Privacy Policy

1. Who We Are

LenZ (“we,” “us,” or “our”) operates the social media platform available at mylenz.app and any associated mobile applications (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service.

By creating an account or using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

For questions about this Policy, contact us at: privacy@mylenz.app

2. Information We Collect

2.1 Information You Provide Directly

• Account registration: username, email address, and password (stored as a salted hash — we never store plaintext passwords).
• Profile information: display name, bio, and profile photo that you choose to upload.
• User content: photos, videos, captions, and comments you post through the Service.
• Communications: messages you send to our support team.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, time and frequency of access, and interactions with content (reactions, comments, follows).
• Device and connection data: IP address, browser type and version, operating system, device identifiers, and time zone offset (used solely to calculate your local posting windows).
• Session data: a secure, HTTP-only session cookie (lenz_session) that authenticates your session. This cookie is strictly necessary for the Service to function and expires after 7 days of inactivity.

2.3 Information We Do Not Collect

We do not collect payment information (the Service is currently free). We do not integrate third-party advertising networks, social login providers, or cross-site tracking technologies. We do not use your content to train AI or machine-learning models.

3. How We Use Your Information

We use your information only for the following purposes:

• To create and manage your account and authenticate your sessions.
• To operate core features: posting, viewing wraps, following other users, and receiving notifications.
• To send transactional emails (e.g., password reset links) via our email provider, Resend.
• To calculate your local time zone and determine your applicable posting windows.
• To detect, investigate, and prevent abuse, fraud, and violations of our Terms of Service.
• To improve the reliability and performance of the Service through aggregated, anonymised analytics.
• To comply with applicable legal obligations.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4. How We Share Your Information

4.1 Service Providers (Sub-processors)

We share data with the following trusted providers, each bound by data processing agreements:

4.2 Public Content

Your username, profile photo, and any posts you publish within a Wrap are visible to other registered users of the Service. Do not post information you wish to keep private.

4.3 Legal Disclosures

We may disclose your information if required to do so by applicable law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of LenZ, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.

5. Data Retention

We retain your personal information for as long as your account is active or as necessary to provide the Service. Specifically:

• Account data: retained until you delete your account.
• Posts and media: retained until you delete the post or your account. Archived wraps (older than 24 hours post-unlock) remain accessible to you in the Relive section.
• Session cookies: expire after 7 days of inactivity.
• Backup copies: may persist in encrypted backups for up to 30 days after deletion.

Following account deletion, we will delete or anonymise your personal information within 30 days, except where retention is required by law.

6. Your Rights and Choices

6.1 Rights for All Users

• Access and correction: You may review and update your account information at any time in your profile settings.
• Deletion: You may request deletion of your account and associated data by contacting us at privacy@mylenz.app. We will action your request within 30 days.
• Content removal: You may delete individual posts at any time. Deleted posts are removed from the Service immediately, though copies may persist in encrypted backups for up to 30 days.

6.2 Rights Under GDPR (EEA / UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following additional rights under the General Data Protection Regulation:

• Right to access: obtain a copy of the personal data we hold about you.
• Right to rectification: correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): request deletion of your data where there is no overriding legitimate interest for us to retain it.
• Right to restriction of processing: ask us to halt processing of your data in certain circumstances.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests.
• Right to lodge a complaint: with your local supervisory authority.

Our legal bases for processing are: performance of a contract (to provide the Service), legitimate interests (fraud prevention, security, improving the Service), and compliance with legal obligations.

6.3 Rights Under CCPA (California Users)

If you are a California resident, you have the right to know what personal information we collect and how it is used, the right to delete your personal information, and the right not to be discriminated against for exercising these rights. We do not sell personal information. To exercise your rights, contact privacy@mylenz.app.

7. Cookies

We use one strictly necessary cookie:

• lenz_session — an HTTP-only, Secure, SameSite=Strict cookie that stores your encrypted session token. It is essential for authentication and cannot be disabled without preventing login. It expires 7 days after your last activity.

We do not use advertising cookies, analytics cookies from third-party platforms, or any tracking pixels.

8. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@mylenz.app and we will delete the information promptly.

Users between the ages of 13 and 18 may use the Service only with the consent and supervision of a parent or legal guardian.

9. Data Security

We implement appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Passwords stored using industry-standard hashing (bcrypt).
• Session tokens signed with HS256 and transmitted only over HTTPS.
• Session cookies flagged as HTTP-only and Secure to prevent client-side access.
• Media files stored in access-controlled Supabase storage buckets.
• Infrastructure hosted on Vercel with automatic TLS/SSL encryption in transit.

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

10. International Data Transfers

LenZ operates globally, and your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

Where required, we implement appropriate safeguards for international transfers, including standard contractual clauses approved by applicable regulators.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Policy on this page with an updated effective date, and, where required by law, by sending you an email notification. Your continued use of the Service after any change constitutes your acceptance of the new Policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: