PrivacyLens

Inspiration

It started with a simple question during a late-night study session: "Hey, does TikTok actually listen to your microphone?"

Nobody in the room knew the answer. We all had TikTok. We all used it every day. But none of us had any idea what it was actually doing in the background — what data it collected, who it shared it with, or how it compared to other apps on our phones.

So we tried to find out. We searched online, found fragments of information scattered across Reddit threads, privacy blogs, and 10,000-word legal documents nobody could actually read. The answer was technically out there — but buried so deep that finding it felt like a research project.

That's the problem. Privacy information exists. It's just completely inaccessible to the people who need it most.

We thought about the TikTok congressional hearings of 2024, where lawmakers grilled the CEO for 5 hours about data collection practices. Millions of people watched those hearings. But when it was over, the same users went back to using the app with zero understanding of what had just been debated about their own data. The information gap between what companies know and what users know is enormous — and nobody was building a bridge.

We decided to build one in 24 hours.

What It Does

PrivacyLens is a free privacy audit tool that lets anyone understand exactly what their apps are doing with their personal data — in plain English, in under 30 seconds.

Search any app. Type an app name and instantly see:

A privacy score out of 100 (lower = more dangerous)
Every permission the app holds, with plain-English explanations
Every third-party tracker embedded in the app
A personal, AI-generated summary of what the score means for you
A safer alternative with the exact score improvement you'd get by switching

Scan your entire phone. Upload a screenshot of your home screen. Our AI reads every app icon and audits all of them at once — returning a ranked grid sorted by most dangerous first. A full privacy audit of 37 apps in seconds.

Take action. Every result comes with specific, actionable steps: which permissions to revoke, which trackers to be aware of, and which settings to change.

The scoring algorithm is built on real data. Given $n$ permissions with risk weights $w_i \in {3, 2, 1}$ for high, medium, and low risk respectively, and $t$ trackers, the raw risk is:

$$R = \sum_{i=1}^{n} w_i + 2t$$

The privacy score is then normalized to a 0–100 scale:

$$\text{Score} = \max\left(0,\ 100 - \left(\frac{R}{R_{\max}} \times 100\right)\right)$$

where $R_{\max}$ is calibrated against the worst apps in our database, ensuring the score is always interpretable relative to real-world apps.

How We Built It

We built PrivacyLens on a dual-backend architecture that separates concerns cleanly and lets each service do what it's best at.

Frontend — React with a fully custom dark-mode design system. Every component was built from scratch — no UI libraries. The aesthetic was deliberately designed to feel like a security tool: dark surfaces, red accents, sharp typography. Routes handle search, screenshot scanning, app comparison, and individual app result pages.

Backend Port 8001 (FastAPI / Python) — Handles all app data and scoring. Built a custom app_database.py with 50+ apps, each with real permission data sourced from Exodus Privacy, including risk tier classifications (HIGH, MEDIUM, LOW) and plain-English descriptions for every permission. The scoring algorithm runs here and returns structured JSON including privacy_score, guilt_trip, benchmarking, and alternative.

Backend Port 8000 (Flask / Python) — Handles all AI and media operations. Screenshot uploads hit this server, which passes the image to the Gemini Vision API for app detection. The /api/describe/ endpoint calls Gemini to generate the personalized privacy paragraph for any app. The /api/icon/ endpoint fetches app icons via the iTunes Search API.

AI Layer — Google Gemini 2.5 Flash — Used in two distinct ways:

Vision: Reading home screen screenshots and identifying every app icon
Generation: Writing plain-English privacy summaries tailored to the specific permission and tracker profile of each app, and dynamically generating privacy data for apps not yet in our database

Dynamic Data Generation — For any app not in our hardcoded database, we built a Gemini fallback that generates realistic permission and tracker data on the fly and caches it in memory for the session. This means PrivacyLens works for essentially any app in existence.

The full stack: React · FastAPI · Flask · Google Gemini 2.5 Flash · Exodus Privacy Database · iTunes Search API · Python · JavaScript

Challenges We Ran Into

The dual-backend problem. Splitting services across two ports (8000 and 8001) introduced a subtle bug that cost us over an hour. The frontend was calling the wrong port for screenshot uploads, resulting in 404 errors we couldn't immediately trace. Once we mapped every endpoint to its correct server, everything clicked — but it was a painful lesson in the importance of clear API architecture documentation even in a hackathon.

