Privacy policy
Last updated: June 12, 2026.
This Privacy Policy explains how LeanProjax (“LeanProjax”, “we”, “us”) collects, uses, shares, and protects your information when you use our websites, the LeanProjax web application, and the LeanProjax iOS app (together, the “Service”). It applies to both our public/marketing pages and the signed-in product. By using the Service you agree to this policy and to our Terms of Service.
1. Who we are
LeanProjax provides a multi-tenant Six Sigma / DMAIC project workspace. For data submitted by an organisation's members, that organisation is the data controller and LeanProjax acts as a processor; for account and usage data we describe below, LeanProjax is the controller. Privacy questions: privacy@leanprojax.co.
2. Information we collect
- Account data — your name, email address, the sign-in method you use (Apple, Google, or email + password), and, for password sign-in, a salted hash of your password (never the plaintext).
- Workspace & project content — the projects, charters, process data, measurements, toolkit runs, files you import, and notes you create. We treat this as confidential to your organisation and scope it to your workspace.
- Usage & product analytics — how you navigate and interact with the Service (pages viewed, features and buttons used, and where flows are abandoned), collected via our analytics provider (PostHog) to improve the product. We configure analytics to mask the text you type and your project content. You can opt out (see “Your choices”).
- Diagnostics & error data — when the app errors or crashes, we collect technical diagnostics (error type, stack trace, app version, device/OS, and a coarse request context) via our error-tracking provider (Sentry) to find and fix bugs. We scrub credentials and request bodies and do not enable Sentry's “send default PII” option.
- Log & device data — minimal server request logs (timestamp, path, status code, coarse/anonymised IP, user agent) and, on iOS, standard device identifiers the operating system provides to apps. Retained for a limited period (see “Retention”).
- Cookies & local storage — a session cookie to keep you signed in, and local storage for preferences (e.g. theme, analytics opt-out). We do not use advertising or cross-site tracking cookies.
3. How we use information
- To provide, secure, and operate the Service and keep your data scoped to your org.
- To diagnose, debug, and fix errors, and to monitor reliability and uptime.
- To understand product usage in aggregate so we can improve features and flows.
- To send transactional messages (verification, password resets, magic links, important service notices).
- To prevent abuse, enforce our Terms, and comply with legal obligations.
4. Legal bases (EEA/UK)
Where the GDPR / UK GDPR applies, we rely on: performance of a contract (to provide the Service), legitimate interests (to secure, debug, and improve the Service, and to understand aggregate usage — balanced against your rights, with an opt-out for analytics), and legal obligation where applicable.
5. Analytics, error tracking & your choices
We use PostHog for product analytics and Sentry for error tracking. Neither is used for advertising and neither tracks you across other companies' apps or websites; on iOS we do not use the device advertising identifier, so no App Tracking Transparency prompt is required.
Opt out of analytics at any time: on the web, use the privacy toggle in Settings; on iOS, use the privacy toggle in Settings. Opting out stops product-analytics collection. Error/diagnostic reporting may continue at a minimal level because it is necessary to operate the Service securely.
6. Sub-processors & sharing
We share data only with vetted providers that help us run the Service:
- Railway — cloud hosting / infrastructure.
- Sentry — error and crash diagnostics.
- PostHog — product analytics (EU data region).
- Better Stack — uptime monitoring.
- Email provider — transactional email delivery.
- Apple and Google — sign-in (SSO) when you choose them; Apple for iOS app distribution and push notifications.
We do not sell, rent, or share your project content for others' advertising, and we do not train AI models on your project content. We may disclose information if required by law or to protect the Service and our users. A current sub-processor list is available on request from privacy@leanprojax.co.
7. International transfers
Our providers may process data in the United States, the European Union, and other regions. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
8. Retention
We keep account and workspace data for as long as your account is active. Server logs and error diagnostics are retained for a limited period (logs ~30 days; error events per our provider's retention, typically 30 days). When you delete your account we delete or anonymise associated personal data within 30 days, except where we must retain it for legal or security reasons.
9. Security
We use encryption in transit (TLS), tenant isolation enforced in the database and application layers, scoped access controls, and credential hashing. No method is perfectly secure, but we work to protect your data and to limit what our providers receive.
10. Your rights
Subject to your jurisdiction (GDPR / UK GDPR / CCPA and others), you may access, correct, export, or delete your data, object to or restrict certain processing, and opt out of analytics. You can export or delete your account from Settings, or contact privacy@leanprojax.co. We respond within 30 days. We do not “sell” or “share” personal information as those terms are defined under California law.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us information, contact us and we will delete it.
12. Mobile (iOS) specifics
The iOS app collects the same categories described above. Our App Store privacy disclosures reflect the diagnostics and product-analytics data we collect. We do not track you across other companies' apps or websites. You can opt out of product analytics in the app's Settings.
13. Changes
We will post material changes on this page with a new “last updated” date and, where appropriate, notify signed-in users. Continued use after a change constitutes acceptance.
14. Contact
Questions or requests: privacy@leanprojax.co.