LensDesk

Privacy Policy

Last updated: 13 March 2026

1. Who we are

Madhaus Ltd ("we", "us", "our") is a company registered in England and Wales under company number 11413080. We are the operator of LensDesk (the "Service").

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected].

2. Our role: data controller and data processor

Whether we act as a data controller or a data processor under the UK General Data Protection Regulation (UK GDPR) depends on whose personal data is in question. This distinction matters and is explained below.

2.1 Where we are the data controller

We act as data controller for personal data relating to our own customers — the individuals and organisations that hold LensDesk accounts ("Customers") — and their authorised users. This includes account registration data, billing information, and technical or device data we collect in connection with operating the Service.

This Privacy Policy primarily addresses our practices as data controller for that Customer account data.

2.2 Where we are the data processor

LensDesk Customers use the Service to manage their own business relationships. When a Customer inputs personal data about their own clients, contacts, or end users — for example, the name, email address, or phone number of a photography client — that data is controlled by the Customer, not by us. In this context:

  • The Customer is the data controller, responsible for ensuring they have a lawful basis to process that data and for providing appropriate privacy notices to their own clients.
  • Madhaus Ltd is the data processor, processing the data only on the Customer's documented instructions and solely for the purpose of delivering the Service.

Our obligations as processor are governed by a Data Processing Agreement (DPA) with each relevant Customer, incorporating the requirements of UK GDPR Article 28.

2.3 If you are a client of a LensDesk Customer

If your personal data has been entered into LensDesk by a business that uses our Service — for example, a photography studio managing your booking — you should direct any privacy questions or data subject rights requests to that business directly, not to us. That business is the data controller of your personal data and is responsible for responding to your requests under UK GDPR.

If you are unsure who to contact, you are welcome to email us at [email protected] and we will do our best to point you in the right direction.

3. What laws apply

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any successor legislation.

4. What personal data we collect

The categories below apply to personal data for which we act as data controller — that is, data relating to Customers and their authorised users. We do not describe here the personal data that Customers choose to store about their own clients, as that data is under the Customer's control.

4.1 Account data

When you create a LensDesk account or are invited by an account administrator, we collect:

  • Name and display name
  • Email address
  • Role within your organisation (e.g. photographer, editor, manager)

4.2 Billing and payment data

If you subscribe to a paid plan, we collect billing information necessary to process payment. Payment card details are handled directly by our payment processor and are not stored on our systems.

4.3 Device and technical data

  • IP address and approximate location derived from IP
  • Device type, operating system, and browser or app version
  • APNs device tokens (for push notifications on iOS)
  • WebAuthn/passkey credential identifiers (for passwordless authentication)

4.4 Location data

If you use the iOS app and grant location permission, we process your device's GPS coordinates to provide nearby-job alerts and location-based features. Location data is processed on-device and is not stored on our servers beyond what is necessary for the feature to function.

4.5 Cookies and similar technologies

We use strictly necessary session cookies to maintain your authenticated session. We do not use advertising cookies or third-party tracking cookies. See section 11 for more detail.

5. How we use your personal data

We process personal data (as data controller) for the following purposes and on the following legal bases under Article 6(1) UK GDPR:

  • Performance of a contract (Art. 6(1)(b)): To provide, maintain, and improve the Service; to authenticate your identity; to process payments; and to provide customer support.
  • Legitimate interests (Art. 6(1)(f)): To detect and prevent fraud, abuse, or security incidents; to monitor and improve Service performance; to send transactional communications (e.g. OTP codes, password resets); and to maintain audit logs.
  • Consent (Art. 6(1)(a)): To send you marketing communications (where you have opted in); to process location data for nearby-job features on iOS. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws, regulations, or lawful requests from public authorities.

6. Who we share your data with

We do not sell your personal data. We share personal data only in the following circumstances:

  • Your organisation: Data you create within LensDesk is visible to other authorised users within your organisation's workspace, subject to role-based access controls.
  • Sub-processors: We use third-party service providers to help operate the Service, including:
    • Cloud hosting and infrastructure providers (details available on request)
    • S3-compatible object storage providers (details available on request)
    • Error monitoring and reporting services (details available on request)
    • Apple Push Notification service (APNs) for iOS push notifications
    • Postmark for transactional email delivery
    • Xero for accounting integration (only when enabled by your organisation)
  • Legal requirements: We may disclose personal data if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will consult with Customers before any such transfer and will provide an option to export or delete data.

7. International transfers

Some of our sub-processors may process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR, such as:

  • Transfers to countries with an adequacy decision from the UK Secretary of State
  • International Data Transfer Agreements (IDTAs) or the UK Addendum to EU Standard Contractual Clauses

8. How long we keep your data

We retain personal data for as long as your account or your organisation's subscription is active, and for a reasonable period afterwards to comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Account data: Retained for the duration of your account plus 12 months after deletion, unless a longer period is required by law.
  • Customer-controlled service data: Retained for the duration of the subscription. Upon termination, data is deleted within 90 days unless a data export has been requested.
  • Audit logs: Retained for up to 24 months.
  • Transactional email delivery logs: Retained for up to 45 days by our email provider.

9. Your rights

Under UK GDPR, you have the following rights in relation to personal data for which we are the data controller. If you wish to exercise rights over personal data controlled by one of our Customers (for example, data a photography business holds about you), please contact that Customer directly.

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data in certain circumstances.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects on you.

To exercise any of these rights, contact us at [email protected]. We will respond within one month as required by UK GDPR.

10. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS/HTTPS) for all connections
  • Hashed and salted password storage
  • Role-based access controls within the application
  • Regular security reviews of infrastructure and code
  • Session management with secure, HTTP-only, SameSite cookies

11. Cookies

LensDesk uses the following cookies:

  • Session cookie (strictly necessary): Maintains your authenticated session while using the Service. Expires when you close your browser or log out.
  • Remember-me cookie (functional): If you choose to stay signed in, a persistent cookie is set. You can clear this by logging out.

We do not use analytics, advertising, or third-party tracking cookies. Because we use only strictly necessary and functional cookies, consent is not required under PECR Regulation 6.

12. Children's data

LensDesk is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or an in-app notification.

14. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at [email protected].

15. Contact us

Madhaus Ltd
Company number: 11413080
Registered in England and Wales
Email: [email protected]


Photography practice management software by Madhaus Ltd.
