Legal
Last updated · October 20, 2018

Privacy Notice

Effective Date: June 17, 2026

Version 1.6 | Lean Solutions LLC (dba Lean AI)

At a Glance

We keep screenshots and working context to run the service. You can request deletion at any time (subject to the deletion process and any legal hold described below), and they are also removed after account closure. We also keep simple records of what you approved and what actions occurred (without your document contents) for 4 years, so both you and we can establish the facts if anything is ever disputed. We do NOT sell your data. We do NOT train AI models on your content unless you explicitly opt in; it's off by default. Full details below.

1. Who We Are

Lean Solutions LLC, doing business as Lean AI ("Lean AI," "we," "us," "our"), is the controller of your personal information under this Privacy Notice. We operate the Lean AI assistant platform (the "Service").

Privacy contact: support@theleansolutions.com

Mailing address: 2261 Market Street STE 62942, San Francisco, CA 94114

2. Scope

This Notice covers personal information collected when you use the Lean AI application and our website at https://www.theleansolutions.com. This covers both information you provide and information generated as the assistant works on your behalf. It does not cover third-party applications the assistant interacts with at your instruction; those have their own privacy policies.

3. Information We Collect

3.1 Information You Provide

  • Account information: name, email address, password (hashed), billing information
  • Payment details: processed by our payment provider; we do not store full card numbers
  • Support communications and bug reports, including session data you explicitly authorize us to review
  • Documents and files you explicitly upload

3.2 Information Generated by the Service

As the assistant works, the Service generates three kinds of records. We separate them because they differ in sensitivity and in how long we keep them:

Approval Records

  • Your instructions (what you asked the assistant to do)
  • What the assistant proposed and whether you approved it
  • The confirmation settings you chose for each task
  • In-product acknowledgments (such as irreversible-action confirmations)
  • Timestamps and account identity for each of the above

Activity Records (no document content)

A factual description of each action, without the contents of your documents:

  • The type of action (such as click, type, send, save, delete, submit, navigate)
  • The application and window involved at the time
  • File names and folder paths involved
  • Recipient email domains (e.g., "@acmecorp.com"), not message bodies
  • Subject lines of messages the assistant sends
  • Website addresses for web actions
  • Outcome (success/failure), errors, and timestamps

A note in the spirit of transparency: file names, window titles, and subject lines can themselves reveal something about your work. We record them because they are essential to documenting what the assistant did and where, which protects you as much as it protects us. If this concerns you for specific tasks, contact support@theleansolutions.com about sensitive-task options.

Session Content

  • Screenshots captured during sessions, transmitted to our servers and stored encrypted, so the assistant can interpret your screen and resume work across sessions
  • Working context the assistant retains about your applications and tasks to provide continuity

An honest note: screenshots necessarily capture whatever is visible on your screen, which can include the contents of documents, messages, and applications. We hold this information as careful custodians, encrypted in transit and at rest, protected by access controls, and stowed away from unauthorized access. Processing is automated; no person reads your Session Content in the ordinary course. A person reviews it only when: you ask us to (an inquiry or request from you); you submit a bug report and authorize review; our automated systems flag suspected misuse or a security issue, in which case personnel review only what is necessary and may contact you about the activity; or disclosure is required in legal proceedings. When you report a bug, the related Session Content may be preserved for as long as needed to diagnose and fix the issue you reported.

Session Content is the most sensitive category and has the shortest retention (Section 9). Approval and Activity Records are kept longer because they are what both you and we rely on to establish what was authorized and what occurred, without exposing your document contents.

How We Obtain Your Consent to Capture Your Screen

We capture your screen only with your consent, obtained before any recording begins. First, your operating system requires you to grant screen-recording permission to the Lean AI application. Second, within the app, you affirmatively start each task before the assistant begins viewing or recording; capture is tied to tasks you initiate, not continuous background monitoring. A visible indicator shows when a session is active, and you can stop it at any time. We do not record your screen outside of sessions you start.

3.3 Technical and Usage Data (Anonymized)

  • Anonymized performance signals: task outcomes, completion times, error rates (no content)
  • Crash reports and system error logs
  • Aggregate feature usage patterns

Collected by default; you may opt out in account settings without affecting your access.

3.4 From Third Parties

  • If you sign in with a third-party provider (such as Google), we receive your name and email from them
  • We do not buy data from data brokers or advertising networks

4. How We Use Information

4.1 To Provide the Service

Session Content is essential to how the assistant works: interpreting your screen, executing your tasks, and resuming sessions.

