
- Password (encrypted)
- Company name (optional)
- Billing information (processed by Stripe — we do not store credit card numbers)
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
2.2 Candidate Profile Data
When you use SourceLens to analyze LinkedIn profiles, the following data is collected and processed:
- LinkedIn profile URLs (exported via the Chrome Extension)
- Full name as listed on LinkedIn
- Job title(s) and employment history
- Profile photograph
- Employer information (company names, roles, dates)
- Any other publicly available information on the LinkedIn profile
This data is retrieved by a third-party data provider (Apify) based on the profile URLs you export. The data originates from publicly accessible LinkedIn profiles.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — our customers have a legitimate interest in sourcing and evaluating candidates for recruitment purposes using publicly available professional data.
2.3 AI-Generated Analysis Data
SourceLens uses multiple artificial intelligence models to analyze candidate and employer information:
Per candidate (via DeepSeek model, routed through OpenRouter):
- Employer analysis: sector, organization type, client segment, sales model, deal complexity, growth phase (based on company names from work history)
- Career pattern analysis: mobility, tenure, pivots, red flags (based on work experience and employment periods)
- Criteria matching: scores per criterion and total match score (based on full profile + employer context + your criteria)
- AI-generated InMail templates: personalized outreach messages (based on name, company, job title, match score, strengths)
Per project (via OpenAI GPT-4o / GPT-4o-mini):
- Matching criteria generation: suggested criteria based on your job description and company name
- Scoring rule generation: matching rules based on criteria keywords and job description text
Data sent to AI providers:
- Candidate name, job titles, employer history, work experience, education, skills, location, LinkedIn headline
- Job description text and company names (for criteria generation only)
Data NOT sent to AI providers:
- Email addresses or phone numbers
- Profile photographs
- LinkedIn passwords or authentication tokens
This analysis data is stored within your SourceLens account.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
2.4 Chrome Extension Data
The SourceLens Chrome Extension collects:
- LinkedIn profile URLs that you manually export
- Export metadata (count, timestamp, extension version, browser type)
The extension stores locally on your device (not transmitted to our servers):
- Your API key
- Project selection preferences
- Notification preferences
The extension does not scrape profile data from LinkedIn pages. It collects only profile URLs. All profile data is retrieved server-side by authorized data providers.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
2.5 Website Analytics
We use Google Analytics 4 (GA4) on sourcelens.ai to understand how visitors use our website. GA4 collects:
- Pages visited and interactions
- Approximate geographic location (country/region level)
- Device and browser information
- Referral source
Google Analytics uses cookies. See our Cookie Policy for details.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in understanding website usage to improve our service.
2.6 Data We Do Not Collect
- We do not collect data from minors (under 16)
- We do not collect sensitive/special category data (health, religion, political views, sexual orientation)
- We do not collect browsing history beyond our own website
- We do not collect data from websites other than linkedin.com (Chrome Extension) and sourcelens.ai
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Service | Account data, candidate profiles, AI analysis | Contract (Art. 6(1)(b)) |
| Process payments | Billing information (via Stripe) | Contract (Art. 6(1)(b)) |
| AI employer and career analysis (via OpenRouter/DeepSeek) | Candidate names, titles, employer history, work experience, education, skills, location | Contract (Art. 6(1)(b)) |
| AI criteria generation (via OpenAI) | Job description text, company names (no candidate personal data) | Contract (Art. 6(1)(b)) |
| Improve our Service | Aggregated usage data, analytics | Legitimate interest (Art. 6(1)(f)) |
| Customer support | Account data, usage logs | Contract (Art. 6(1)(b)) |
| Security and fraud prevention | Technical logs, IP addresses | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | As required by law | Legal obligation (Art. 6(1)(c)) |
We do not use your data for:
- Selling to third parties
- Advertising or marketing by third parties
- Automated decision-making with legal effects on candidates
- Profiling of candidates beyond what you configure in the matching criteria
4. Data Processors and Sub-Processors
We share personal data with the following third-party service providers ("sub-processors") who process data on our behalf:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, candidate profiles, AI analysis results | United States* |
| Replit | Application backend hosting | Account data, candidate profiles processed through the application | United States* |
| Apify | LinkedIn profile data retrieval | LinkedIn profile URLs → returns public profile data | European Union / United States |
| OpenRouter | AI model routing (proxy) | Candidate names, job titles, employer history, work experience, education, skills, location (no photos or contact details) | United States |
| DeepSeek | AI employer and career analysis (via OpenRouter) | Same data as OpenRouter — routed through OpenRouter, not sent directly to DeepSeek | China (model provider; data routed via OpenRouter US) |
| OpenAI | AI criteria generation and scoring | Job description text, company names, criteria keywords (no candidate personal data) | United States |
| Stripe | Payment processing | Name, email, billing information (credit card data stored by Stripe only) | United States (EU-US DPF certified) |
| Google | Website analytics (GA4) | Anonymized browsing data, cookies | United States (EU-US DPF certified) |
*Exact data center locations may vary. See Section 5 for international transfer safeguards.
