LeanTools

Privacy Policy

Effective from 1 January 2026 · © 2026 LeanTools

This Privacy Policy describes how the LeanTools platform collects, stores, processes and protects users' personal data. This policy complies with Regulation (EU) 2016/679 (GDPR) and applicable data protection legislation.

§ 1

Data Controller

The controller of personal data processed within the LeanTools platform is:

  • Name: Piotr Mieczkowski
  • Role: Owner, Platform Operator
  • Email: contact@leantools.pl
  • Location: Gdańsk, Poland
  • Website: https://www.leantools.pl
Right of access: You may contact the Controller at any time to exercise your rights regarding your personal data (right of access, rectification, erasure, restriction of processing, data portability).
§ 2

What Data We Collect

2.1 Data Collected During Registration

When creating a LeanTools account we collect the following data:

  • Contact data: email address, phone number (optional)
  • Company data: organisation / company name, user's job title
  • Access data: password (encrypted, invisible to the Controller)
  • Location data: country, region (optional, for analytics purposes)
2.2 Data Collected During Use of the Service

We process the following data while you use the platform:

  • Operational data: information entered into SQDP, Kamishibai and Kaizen boards (KPIs, audits, improvement suggestions)
  • Access log data: login date/time, IP address, browser type, operating system
  • Activity data: actions performed in the platform (editing, deletion, data export)
  • Analytics data: time spent in the app, most-used features, browser errors
2.3 Indirectly Collected Data

Some data is collected automatically without direct user action:

  • Cookies: preference, session and settings information (details in the Cookie Policy)
  • IP address: for location identification and attack prevention
  • User-Agent: browser and device information
  • Analytics data: e.g. from Google Analytics (anonymised)
§ 3

Purposes of Data Processing

We process your personal data solely for the following purposes:

Purpose of Processing | Data Category | Legal Basis
Service provision — login, access to features | Email, password (hash), IP | Art. 6(1)(b) GDPR — contract performance
Account management — password reset, data changes | Email, contact data | Art. 6(1)(b) GDPR — contract performance
Billing and invoicing — subscription fee collection | Email, payment data (via payment gateway) | Art. 6(1)(b) GDPR — contract performance
Communication — change notifications, support | Email, chat messages | Art. 6(1)(a) GDPR — consent; Art. 6(1)(b) — contract performance
Security — protection against attacks and fraud | IP, access and activity logs | Art. 6(1)(f) GDPR — legitimate interest
Analytics and service improvement — usage statistics | Anonymised data, aggregate KPIs | Art. 6(1)(f) GDPR — legitimate interest
Legal compliance — legal and judicial obligations | All available data | Art. 6(1)(c) GDPR — legal obligation

We do not process your data for marketing purposes without your explicit consent. Every marketing or newsletter email includes an unsubscribe link.

§ 4

Legal Basis for Processing

Processing of personal data is justified by one or more of the following legal bases listed in Art. 6 GDPR:

  • Art. 6(1)(a) — Consent (e.g. newsletter, analytics cookies) — you may withdraw consent at any time
  • Art. 6(1)(b) — Contract performance (service provision, registration, payments)
  • Art. 6(1)(c) — Legal obligation (taxes, audits, court orders)
  • Art. 6(1)(f) — Legitimate interest (security, analytics, fraud prevention)
Your consent: During registration you explicitly consent to data processing. You may withdraw it at any time by contacting us at contact@leantools.pl
§ 5

Who We Share Data With

5.1 Internal Recipients

Data may be accessible to:

  • Owner / System Administrator — Piotr Mieczkowski (full access)
  • Collaborators — people invited to the team within the account (access limited to data entered in the application, not to personal data)
5.2 External Providers (Third Parties)

Data may be transferred to selected service providers acting as Data Processors:

  • Supabase (cloud database) — data storage on EU/US servers
    • Headquarters: USA (Supabase)
    • Data: all user data (covered by Standard Contractual Clauses)
    • Supabase Privacy Policy
  • Vercel (app hosting) — web application delivery
  • Google Analytics — usage analytics (anonymised)
  • Payment gateway (e.g. Stripe) — payment processing
  • Email (SMTP server) — sending confirmation and password reset emails
    • Data: email address, message content
5.3 Disclosure on Legal Request

We may disclose data upon request from law enforcement agencies, courts or tax authorities in accordance with Polish and EU law. We will always endeavour to notify you of such a request unless prohibited by law.

5.4 Security of Data Transfers

Transfers outside the EU: Some providers (Supabase, Vercel, Google) are based in the USA. Transfers are protected by Standard Contractual Clauses (SCC) or other GDPR-compliant mechanisms.

§ 6

How Long We Retain Data

Personal data is retained only for as long as necessary to fulfil the purposes of processing. Details below:

Data Category | Retention Period | Justification
Account data (email, name, phone) | For the duration of the account + 30 days after cancellation | Service provision, possibility of reinstatement
Password (hash) | For the duration of the account | Account security
Operational data (SQDP, Kamishibai, Kaizen) | For the duration of the account + 30 days after cancellation | User ownership, possibility of export
Access logs (IP, login time) | 90 days | Security, anomaly detection
Analytics data (anonymised) | 13 months | Trend analysis, service improvement
Payment history / invoices | 5 years (tax law requirement) | Legal obligation, accounting
Session cookies | Until browser is closed | Session functionality
Persistent cookies | Up to 12 months / until consent is withdrawn | User preferences

After the retention period: Data is automatically deleted or anonymised. Upon request we can accelerate deletion.

§ 7

Your Rights (Art. 12-22 GDPR)

As a data subject you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

You may request access to all personal data we hold about you. We will respond within 30 days. Data will be provided in JSON, CSV or PDF format.

7.2 Right to Rectification (Art. 16 GDPR)

If your data is inaccurate or incomplete you may request its rectification. In most cases you can do this yourself in your account settings.

7.3 Right to Erasure (Art. 17 GDPR)

You may request deletion of your data ("right to be forgotten"). Exceptions apply when:

  • Data is still required for service provision (if the account is active)
  • Legal requirement (e.g. fiscal data for 5 years)
  • Our legitimate interests (security, fraud prevention)

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing (e.g. suspension while a complaint is resolved) instead of deletion.

7.5 Right to Data Portability (Art. 20 GDPR)

You may request a copy of your data in a structured, commonly used format (JSON, CSV) for transfer to another service. We will provide the data within 30 days.

7.6 Right to Object (Art. 21 GDPR)

You may object to processing of your data based on our legitimate interests (e.g. analytics, marketing). Following an objection we will assess whether our interests override yours.

7.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

How to exercise your rights: Send all requests to contact@leantools.pl with the subject "GDPR Rights Request" or "Data Subject Request". We require identity verification (email, account screenshot, or other evidence). We respond within 30 days of identity confirmation.
§ 8

Data Security

8.1 Technical Measures

We protect your data through:

  • Transport encryption (TLS/SSL) — all HTTPS connections are encrypted (256-bit AES)
  • Password hashing — passwords are hashed with bcrypt (irreversible, even for us)
  • Database access — restricted to authorised systems (not humans)
  • Backups — regular backups (daily), stored separately
  • Monitoring — alerts for unusual activity and failed login attempts
8.2 Organisational Measures

Data is protected through:

  • Access restriction — only authorised persons may view data (principle of least privilege)
  • Confidentiality agreements — all providers are bound by confidentiality obligations
  • Password policy — we require strong passwords (min. 8 characters)
  • Security audits — we regularly check for vulnerabilities
8.3 Security Incidents

In the event of a data security breach:

  • We will notify you within 72 hours (where required by law)
  • We will describe the cause, scope and remedial steps
  • We will notify the relevant Data Protection Authority if required

Disclaimer: No security method is 100% reliable. We apply industry standards but cannot guarantee absolute protection.
§ 9

Cookie Policy

The LeanTools platform uses cookies to improve user experience. Details can be found in the Cookie Policy.

Cookie types:

  • Strictly necessary cookies — required for operation (session, security) — always active
  • Analytics cookies — usage data collection (Google Analytics) — requires consent
  • Functional cookies — remembering preferences (language, theme) — requires consent

You can manage cookies in your browser settings or via the cookie banner on our website.

§ 10

Protection of Minors' Data

LeanTools is intended for users aged 18 and over. We do not knowingly collect data from minors.

If you are a parent or guardian and learn that your child has provided us with their data, please contact us immediately at contact@leantools.pl. We will delete the child's data within 48 hours.

§ 11

Links to Third-Party Services

LeanTools contains links to external websites (e.g. Supabase, Vercel, Google). This policy does not apply to those sites — each has its own privacy policy. We encourage you to read them.

We are not responsible for the privacy practices of third parties.

§ 12

Changes to the Privacy Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes via:

  • An email to the address associated with your account
  • An in-app notification (banner, popup)
  • Publication of a new version on this page (with effective date)

Continued use of the platform after changes constitutes acceptance of the new policy.

§ 13

Contact and Complaints

13.1 Contact Us

For questions about data privacy or GDPR requests:

  • Email: contact@leantools.pl
  • Subject: "Privacy Question" or "Data Subject Request"
  • Response time: 30 days from identity confirmation
13.2 Complaint to the Data Protection Authority

If you believe we have violated your rights, you may lodge a complaint with the relevant supervisory authority. In Poland:

  • Personal Data Protection Office (UODO)
  • ul. Stawki 2, 00-193 Warszawa
  • Tel: +48 22 531 03 00
  • https://uodo.gov.pl

You may also lodge a complaint with the data protection authority in your country of residence.


This Privacy Policy is effective from the date of publication on the LeanTools website. Last updated: 1 January 2026.