Gemini's inconsistent JSON. When we asked Gemini to generate app data dynamically, it would sometimes return valid JSON, sometimes wrap it in markdown code fences, and occasionally include explanatory text before the JSON object. We had to build a robust parser that strips fences, handles whitespace, and gracefully falls back to the static database on parse failure.

Score recalculation bug. Early in the project, the frontend was recalculating privacy scores using its own calculateScore() function instead of trusting the backend's privacy_score field. This meant TikTok was showing 28/100 instead of 11/100 — making the app look significantly less alarming than it actually was. Finding this required tracing data through three layers of the stack.

Git merge conflicts at 3am. During a rebase, we hit conflicts in .gitignore and README.md simultaneously. The resolution accidentally duplicated the entire AppResult.jsx file, which broke the frontend with a useState already declared error. We fixed it by deleting everything from line 289 onwards and keeping only the first clean copy.

App detection accuracy. Gemini Vision is impressive but not perfect. On cluttered home screens with small icons or unusual layouts, it would occasionally misidentify apps or miss icons entirely. We improved accuracy by refining the prompt to ask Gemini to be exhaustive and return every visible icon regardless of confidence level, then filtering on the backend.

Accomplishments That We're Proud Of

We're proud that it actually works — end to end, on real data, with a real phone screenshot. Scanning 37 apps from a live home screen and returning accurate privacy scores for all of them in seconds felt genuinely magical the first time it worked.

We're proud of the plain-English summaries. The line "TikTok can listen to your dorm room chats through your microphone, pinpoint your exact location from classes to parties, and build a detailed profile of your habits and routines" — that's generated dynamically by Gemini using the actual permission list. It lands differently than a number. It makes people feel something. That's intentional.

We're proud of the scoring algorithm. It's not arbitrary — it's grounded in real risk weights derived from actual permission danger levels, normalized against real apps, and defensible to anyone who asks how we calculated it.

We're proud that we built a complete, polished product in 24 hours. Not a prototype, not a demo with hardcoded data — a real tool with dynamic data generation, icon fetching, screenshot scanning, app comparison, PDF export, and a design system we're genuinely happy with.

What We Learned

We learned that the user-facing explanation matters more than the data itself. We had all the permission data early. But showing someone "android.permission.RECORD_AUDIO" means nothing. Showing them "This app can listen through your microphone at any time" means everything. The translation layer — Gemini turning raw permissions into human language — is arguably the most important part of the entire product.

We learned that AI as infrastructure, not just a feature, changes what's possible. We didn't use Gemini to add a chatbot. We used it as a core processing layer — for vision, for generation, for data fallback. That architectural decision let us cover essentially the entire app ecosystem without a database of millions of entries.

We learned the hard way that API boundary discipline matters even in hackathons. Every time we moved fast and assumed which port handled what, we created bugs. A five-minute conversation at the start to map every endpoint would have saved hours.

We also learned that privacy anxiety is real and universal. Every person we showed the demo to immediately wanted to scan their own phone. Nobody was indifferent. The problem we picked resonates with everyone — which is either validating or alarming, depending on how you look at it.

What's Next for PrivacyLens

Browser extension. Show privacy scores directly in the App Store and Google Play before users install anything. The moment of installation is when the information matters most — not after.

Live permission monitoring. Instead of a static snapshot, track when apps request new permissions after updates and alert users in real time. Your privacy score shouldn't be a one-time number — it should be a living feed.

School and nonprofit partnerships. We want PrivacyLens in digital literacy classrooms. Privacy education is largely theoretical right now — we can make it viscerally concrete. Show a student their own phone's scan and they understand data privacy in a way no lecture can achieve.

Crowdsourced database. Let users flag when an app's real-world behavior doesn't match its declared permissions. Build a community-verified layer on top of the static data.

Policy pressure at scale. If enough people know that TikTok scores 11/100 and Signal scores 75/100, companies face real reputational pressure to reduce data collection — not just write longer policies. The end goal isn't just awareness. It's accountability.

Built in 24 hours at CheeseHacks 2026 · UW-Madison
Stack: React · FastAPI · Flask · Google Gemini 2.5 Flash · Exodus Privacy · Python · JavaScript