Privacy Policy

Last updated: March 20, 2026

Lensdrop ("we", "us", "our") operates the lensdrop.app platform. This policy explains how we collect, use, and protect your personal data when you use our service. It applies to all users worldwide, including those in the European Economic Area (EEA), United Kingdom (UK), and India.

Data Controller

Lensdrop is the data controller responsible for your personal data. If you have questions about how your data is processed, contact us at hello@lensdrop.app.

Information We Collect

Sign-in with Google

When you sign in with Google, we receive your name, email address, and (optionally) profile picture solely to create and manage your Lensdrop account. We do not access your Gmail messages, Google Drive files, contacts, or any other Google data. You can revoke access at any time from your Google account settings.

Account Information

When you create a studio account, we collect your name, email address, studio name, and phone number. This information is necessary to provide our services.

Photos and Event Data

We store photos you upload, event details you create, and client selection data. This content belongs to you and is stored securely on our servers.

Find My Photos — Selfie Search (Pro Plan)

On galleries where the studio has enabled Find My Photos, guests may upload a selfie to filter the gallery to photos they appear in. This is the only AI-powered feature we offer, and only on the Pro plan.

How the matching works:when a guest uploads a selfie, it is processed in-memory by our self-hosted face recognition service, converted into a numeric fingerprint (a face embedding), and compared against the fingerprints of faces already detected in that event’s photos. Matching photos are returned to the guest. The guest’s selfie is never stored — it exists only in memory for the duration of the search and is discarded immediately afterward. The face fingerprints derived from event photos are stored so that future selfie searches can be matched quickly.

This processing runs on our own infrastructure. We do notperform facial recognition in the identity-verification sense (matching faces to named individuals) — we only compare visual similarity between faces within a single event’s gallery.

Face fingerprint data is automatically deleted when the event is archived or when photos are deleted, following the same retention period as your photos.

Usage Data

We automatically collect basic usage information such as pages visited, features used, browser type, and device information to improve our service. This data is collected in aggregate and is not used to identify individual users.

Legal Basis for Processing (GDPR)

If you are in the EEA or UK, we process your personal data under the following legal bases:

  • Contractual necessity - To provide the Lensdrop service, manage your account, process payments, and deliver photos (Article 6(1)(b) GDPR)
  • Legitimate interest - To improve our service, prevent fraud, and ensure security (Article 6(1)(f) GDPR)
  • Consent - For optional analytics cookies and marketing communications, which you can withdraw at any time (Article 6(1)(a) GDPR)
  • Legal obligation - To comply with applicable laws, such as tax and accounting requirements (Article 6(1)(c) GDPR)

How We Use Your Information

  • To provide and maintain the Lensdrop platform
  • To manage your account and subscriptions
  • To send service-related notifications (event updates, client selections)
  • To improve our product based on aggregated usage patterns
  • To match guest selfies against event photos for the Find My Photos feature (Pro plan, when enabled by the studio)
  • To respond to support requests
  • To comply with legal obligations

Data Storage, Security, and International Transfers

Your data is stored on servers provided by Supabase (India), Vercel (US/Global CDN), and Upstash (US). Photos are stored in encrypted cloud storage. We use industry-standard security practices including encryption in transit (TLS) and at rest, row-level security policies, and regular security reviews.

If you are located in the EEA, UK, or other regions with data transfer restrictions, your personal data may be transferred to and processed in countries outside your jurisdiction (including the United States). We ensure appropriate safeguards are in place for these transfers, including reliance on the service providers' Standard Contractual Clauses (SCCs) and other approved transfer mechanisms.

Sub-processors

We use the following third-party service providers to operate Lensdrop:

  • Supabase - Database, authentication, and file storage (India)
  • Vercel - Application hosting and CDN (US/Global)
  • Upstash - Rate limiting and caching (US)
  • Razorpay - Payment processing (India)
  • Polar - Payment processing (International)
  • Resend - Transactional email delivery (US)
  • Cloudflare - File storage (R2), CDN, and image processing (Global/Asia Pacific)
  • AWS Lightsail - Hosts our self-hosted face-matching service for the Find My Photos feature, Pro plan only (Mumbai ap-south-1)
  • PostHog - Product analytics, opt-in only (EU)

Each provider processes data only as necessary to deliver their service and is bound by their own privacy and security commitments.

Data Sharing

We do not sell, rent, or trade your personal data. We share information only with the sub-processors listed above as necessary to operate the platform, and when required by law or to protect our legal rights.

Data Retention

Photos and event data are retained according to your plan's retention period (14 to 90 days after event archival). Account information is retained as long as your account is active. After account deletion, your personal data is removed immediately, except where we are required by law to retain it (e.g. billing records for tax purposes, which may be retained for up to 7 years).

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access - Request a copy of the personal data we hold about you
  • Rectification - Request correction of inaccurate or incomplete data
  • Erasure- Request deletion of your personal data ("right to be forgotten")
  • Restriction - Request that we limit the processing of your data
  • Portability - Request your data in a structured, machine-readable format
  • Objection - Object to processing based on legitimate interests
  • Withdraw consent - Withdraw consent for optional data processing at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at hello@lensdrop.app. We will respond within 30 days (or within the timeframe required by applicable law).

Right to Lodge a Complaint

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully. If you are in India, you may contact the Data Protection Board of India.

Automated Decision-Making

The Find My Photos feature uses automated face-similarity matching to filter a gallery to photos of the guest who uploaded a selfie. This processing does not make decisions with legal or similarly significant effects — it only narrows the set of photos shown.

Children's Privacy

Lensdrop is not intended for use by individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email and update the "Last updated" date above. Continued use of the service after changes constitutes acceptance, except where consent is required by law.

Contact

For questions about this policy or to exercise your data rights, contact us at hello@lensdrop.app.