Overview and controller
LeanCOO is operated by Kanapp, a registered sole proprietorship in South Korea (Business Registration Number: 148-24-02010). Kanapp is the controller for personal data processed through LeanCOO unless a separate written agreement states otherwise.
This policy applies to LeanCOO websites, account pages, organization workspaces, document drafting, approval flows, client and project management, billing support, support inquiries, and AI-assisted features.
Privacy questions and rights requests can be sent to support@leancoo.com.
Personal data we collect
Account and login data
- Email address, name, profile display name, authentication provider identifier, login records, and account status.
- Organization name, member role, invitation status, permission settings, and workspace membership records.
Service content
- Client, project, quote, contract, invoice, approval, template, timeline, payment-status, and support data entered by users.
- Uploaded file names, file types, file sizes, extracted document text, and document content needed for requested service functions.
- Draft emails, AI prompts, analysis requests, generated drafts, review history, and operational activity metadata.
Technical and support data
- Essential cookies, session data, IP address, device and browser information, access time, request logs, error logs, security events, and usage records.
- Names, email addresses, company details, inquiry content, attachments, and follow-up information submitted through support channels.
Purposes and legal bases
LeanCOO processes personal data to provide accounts, authentication, organization permissions, document workflows, AI assistance, billing support, customer support, security, fraud prevention, service analytics, legal compliance, and dispute handling.
Where GDPR or similar law applies, the legal bases may include performance of a contract, legitimate interests in operating and securing the service, compliance with legal obligations, and consent where a user chooses an optional feature or communication.
Where Korean, Japanese, Spanish, U.S., or other local law imposes mandatory notice, consent, or consumer-right requirements, LeanCOO will apply those requirements to the affected user or processing activity.
AI processing and document data
AI features are used only when a user requests drafting, analysis, summarization, classification, extraction, or recommendation. The company may process the submitted document text, metadata, and instructions to fulfill that request.
LeanCOO may use trusted infrastructure and AI processing partners to provide the requested feature. Appropriate contractual, technical, and organizational safeguards are applied where required.
User materials are not sold as public datasets. LeanCOO does not disclose user materials arbitrarily without separate consent, except where required by law, requested by the user, or necessary to provide and secure the service.
Retention and deletion
- Account and organization data is retained while the account or organization uses LeanCOO, unless a longer period is required by law.
- User-created business data and uploaded files are retained until the user deletes them, the workspace is closed, or retention is otherwise required for legal, billing, audit, security, or dispute purposes.
- AI usage records, activity logs, security logs, and billing-related metadata may be retained separately for audit, abuse prevention, incident response, and accounting.
- Session tokens, invitation tokens, and authentication records are kept until their purpose is complete, they expire, or security needs end.
When retention is no longer necessary, electronic records are deleted or made unrecoverable through reasonable technical means, and printed material is shredded, destroyed, or otherwise disposed of securely.
User rights
Depending on applicable law, users may request access, correction, deletion, suspension or restriction of processing, portability, objection to certain processing, withdrawal of consent, and account withdrawal.
LeanCOO may verify identity, workspace authority, and legal basis before acting on a request. Organization-level data may be controlled by the organization owner or administrator, so member requests may require administrator coordination.
Where California privacy law applies, LeanCOO does not sell personal information and does not share personal information for cross-context behavioral advertising. California users may request to know, access, correct, delete, and exercise other applicable privacy rights without discrimination.
Users in the European Economic Area, Spain, or the United Kingdom may lodge a complaint with their local data protection authority. Users in Japan or Korea may also contact the relevant national privacy authority or dispute-resolution body.
Security measures
- Role-based access controls and least-privilege account permissions.
- Protection of authentication data and transmission channels.
- Operational logging, error monitoring, and security-event review.
- Backup, recovery, incident response, and access-management procedures.
- Internal limits so only personnel with a business need can access personal data.
Children's privacy
LeanCOO is a business-to-business software service and is not intended for children. The service is not directed to individuals under 16. If LeanCOO becomes aware that a child's personal data was collected without valid consent, it will take reasonable steps to delete it.
Changes to this policy
LeanCOO may update this policy when laws, service structure, subprocessors, transfer mechanisms, or data-processing practices change. Material changes affecting user rights or obligations will be announced through reasonable means such as the service UI, notices, or email.
Contact and remedies
Service or privacy requests: support@leancoo.com.
Korean users may contact the Personal Information Infringement Report Center at 118 or the Personal Information Dispute Mediation Committee at +82-1833-6972. EEA and Spanish users may contact their local supervisory authority, including the Spanish Data Protection Agency (AEPD) where applicable. Japanese users may contact the Personal Information Protection Commission of Japan where applicable.
