Last updated · 3 July 2026

Privacy policy

This policy explains what personal data we collect through the Lente Studio website (lentestudio.io) and application, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who we are

The data controller is [legal entity name — to be established], [registered address], [company / VAT number]. For any question about this policy, write to [privacy contact email].

2. Data we collect and why

Access requests

When you use the request-access form we collect your name, agency name, email address and anything you write in the message field. We use it to reply to you and to set up your account if you become a customer. Legal basis: the steps you ask us to take before entering a contract (Art. 6(1)(b) GDPR).

Customer accounts

If your agency uses Lente Studio, we store your name, email address, a hashed password, and your role in the agency. Legal basis: performance of the contract.

Content you upload

Calendars, posts, captions and media your agency uploads are stored to provide the service. Where that content includes personal data about your own clients, your agency is the controller for it and we act as processor on your instructions.

Review links

People who approve posts through a review link can leave a name and, optionally, an email address for notifications. We use these only to attribute approvals and comments and to send the notifications the reviewer asked for.

Transactional email

We send the emails you'd expect: review digests, invitations, replies to your access request. We do not send marketing email and there is no newsletter.

Logs and security

Our servers keep short-lived technical logs (including IP addresses) for security, error diagnosis and rate limiting. Legal basis: our legitimate interest in keeping the service secure.

3. Analytics

The website uses Umami, a privacy-focused, self-hosted analytics tool that works without cookies and without tracking you across sites. It gives us aggregate page counts, not profiles of people. This is why the site has no cookie banner: there is nothing to consent to.

4. Processors we use

  • Resend — sends our transactional email. Your address passes through their systems when we email you.
  • Umami — cookie-less website analytics, self-hosted on our own EU server (no third party receives your data).
  • Hosting — the application and database run on a server operated by [hosting provider, location] in the EU.

We do not sell personal data, and we do not share it with anyone beyond these processors.

5. Retention

Access requests are kept for up to 12 months, then deleted. Customer account data and content are kept for as long as the contract runs and deleted within 90 days of termination, unless the law requires us to keep specific records longer.

6. Your rights

You can ask us for access to your data, correction, deletion, a portable copy, or to restrict or object to processing. Write to [privacy contact email] and we will answer within one month. You can also complain to your local supervisory authority; in Italy that is the Garante per la protezione dei dati personali.

7. Changes

If this policy changes in a way that matters, we will say so on this page and, for customers, by email. The date at the top always reflects the current version.