4.2 Abuse Detection and Security

We use records and account activity to detect fraud, security incidents, and policy violations. Detection is automated; if our systems flag suspected misuse or non-approved activity, personnel review only what is necessary and may reach out to you about it. This safety function applies regardless of telemetry opt-out.

4.3 Bug Reports You Consent To

When you submit a bug report and authorize access to the related session, we use that data solely to diagnose and fix the issue. Consent is per-submission.

4.4 Service Improvement (Anonymized Only)

We use anonymized, aggregated performance signals to improve the Service. We do not use your Session Content, uploaded documents, or task contents for this.

4.5 Legal Compliance and Defense

We may use and retain information to comply with law, respond to lawful process, enforce our Terms, and establish or defend legal claims.

4.6 Billing and Account Management

We use account and billing information to process payments, manage subscriptions, and send service communications.

5. What We Do Not Do

We do NOT:

  • Sell your personal information
  • Share your data for advertising or cross-context behavioral targeting
  • Use your Session Content, interactions, or uploaded documents to train AI models, unless you explicitly opt in (off by default)
  • Let our service providers use your data for their own purposes
  • Profile you for advertising
  • Access your session data except as described in Section 4

If any of these commitments changes, we will give at least 60 days' advance written notice and require your explicit opt-in first. Changes will not apply retroactively.

6. AI Model Training

6.1 Off by Default

By default, we do not use your Session Content, your interactions with the assistant, your uploaded documents, or any other content data to train, fine-tune, or evaluate AI models. Our improvement work relies on anonymized performance signals, synthetic data created in controlled test environments, and evaluation against verifiable task outcomes. Training participation is strictly opt-in: nothing changes unless you turn it on in your account settings.

6.2 If You Choose to Opt In

If you opt in to training participation, your contributed data helps improve the assistant for everyone. Before any contributed data is used, we apply automated filtering designed to remove identifying and sensitive information, such as names, contact details, account numbers, credentials, financial information, and health-related content.

We want to be candid about this filtering: it is automated and probabilistic, not perfect. What counts as "sensitive" also varies from person to person: information one person considers harmless, another may consider private, and no automated system can reliably make that judgment for everyone. So while we apply these protections as best we can, we cannot guarantee that every piece of identifying or sensitive information will be removed. If your work regularly involves highly confidential material, we recommend not opting in.

6.3 Your Control

  • Opt in or out anytime in account settings; opting out stops future use of your data for training from that point forward
  • You can request deletion of your contributed data; data already incorporated into trained models cannot be extracted, but it will not be used in future training
  • Opting in or out never affects your access to the Service or its features

6.4 Optional Data Contribution Plan (Discounted)

We may offer a discounted membership plan in which you consent to our use of certain non-personal interaction data to improve our models and skill files. Choosing this plan is one way of opting in to training under this Section; it is entirely optional and offered in exchange for a discounted price.

If you choose this plan, you authorize us to use: how the assistant interacted with applications (skill logs), usage and performance telemetry, and the corrections or adjustments you made to the assistant's actions. This plan does not include your screenshots, document contents, or other Session Content, and is not intended to include personal or sensitive information.

Before contributed data is used for training, we sanitize it in two layers: automated filtering designed to remove identifying and sensitive information, and review by a member of our team who works to further sanitize the data. This human review is limited to sanitizing the contributed interaction data described above; it does not extend to reading your Session Content. As noted in Section 6.2, sanitization is not perfect, and we cannot guarantee that every identifying or sensitive detail is removed. If your work regularly involves highly confidential material, we recommend the standard plan instead.

You may leave the plan at any time. Doing so stops future use of your data for training; your current paid term continues at the discounted rate, and your pricing returns to the standard rate at your next renewal. Leaving the plan never affects your access to the Service or its features.

6.5 Financial Incentive Notice (California)

The Optional Data Contribution Plan offers a price discount in exchange for your consent to use the interaction data described in Section 6.4. This is a financial incentive under California law. You may withdraw from the plan at any time as described above. We offer this incentive because the contributed data helps us improve the Service, and we have estimated in good faith that the value of that data to us is reasonably related to the discount offered. The material terms are presented to you when you choose the plan; for more information, contact support@theleansolutions.com.

