Effective Date: May 6, 2026 | Last Updated: May 6, 2026 | Version 1.0
LensReport ("we", "our", or "us") operates the LensReport mobile application (the "App"), available on iOS and Android. This Privacy Policy explains what information we collect, how we use it, who we share it with, where it is stored, how long we keep it, and the rights you have over it.
By downloading, installing, or using LensReport, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
LENS-XXXXXX) and share it with the people you want to collaborate with. When
someone enters your code in their own copy of the App, we create a join-request record
containing their user ID, display name, and the email address on their Firebase Auth
record, and we send you a notification so you can approve or decline. Pending requests
expire after 30 days. We do not collect the recipient’s email separately
from you, and we do not send an invitation email to anyone on your behalf.
We use the information we collect for these purposes:
LensReport does not sell, rent, lease, or trade your personal data to any third party. We do, however, rely on a small number of trusted service providers ("subprocessors") to operate the service. Each of them acts under a written data-processing agreement and may only use your data to provide the services we ask them to:
| Subprocessor | Purpose | Region |
|---|---|---|
| Google Firebase (Auth, Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Crashlytics, Analytics, Remote Config, App Check) | Primary backend: stores your account, reports, entries, and uploaded images; handles sign-in; delivers push notifications; collects crash and analytics data; verifies App Check tokens. | US multi-region (primary), with calls routed to EU or Asia-Pacific regions where applicable. |
| OpenAI (gpt-4.1-mini via the API) | (a) Extracts structured fields from the document images you upload. (b) Powers the optional AI Insights advisor — receives PII-redacted summaries of report data plus your question. | United States. |
| RevenueCat | Processes in-app subscription events forwarded from the App Store and Google Play, maintains entitlement state, and powers restore-purchases. | United States. |
| Postmark (by Wildbit) | Sends transactional email: email verification codes, welcome emails, join-request notifications to team owners, monthly-quota warnings, and account-deletion warnings. Used only for outbound email — no other user data is stored on Postmark. | United States. |
| Apple App Attest / DeviceCheck | Issues attestation tokens that prove your iOS request came from a genuine, unmodified LensReport install. Apple does not see your scan content. | Per Apple’s infrastructure; tokens never carry personal data. |
| Google Play Integrity | Same role as App Attest, for Android requests. | Per Google’s infrastructure; tokens never carry personal data. |
| Apple and Google (as payment processors) | Process the actual in-app purchase and subscription payment. We never see your card details — billing happens entirely inside the App Store or Google Play. | Per the store you purchased through. |
We use OpenAI’s API with zero data retention (ZDR) enabled for LensReport’s account. Under ZDR, OpenAI does not retain your submitted images, prompts, completions, or extracted data after the request completes, and does not use your data to train, improve, or fine-tune their models. This applies to all OpenAI calls we make: document-image extraction and the AI Insights advisor (questions and answers).
If you want to verify this commitment, you can contact us at info@lensreport.app and we will confirm our current ZDR status.
Before the AI Insights advisor (Section 4) sends any text to OpenAI, our backend automatically redacts the following categories from notes, descriptions, and your typed question:
[email-1]);
Vendor names, merchant names, and payee names are deliberately preserved because the advisor needs them to answer questions like “how much did I spend at X?”. PII redaction applies to the AI Insights surface; the underlying document-image extraction itself necessarily transmits the visible image content under ZDR.
We do not sell, rent, lease, or trade your personal information to any third party. We do not share your data with any third party for their own marketing, advertising, profiling, or behavioral-advertising purposes.
LensReport offers two optional features that involve calls to OpenAI’s API. Both run under the zero-data-retention agreement described in Section 3.1.
This feature is the core of the App. When you scan or import a document, the image is uploaded to Firebase Cloud Storage, then forwarded to OpenAI to identify the vendor name, date, amounts, line items, and other fields appropriate to the template you chose. The extracted values are written to your report in Firestore. The image is retained alongside the entry until you delete it; the OpenAI request and response are not retained by OpenAI per ZDR.
If you would prefer not to send any image to OpenAI, you can use the App’s manual-entry feature to type the values directly — this still creates a normal entry, just without the AI extraction step.
AI Insights is an optional in-app feature available to paid subscribers on any tier. Free contributors on a paid owner’s shared report do not automatically inherit AI Insights access — they see a paywall when they tap the AI button and must subscribe to use the feature themselves. AI Insights lets you ask questions about a report in natural language and receive answers grounded in your own entries. Some questions are descriptive (“what was my biggest purchase last month?”); others are advisory (“am I spending too much on fuel?”). The advisor is informational only and is not a substitute for professional advice; this is disclosed in-product on every advisory answer.
What we send to OpenAI for an AI Insights query:
What we do NOT send to OpenAI for an AI Insights query:
Audit log. Every AI Insights call is recorded in an append-only audit log
stored at users/{your-id}/aiAudit/{event}. Each audit row contains the operation
type, the outcome (success / hard-refused / crisis-redirect / no-match / etc.), a SHA-256
hash-prefix of your question (never the question text itself), latency, and a timestamp.
No document content and no answer text is written to the audit log. The log is retained for
the lifetime of your account and is removed when you delete your account; we keep it only
for product / abuse-monitoring purposes during the life of the account, on the
legitimate-interest basis under GDPR Article 6(1)(f). It is not used for any other
purpose.
Conversation memory. So that follow-up questions feel coherent
(“and what about last month?”), we keep a per-report conversation history at
users/{owner-id}/reports/{report-id}/aiConversations/{turn}. For most turns we
store the PII-redacted question, the question’s identity hash, a 1–2 sentence
summary of the answer narrative (used to give the LLM continuity context on follow-ups), the
outcome, and the timestamp — never the full answer body, never any document content.
Two exceptions: hard-refused turns (medical / legal / etc.) store only the refusal category,
with no question text and no summary; crisis-redirect turns are never stored at all
so distress signals do not propagate to anyone else with access to the report.
On a shared report, this conversation history is readable by every collaborator with
access to the report: if your teammate asks about Q3 fuel spend yesterday, the AI
knows that context when you ask a follow-up today. The history is retained for 12 months
from the last turn (Firestore TTL), stored under the owner’s namespace, and deleted
when the report is deleted or when the owner’s account is deleted.
Response cache. To keep AI costs predictable and to make repeat questions
feel instant, we cache successful answers for up to 24 hours per (report, question, data
state) tuple at users/{owner-id}/reports/{report-id}/aiCache/{key}. Cached entries
expire automatically and are deleted when the report is deleted.
Daily usage caps. AI Insights is rate-limited per Firebase user account. Free users have no AI Insights quota; every paid tier (Individual, Family, Enterprise) gets a flat 30 queries per day. Each user draws from their own counter — including contributors on a shared report, who must subscribe in their own right to use the feature. Within the daily cap, a short-burst limiter (8 queries per minute) prevents accidental script loops; three burst-limit hits in 10 minutes trigger a 15-minute lockout on the affected account.
Feedback (optional). Every answer has a thumbs-up / thumbs-down control. If
you tap thumbs-down, you can pick a closed-list reason (“wrong about my data”,
“bad recommendation”, “felt judgmental”, “not helpful”,
“other”). The feedback row stores only the question identity hash, your reason
selection, and a timestamp — no free-text comment is collected and no question or answer
text is included. Feedback is stored at users/{your-id}/aiFeedback/{event} and is
used to improve prompts and detect regressions.
