Privacy Policy
Last Updated: May 20, 2026
1. Introduction: The "Lens" Promise
We believe that professional tools should not come at the cost of personal privacy. Lens ("the App") is designed to be "Private by Design" using a "Local-First" architecture. This means that most processing stays on your device. For device clock integrity, Lens may make brief HTTPS requests to public time references (see Content Credentials below); those checks do not send your photos, videos, or location to Lens servers. Lens also uses specialized Trusted Timestamp provisions where applicable and Content Credentials to provide cryptographic provenance for supported photos and videos.
Provenance Persistence (iCloud): To ensure cryptographically-valid Content Credentials persist across app uninstalls, the app prioritizes saving signed "Master Copies" to your iCloud Drive by default. This data resides in your personal Apple storage, not on our servers.
Offline Maps is Opt-In: By default, the app uses Apple Maps which keeps your location viewing private within Apple's ecosystem. If you choose to enable Offline Maps, you'll be asked for explicit consent before any data is shared with Mapbox (a third-party service). You can disable this feature at any time.
We do not sell your data. We do not use your personal content to train public AI models. We do not track you across other apps and websites.
2. The Data Vector Audit: What We Collect & Why
To comply with Apple's App Store transparency requirements, we categorize data based on how it is linked to your identity.
A. Data Linked to You
- Contact Info (Email/Name): Collected only if you voluntarily contact 'User Support' (e.g., via email or feedback forms). We use this solely to respond to your inquiries.
- Access Requests (Email): Collected only when you voluntarily submit your email address via the "Request Access" form on our website.
  - Purpose: To notify you when access is granted or to send product updates relevant to your request.
  - Storage: Processed per our website and support workflows (see contact channels you use).
  - Retention: Retained until you request deletion or unsubscribe.
- User Feedback (C2PA) & on-device history: Older Lens builds could store optional general-feedback text on your device for your reference. The app does not automatically sync that history to our servers. You can delete on-device feedback history and diagnostic log files anytime from Settings → Data & Privacy → Clear local support data. Current builds open Mail for new general feedback (see below); Lens does not receive that content until you send the email. Network features unrelated to support (for example C2PA enrollment, AI, or configuration) are described elsewhere in this policy.
- Support email (feedback & diagnostics): When you send email from Lens (for example Send feedback, questions, or thoughts under Help & Support, which opens Mail via a mailto: link with a prefilled template, or Report Problem from Settings → About → Diagnostics), you choose what to send. This may include:
  - Free-form text
  - Optional diagnostic log attachments (off by default; you opt in at send time in the pre-send flow)
  - Optional images (for example when attaching from the system share sheet)
  Your email address is visible to us as the sender when you use email. Diagnostic logs are scrubbed of common sensitive fields before attachment; you remain in control of whether anything is sent.
- User Content (Photos/Text): Collected only when you explicitly use our AI Report Generation or Support features.
  - Example: When you generate a report, the selected photos are transiently processed by our AI provider to create descriptions.
B. Data Not Linked to You
- Usage / feature analytics: We do not run in-app usage analytics, ad profiling, or similar tracking. We do not collect product-interaction events for marketing analytics.
- Automatic crash or diagnostics upload: We do not send automatic crash reports or upload diagnostic telemetry to our servers. Optional support email may include attachments only when you explicitly add them.
- Location Data (Precise): Used locally for weather, address/coordinate lines on the overlay, and capture metadata. Photo and video capture do not start unless Lens has When In Use (or Always) authorization and Precise Location is enabled for the app—Denied, Restricted, or Approximate Location only blocks the shutter and record actions until you fix this in iOS Settings (the app shows in-app guidance). These checks and any coordinates stay on your device; Lens does not send your GPS fixes to our servers to enforce this gate.
- Location spoofing resistance (on device): For integrity of documentation-grade captures, Lens ignores location updates that iOS marks as simulated by software (for example Xcode / GPX) or produced by an accessory, and invalid readings. That filtering happens locally; it is not a separate upload to us.
- Location Data (Approximate): If you use opt-in third-party offline maps, approximate location and related data may be processed by that provider under its policy—not for ad analytics from Lens. Approximate-only access for Lens itself is not sufficient for photo/video capture (see above).
C. Content Credentials (C2PA)
- Cryptographic Provenance: If you enable Content Credentials, Lens cryptographically signs your photo and video files using a Hardware-Backed Key stored in your device's Apple Secure Enclave. This feature is built on the C2PA Technical Specification v2.2.
- Embedded Data & Data Minimization: This process embeds a tamper-evident "Manifest" directly into the image or video file. To protect your privacy, we implement Data Minimization through user-controlled settings:
  - Context: Date, time, device info, and (for photos) capture settings (e.g., ISO, aperture, exposure). Location (GPS) is off by default; users can opt-in via Settings > Content Credentials (or Privacy Controls).
  - Privacy Controls: Users can opt-out of embedding specific metadata (e.g., Location, Device Model, Capture Settings) via Settings. If disabled, those assertions are completely omitted from the manifest (Soft Redaction).
  - Video: Video manifests include device info and optionally location and creation time; capture settings (ISO, aperture, exposure) are not available for video and are omitted from video manifests.
- Identity: The application identity ("Lens App Signer").
- Integrity: A hash of the pixel data to prove no pixel-level edits were made.
- Temporal integrity (device clock): Before you start a photo or video capture, and when preparing Content Credentials signing, Lens may run a short HTTPS check against public endpoints (https://www.apple.com, https://www.cloudflare.com, https://www.google.com). The app compares the response Date header with your device clock. No photos, videos, GPS coordinates, or manifest payloads are sent in those requests. Those providers may receive standard HTTP/TLS metadata (for example IP address) as described in their respective privacy policies; Lens does not use this for advertising or cross-app tracking. Verification results are cached briefly on your device to limit repeat requests.
  - Tampering protection: If manipulation of your device clock (a mismatch with trusted network time) is confirmed while online, capture may be blocked and Content Credentials signing may be blocked until the device clock is corrected (for example Settings → General → Date & Time → Set Automatically).
  - Offline, timeout, or inconclusive checks: Photo and video capture may still proceed. Content Credentials may still be available depending on your settings, sometimes with lower trust for timestamps—for example when signing cannot obtain a trusted network time check or an RFC 3161 timestamp (verification tools may reflect reduced certainty). Enrollment and in-app status surfaces describe limited-trust flows when they apply.
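The three outcomes described above (clock agrees with network time, confirmed mismatch, inconclusive check) can be illustrated with a small model of the gate. The following is an added example written for this page, not Lens's own code, and in Python rather than the app's language: it parses HTTP Date headers, takes the median offset across references, treats a check as "confirmed" only when at least two references agree (an assumed quorum rule), uses an assumed five-minute tolerance, and caches the verdict briefly. The sample headers are constructed; nothing here makes a network request.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from enum import Enum


class ClockVerdict(Enum):
    TRUSTED = "trusted"            # device clock agrees with network time
    SKEWED = "skewed"              # confirmed mismatch: capture and signing blocked
    INCONCLUSIVE = "inconclusive"  # offline / timeout / unparseable: proceed, reduced trust


# Assumed values for this example; the policy text states no specific numbers.
MAX_SKEW = timedelta(minutes=5)   # tolerance before a mismatch counts as confirmed
MIN_REFERENCES = 2                # references that must agree to call it "confirmed"
CACHE_TTL = timedelta(seconds=60) # how long a verdict is reused to limit repeat requests


def parse_date_header(value):
    """Parse an RFC 7231 Date header into an aware UTC datetime, or None if unparseable."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:  # older Python returns naive datetimes for "-0000"
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def assess_clock(device_now, date_headers, max_skew=MAX_SKEW, min_refs=MIN_REFERENCES):
    """Compare the device clock with Date headers from several references.

    date_headers: one entry per reference; None means that request failed or timed out.
    Returns (verdict, median_offset). median_offset is None when inconclusive.
    """
    refs = [d for d in (parse_date_header(h) for h in date_headers if h) if d is not None]
    if len(refs) < min_refs:
        # Offline, timeouts, or garbage responses never count as confirmed manipulation.
        return ClockVerdict.INCONCLUSIVE, None
    offsets = sorted((r - device_now for r in refs), key=lambda d: d.total_seconds())
    median = offsets[len(offsets) // 2]  # median resists a single bad reference
    if abs(median) > max_skew:
        return ClockVerdict.SKEWED, median
    return ClockVerdict.TRUSTED, median


def capture_gate(verdict):
    """Map a verdict onto the behaviour the policy describes."""
    blocked = verdict is ClockVerdict.SKEWED
    return {
        "capture_allowed": not blocked,
        "signing_allowed": not blocked,
        "timestamp_trust": "full" if verdict is ClockVerdict.TRUSTED else "reduced",
    }


class VerdictCache:
    """Keeps the last verdict for CACHE_TTL so the app does not re-query on every capture."""

    def __init__(self, ttl=CACHE_TTL):
        self.ttl = ttl
        self._entry = None  # (checked_at, verdict)

    def get(self, now):
        if self._entry and now - self._entry[0] < self.ttl:
            return self._entry[1]
        return None

    def put(self, now, verdict):
        self._entry = (now, verdict)


if __name__ == "__main__":
    # Constructed sample: device clock reads 12:00:00 UTC, two references answer, one times out.
    device_now = datetime(2026, 5, 20, 12, 0, 0, tzinfo=timezone.utc)
    headers = ["Wed, 20 May 2026 12:00:10 GMT", "Wed, 20 May 2026 12:00:12 GMT", None]
    verdict, offset = assess_clock(device_now, headers)
    print(verdict, offset, capture_gate(verdict))
```

A single responding reference is deliberately treated as inconclusive rather than as proof either way, which matches the policy's rule that only a confirmed mismatch blocks capture; anything less falls through to the reduced-trust path.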
- Hardware-Backed Key Lifecycle (Revocation): Your private signing key is generated inside the Apple Secure Enclave and never leaves your device.
  - Non-Exportable: The key cannot be accessed, backed up, or cloned by us or any third party.
  - Revocation Logic: Because keys are bound to the specific application installation on your device, uninstalling the App or clearing App Data effectively revokes the keys by rendering them permanently inaccessible. A subsequent fresh installation will trigger the generation of a new, unique signing key.
- Current Trust Status: Preview (Conformance Phase): Lens currently uses a self-signed certificate for Content Credentials while we complete the C2PA Conformance Phase and partnership with a Certificate Authority (CA) such as SSL.com.
  - Cryptographic integrity is fully valid — the signature proves the file has been unaltered since capture on your hardware.
  - C2PA v2.2 compliant — Lens implements all applicable security controls from the C2PA Security Considerations v2.2 specification.
  - Third-party verification tools may show "Unrecognized Signer" — this is expected until we complete the formal certification and onboarding to the C2PA Trust List.
- Compliance Documentation: See our C2PA v2.2 Compliance page for detailed security and UX compliance information regarding our active conformance evaluation.
- External Transmission: Content Credentials signing (manifest creation and media signing) happens on your device. Signed "Master Copies" are saved to iCloud Drive by default to ensure persistence (Cloud Sync). You can change this to a local-only folder in Settings. No photos or videos are uploaded to our servers for signing. If you enroll in CA-signed Content Credentials, the app may send a certificate signing request (CSR) and related enrollment metadata to our signing backend so a certificate chain can be issued—see Lens signing service in Section 3.
- Control: This feature is Opt-In. Enrollment requires your explicit action. You can disable signing at any time in Settings.
- Storage & Persistence: Signed media is saved as "Master Copies" to your device's Files app. To ensure persistence across app uninstalls, Lens prioritizes iCloud Drive or allows you to select a Custom Folder.
- Naming Convention: Filenames include a sanitized organizational prefix and a unique 4-character device hash to prevent collisions in shared storage environments.
Terminology: In this policy, "Content Credentials" refers to the provenance data embedded in your media, while "C2PA" refers to the open standard and ecosystem that defines how this data is structured, signed, and verified.
D. Lens Trust Founding Member (Waitlist)
What we collect
- Purchase status: When you complete the Lens Trust Founding Member Deposit (In-App Purchase), we may record locally on your device that you have reserved a spot (e.g. to show "You're on the list" and to avoid duplicate purchases). No payment details are collected by us; payment is handled by Apple.
- Optional — founding member count: If we implement a server-side count of founding members (e.g. to display "X of 25 founding members"), we may send an anonymized or hashed identifier (e.g. a one-way hash of the transaction ID or device identifier) to our backend solely to increment the count. We do not link this to your name, email, or Apple ID.
Purpose
- To manage your reservation and to display your status in the app.
- If we use a server count: to determine when we have reached the minimum number of founding members to launch Lens Trust.
Legal basis
- Contract: Fulfilling the reservation and (if we launch) applying the Deposit as credit.
- Legitimate interest: Counting founding members to decide launch, using minimal data.
Retention
- Local "reserved" flag: until you delete the app or we clear it (e.g. after refund).
- Server-side count data (if any): we do not retain personally identifiable information; only aggregate or hashed counts as needed for launch decision.
Your rights
- You can stop being a "founding member" by requesting a refund through Apple (see Terms, Lens Trust Founding Member). We do not maintain a separate account for the waitlist; no additional deletion request is required beyond refund and app data deletion.
E. App trial eligibility (server registry)
When you use Lens's free app trial (before or without a paid subscription), the app may verify eligibility with our lens-signing-backend service. This prevents repeated trials after the trial window has ended on the same device (for example after deleting and reinstalling the app).
What we collect
- Device integrity token: Lens uses Apple DeviceCheck to obtain a device token. The token is sent to our backend only to validate integrity and derive a one-way hash (SHA-256). We do not store the raw DeviceCheck token.
- Trial record: We store the hashed device key, trial start and end dates, trial status (for example active or expired), whether the trial was grandfathered from an earlier policy, and a count of AI reports used during the trial (capped in the app).
- App Check: Requests include a Firebase App Check token so only the genuine Lens app can call trial endpoints.
- What we do not link: Trial records are tied to the device hash, not to your name, email, or Apple ID. Using a different Apple ID on the same device does not start a new trial after the device trial has expired.
When this applies
- Our server registry is controlled by Firebase Remote Config (trial_server_registry_enabled). When enabled (including in current production builds), first-time trial access may require a short online setup sync. If you are offline with no prior successful sync, trial features may be unavailable until you connect.
- If the registry is unavailable, the app may fall back to local-only trial timing until server sync succeeds; once synced, server state governs eligibility.
Purpose
- To provide the time-limited free trial and included AI report allowance.
- To enforce one trial per device and trial usage limits (fraud prevention).
Legal basis
- Contractual necessity: Providing trial access you request.
- Legitimate interest: Preventing trial abuse with minimal device-level data.
Retention
- Trial registry records are kept in Google Cloud Firestore for as long as needed to enforce trial and subscription eligibility, resolve disputes, and maintain service integrity, then deleted or anonymized when no longer required.
Your rights
- Deleting the app removes local trial flags; it does not reset an expired server trial on the same device.
- Because we do not maintain a named account for trials, contact us at reneboygarcia@field-notes.dev to ask about trial registry data tied to your device. We may need information you provide voluntarily to locate the correct record.
3. Third-Party Service Providers
We limit our partners to those essential for the App's functionality.
| Service | Purpose | Data Shared |
|---|---|---|
| Apple Weather (Apple Inc.) | To display local temperature and wind speed on your photos/reports. | Precise Location (Latitude/Longitude). Weather data is processed by Apple. |
| Mapbox (Mapbox, Inc.) Privacy Policy | Opt-In Only: To enable offline map downloads (disabled by default). | IP Address (retained 30 days), Device Information (OS, model, browser), Approximate Location (tile coordinates revealing geographic area viewed/downloaded), Session ID (rotates every 24 hours), Application ID. Cached map tiles are stored locally on your device. How to Opt-Out: Disable "Offline Maps" in Settings → Offline Maps → Disable. This removes all downloaded maps and stops data sharing with Mapbox. |
| Google Gemini (Google LLC via Firebase) | To generate AI descriptions and reports. | User Photos (transiently), Prompts. Note: Zero data retention. We have opted out of human review and model training; your data is not stored for Google's improvement. Privacy Notice |
| Firebase Remote Config (Google LLC) | To deliver configuration (for example feature limits) without ad tracking. | Configuration values; not used for ad profiling. |
| Lens signing service (Google Cloud / Firebase, operated by Field Notes) Google Cloud Privacy | App trial registry (DeviceCheck-backed eligibility, usage limits) and C2PA certificate enrollment when you opt in to CA-signed Content Credentials. | Trial: DeviceCheck token (transient; only SHA-256 hash stored), trial dates/status, AI report count during trial; Firebase App Check on requests. Not linked to your name, email, or Apple ID. Enrollment (opt-in): Certificate signing request (CSR) and enrollment metadata; no photo/video content. Standard HTTPS/TLS metadata may be logged by the cloud provider per its policy. |
| Apple DeviceCheck (Apple Inc.) | To validate device integrity for trial eligibility when the server registry is enabled. | DeviceCheck token generated on device; processed by our signing backend as described above. Apple Privacy Policy. |
| DigiCert | To provide trusted, RFC 3161-compliant timestamps for Content Credentials (C2PA TSA Trust List). | Cryptographic Hash only. We send a SHA-256 hash of your media to receive a signed timestamp. Your actual photo/video content is never shared. When the TSA is unreachable we sign without a timestamp. |
| Public web time references (Apple Inc., Cloudflare, Inc., Google LLC) | To compare your device clock to trusted network time before capture and during Content Credentials signing. | No photo, video, GPS, or manifest content. Short HTTPS requests to each provider's public homepage; Lens reads standard Date headers only. Standard HTTP/TLS request metadata may be processed by each provider per its policy. Lens does not sell this data or use it for ads. |
4. Your Rights (Review & Deletion)
Because we are a "Local-First" app, we do not have a central user database to "search" for your data. You possess the ultimate control:
- Right to Delete: You can delete all your stored data (Projects, Photos, Settings) by simply deleting the App from your device.
- Exception (Persistent Storage): If you have enabled Content Credentials and chose to save them in iCloud Drive or a Custom Folder, those files are considered user-owned data and will not be deleted when the app is uninstalled. They must be deleted manually from the Files app.
- Feedback on device: Local copies of general feedback are removed when you delete the app. Support email is between you and our inbox—retention follows normal email/support practices. You do not need to “disable analytics” to stop automatic cloud feedback sync, because the app does not perform that class of background upload.
- Revoking Permissions: You can revoke access to the Camera, Microphone, Photo Library, or Location at any time via your iOS Settings. Turning Location off for Lens, or switching Lens to Approximate Location only, blocks new photo and video capture until access is restored to While Using the App (or Always) with Precise Location on—consistent with the capture gate described above.
- Opt-Out of Third-Party Services:
  - Mapbox (Offline Maps): Go to Settings → Offline Maps → Disable Offline Maps. This immediately stops data sharing and deletes all downloaded map tiles from your device.
  - AI Features: Simply don't use the AI Report Generation feature. No data is sent to Google Gemini unless you explicitly generate a report.
  - Diagnostics in email: Bug reports and support flows that use email may offer an optional diagnostic file attachment, off by default—only attach what you are comfortable sharing.
  - Trial registry: There is no in-app toggle to disable server trial verification while the registry feature is enabled. To stop further trial sync calls, discontinue use of the trial or contact us (Section 9). Paid subscribers with an active StoreKit entitlement are not subject to trial registry checks.
5. Global Compliance (GDPR, CCPA, & PECR)
Jurisdictional Locking: Regardless of where you live, we apply the strictest data protection standards to everyone.
- Basis for Processing: We process your data based on Contractual Necessity (to provide the App's features) and Legitimate Interest (to fix bugs and improve stability).
- International Transfers: Our service providers (e.g., Google) may process data in the United States or other jurisdictions. We rely on their Standard Contractual Clauses (SCCs) and Data Privacy Framework certifications to ensure protection.
6. Operational Compliance (Audio/Video)
To support professionals operating in jurisdictions with strict wiretapping laws (e.g., Two-Party Consent states), Lens includes a Hardware-Level Mute feature.
- Video Mute: You can physically disconnect the microphone input for video recordings via the top settings bar.
- Verification: This setting persists across sessions, allowing you to operate safely in sensitive environments (e.g., hospitals, secure facilities) without risk of accidental audio capture.
7. Children's Privacy
Lens is a professional utility and is not directed at children under the age of 13. We do not knowingly collect personal information from children.
8. Changes to This Policy
We may update this policy as the App evolves. Significant changes will be communicated via an in-app notification or an update to the "What's New" text on the App Store.
9. Contact Us
For any privacy-related questions, or to exercise your rights, please contact our Data Protection Officer at: reneboygarcia@field-notes.dev