L
Lensvira · LensviraConnect
Lensvira & LensviraConnect
Privacy Policy
Last updated: April 25, 2026 · Effective immediately
This Privacy Policy explains how Code Velora ("we", "us", "our") collects, uses, stores, and shares your information when you use the Lensvira and LensviraConnect mobile and web applications (together, the "Apps"). Both apps share the same backend, the same Firebase authentication, and the same user accounts — so this policy applies to both.
Quick summary: We collect your phone number (to sign you in via OTP), your name and profile data (so others can find and book you), and the project data you create. We don't sell your data. We don't show ads. Files live on Cloudflare R2; user data lives on Cloudflare D1; auth runs on Firebase. You can delete your account anytime from Settings.
1. About us
The Apps are owned and operated by:
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000.
2. The two apps and what they do
| App | Who it's for | Main features |
|---|
| Lensvira |
Photographers and contractors (business owners hiring photographers) |
Manage projects, hire photographers, upload media, send invoices, accept bookings |
| LensviraConnect |
Clients of contractors and individual photographers |
View shared photos and videos, browse photographers, manage own bookings |
3. What data we collect
3.1 You provide directly
- Phone number — required to sign in via OTP
- Name (display name)
- Profile photo and cover photo (optional)
- Photographer profile (if applicable): bio, city, state, mobile number, UPI ID, per-event rate, available dates, packages, gear, portfolio photos and videos
- Contractor / business profile (if applicable): business name, address, type (registered/unregistered), GSTIN, SAC code, registration number, business phone, state
- Project data you create: client name, address, event location, dates, notes, payment categories
- Media files you upload: photos, videos, documents associated with projects
- App PIN (optional 4-digit second-factor lock — stored as a PBKDF2-SHA256 hash, never plaintext)
- UPI transaction IDs and payment screenshots when you record offline payments
3.2 Collected automatically
- Firebase Cloud Messaging (FCM) device token — to send push notifications
- Device platform (Android / iOS / Web) — for compatibility
- Server logs at our backend (timestamps, request paths, response codes; retained for 90 days for security and debugging)
- Authentication metadata from Firebase (sign-in attempts, sessions)
3.3 What we do NOT collect
- ❌ Your password (we use OTP, not passwords)
- ❌ Your raw OTP code (Firebase handles verification)
- ❌ Payment card or bank account details (UPI IDs are public identifiers, not credentials)
- ❌ Your device contacts, calendar, or location (we don't request these permissions)
- ❌ Microphone or camera audio (we only request camera access for taking photos within the app, never audio)
- ❌ Tracking identifiers for advertising
4. How we use your data
- To run the service — display your profile to others, store and serve your project files, route bookings between contractors and photographers, deliver client-facing media via LensviraConnect.
- To authenticate you — phone OTP via Firebase, JWT-based sessions for backend access.
- To send notifications — booking requests, payment reminders, project updates (via Firebase Cloud Messaging).
- To support compliance — generate GST-compliant invoices when business info is configured.
- For security — verify PINs, prevent fraud, debug errors, audit access.
We do not use your data for advertising, profiling, or sale to third parties.
5. Who we share your data with
5.1 Other users (because that's how the Apps work)
- Your name, profile photo, photographer profile are visible to contractors searching for photographers in Lensvira.
- Your business info appears on invoices you generate for clients.
- Files you upload to a project are visible to the project owner and any team members or clients granted access.
- If you accept a booking, your name and rate appear on the contractor's project record.
5.2 Service providers (sub-processors)
| Provider | What we use them for | Where data lives |
|---|
| Google Firebase |
Phone OTP authentication, Cloud Messaging (push notifications) |
Google data centers (global) |
| Cloudflare Workers |
Backend API hosting |
Cloudflare global edge network |
| Cloudflare D1 |
User database (profile, projects, bookings, payments metadata) |
Cloudflare regional storage |
| Cloudflare R2 |
Storage for photos, videos, avatars, and uploaded files |
Cloudflare regional storage |
| Razorpay (planned, not yet active) |
Online payment processing once we enable subscriptions and online payments |
Razorpay (India) |
5.3 Legal disclosure
We may disclose your data if required by law (court order, lawful subpoena, government request) or to protect our rights, property, or safety.
5.4 What we never do
We never sell your personal data. We never share it with advertisers. We never use it to train AI models for third parties.
6. International transfers
Firebase and Cloudflare may store and process your data in regions outside India. Both providers comply with international data-protection standards (GDPR, ISO 27001). By using the Apps you consent to such transfers as necessary to provide the service.
7. Data retention
- Active account data — kept for as long as your account is active.
- Server logs — 90 days, then auto-deleted.
- After account deletion — most personal data is deleted immediately. The following is retained:
- Booking and payment records — 8 years, as required by Indian GST law.
- Anonymized account row — indefinite (for foreign-key integrity); no personal data remains.
- Files uploaded to other users' projects — retained because they belong to the project owner, not you.
For full details see Account Deletion Instructions.
8. Your rights (DPDP Act 2023)
As a Data Principal, you have the right to:
- Access a summary of your data — email us at the address below.
- Correct or update your data — most fields are directly editable in Settings or your Profile.
- Erase your data — use the "Delete Account" option in Settings.
- Withdraw consent — sign out and request deletion.
- Grievance redressal — contact our grievance officer below.
9. Security
- All traffic uses HTTPS (TLS 1.3).
- App PINs are hashed with PBKDF2-SHA256 (100,000 iterations) plus a per-user salt — never stored in plaintext.
- Backend access is gated by JWT tokens that expire and are refreshed against Firebase.
- Cloudflare and Firebase provide infrastructure-level security (DDoS protection, encryption at rest).
No system is 100% secure. We notify users promptly if a breach affects their data.
10. Children
The Apps are not intended for users under 18. We do not knowingly collect data from anyone under 18. If we discover such data, we delete it.
11. Changes to this policy
We may update this Privacy Policy as the Apps evolve (new features, new sub-processors, legal requirements). Material changes will be communicated via in-app notification or email at least 7 days before they take effect.
12. Grievance officer