Privacy Policy

Last Updated: February 14, 2026

1. Introduction: The "Lens" Promise

We believe that professional tools should not come at the cost of personal privacy. Lens ("the App") is designed to be "Private by Design" using a "Local-First" architecture: your projects, photos and settings are processed and stored on your device. The capture-integrity features described in this policy are the deliberate exceptions: a trusted-time check that does not rely on the device clock alone, and Content Credentials that provide cryptographic provenance for supported photos and videos.

Provenance Persistence (iCloud): To ensure cryptographically-valid Content Credentials persist across app uninstalls, the app prioritizes saving signed "Master Copies" to your iCloud Drive by default. This data resides in your personal Apple storage, not on our servers.

Offline Maps is Opt-In: By default, the app uses Apple Maps which keeps your location viewing private within Apple's ecosystem. If you choose to enable Offline Maps, you'll be asked for explicit consent before any data is shared with Mapbox (a third-party service). You can disable this feature at any time.

We do not sell your data. We do not use your personal content to train public AI models. We do not track you across other apps and websites.

2. The Data Vector Audit: What We Collect & Why

To comply with Apple's App Store transparency requirements, we categorize data based on how it is linked to your identity.

A. Data Linked to You

  • Contact Info (Email/Name): Collected only if you voluntarily contact 'User Support' (e.g., via email or feedback forms). We use this solely to respond to your inquiries.
  • Access Requests (Email): Collected only when you voluntarily submit your email address via the "Request Access" form on our website.
    • Purpose: To notify you when access is granted or to send product updates relevant to your request.
    • Storage: Stored securely in Firebase Firestore.
    • Retention: Retained until you request deletion or unsubscribe.
  • User Feedback (C2PA): Collected only when you voluntarily submit feedback about Content Credentials features via the in-app feedback interface. This includes:
    • Feedback type (positive/negative)
    • Optional text comments
    • Timestamp of submission
    • App version and device identifier, pseudonymized as a SHA-256 hash
    • Privacy Control: Only synced to cloud if "Share Usage Analytics" is enabled in Settings → About → Diagnostics. If analytics is disabled, feedback is stored locally only and never transmitted.
  • General Feedback & Bug Reports: Collected only when you voluntarily submit feedback or report bugs via Settings → Support → Send Feedback or Report Bug. This includes:
    • Feedback text (bug reports or general feedback)
    • Optional image attachments (up to 3 images, 10MB each, 25MB total)
    • Timestamp of submission
    • App version and device identifier, pseudonymized as a SHA-256 hash
    • Privacy Control: Only synced to cloud if "Share Usage Analytics" is enabled. If analytics is disabled, feedback is stored locally only. Bug reports sent via email include attachments directly in the email.
    • Image Attachments: For general feedback, images are uploaded to Firebase Storage and linked in Firestore. For bug reports, images are attached directly to the email. Images are converted to JPEG format (85% quality) before storage/transmission.
  • User Content (Photos/Text): Collected only when you explicitly use our AI Report Generation or Support features.
    • Example: When you generate a report, the selected photos are transiently processed by our AI provider to create descriptions.

B. Data Not Linked to You

  • Usage Data: We collect anonymous aggregate metrics (e.g., "Screen A was viewed 500 times") to understand which features are valuable.
  • Performance & Diagnostics: Crash logs (device state and stack traces, anonymous), launch times, and frame drops to help us fix bugs.
  • Location Data (Precise): Used locally to fetch weather and for your photo metadata.
  • Location Data (Approximate): Our analytics provider uses your IP address to roughly estimate city-level usage (e.g., "5 users in New York"). This is not linked to your GPS coordinates.

C. Content Credentials (C2PA)

  • Cryptographic Provenance: If you enable Content Credentials, Lens cryptographically signs your photo and video files using a Hardware-Backed Key stored in your device's Apple Secure Enclave. This feature is built on the C2PA Technical Specification v2.2.
  • Embedded Data & Data Minimization: This process embeds a tamper-evident "Manifest" directly into the image or video file. To protect your privacy, we implement Data Minimization through user-controlled settings:
    • Context: Date, time, device info, and (for photos) capture settings (e.g., ISO, aperture, exposure). Location (GPS) is off by default; users can opt-in via Settings > Content Credentials (or Privacy Controls).
    • Privacy Controls: Users can opt-out of embedding specific metadata (e.g., Location, Device Model, Capture Settings) via Settings. If disabled, those assertions are completely omitted from the manifest (Soft Redaction).
    • Video: Video manifests include device info and optionally location and creation time; capture settings (ISO, aperture, exposure) are not available for video and are omitted from video manifests.
    • Identity: The application identity ("Lens App Signer").
    • Integrity: A cryptographic hash of the image data, so that any pixel-level edit made after capture invalidates the signature.
    • Temporal Integrity (Guided Trust): We perform real-time checks against trusted network time sources (Apple, Cloudflare, Google) to detect device time manipulation.
      • Tampering Protection: If the device clock disagrees with the trusted sources, signing is completely blocked to prevent spoofing of the capture time.
      • Offline Transparency: Captures made without network verification require explicit user consent and are cryptographically flagged as "Self-Asserted Time" inside the signed manifest, so verifiers can tell the two cases apart.
  • Hardware-Backed Key Lifecycle (Revocation): Your private signing key is generated inside the Apple Secure Enclave and never leaves your device.
    • Non-Exportable: The key cannot be accessed, backed up, or cloned by us or any third party.
    • Revocation Logic: Because keys are bound to the specific application installation on your device, uninstalling the App or clearing App Data effectively revokes the keys by rendering them permanently inaccessible. A subsequent fresh installation will trigger the generation of a new, unique signing key. Files signed before that point keep their embedded signature and remain verifiable; they are simply not linked to the new key.
  • Current Trust Status: Preview (Conformance Phase): Lens currently uses a self-signed certificate for Content Credentials while we complete the C2PA Conformance Phase and partnership with a Certificate Authority (CA) such as SSL.com.
    • Cryptographic integrity is fully valid — the signature proves the file has been unaltered since capture on your hardware.
    • C2PA v2.2 compliant — Lens implements all applicable security controls from the C2PA Security Considerations v2.2 specification.
    • Note: Third-party verification tools may show "Unrecognized Signer" — this is expected until we complete the formal certification and onboarding to the C2PA Trust List.
    • Compliance Documentation: See our C2PA v2.2 Compliance page for detailed security and UX compliance information regarding our active conformance evaluation.
  • External Transmission: While Content Credentials are generated entirely on your device, signed "Master Copies" are saved to iCloud Drive by default to ensure persistence (Cloud Sync). You can change this to a local-only folder in Settings. No data is sent to our servers for signing.
  • Control: This feature is Opt-In. Enrollment requires your explicit action. You can disable signing at any time in Settings.
  • Storage & Persistence: Signed media is saved as "Master Copies" to your device's Files app. To ensure persistence across app uninstalls, Lens prioritizes iCloud Drive or allows you to select a Custom Folder.
    • Naming Convention: Filenames include a sanitized organizational prefix and a short 4-character device hash to reduce the chance of name collisions in shared storage environments.
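The following is an added, editorial illustration of the capture flow that Section 2C and the DigiCert entry in Section 3 describe; it is not the Lens app's own code. It assumes a 120-second clock tolerance, a JSON manifest in place of the CBOR/JUMBF structure real C2PA manifests use, and an HMAC keyed with a per-device secret standing in for the ECDSA signature produced by the Secure Enclave (so, unlike the real scheme, the verifier below must know the key). The function names and the constructed sample inputs are likewise assumptions.

```python
"""Editorial example (not Lens app code): data-minimised manifest, trusted-time
gating with a self-asserted fallback, and a hash-only timestamp request.
Assumptions: JSON instead of CBOR/JUMBF, HMAC instead of Secure Enclave ECDSA,
120 s clock tolerance. Sample media and time samples below are constructed."""
import hashlib
import hmac
import json
import statistics

CLOCK_TOLERANCE_S = 120.0  # assumed: largest |device - network| skew accepted
OPTIONAL_ASSERTIONS = ("location", "device_model", "capture_settings")


def check_device_time(device_time: float, network_times: list[float]) -> str:
    """Return 'verified', 'manipulated' or 'offline'.
    network_times are epoch seconds from trusted sources (Apple, Cloudflare,
    Google); an empty list means no source was reachable."""
    if not network_times:
        return "offline"
    skew = abs(device_time - statistics.median(network_times))
    return "verified" if skew <= CLOCK_TOLERANCE_S else "manipulated"


def build_manifest(media: bytes, media_type: str, metadata: dict, enabled: dict,
                   device_time: float, network_times: list[float],
                   offline_consent: bool) -> dict:
    """Assemble the unsigned manifest, omitting disabled assertions entirely."""
    status = check_device_time(device_time, network_times)
    if status == "manipulated":
        raise PermissionError("device clock disagrees with trusted time; signing blocked")
    if status == "offline" and not offline_consent:
        raise PermissionError("no trusted time and no consent for self-asserted time")
    assertions = {"integrity": hashlib.sha256(media).hexdigest(),  # pixel-data hash
                  "created": device_time}
    for name in OPTIONAL_ASSERTIONS:
        if name == "capture_settings" and media_type == "video":
            continue  # ISO/aperture/exposure are not available for video
        if enabled.get(name, False) and name in metadata:
            assertions[name] = metadata[name]
        # a disabled assertion is not blanked, it is absent (soft redaction)
    return {"signer": "Lens App Signer", "type": media_type,
            "time_source": "self-asserted" if status == "offline" else "network-verified",
            "assertions": assertions}


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, device_key: bytes) -> dict:
    """HMAC stands in for the Secure Enclave ECDSA signature (assumption)."""
    sig = hmac.new(device_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify(signed: dict, media: bytes, device_key: bytes) -> bool:
    """Check the signature, then check the media against the embedded hash."""
    expected = hmac.new(device_key, _canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False
    return signed["manifest"]["assertions"]["integrity"] == hashlib.sha256(media).hexdigest()


def timestamp_request(signed: dict) -> dict:
    """What leaves the device for the RFC 3161 TSA: a digest only, never the media."""
    return {"hashAlgorithm": "sha256",
            "messageImprint": hashlib.sha256(_canonical(signed)).hexdigest()}


if __name__ == "__main__":
    media = b"\xff\xd8constructed-jpeg-bytes\xff\xd9"          # constructed sample
    now = 1_700_000_000.0
    meta = {"location": [40.7128, -74.0060], "device_model": "iPhone",
            "capture_settings": {"iso": 100, "aperture": 1.8}}
    prefs = {"location": False, "device_model": True, "capture_settings": True}
    manifest = build_manifest(media, "photo", meta, prefs, now, [now + 1, now - 2, now + 3], False)
    signed = sign_manifest(manifest, b"per-device-secret")
    print(json.dumps(manifest, indent=1))
    print("verifies:", verify(signed, media, b"per-device-secret"))
    print("after edit:", verify(signed, media + b"\x00", b"per-device-secret"))
    print("TSA request:", timestamp_request(signed))
```

Run with `python3 example.py`: the printed manifest contains no `location` key, the edited copy fails verification, and the timestamp request carries a 64-hex-character digest and nothing else. Swapping the network samples for a value an hour off raises `PermissionError`, which is the "signing blocked" behaviour; an empty sample list with `offline_consent=True` yields `"time_source": "self-asserted"`.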

Terminology: In this policy, "Content Credentials" refers to the provenance data embedded in your media, while "C2PA" refers to the open standard and ecosystem that defines how this data is structured, signed, and verified.

D. Lens Trust Founding Member (Waitlist)

What we collect

  • Purchase status: When you complete the Lens Trust Founding Member Deposit (In-App Purchase), we may record locally on your device that you have reserved a spot (e.g. to show "You're on the list" and to avoid duplicate purchases). No payment details are collected by us; payment is handled by Apple.
  • Optional — founding member count: If we implement a server-side count of founding members (e.g. to display "X of 25 founding members"), we may send an anonymized or hashed identifier (e.g. a one-way hash of the transaction ID or device identifier) to our backend solely to increment the count. We do not link this to your name, email, or Apple ID.

Purpose

  • To manage your reservation and to display your status in the app.
  • If we use a server count: to determine when we have reached the minimum number of founding members to launch Lens Trust.

Legal basis

  • Contract: Fulfilling the reservation and (if we launch) applying the Deposit as credit.
  • Legitimate interest: Counting founding members to decide launch, using minimal data.

Retention

  • Local "reserved" flag: until you delete the app or we clear it (e.g. after refund).
  • Server-side count data (if any): we do not retain personally identifiable information; only aggregate or hashed counts as needed for launch decision.

Your rights

  • You can stop being a "founding member" by requesting a refund through Apple (see Terms, Lens Trust Founding Member). We do not maintain a separate account for the waitlist; no additional deletion request is required beyond refund and app data deletion.

3. Third-Party Service Providers

We limit our partners to those essential for the App's functionality.

  • Apple Weather (Apple Inc.)
    • Purpose: To display local temperature and wind speed on your photos/reports.
    • Data Shared: Precise Location (Latitude/Longitude). Weather data is processed by Apple.
  • Mapbox (Mapbox, Inc.; see the Mapbox Privacy Policy)
    • Purpose: Opt-In Only: To enable offline map downloads (disabled by default).
    • Data Shared: IP Address (retained 30 days), Device Information (OS, model, browser), Approximate Location (tile coordinates revealing the geographic area viewed/downloaded), Session ID (rotates every 24 hours), Application ID. Cached map tiles are stored locally on your device.
    • How to Opt-Out: Settings → Offline Maps → Disable. This removes all downloaded maps and stops data sharing with Mapbox.
  • Google Gemini (Google LLC via Firebase; see Google's Privacy Notice)
    • Purpose: To generate AI descriptions and reports.
    • Data Shared: User Photos (transiently), Prompts. Zero data retention: we have opted out of human review and model training; your data is not stored for Google's improvement.
  • Firebase Crashlytics (Google LLC)
    • Purpose: To detect and fix app crashes.
    • Data Shared: Device State, Crash Logs (Anonymous).
  • Firebase Analytics (Google LLC)
    • Purpose: To understand app usage trends and feature popularity.
    • Data Shared: Anonymous Usage Events (e.g., "Photo Captured", "Report Generated"), Coarse Location (City-level via IP).
    • How to Opt-Out: Disable "Share Usage Analytics" in Settings → About → Diagnostics.
  • Firebase Performance (Google LLC)
    • Purpose: To monitor app speed and responsiveness.
    • Data Shared: Launch Time, Screen Rendering Time (Anonymous).
  • Firebase Firestore (Google LLC)
    • Purpose: To store and analyze user feedback about Content Credentials features.
    • Data Shared: Feedback type (positive/negative), optional text comments, timestamp, app version, SHA-256 hash of the device identifier.
    • How to Opt-Out: Disable "Share Usage Analytics" in Settings → About → Diagnostics. Feedback is stored locally only when analytics is disabled.
  • DigiCert
    • Purpose: To provide trusted, RFC 3161-compliant timestamps for Content Credentials (DigiCert is on the C2PA TSA Trust List).
    • Data Shared: Cryptographic hash only. We send a SHA-256 hash of your media to the timestamp authority and receive a signed timestamp in return; your actual photo/video content is never shared. When the TSA is unreachable we sign without a timestamp.

4. Your Rights (Review & Deletion)

Because we are a "Local-First" app, we do not maintain user accounts or a central database of your content; the only server-side records are those listed in Section 2A (support emails, access requests and opted-in feedback). You possess the ultimate control:

  • Right to Delete: You can delete all your stored data (Projects, Photos, Settings) by simply deleting the App from your device.
    • Exception (Persistent Storage): If you have enabled Content Credentials and chose to save them in iCloud Drive or a Custom Folder, those files are considered user-owned data and will not be deleted when the app is uninstalled. They must be deleted manually from the Files app.
    • Feedback Data: Feedback that was synced to Firebase Firestore is retained for analysis. To prevent future feedback from being synced, disable "Share Usage Analytics" in Settings. To have historical feedback data (including image attachments in Firebase Storage) deleted, contact support at the address in Section 9.
  • Revoking Permissions: You can revoke access to the Camera, Microphone, Photo Library, or Location at any time via your iOS Settings.
  • Opt-Out of Third-Party Services:
    • Mapbox (Offline Maps): Go to Settings → Offline Maps → Disable Offline Maps. This immediately stops data sharing and deletes all downloaded map tiles from your device.
    • AI Features: Simply don't use the AI Report Generation feature. No data is sent to Google Gemini unless you explicitly generate a report.
    • Analytics & Crashlytics: Go to Settings → About → Diagnostics. You can independently disable "Share Crash Reports" and "Share Usage Analytics" at any time.

5. Global Compliance (GDPR, CCPA, & PECR)

Jurisdictional Locking: Regardless of where you live, we apply the strictest data protection standards to everyone.

  • Basis for Processing: We process your data based on Contractual Necessity (to provide the App's features) and Legitimate Interest (to fix bugs and improve stability).
  • International Transfers: Our service providers (e.g., Google) may process data in the United States or other jurisdictions. We rely on their Standard Contractual Clauses (SCCs) and Data Privacy Framework certifications to ensure protection.

6. Operational Compliance (Audio/Video)

To support professionals operating in jurisdictions with strict wiretapping laws (e.g., Two-Party Consent states), Lens includes a persistent microphone mute for video recording.

  • Video Mute: You can turn off the microphone input for video recordings via the top settings bar; while muted, no audio track is captured.
  • Persistence: This setting persists across sessions, so you can operate in sensitive environments (e.g., hospitals, secure facilities) without risk of accidental audio capture.

7. Children's Privacy

Lens is a professional utility and is not directed at children under the age of 13. We do not knowingly collect personal information from children.

8. Changes to This Policy

We may update this policy as the App evolves. Significant changes will be communicated via an in-app notification or an update to the "What's New" text on the App Store.

9. Contact Us

For any privacy-related questions, or to exercise your rights, please contact our Data Protection Officer at: lens@field-notes.dev