Crisis and refusal handling. If your free-text question matches one of our hard-refusal categories (medical / clinical, legal advice, specific investment advice, tax-filing decisions, drastic operational actions, attempts to extract another user’s personal data, or prompt-injection attempts), the request is rejected before we call OpenAI — no tokens are sent. If the question matches our crisis-detector keyword bag (mental-health distress, financial distress, threats of harm to others), we return a card pointing to the appropriate local support resources (suicide-prevention hotline, financial-counselling service, etc.) instead of any AI-generated answer. The crisis card never reaches OpenAI and the crisis turn is not added to the report’s conversation history; only the audit-log entry exists.
Cost monitoring. We run an automated daily summary that aggregates AI usage across all users to detect abuse and runaway cost. The summary contains only counts and totals (e.g. “1,200 calls today, $3.40 spend”) — no per-user or per-query detail is included. If the daily total exceeds an internal threshold, an email alert is sent to our operations address.
AI Insights is opt-in by definition: it only runs when you tap the AI button on a report. If you never tap it, no AI Insights data is processed or stored. To remove an existing conversation history, delete the report (which deletes all associated AI conversation, context, and cache rows under the owner’s namespace) or delete your account (which deletes the same data plus your AI audit log and AI feedback rows).
AI Insights is not available on the free tier. Each user who wants to use the feature must hold a paid subscription in their own right; the owner of a shared report does not pay for a contributor’s AI usage. Owners can remove a contributor from a team at any time from the Collaborate screen, which also revokes the contributor’s read access to the conversation history on every report they previously had access to.
| Data type | Where it lives | How long we keep it |
|---|---|---|
| Scanned document images | Firebase Cloud Storage | For the lifetime of the entry that owns them. Deleting the entry or the whole report deletes the image. Deleting your account deletes every image in your account. |
| Reports, entries, and extracted fields | Firestore | For the lifetime of your account. Deleting a report deletes all its entries. Deleting your account deletes everything. |
| Account profile (email, display name, subscription state, onboarding industry tag) | Firebase Authentication + Firestore | For the lifetime of your account. |
| Entry usage counts (per billing period) | Firestore | For the lifetime of your account. |
| Pending offline scans (images captured while offline) | On-device local storage | Until the next successful upload, or until you delete the report or uninstall the App. |
| Share link snapshots | Firebase Cloud Storage | Until the share link’s expiry (you choose 1 hour / 24 hours / 7 days / 30 days), or until you revoke the link. Revoking the link deletes the snapshot immediately. |
| Data export bundles (Section 7.3) | Firebase Cloud Storage | The signed download URL is valid for 7 days. After 7 days the file is no longer retrievable via the URL. You can request a new export at any time. |
| Outstanding team invitations | Firestore | Until the invitee accepts, the inviter revokes, or the invitation’s expiry date (up to 30 days) passes. |
| AI Insights audit log (Section 4.2) | Firestore (server-only, under your account) | For the lifetime of your account; deleted when you delete your account. Contains only operation type, outcome, question hash-prefix, latency, and timestamp. |
| AI Insights conversation history | Firestore (under report owner’s namespace) | 12 months from the last turn (auto-deleted by Firestore TTL), or sooner if the report or owner’s account is deleted. |
| AI Insights response cache | Firestore (under report owner’s namespace) | Up to 24 hours per cached answer (auto-deleted by Firestore TTL), or sooner if the report or owner’s account is deleted. |
| AI Insights feedback (thumbs up/down + reason) | Firestore | For the lifetime of your account. |
| AI burst-violation lockout state | Firestore | Up to 24 hours; auto-cleared when the lockout expires. |
| Account-level audit log (Section 5.1) | Firestore (server-only) | Retained indefinitely, including after account deletion, for security and compliance purposes. |
| Crash reports (Firebase Crashlytics) | Google Firebase | Up to 90 days per Google’s retention policy. |
| Analytics events (Firebase Analytics) | Google Firebase | Retained in anonymized / aggregated form per Firebase Analytics defaults. |
LensReport maintains a server-only audit log that records account-level operations: account deletion, data export requests, team invitations (created / accepted / rejected), team member removals, and share-link creation and revocation. Each audit entry contains only the actor’s anonymized user ID, the action type, and a timestamp. No document content, no images, no answer text, and no contents of your reports are ever written to the audit log.
