Privacy Policy

Last Updated: February 12, 2026

1. Introduction

This Privacy Policy describes how len.sh ("we", "us", or "our") collects, uses, and shares your personal information when you use our screenshot API service at https://len.sh (the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

For privacy questions, contact us at [email protected].

2. Information We Collect

A. Information You Provide

  • Account information: name, email address, company name
  • Payment information: processed by Stripe — we do not store credit card details
  • Support communications: emails and messages you send us

B. Information Automatically Collected

  • API usage data: URLs captured, parameters used, timestamps, response times
  • Log data: IP address, user agent, request and response metadata
  • Cookies: authentication and session management cookies (see Section 10)
  • Performance data: error rates, render times, cache hit rates

C. Information from Third Parties

  • Payment processors: Stripe provides transaction confirmation and billing status

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process payments and send invoices
  • Send service-related communications (downtime notifications, security alerts, product updates)
  • Monitor and enforce usage limits and rate limits
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

Legal Basis (GDPR)

For users in the European Economic Area, we process personal data based on:

  • Contract performance: providing the Service you signed up for
  • Legitimate interests: improving our Service, preventing fraud
  • Legal compliance: meeting regulatory requirements
  • Consent: where specifically requested

4. How We Share Your Information

We share information with:

  • Service providers: Cloudflare (hosting and CDN), Stripe (payments), Resend (transactional email)
  • Legal requirements: when required by law, regulation, or legal process
  • Business transfers: in connection with a merger, acquisition, or sale of assets

We do NOT:

  • Sell your personal information
  • Share your data for advertising purposes
  • Share screenshots you capture with third parties

5. Data Retention

  • Account information: retained until account deletion, plus 30 days
  • API usage logs: 90 days
  • Billing records: 7 years (legal requirement)
  • Cached screenshots: per your cache_ttl settings, then automatically deleted

You may request data deletion at any time (see Section 6).

6. Your Rights

GDPR Rights (EU/EEA Users)

  • Access your personal data
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data (data portability)
  • Object to or restrict processing
  • Withdraw consent at any time

CCPA Rights (California Residents)

  • Know what personal information is collected
  • Request deletion of personal information
  • Opt-out of the sale of personal information (we do not sell data)
  • Non-discrimination for exercising your rights

How to Exercise Your Rights

Contact us at [email protected]. We will respond within 30 days.

7. Data Security

We protect your data with:

  • Encryption in transit (TLS/SSL on all connections)
  • Encryption at rest for stored data
  • Hashed API keys (SHA-256) — we never store raw keys
  • Access controls and authentication for all systems
  • Infrastructure hosted on Cloudflare's global edge network

No method of transmission or storage is 100% secure. You are responsible for keeping your API keys confidential.

8. International Data Transfers

Your data is processed on Cloudflare's global network and may be transferred internationally. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

9. Children's Privacy

The Service is not intended for users under 18. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it promptly.

10. Cookies and Tracking

We use the following cookies:

  • Essential cookies: lensh_session for authentication and session management
  • Admin cookies: lensh_admin for admin dashboard access

We do not use analytics or advertising cookies. You can configure your browser to block cookies, but this may prevent you from using authenticated features.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: