Privacy Policy

1. Data we collect

Users and premium members

• Account and profile: name, email, username, password hash, preferred languages, service interests, and contact details.
• Bookings: pricing snapshots, coupons, tax rate, schedule changes, deliverables, activity logs, IP address, and user agent.
• Payments: Stripe customer IDs, payment intent IDs, transfer IDs, and refund attempts tied to bookings or memberships.
• Premium usage: subscription status, plan type, lifetime payment events, paywall access flags, and upgrade prompts.
• Device and analytics: consent state, GA4 events, cookie identifiers, approximate region, performance metrics, and error logs.

Vendors

• Vendor compliance: legal name, date of birth, business registration details, invoice numbers, verification documents (encrypted, deleted after six months), and availability settings.
• Payout and tax: Stripe Connect account IDs, payout schedules, transfer attempts, tax forms, and bank-country metadata.
• Marketplace activity: booking quotes, schedule responses, deliverable uploads, coupon configuration, and audit logs.

2. How we use data

• Provide bookings, marketplace dashboards, deliverable workflows, and customer support.
• Run payments, coupons, refunds, and Stripe Connect payouts as Merchant of Record.
• Validate vendors and protect the community through audits, logging, and fraud review.
• Operate premium memberships, manage paywalls, and surface upgrade prompts.
• Send transactional emails (bookings, payouts, verification, membership) and optional marketing where permitted.
• Improve the product via consented analytics, performance monitoring, and bug diagnostics.

3. Legal bases

We rely on contract (providing services you request), legitimate interest (security, analytics, support), legal obligations (tax, accounting, consumer law), and consent (analytics cookies, optional marketing, storing sensitive vendor docs).

4. Sharing and transfers

• Payments: Stripe Connect (payment processing, payouts, subscription billing).
• Storage: Cloudinary (media), DigitalOcean (backend hosting), Vercel (frontend hosting).
• Communications: Email and notification providers for transactional messages.
• Analytics: Google Analytics 4 with Consent Mode; data is pseudonymous.
• Compliance: Regulators, tax agencies, or legal counsel when required. We may transfer data internationally under standard protections.

Google user data

• Access: With your explicit consent, we request Google Calendar scopes https://www.googleapis.com/auth/calendar.events and https://www.googleapis.com/auth/calendar.readonly so we can display busy events in LensTokyo and keep your LensTokyo bookings in sync with your Google Calendar.
• Use: We read calendar metadata (calendar name, event start/end, transparency, status) to block availability in LensTokyo and create, update, or remove booking events when your LensTokyo schedule changes. We do not access email content or other Google Workspace data.
• Storage: We store your Google Calendar refresh token encrypted in our database and keep per-event identifiers inside `vendor_availabilities.metadata` to prevent duplicates. We do not store full event bodies beyond the timestamps needed to manage availability.
• Sharing: Google user data is never sold or shared with third parties. It is used only within LensTokyo services running on our infrastructure (DigitalOcean backend, Vercel frontend). Vendors can disconnect Google Calendar at any time to revoke our access, which also deletes imported Google availability rows.
• Deletion: Disconnecting Google Calendar or switching sync modes away from two-way triggers removal of imported Google availability entries and clears stored access tokens. You can also request manual deletion by contacting us.

5. Cookies and consent

Essential cookies (auth, CSRF) always run. EU/UK visitors see our consent banner powered by region detection; analytics cookies load only after acceptance. Everyone can clear cookies via browser settings or reset consent in the banner. See our cookie guide for technical details.

6. Retention

• Verification documents: deleted six months after review.
• Booking and payout snapshots: kept for the statutory period for tax and dispute resolution.
• Activity logs: retained while needed for fraud prevention and product analytics.
• Premium membership records: kept while the account stays open or until required for chargeback defense.

7. Your rights

• Access, correct, or delete your data (subject to legal limits).
• Export booking or membership histories on request.
• Withdraw consent for analytics or marketing.
• Object to processing based on legitimate interest where applicable.
• Lodge a complaint with your local regulator.

8. Security

We encrypt verification files at rest, enforce access controls, monitor suspicious activity, and limit staff access to need-to-know roles. No online system is 100% secure, so report suspected issues promptly.

9. Updates

We will revise this policy when we launch new features or legal rules change. The revision date appears at the top of the page; continued use means you accept the update.