These audit entries are retained indefinitely, even after account deletion, because they support our ability to investigate security incidents, respond to legal requests, and comply with anti-fraud obligations. This is the legitimate-interest basis under Article 6(1)(f) of the GDPR.
We implement appropriate technical and organizational measures to protect your data:
No method of transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security.
You can delete your account at any time from Settings → Delete Account. Deletion is a two-step confirmation flow and requires fresh re-authentication. Once confirmed, we remove from our systems:
Some data is retained for legitimate-interest reasons even after deletion: the server-side account-level audit log described in Section 5.1 (which contains only action type, timestamp, and an anonymized identifier — no scan content, no question text, no answer text), and subscription records held by the App Store / Google Play / RevenueCat for legal and tax compliance.
Reminder: deleting your LensReport account does not automatically cancel any active subscription billed by the App Store or Google Play. Cancel the subscription separately through your iOS Settings or Google Play Store.
You may use LensReport with anonymous authentication — no name, no email, no social account required. Most features that do not involve collaboration, AI Insights, or export are available anonymously. Creating a real account (by adding email, Google, or Apple sign-in) is required only when you want to subscribe, export a report, use AI Insights, collaborate, or back up your data to the cloud.
You have the right to receive your personal data in a structured, machine-readable format. LensReport offers two complementary export paths:
Every share link you create is listed under Settings → Manage Shared Reports, where you can revoke any link immediately. Revoking a link deletes its Cloud Storage snapshot and prevents further views.
Report owners can remove a contributor from a team at any time via the Collaborate screen. Removal takes effect immediately: the contributor loses access to all shared reports and a 30-day cooldown applies before they can rejoin the same team. If you are a contributor and want to leave a team you no longer wish to be part of, email us at info@lensreport.app and we will process the request within 5 business days.
AI Insights is opt-in by use: it only runs when you tap the AI button on a report. To clear any conversation history that has built up, delete the report (which removes all associated conversation, context, and cache rows under the owner’s namespace) or delete your account (which removes the same data plus your AI feedback rows). The audit log entries remain per Section 4.2.
Team and Enterprise subscribers can generate a personal invite code (in the form
LENS-XXXXXX) and share it with the people they want to collaborate with.
Anyone who knows your code can submit a join request from inside the App; you then approve
or decline it. Approved contributors sign in with their own accounts and consume their
own scan / entry / AI quota — we do not operate a shared-pool model.
LensReport lets owners of a paid plan generate a public share link for a report. The link
points to a read-only snapshot of the report’s verified entries hosted at
share.lensreport.app. The recipient does not need to install the App or sign in
to view it. Optionally, the owner can require a 6-digit PIN to open the link.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and related data-protection laws. We honor these rights regardless of your location.
| Your right | How to exercise it |
|---|---|
| Right of access (Art. 15) | Use Settings → Export my data inside the App, or email info@lensreport.app. |
| Right to rectification (Art. 16) | Edit your profile in Settings → Edit Profile, or edit any report entry inline in the report sheet. |
| Right to erasure (“right to be forgotten”) (Art. 17) | Use Settings → Delete Account. See Section 7.1 for the exact scope of deletion. |
| Right to restrict processing (Art. 18) | Email info@lensreport.app. We will acknowledge within 5 business days. |
| Right to data portability (Art. 20) | Use Settings → Export my data. See Section 7.3. |
| Right to object (Art. 21) | Email info@lensreport.app. You can object to AI Insights processing by simply not using the feature, or by deleting reports whose conversation history you want erased. |
| Rights related to automated decision-making (Art. 22) | The AI Insights advisor produces informational output, not legal or similarly significant decisions; we do not use AI to make decisions about your account, billing, or eligibility. You always remain in control of any action you take based on AI output. |
| Right to withdraw consent | For AI Insights: do not tap the AI button on a report; existing conversation history can be removed by deleting the report or your account. For document-image extraction: use the manual-entry option instead of scanning. For all processing including analytics: delete your account, which stops further data collection. (We do not currently offer a granular in-app analytics opt-out toggle.) |
| Right to lodge a complaint | You may complain to your local data protection authority. For EU residents, that is the DPA of your Member State. For UK residents, the Information Commissioner’s Office (ICO). |
Legal bases for processing. We process your data based on (a) the performance of a contract with you under Article 6(1)(b) — to provide the scanning, extraction, AI Insights, collaboration, and export features you asked for; (b) your consent under Article 6(1)(a) where applicable — for optional analytics, push notifications, and any AI Insights interaction; and (c) our legitimate interests under Article 6(1)(f) — to keep the account-level and AI audit logs and to enforce security rate limits, App Check verification, and anti-fraud controls.
