Privacy policy
Effective 2026-06-03.
This page explains what lensmount (lensmount.hk2.ai) collects when you visit, why, and what we don't do.
What we collect
- Server logs. Our hosting infrastructure records standard HTTP-request metadata: timestamp, requested URL, response code, user-agent string, referrer, and IP address. These logs are used for operational purposes (debugging, abuse mitigation) and are retained no longer than 30 days.
- Local storage.The dark / light mode toggle persists your preference in your browser's
localStorageunder the keylensmount-theme, and your analytics-cookie choice (accept / decline) underlensmount-consent. This data never leaves your device. - Account (only if you sign up). If you create a lensmount account at
/accountwe store the email address you provided, a one-wayscrypthash of your password (the raw password is never stored or logged), the display name you optionally chose, and the creation / last-update timestamps. We also store the saved kits you create — each is a row holding a name and the lens / body mount IDs you selected, keyed to your user ID. No demographic, location, payment, or device-fingerprint fields are collected. - Session cookie. Once you sign in, the auth handler issues a first-party HTTP-only cookie named
better-auth.session_token(prefixed with__Secure-over HTTPS) withSameSite=Laxand a 7-day expiry. The cookie value is a signed reference to a row in our database — no personal data is encoded in the cookie itself, and the cookie is never sent to third-party origins. - Analytics (Google Analytics 4). Only if you accept analytics cookies in the consent banner shown on your first visit, we load Google Analytics 4 (via Firebase, measurement ID
G-X8EB7N5BE0) to understand aggregate traffic — page views, the page that referred you, approximate location derived from your IP (Google resolves a coarse region and does not expose your full IP to us), and basic device / browser information. To recognise a returning browser, Google's tag sets first-party cookies named_gaand_ga_X8EB7N5BE0, and loading the Google tag may cause Google to set its own cookie (such asNID) on thegoogle.comdomain. This data is processed by Google as our analytics provider; we use it only in aggregate and never to identify you by name. To opt out, install Google's Analytics Opt-out Browser Add-on, block these cookies, or enable your browser's tracking-prevention feature. You can also change your choice at any time via the Cookie preferences control in the footer; declining stops the tag from loading and clears the first-party_gacookies we can reach. (Analytics disclosed and consent gate added 2026-06-03.)
What we don't do
- No cross-site fingerprinting, session recording, or behavioural ad-profiling by us. The only third-party scripts we load are Google Analytics (described above) and, where ads are shown, Google AdSense (described below) — both may set their own cookies, which you can refuse in the consent banner (or block in your browser).
- No selling, sharing, or licensing of visitor or account data to third parties.
- No marketing or newsletter emails sent unless you explicitly opt in (today we only send transactional account emails such as a password-reset confirmation, when that flow is triggered).
- No password requirements beyond a length floor (8 to 128 characters) — composition rules push users toward weaker, more memorable patterns, so we don't impose them.
Advertising
lensmount may display contextual display ads served by a third-party ad network (for example, Google AdSense) to fund ongoing maintenance. When ads are served, the ad network may set its own cookies and use device identifiers in accordance with its privacy policy and your browser settings. To opt out of personalised advertising at the network level, visit your ad settings page with the relevant provider, or enable a tracking- prevention feature in your browser. lensmount itself does not receive any personal data from the ad network beyond aggregate revenue reporting.
Your rights
If you hold a lensmount account, you can request access to, correction of, or deletion of the data we hold about you under the GDPR (EU / UK), the CCPA (California), and equivalent regimes in your jurisdiction. Self-service account deletion ships in a follow-up iteration; in the meantime, email privacy@lensmount.hk2.ai from the address on file and we will respond within 30 days.
If you do not hold an account, your visit only generates the short-lived server log described above; there is no user profile to retrieve, correct, or delete. You can still write to the same address if you believe we hold data about you (for example, prior correspondence) and we will action access or deletion under the same timeline.
Changes to this policy
If we materially change what we collect or how we use it, the effective date at the top of this page will be updated, and a note describing the change will be appended to the relevant section. Past versions are recoverable from this site's git history.