Privacy Policy
Last updated: 9 April 2026
1. Who we are
MegaLens.ai is operated by Outreach Solutions Pty Ltd, an Australian company. We are the data controller for the personal data processed through our platform.
Contact: [email protected]
2. What data we collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email, display name, avatar (via OAuth) | Authentication, account management |
| Query content | Text you submit for analysis | Routed to AI providers for multi-engine analysis |
| API keys (BYOK) | Your OpenRouter API key, encrypted with AES-256-GCM | Routing queries through your own API account |
| Billing | Stripe customer ID, transaction history, PAYG balance | Subscription and pay-as-you-go billing |
| Usage logs | Provider, model, token counts, cost, latency per call | Service improvement, cost tracking, abuse prevention |
| Device info (MCP users) | Device fingerprint, platform, app version | License enforcement (max 3 active MCP devices) |
| Chat history | Session metadata, messages, AI responses | Conversation continuity, product improvement |
3. How your data flows through AI providers
MegaLens is a multi-engine AI platform. When you submit a query, your content is sent to 2 to 5 specialist AI engines simultaneously for independent analysis. Their findings are then evaluated by a Council of up to 3 elite judge engines — assessing evidence, filling gaps, and rendering the final verdict. This is the core of our service.
Important: Your queries are processed by third-party AI providers
Each query you submit is sent via OpenRouter (a US-based API gateway) to one or more of the AI providers listed below. These providers process your query content to generate responses. Provider selection may vary by task type, model availability, performance, safety, or cost. While MegaLens requires OpenRouter, as its model-routing provider, to process data under applicable contractual data protection obligations, any downstream model providers operate and manage their own infrastructure independently.
MegaLens may route a request across multiple providers in a single run. The exact model or provider used for a given request may change over time as we update routing, benchmarking, safety controls, and service availability, provided they remain within our declared list of authorized sub-processors (see Section 10).
AI providers we use
| Provider | Headquarters | Role |
|---|---|---|
| DeepSeek | China | Specialist debater |
| Xiaomi (MiMo) | China | Specialist debater |
| Moonshot AI (Kimi) | China | Specialist debater |
| Zhipu AI (GLM) | China | Specialist debater |
| Alibaba (Qwen) | China | Specialist debater |
| MiniMax | China | Specialist debater |
| xAI (Grok) | United States | Specialist debater |
| Mistral (Devstral) | France (EU) | Specialist debater |
| Perplexity | United States | Specialist debater |
| Google (Gemini) | United States | Council judge (assessment + gap-filling) |
| OpenAI (GPT) | United States | Council judge (assessment + gap-filling) |
| Anthropic (Claude) | United States | Council judge (final decision + gap-filling) |
4. Data processing in China
Disclosure: Chinese AI providers
Six of our specialist AI engines are operated by companies headquartered in the People's Republic of China. Under China's National Intelligence Law (2017), Cybersecurity Law (2017), and Data Security Law (2021), these companies may be required to cooperate with Chinese government intelligence operations.
By using MegaLens, you acknowledge that query content routed to these providers may be subject to Chinese law. We route all traffic through OpenRouter (US-based), but this does not prevent downstream providers from processing your data under their local legal obligations.
We recommend that you do not submit personally identifiable information or other highly sensitive content to MegaLens. You must not submit attorney-client privileged materials, trade secrets, export-controlled technical data, classified information, or content subject to ITAR restrictions to the Service.
If you are subject to contractual, regulatory, export-control, or internal security restrictions on external AI processing, you are responsible for determining whether you are permitted to submit the relevant content through the Service.
5. International data transfers
MegaLens is operated from Australia. Your data may be transferred to and processed in:
- United States — Supabase (database hosting), Stripe (payments), OpenRouter (API gateway), xAI, Perplexity, Google, OpenAI, Anthropic
- China — DeepSeek, Xiaomi, Moonshot AI, Zhipu AI, Alibaba, MiniMax
- European Union — Mistral AI (France)
For EU/UK users: Transfers to countries without an EU adequacy decision (including China and the United States) are conducted on the basis of your explicit, informed consent given at account registration. You may withdraw consent at any time by discontinuing use of the service, but this will limit our ability to provide the service.
We are working toward implementing Standard Contractual Clauses (SCCs) with our key sub-processors. Until these are in place, consent is our primary transfer mechanism for non-adequate jurisdictions.
6. API key handling
BYOK (Bring Your Own Key)
If you provide your own OpenRouter API key, it is encrypted using AES-256-GCM before storage. The encryption key is managed server-side and is never exposed to client applications. Only Pro-tier users may store API keys.
