leanDeals is a CRM platform operated by Apiwave s.r.o., a company incorporated under the laws of the Czech Republic.
| Legal Entity | Apiwave s.r.o. |
|---|---|
| Country | Czech Republic, European Union |
| Privacy Contact | info@lean-deals.com |
| Website | app.lean-deals.com |
For all privacy-related enquiries, requests, or complaints, please contact us at info@lean-deals.com. We will respond within 30 days.
This Privacy Policy explains how leanDeals collects, uses, stores, and shares personal data when you:
This Policy does not cover data that Clients process within the Service about their own customers or contacts; that is addressed in our Data Processing Agreement (DPA), which governs our role as a data processor acting on your instructions.
When we collect and process data about you directly, such as your account registration data, billing information, and usage data, we act as the data controller. This Privacy Policy describes our practices in that capacity.
When you use the Service to store, manage, and process data about your own contacts, customers, or employees (i.e., "Client Data"), we act as a data processor on your behalf. As a processor, we process Client Data solely according to your instructions as set out in our Data Processing Agreement (DPA).
If you are subject to the GDPR as a data controller and use leanDeals to process Personal Data on your behalf, a Data Processing Agreement (DPA) is available upon request. Please contact info@lean-deals.com to obtain the DPA.
| Data | Purpose |
|---|---|
| Full name | Account creation, identification |
| Work email address | Login, notifications, support |
| Company name | Workspace creation, billing |
| Password (hashed) | Authentication |
| Country / region | Tax calculation, compliance |
Payment processing is handled by Paddle as Merchant of Record. We do not store full credit card numbers or bank account details. We receive from Paddle: subscription status, invoice history, billing contact name, and the last four digits of your payment card for display purposes only.
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, geolocation for compliance |
| Browser type and version | Compatibility, error diagnosis |
| Feature usage patterns | Product improvement (anonymised) |
| Error logs | Bug fixing, quality assurance |
| Login timestamps | Security, audit trail |
If you enable the email integration feature, we process email metadata as described in Section 6.
If you contact us via email, chat, or other means, we retain records of those communications to handle your enquiry and improve our support.
We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data). Please do not store such data in the Service.
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Providing and operating the Service | Account data, usage data | Art. 6(1)(b): Contract performance |
| Processing payments and managing billing | Billing data, account data | Art. 6(1)(b): Contract performance |
| Sending transactional communications (e.g., account confirmations, invoices, security alerts) | Email address | Art. 6(1)(b): Contract performance |
| Providing customer support | Account data, communications data | Art. 6(1)(b): Contract performance |
| Ensuring security and preventing fraud | Technical data, IP address | Art. 6(1)(f): Legitimate interests |
| Product analytics and improvement (anonymised/aggregated only) | Usage data (anonymised) | Art. 6(1)(f): Legitimate interests |
| Compliance with legal obligations (e.g., tax records) | Billing data | Art. 6(1)(c): Legal obligation |
| Sending product updates and marketing (only with your consent) | Email address | Art. 6(1)(a): Consent |
Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that our interests are not overridden by your rights and freedoms. You may object to such processing at any time; see Section 10.
The optional email integration feature enables you to connect your Gmail (via Google OAuth 2.0), Microsoft Outlook (via Microsoft OAuth 2.0), or other email accounts (via IMAP/SMTP) to leanDeals to synchronise email activity with your CRM records.
We process the following email metadata when the integration is active:
We do not store full email body content.
The email integration operates under Art. 6(1)(b) (contract performance) for the account holder, and you, as data controller, are responsible for having a valid legal basis to process the email data of third parties (e.g., your contacts) whose email addresses appear in the synced emails.
OAuth access tokens and refresh tokens for Gmail and Outlook are stored in encrypted form in our database. We use these tokens solely to fetch email metadata on your behalf. You can revoke access at any time through your Google or Microsoft account settings, or by disconnecting the integration in leanDeals.
IMAP usernames and passwords are stored in encrypted form. You are responsible for using appropriate app-specific passwords and for reviewing your email provider's policies regarding IMAP access.
leanDeals's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not sell your personal data. We share your data only with trusted third-party service providers ("sub-processors") who assist us in delivering the Service, subject to contractual data protection obligations. Our sub-processors fall into the following categories:
| Category | Purpose | Data Transfer Location |
|---|---|---|
| Cloud infrastructure provider | Hosting and server infrastructure for the application | European Union |
| Database-as-a-service provider | Database hosting, authentication, and storage | European Union |
| Payment processor (Merchant of Record) | Subscription billing, invoicing, tax remittance | United Kingdom / EU |
| Transactional email provider | Sending account notifications, system emails | European Union |
| CI/CD and source code hosting | Automated deployment pipelines (no Client Data access) | United States (SCCs in place) |
We may also disclose your data: (i) when required by law, court order, or regulatory authority; (ii) to protect the rights, property, or safety of leanDeals, its users, or the public; (iii) in connection with a business transfer, merger, or acquisition (with notice provided to affected users).
Our primary infrastructure is hosted in the European Union. Where any data transfer occurs outside the EU/EEA (for example, in connection with our CI/CD pipeline provider), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:
You may request more information about the specific safeguards applicable to any international transfer by contacting us at info@lean-deals.com.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and profile data | Duration of Subscription + 90 days after termination | Service continuity, re-activation option |
| Client Data (CRM records) | Duration of Subscription + 90 days after termination | Data recovery window |
| Billing records | 10 years | Legal obligation (Czech accounting law) |
| Email metadata (if integration enabled) | Duration of Subscription + 90 days after termination | Consistent with Client Data retention |
| Support communications | 3 years from last contact | Legitimate interest (dispute resolution) |
| Security and access logs | 12 months | Security, fraud prevention |
| Anonymised usage analytics | Indefinitely | Product improvement (no personal data) |
After the applicable retention period, data is permanently and securely deleted from our systems, including backups.
If you are located in the European Union or European Economic Area, you have the following rights with respect to your personal data that we process as a data controller:
Request a copy of the personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data ("right to be forgotten") where we no longer have a legal basis for processing it.
Request that we restrict processing of your personal data in certain circumstances.
Receive your personal data in a structured, commonly used, machine-readable format.
Object to processing based on legitimate interests or for direct marketing purposes.
Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Lodge a complaint with your national data protection authority (in the Czech Republic: ÚOOÚ).
To exercise any of these rights, please contact us at info@lean-deals.com. We will respond within 30 days (extendable by two additional months for complex requests, with prior notice). We may request identity verification before processing your request.
We use a limited number of cookies strictly necessary to operate the Service:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session cookies | Maintain your authenticated session | Session (deleted on browser close) |
| Authentication token | Keep you logged in between sessions | Up to 30 days |
| Preference cookies | Remember your UI settings (language, theme) | Up to 12 months |
We do not currently use third-party advertising cookies or behavioural tracking technologies within the authenticated Service environment.
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.
The Service is not intended for, and must not be used by, individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at info@lean-deals.com.
We implement industry-standard technical and organisational measures to protect your personal data, including:
Despite these measures, no system is completely secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Articles 33 and 34 (within 72 hours of becoming aware, where feasible).
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email or by a prominent notice within the Service at least 30 days before the changes take effect.
The "Effective date" at the top of this document indicates when this version took effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
For any privacy-related questions, please contact us at info@lean-deals.com.