Privacy Policy
Last updated: 21 May 2026
1. Who we are
Kudrutech (Christo Alberts, sole proprietor), operating from Hermanus, Western Cape, South Africa. Reach us through our contact page. We are committed to compliance with POPIA (the Protection of Personal Information Act, South Africa) and GDPR where EU data subjects use the Service.
2. What data we collect
- Account data: name, email address, tenant name, and billing information (the latter handled by Paddle, not stored by us).
- Customer data: FileMaker DDR / SAX XML exports you upload, configurations you create, and releases you author.
- Usage data: pages visited, features used, and API calls made, for the purpose of improving the Service and detecting abuse. No third-party trackers; no advertising data.
- Communication data: emails you send to support and any feedback you submit.
3. How we use your data
- To provide and operate the Service.
- To respond to support requests.
- To send service-related notifications (billing, maintenance, security).
- To improve the Service (aggregated, anonymous usage patterns only).
We do not use your data for advertising. We do not sell or share your data with third parties except as set out below.
4. Third parties we work with
- Paddle.com Inc — Merchant of Record for subscription billing. Receives the minimum data needed to process payments. See Paddle's privacy policy.
- AI providers (Anthropic, OpenAI, Google, and similar) — only when you explicitly use the AI features, and only the specific data the AI query needs. You configure which provider and model. Your tenant can choose Ollama (local-only) so that no data leaves your network.
- Hosting provider — runs the servers the Service operates on, with industry-standard data-centre security.
- No others. No advertising networks, no analytics services (during this initial launch), no data brokers.
5. Where your data is stored
Customer data is stored in the European Union and does not leave the EU / South Africa region. Enterprise customers can request on-premise deployment for full data sovereignty.
6. How long we keep your data
- Account data: for as long as your account is active, plus 30 days after termination.
- Customer data (uploaded files, configurations): deleted within 30 days of account termination.
- Billing records: retained for 7 years for tax compliance (statutory requirement).
- Backups: rotated, with full deletion within 90 days of any deletion event.
7. Your rights
Under POPIA and GDPR, you have the right to access the personal data we hold about you, correct inaccurate data, request deletion ("right to be forgotten") subject to legal retention requirements, object to processing, and request data portability (receive your data in a machine-readable format). To exercise any of these rights, use our contact page. We respond within 30 days.
8. Security
- All data encrypted in transit (HTTPS / TLS 1.3).
- All data encrypted at rest (database-level encryption).
- Sensitive secrets (API keys, credentials) encrypted with authenticated symmetric encryption (Fernet).
- Role-based access control on all admin functions.
- Audit logs on all AI calls, all API token usage, and all sign-offs.
- Backups encrypted before leaving the primary data centre.
9. Cookies
The marketing site (fmlens.com) uses no cookies. The application (lens.fmlens.com) uses session cookies for authentication, marked HttpOnly, Secure, and SameSite=Lax. These are strictly necessary cookies under GDPR and do not require consent.
10. Children's data
The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16.
11. Changes to this Policy
Material changes will be communicated by email 30 days before taking effect.
12. Contact
For privacy questions, use our contact page. Information Officer (POPIA): Christo Alberts.