Privacy Policy

Mailens provides email for Lens Protocol users. Every Lens account gets a handle@mailens.xyz address. This policy explains what data we collect and how we handle it.

What We Collect

• Lens account info — your Lens handle, profile ID, and connected wallet address. Collected during authentication.
• Email content — messages you send and receive, including subject lines, body text, attachments, and metadata (timestamps, sender/recipient addresses, headers).
• Contacts — email addresses you save or that are auto-saved when you send an email.
• Drafts — auto-saved drafts of emails you are composing.
• Settings & preferences — sidebar order, theme, font family, sound preferences, and other UI customizations stored on your user profile.
• Visit data — when you use Mailens we record the page path, country, city (derived from server headers), referrer URL, and user agent. Your IP address is used transiently for rate limiting but is not stored in our database.
• Push notification subscriptions — if you opt in to browser push notifications, we store the push endpoint URL and encryption keys associated with your Lens profile.

How We Use It

We use your data to:

• Deliver, store, and display your emails
• Authenticate you via Lens Protocol wallet signatures or Orb login (QR code / deep link)
• Filter spam using SPF, DKIM, DNSBL checks, and content heuristics
• Send outbound emails on your behalf
• Store and serve attachments
• Provide search, contacts, and drafts functionality
• Index your emails for full-text search (subject, body, and addresses)
• Track visit analytics to understand usage patterns and improve the service
• Send operational notifications to the Mailens team via Discord (see “Operational Notifications” below)
• Enforce rate limits to protect the service from abuse
• Display your public profile page at mailens.xyz/handle
• Fetch your Lens avatar and account information from the Lens Protocol API

We do not sell your data. We do not use your email content for advertising or training AI models.

Operational Notifications

To monitor the health and usage of Mailens, we send automated notifications to a private Discord channel visible only to the Mailens team. These notifications may include:

• New signups — your Lens handle and profile ID
• Login events — your Lens handle and login method (wallet or Orb)
• Emails sent — sender address, recipient address, and subject line. Email body content is never sent to Discord.
• Page visits — page path, country, city, and your Lens handle if logged in
• Server errors — route path and error message (no user content)

These notifications are used solely for operational monitoring and debugging. They are not shared with any third party beyond the Discord platform.

Data Storage

• Database — email content, user profiles, contacts, and drafts are stored in a PostgreSQL database hosted by Supabase. All connections use TLS encryption.
• Attachments — files are stored on Grove (Lens Protocol's decentralized storage layer). Once uploaded, attachments are immutable.
• Inbound mail server — hosted on a dedicated VPS in Helsinki (Hetzner). Supports STARTTLS encryption.

Third-Party Services

• Resend — used to deliver outbound emails. Subject to Resend's privacy policy.
• Supabase — database hosting and realtime subscriptions.
• WalletConnect — wallet connection relay for authentication.
• Upstash — rate limiting via Redis. IP addresses are used as rate limit keys for unauthenticated endpoints and automatically expire within one minute.
• Grove (Lens Protocol) — decentralized file storage for email attachments. Uploaded files are immutable and publicly accessible via their URL.
• Lens Protocol API — used for avatar resolution, account search, handle verification, and ownership checks during authentication.
• Google Fonts — the font picker loads font files from fonts.googleapis.com. Google receives your IP address and user agent when fonts are loaded. See Google Fonts Privacy.
• Lensie.xyz — Lens social feed data is fetched from the Lensie.xyz public API for the contacts side panel.
• Discord — operational notifications are sent to a private Discord channel via webhooks (see “Operational Notifications” above).

Public Profile Pages

Each Lens account has a public profile page at mailens.xyz/handle. This page displays your Lens handle, display name, avatar, and your Mailens email address. Public profile pages are accessible to anyone on the internet and may be indexed by search engines.

Push Notifications

You may opt in to receive browser push notifications for new emails. If you enable this feature, your browser's push subscription endpoint and encryption keys are stored in our database, associated with your Lens profile ID. You can disable push notifications at any time through your browser settings or the Mailens settings page, which will remove the stored subscription.

Your Rights

• Delete your emails — you can trash and permanently delete any email. Trashed emails are auto-deleted after 30 days.
• Delete your contacts — manage and remove contacts from the Address Book at any time.
• Request account deletion — contact us to request full deletion of your account and associated data.

Cookies, Sessions & Local Storage

We use a single httpOnly cookie containing a JWT session token for authentication. We do not use tracking cookies, analytics cookies, or any third-party cookies.

Mailens also stores the following data in your browser's localStorage. This data never leaves your device:

• mailens-wallet — Wagmi wallet connection state
• mailens-sounds-muted / mailens-keyboard-sounds — sound effect preferences
• mailens-font-store — your selected font preference (Zustand persisted store)
• mailens-push-prompt-dismissed — whether you dismissed the push notification prompt
• Lens SDK session state — authentication session data managed by the Lens SDK

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated effective date.

Contact

Questions about this policy? Email us at hello@javitoshi.com.