Privacy Policy
Last updated: 25 April 2026
1. Introduction
Lensora Ltd ("Lensora", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (lensora.io) and use our platform (the "Service").
Please read this Privacy Policy carefully. If you disagree with its terms, please stop using our Service immediately.
We may revise this Privacy Policy from time to time. The most current version will always be posted at lensora.io/privacy. Continued use of the Service after any changes constitutes your acceptance of the revised Policy.
2. Data we collect
We collect several types of information:
Account and profile data: When you register, we collect your name, email address, company name, and password (stored as a secure hash).
Website data you submit: URLs and business details you enter into Lensora for analysis. This is used solely to perform the AI visibility analysis you request.
Usage data: Information about how you interact with our Service, including pages visited, features used, query simulations run, and time spent. This helps us improve the product.
Payment data: Billing information is processed by Stripe. We do not store your full card details — only a tokenised reference from Stripe.
Communications: If you contact us, we retain records of that correspondence.
Cookies and tracking: See the Cookies section below.
3. How we use your data
We use your personal data to:
- Provide, operate, and maintain the Lensora Service
- Process your subscription payments
- Send transactional emails (reports, alerts, invoices)
- Send product updates and marketing emails (with your consent, and you can opt out at any time)
- Respond to your support requests
- Improve and develop new features through aggregate usage analytics
- Detect, prevent, and respond to fraud or security issues
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your submitted website data to train our AI models.
4. Legal basis for processing (UK GDPR)
Under UK GDPR, our legal bases for processing your data are:
Contract performance: Processing your account data and running the Service you signed up for.
Legitimate interests: Usage analytics to improve the product; fraud prevention; ensuring security. We balance these interests against your rights.
Consent: Marketing emails and optional cookies. You can withdraw consent at any time.
Legal obligation: Where we are required by law to process data (e.g., financial records for tax purposes).
5. Data sharing and third parties
We share data with a limited number of trusted service providers who help us operate the Service:
- Stripe: Payment processing
- Supabase: Database hosting (EU servers)
- Vercel: Hosting infrastructure
- Resend / Postmark: Transactional email delivery
- Anthropic / OpenAI / Google: AI query simulation (only anonymised query content is sent, not your account details)
- Analytics providers: Aggregated, anonymised usage data only
All third-party providers are under contractual obligations to protect your data and use it only for the specified purpose. We do not share your data with advertisers.
6. Data retention
We retain your personal data for as long as necessary to provide the Service and comply with our legal obligations.
Account data: Retained for the duration of your subscription, plus 90 days after account deletion (to allow recovery) and then permanently deleted.
Usage logs: Aggregated after 12 months; raw logs deleted after 90 days.
Payment records: Retained for 7 years as required by financial regulations.
Communications: Support tickets retained for 3 years.
You can request deletion of your data at any time. See Your Rights below.
8. Your rights
Under UK GDPR, you have the following rights:
Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Ask us to correct inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data (subject to legal retention requirements).
Right to restriction: Ask us to limit how we process your data in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing.
Rights related to automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, contact us at privacy@lensora.io. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit
- Encryption at rest for sensitive data
- Access controls limiting who within Lensora can access personal data
- Regular security reviews and penetration testing
- SOC 2-aligned security practices
No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to security@lensora.io.
10. International data transfers
Our primary servers are located in the UK and EU. Some third-party providers (e.g., AI model APIs) may process data in the United States. Where we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO.
11. Children's privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@lensora.io.
12. Contact us
For any questions about this Privacy Policy or to exercise your rights, contact:
Lensora Data Controller
privacy@lensora.io
Registered address: Värmdö Municipality, Stockholm County, Sweden
Company number: 559580-5135
If you have questions about this policy, visit our contact page or email privacy@lensora.io.