Privacy at SERP Lens: What we collect, what we don't, and why

SERP Lens is a browser. That comes with a reasonable question: what happens to my browsing data?

We built SERP Lens because we needed a better tool for SEO work — not because we wanted to watch people browse the internet. This post explains exactly how the app handles your data, what leaves your machine, and what stays on it.

Your browsing data stays on your machine

When you browse in SERP Lens, your tabs, navigation history, and session data are stored in a local SQLite database on your computer. That database lives in your system's app data directory. We don't sync it to our servers. We don't read it. We don't have access to it.

The same applies to your browser settings — device emulation preferences, geolocation configurations, Google search parameters, and network settings. All stored locally in that same database. All yours.

Screenshots and annotations can be saved to your local filesystem. When you choose to save a screenshot to your SERP Lens account then it will be saved securely on our servers for cross-device access, that's an explicit action you control.

Session isolation

Browser tabs in SERP Lens run in an isolated Electron session partition, separate from the app shell. Your browsing cookies, cache, and storage are sandboxed — they don't leak into the app's own authentication layer, and the app's session doesn't leak into your browsing.

You can clear browsing data — cache, cookies, storage — from the browser menu at any time.

Authentication and credentials

Your SERP Lens login credentials are encrypted using your operating system's secure storage (macOS Keychain, Windows Credential Manager, or the equivalent on Linux). We use Electron's safeStorage API for this — tokens are encrypted at rest and never stored in plaintext.

VPN proxy credentials follow the same pattern. They're held in memory during your session and authenticated through Electron's native proxy handler. They don't persist in logs or get written to disk unencrypted.

What we do send to our servers

SERP Lens communicates with our API for account-level features: authentication, project management, keyword tracking, and screenshot storage (when you explicitly save to your account). These are the features that require a server — everything else runs locally.

The API handles what you'd expect from a SaaS product. Your SERP analysis, on-page audits, Core Web Vitals checks, and page rendering all happen locally in the browser process. We're not proxying your browsing through our infrastructure.

Analytics and error tracking

We use two services:

PostHog — product analytics. We track feature usage within the SERP Lens app interface (which panels you open, which tools you use). We don't track the websites you visit. Autocapture is disabled. Sensitive properties (tokens, passwords) are stripped before any event is sent. GeoIP collection is disabled on the server side. We do not send anything related to the pages you are visiting in the browser to PostHog, we only send feature usage information.

Sentry — error reporting. When SERP Lens crashes or encounters an error, we send the stack trace and error context to Sentry so we can fix it. No browsing content is included in error reports.

Geolocation emulation

When you emulate a location in SERP Lens, we route traffic through our VPN infrastructure to provide an IP address from that geography.

The specifics: traffic is encrypted with AES-256 via a protocol that disguises VPN traffic as standard HTTPS. Our network enforces a zero-logging policy — no user activity data is collected, stored, or transferred. It spans 84+ locations with no speed or bandwidth caps.

SERP Lens provisions per-user VPN credentials tied to your subscription. When you select a location and connect, the app routes your browser tab traffic through the VPN. The app shell — your SERP Lens dashboard, settings, and API calls — stays on your direct connection. Only the browser tabs go through the proxy.

When you disconnect, traffic goes direct. No residual routing.

What we don't do

We don't inject tracking scripts into pages you visit. We don't modify page content for data collection. We don't sell browsing data to third parties. We don't build advertising profiles. We don't have a data monetisation model — our revenue comes from subscriptions.

The app's Content Security Policy restricts what can execute in the shell UI. External pages load with their own CSP intact — we don't override it.

The short version

SERP Lens is an SEO tool that happens to be a browser, not a browser that happens to have SEO tools. The browser is the delivery mechanism for features like SERP analysis, location emulation, and on-page auditing. We built it because Chrome with 12 limited extensions wasn't cutting it for client work.

Your browsing data is yours. Your analysis data is yours. We need a server for account management and keyword tracking. Everything else runs on your machine.

If you have specific questions about how we handle data, email sam@serplens.com or brodie@serplens.com.