LensReport is operated from Fiji and does not currently have an appointed representative in the European Union under Article 27 of the GDPR. We are working to close this gap. Until then, EEA / UK / Swiss users who wish to exercise their rights can contact us directly at info@lensreport.app. We will update this section with the representative’s name and contact details as soon as one is appointed.
We aim to acknowledge every request within 5 business days and to complete it within 30 days, in line with the GDPR’s one-month response window. Where a request is unusually complex or we have received a large number of requests, we may extend by up to two further months in accordance with Article 12(3) GDPR, and we will let you know why.
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you the following rights:
Categories of personal information we collect. Identifiers (Firebase UID, email address, display name, device installation ID); commercial information (subscription state, purchase history); internet or other electronic network activity information (entry counts, AI usage counts, anonymized analytics events, crash reports); visual information (document images you choose to scan or import); inferences (the industry tag derived from your onboarding choices, used to suggest templates).
Categories of personal information we disclose for a business purpose. Visual information (document images) is disclosed to our OpenAI subprocessor solely to perform AI extraction, and to our Firebase / Google subprocessor solely for storage. PII-redacted report summaries and your typed AI Insights questions are disclosed to OpenAI solely to generate the requested AI Insights answer. Identifiers and commercial information are disclosed to Firebase, RevenueCat, Apple, and Google solely for the purposes described in Section 3.
LensReport is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. The App is rated for users aged 4+ on the App Store and is not designed for use by children to record their own personal data. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at info@lensreport.app and we will delete it promptly.
Your data is stored and processed in countries other than your country of residence, including the United States (Firebase, OpenAI, RevenueCat, Postmark) and other regions where Firebase operates (EU, Asia-Pacific). When we transfer data to these jurisdictions, we rely on the data-processing and standard-contractual-clauses agreements of our subprocessors to provide an adequate level of protection as required by applicable data protection laws.
This section maps our data practices to the disclosures we make in Apple’s App Privacy Nutrition Labels and Google Play’s Data Safety form, so you can cross-check.
requestTrackingAuthorization, and do not include any
advertising or attribution SDKs.
PrivacyInfo.xcprivacy) declares only the Required Reasons we actually use:
UserDefaults (CA92.1, app preferences), file timestamps and disk space (C617.1 / E174.1,
file management), and system boot time (35F9.1, performance measurement). We do not declare
or use any tracking-related Required Reasons.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy within the App or by other appropriate means, and we will update the “Last Updated” and “Version” fields at the top of this page. Continued use of the App after the effective date of the revised policy constitutes your acceptance of the changes. If you do not agree, please stop using the App and delete your account.
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Fiji, without regard to its conflict-of-law provisions. Any disputes arising under or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of Fiji, except where the GDPR, CCPA, or other applicable local law gives you a mandatory right to bring proceedings in your own country.
For any privacy-related request, including access / deletion / portability requests, questions about this policy, or reports of a suspected data incident, please contact:
Email: info@lensreport.app
We aim to acknowledge privacy requests within 5 business days and to resolve them within 30 days.