Note on AI data routing: Candidate personal data (name, work experience, education, skills, location) is sent to OpenRouter (US-based proxy) for AI analysis using the DeepSeek model. Data is not sent directly to DeepSeek's servers in China — it is routed through OpenRouter's US-based infrastructure. OpenRouter's data handling practices and whether data is forwarded to DeepSeek servers should be verified through OpenRouter's terms of service and data processing agreement.
OpenAI receives only job description text and criteria keywords for matching criteria generation — no candidate personal data is sent to OpenAI.
We maintain Data Processing Agreements (DPAs) with our sub-processors where required. We evaluate our sub-processors regularly for GDPR compliance.
5. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We currently transfer data to:
5.1 United States
Processors: Supabase, Replit, OpenRouter, OpenAI, Stripe, Google
Safeguards: Where processors are certified under the EU-US Data Privacy Framework (DPF), transfers are covered by the adequacy decision of the European Commission (July 2023). For processors not certified under the DPF, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
5.2 China (DeepSeek — via OpenRouter)
Model provider: DeepSeek (AI analysis model)
Data routing: SourceLens → OpenRouter (United States) → DeepSeek model
Data transferred: Candidate personal data including names, job titles, employer history, work experience, education, skills, and location is sent to OpenRouter (a US-based AI routing service) for processing by the DeepSeek AI model. Data is not sent directly to DeepSeek's servers in China — it is routed through OpenRouter's US-based infrastructure.
Important: Whether OpenRouter forwards data to DeepSeek servers in China or processes it within its own infrastructure depends on OpenRouter's architecture and terms of service. We treat this transfer as potentially involving China and apply appropriate safeguards accordingly.
Safeguards: We rely on Standard Contractual Clauses (SCCs) with OpenRouter and have assessed that the data transferred consists of publicly available professional information from LinkedIn profiles. No email addresses, phone numbers, photos, or LinkedIn credentials are sent to AI providers. We continuously evaluate this data flow and may migrate to EU-based AI providers as alternatives become available.
Data not sent to AI providers:
- Email addresses
- Phone numbers
- LinkedIn passwords or authentication tokens
- Profile photographs
Your rights: If you have concerns about data transfers involving China, you may contact us at privacy@sourcelens.ai to discuss alternatives or exercise your rights under Section 8.
5.3 Transfer Impact Assessment
We have conducted a Transfer Impact Assessment (TIA) for our international data transfers. Key considerations:
- The data consists primarily of publicly available professional information
- We do not transfer sensitive or special category data
- Sub-processors are contractually bound to data protection obligations
- We implement technical measures (encryption in transit and at rest) to protect data
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while your account is active. Deleted within 30 days of account deletion. |
| Candidate profile data | Retained while your account is active. Deleted within 30 days of account deletion. |
| AI analysis results | Retained while your account is active. Deleted within 30 days of account deletion. |
| Profile photographs | Retained while your account is active. Deleted within 30 days of account deletion. |
| Payment records | Retained for 7 years after the last transaction (Dutch tax law requirement). |
| Chrome Extension local data | Stored on your device until you uninstall the extension. |
| Website analytics | Retained for 14 months (Google Analytics default). |
| Technical/support logs | Retained for 12 months, then anonymized. |
When you delete your account, all personal data including candidate profiles, analysis results, and photographs are permanently deleted within 30 days. Anonymized, aggregated data may be retained for statistical purposes.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
Technical measures:
- All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
- Database access is restricted and authenticated
- The Chrome Extension communicates exclusively over HTTPS
- Passwords are hashed and salted
Organizational measures:
- Access to personal data is limited to authorized personnel
- We maintain internal data handling procedures
- We review our security practices regularly
Chrome Extension security (SAFE MODE):
- The extension extracts only profile URLs — no data is scraped from LinkedIn pages
- No DOM manipulation or automation that could trigger LinkedIn detection
- No access to your LinkedIn credentials, messages, or connections
- Only operates on linkedin.com domains
8. Your Rights Under GDPR
As a data subject in the European Economic Area, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you | Email privacy@sourcelens.ai |
| Rectification (Art. 16) | Request correction of inaccurate data | Via your account or email privacy@sourcelens.ai |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") | Delete your account, or email privacy@sourcelens.ai |
| Restriction (Art. 18) | Request temporary restriction of processing | Email privacy@sourcelens.ai |
| Portability (Art. 20) | Receive your data in a machine-readable format | CSV export (Professional tier) or email privacy@sourcelens.ai |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email privacy@sourcelens.ai |
| Withdraw consent (Art. 7) | Withdraw consent where processing is based on consent | Adjust cookie settings, or email privacy@sourcelens.ai |
Response time: We will respond to your request within 30 days. In complex cases, this may be extended by an additional 60 days, in which case we will inform you.
