Privacy Policy

Last updated: 4 May 2026 · Effective on first use of the Service

This Privacy Policy explains how Subsense OÜ (“LensHub”, “we”, “us”) collects, uses, discloses, and protects personal data in connection with the LensHub product (the “Service”), the lenshub.ai website, and related communications. It is intended to satisfy applicable disclosure requirements under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and similar laws.

This Privacy Policy applies to personal data we control (such as account data of website visitors and Service administrators). When we process personal data on behalf of a customer (for example, personal data contained in connected source content), we act as a processor under the Data Processing Agreement.

1. Categories of personal data

  • Account data: name, email, organisation, role, password hash, MFA device metadata.
  • Billing data: billing contact, billing address, tax ID, last four digits and expiry of payment instrument (full card data is handled by our payment processor and never reaches LensHub systems).
  • Usage and telemetry: queries issued, contexts retrieved, agent identifiers, timestamps, errors, and approximate device / browser metadata.
  • Source content (processor role): documents, tickets, threads, files, and metadata you connect via integrations. We process this on your behalf under the DPA.
  • Communications: messages you send to support, sales, security, or other inboxes; meeting recordings only where explicitly disclosed and consented.
  • Site analytics: aggregate page-view counts, performance metrics, and diagnostic logs. No third-party advertising trackers are used. See our Cookie Policy.

2. Purposes and lawful bases

We process personal data for the following purposes, on the indicated GDPR lawful bases:

  • Providing the Service (contract performance) — authentication, authorisation, retrieval, billing, support.
  • Securing and operating the Service (legitimate interest) — abuse prevention, audit logging, capacity planning, debugging.
  • Improving the Service (legitimate interest) — aggregate analysis of usage patterns, performance metrics, and de-identified diagnostic data. We do not use customer source content to train general-purpose models.
  • Marketing and onboarding (consent or legitimate interest) — sending product updates and onboarding emails to administrators; you can opt out at any time via the unsubscribe link or by contacting us.
  • Legal compliance (legal obligation) — tax and accounting, responses to lawful requests, security incident reporting.

We do not sell personal data and do not engage in “sharing” for cross-context behavioural advertising as defined under the CCPA. We do not use customer data for automated decision-making with legal or similarly significant effects on individuals.

3. Aggregated and de-identified data

We may generate aggregated or de-identified data from operation of the Service (for example, “average query latency” or “number of contexts indexed across all customers”) and may use such data for any lawful purpose, including improving the Service, internal analytics, benchmarks, and disclosures, provided it is not reasonably reidentifiable.

4. Where data is stored and processed

Self-hosted deployments process all data within infrastructure that the customer controls; we do not have access to it. Managed deployments process data in the region selected at signup (currently US or EU). Encryption-in-transit and at-rest controls are described on the Security page.

5. Sharing & subprocessors

We share personal data with a small set of subprocessors that help us operate the Service: hosting providers in your selected region, email-delivery services, payment processors, error-monitoring tools, and customer-support tooling. The current subprocessor list is available on request and as an exhibit to the DPA. We require subprocessors to provide contractual protections consistent with applicable law and to undergo periodic review.

We may also disclose personal data: (a) where required by law, court order, or governmental request, with notice to the affected customer where legally permitted; (b) to enforce these terms, the DPA, or our other rights; (c) to protect the safety of any person or the integrity of the Service; (d) in connection with a corporate transaction (merger, acquisition, asset sale, or financing), subject to confidentiality obligations of the recipient.

6. Retention

Account data is retained for the life of the account plus the period required to satisfy legal, accounting, and tax obligations (typically up to seven years from termination, depending on jurisdiction). Source content and audit logs are retained per the connector's configured retention window. On account closure, all customer data is purged from production systems within thirty (30) days, with backups expiring per the documented backup retention schedule. Specific retention periods for individual data categories are available on request.

7. International transfers

Where personal data is transferred outside the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. Transfers from California or other jurisdictions are made consistent with applicable law. Customers may request a copy of the relevant SCCs and supplementary measures by contacting privacy@lenshub.ai.

8. Your rights

Subject to applicable law and to verifying your identity, you have the right to: access your personal data, correct inaccuracies, request deletion, restrict or object to processing, request portability, withdraw consent (where consent is the lawful basis), and lodge a complaint with a supervisory authority. You may exercise these rights by emailing privacy@lenshub.ai. We will respond within thirty (30) days, except where applicable law provides for a longer period.

Where we process personal data as a processor on behalf of a customer (for example, source content connected to the Service), please direct your request to the customer (the controller). We will support the controller in responding.

9. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, as described on the Security page. No system can be made completely secure. We do not warrant that personal data will never be subject to unauthorised access, and we are not liable for security incidents arising from causes outside our reasonable control or from customer misuse, except to the extent required by mandatory law.

10. Children

The Service is a B2B product not directed at children. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided personal data, contact privacy@lenshub.ai and we will take appropriate action.

11. Third-party services

The Service may link to or integrate with third-party services (for example, source-system OAuth providers). LensHub is not responsible for the privacy practices of those third parties. Review their policies before connecting.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be announced with at least thirty (30) days' advance notice via email to account administrators or in-product notice. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact

Privacy questions or requests: privacy@lenshub.ai. Postal address and EU representative information are available on request.