Managed / Pay-As-You-Go
For PAYG users, we create a per-user OpenRouter API key on your behalf using OpenRouter's Provisioning API. This key is stored AES-256-GCM encrypted. Its spend limit is synchronized with your MegaLens balance — if your balance reaches zero, the key is disabled on OpenRouter to prevent unauthorized charges.
You may request deletion of your stored API keys at any time. BYOK users can always delete their keys regardless of subscription status.
7. Lawful basis for processing (GDPR)
| Processing activity | Lawful basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Query processing through AI providers | Contract + explicit consent for cross-border transfers |
| Billing and payment processing | Contract (Art. 6(1)(b)) |
| Usage analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Device fingerprinting for MCP licensing | Contract (Pro/PAYG service delivery) |
8. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion |
| Chat history (Free users) | 30 days, then auto-deleted |
| Chat history (Pro/PAYG users) | 90 days, then auto-deleted |
| Usage logs (raw) | 90 days, then auto-deleted |
| Usage logs (aggregated, anonymized) | Permanent (for service analytics) |
| Billing records | 7 years (legal requirement) |
| API keys | Until user deletion or account closure |
| Device fingerprints | Until device revocation or account deletion |
You may request early deletion of your data at any time (see Section 9).
9. Your rights
Under GDPR (EU/UK users)
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — for processing based on consent
Under Australian Privacy Act (APP)
- Access (APP 12) — request access to your personal information
- Correction (APP 13) — request correction of inaccurate information
- Complaint — lodge a complaint with the OAIC (oaic.gov.au)
To exercise any right, email [email protected]. We respond within 30 days under both the GDPR and the APP.
Account deletion: Deleting your account purges all chat messages, usage events, API keys, device records, and billing data associated with your user ID. Aggregated, anonymized analytics data is retained.
10. Sub-processors
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Database | Supabase Inc. | US | Data storage, authentication |
| Payments | Stripe Inc. | US | Subscription and PAYG billing |
| API gateway | OpenRouter | US | AI model routing |
| AI models | See Section 3 | US / China / EU | Query processing |
We will notify registered users of sub-processor changes via email at least 30 days before the change takes effect. You may object to a new sub-processor within that period by contacting [email protected].
11. Cookies and tracking
MegaLens uses only strictly necessary cookies for authentication session management. We do not use advertising cookies, tracking pixels, or third-party analytics that track users across sites.
Device fingerprinting for MCP license enforcement is performed only for Pro and PAYG users who have opted into MCP integration. This data is not used for advertising or cross-site tracking.
12. Security measures
- API keys encrypted at rest using AES-256-GCM with per-record initialization vectors
- Row-Level Security (RLS) on all database tables — users can only access their own data
- HTTPS-only transport (TLS 1.2+)
- Stripe webhook signature verification
- Column-level grants hide encrypted key material from client queries
- Atomic billing operations with idempotency guards
13. Data protection impact assessment
We have conducted an internal Data Protection Impact Assessment (DPIA) covering the processing of user query content through multiple third-party AI providers, cross-border data transfers to non-adequate jurisdictions (including China), and device fingerprinting for MCP license enforcement. This assessment is reviewed and updated when we add new AI providers or change data processing practices.
Enterprise customers may request a summary of our DPIA by contacting [email protected].
14. Data breach notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users within 72 hours (GDPR requirement)
- Notify the OAIC as required under Australia's Notifiable Data Breaches scheme
- Provide details of the breach, data affected, and remediation steps
15. Children
MegaLens is a B2B service not directed at individuals under 18. We do not knowingly collect data from children. If you believe a minor has provided us data, contact [email protected].
16. Changes to this policy
We may update this policy to reflect changes in our practices, sub-processors, or legal requirements. Material changes will be notified via email to registered users at least 14 days before taking effect. Your continued use after notification constitutes acceptance.
17. Data processing agreements
Enterprise customers who require a Data Processing Agreement (DPA) for compliance with GDPR, UK GDPR, or other data protection frameworks may request one by contacting [email protected]. Our DPA covers data processing scope, security obligations, sub-processor management, breach notification, and data subject rights assistance.
18. Contact
Outreach Solutions Pty Ltd
Email: [email protected]
Governing law: Laws of New South Wales, Australia
For GDPR complaints, you may also contact your local data protection authority. For Australian complaints, contact the Office of the Australian Information Commissioner.