Identification: To protect your privacy, we may ask you to verify your identity before processing your request.
No cost: Exercising your rights is free of charge. In case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse the request.
9. Rights of Candidates (Data Subjects Whose Profiles Are Analyzed)
SourceLens processes publicly available LinkedIn profile data on behalf of our customers (recruiters). In this context:
- Our customers are the data controllers for candidate data they choose to analyze
- SourceLens (Highrank B.V.) acts as a data processor on behalf of our customers
For candidates:
If your LinkedIn profile has been analyzed through SourceLens and you wish to exercise your GDPR rights:
- Contact the recruiter who analyzed your profile (the data controller) to request access, rectification, or deletion
- Contact us directly at privacy@sourcelens.ai if you wish to:
  - Confirm whether your data is processed in our system
  - Request deletion of your profile data from all SourceLens accounts
  - Object to the processing of your publicly available LinkedIn data
We will respond to candidate requests within 30 days.
Important: SourceLens only processes data that is publicly available on LinkedIn. We do not access private LinkedIn information, messages, or connection data. You can control the visibility of your LinkedIn profile through your LinkedIn privacy settings.
10. Chrome Extension Specific Provisions
10.1 Permissions
The Chrome Extension requests the following browser permissions:
| Permission | Purpose |
|---|---|
| `storage` | Store your API key and project preferences locally |
| `activeTab` | Interact with the active LinkedIn tab to display the SourceLens panel |
| `notifications` | Show export confirmation notifications |
10.2 Host Permissions
The extension only operates on:
- `*.linkedin.com` — to display the export panel and collect profile URLs
- `*.sourcelens.ai` and `*.sourcelens.nl` — to communicate with the SourceLens backend
10.3 What the Extension Does Not Do
- Does not scrape or read profile data from LinkedIn pages
- Does not access your LinkedIn credentials or session
- Does not read your LinkedIn messages or connections
- Does not operate on any website other than linkedin.com
- Does not collect browsing history
- Does not inject tracking scripts or third-party code
11. Cookies
Our website (sourcelens.ai) uses cookies. For detailed information, see our Cookie Policy.
The Chrome Extension does not use cookies.
12. Children's Privacy
SourceLens is a professional recruitment tool intended for business use by adults. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have collected data from a person under 16, we will delete it promptly.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- Within 72 hours: We will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- Without undue delay: We will notify affected users via email if the breach poses a high risk to their rights and freedoms
14. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Highrank B.V. is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 70 888 8500
- Address: Postbus 93374, 2509 AJ Den Haag, The Netherlands
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify registered users by email
- We will update the "Last updated" date at the top of this policy
- For significant changes, we will provide notice through the Service or Chrome Extension
We encourage you to review this policy periodically.
16. Contact
For any questions about this Privacy Policy or your personal data:
Privacy inquiries:
Email: privacy@sourcelens.ai
Response time: Within 5 business days
GDPR requests (access, deletion, rectification, etc.):
Email: privacy@sourcelens.ai
Subject line: "GDPR Request — [type of request]"
Response time: Within 30 days
Data Protection Contact:
Highrank B.V.
Koninginneweg 11
1217 KP Hilversum
The Netherlands
KvK: 30273356
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | January 31, 2026 | Initial version (Chrome Extension only) |
| 2.0 | March 1, 2026 | Complete rewrite covering full platform, updated sub-processors, international transfers, candidate rights |
This Privacy Policy is drafted in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Dutch Implementation Act (UAVG), and the ePrivacy Directive. This document does not constitute legal advice. We recommend consulting with a qualified legal professional for compliance verification.