7. Sharing With Third Parties

7.1 Service Providers

We share data with providers who help us operate the Service: cloud infrastructure and storage, AI processing, and payment processing. They process data only on our behalf, under contracts that prohibit using it for their own purposes, including training their models.

We do not publish the names of specific AI processing providers, which we treat as confidential business information at this stage. We do commit that every provider operates under a data processing agreement consistent with this Notice.

7.2 Legal Disclosure

We may disclose information when required by valid legal process. We evaluate each request, disclose only what is required, and will notify you to the extent permitted by law.

7.3 Business Transfers

If Lean AI is acquired or transfers substantially all assets, your information may transfer as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.

7.4 With Your Consent

Any other sharing happens only with your explicit consent at the time.

7.5 No Sale, No Ad-Sharing

We do not sell personal information and do not share it for cross-context behavioral advertising, and have not in the past 12 months. California residents may contact support@theleansolutions.com regarding these rights.

8. Storage and Security

Our role with your information is that of a careful custodian: keeping what you entrust to us confidential, encrypted, and inaccessible to anyone unauthorized.

8.1 Location

Data is stored in the United States with our cloud infrastructure provider. EU/UK readers: see Section 10.3 on international transfers.

8.2 Security Measures

  • Encryption at rest (AES-256 server-side encryption)
  • Encryption in transit (TLS 1.2 or higher)
  • Access controls, role-based permissions, and audit logging on production data
  • Network isolation of production environments
  • Personnel access only on your request or inquiry, your authorized bug report, an automated flag of suspected misuse or a security issue, or legal process; never routine browsing

8.3 Incident Notification

If a security breach affects your personal information, we will notify you without undue delay, consistent with applicable law, describing the incident, the data categories affected, and steps being taken.

9. Data Retention

Different categories are kept for different periods, based on what they are for:

Data Category | Retention | Why
Approval Records (instructions, approvals, settings) | 4 years | Evidence of what you authorized; matches California's 4-year contract limitations period
Activity Records (action descriptions, no content) | 4 years | Evidence of what occurred and where; same period
Session Content (screenshots, working context) | While account is active + 30 days | Service continuity only; you can request deletion at any time
Account and billing records | 7 years | Tax and contract requirements
Anonymized performance signals | 24 months | Service improvement
Bug report session data (consented) | 2 years | Support and legal defense
Safety-flagged events | 4 years | Policy enforcement and legal defense
Encrypted backups | Up to 90 days after primary deletion | Backup rotation

9.1 Why Approval and Activity Records Are Kept 4 Years

These records establish what you authorized and what the assistant actually did (in which application, involving which files, to which destinations) without retaining your document contents. We keep them for 4 years because that matches the limitations period for contract claims in California. They work in both directions: they protect you if the assistant ever acted outside your authorization, and they protect us against claims about actions that were approved.

9.2 Why Session Content Is Deleted Sooner

Screenshots and working context contain your actual document content, the most sensitive data we hold. We delete them on a short, uniform schedule because keeping them longer would increase your exposure without real benefit: in nearly every dispute, the questions that matter (what was authorized, what occurred, and where) are answered by Approval and Activity Records. This routine deletion under a consistent policy is ordinary business practice, not destruction of evidence.

9.3 Legal Hold

If a dispute arises or is reasonably anticipated, including an asserted or threatened claim, a chargeback, or legal process, we may pause normal deletion and preserve relevant data, including Session Content, for the duration of the matter, prospectively from when the dispute is anticipated. We will notify affected users where the law permits.

9.4 Deletion Requests

You may request deletion of Session Content and uploaded documents at any time via settings or by emailing support@theleansolutions.com. Active-system deletion occurs within 30 days; backups clear within up to 90 additional days. Approval Records, Activity Records, billing records, and safety-flagged data are retained per the table above even after closure, for the legal reasons stated, unless applicable law requires earlier deletion.

10. Your Privacy Rights

10.1 Everyone

  • Access a copy of your personal information
  • Correct inaccurate information
  • Request deletion of your Session Content and uploaded documents
  • Opt out of anonymized telemetry in settings
  • Receive your data in a portable format
  • No discrimination for exercising rights

10.2 California Residents (CCPA/CPRA)

  • Right to know categories collected, sources, purposes, and third-party categories
  • Right to access specific information collected in the past 12 months
  • Right to delete, subject to legal exceptions
  • Right to correct
  • Right to opt out of sale or sharing (we don't sell or share)
  • Right to limit sensitive personal information use
  • Right to non-discrimination

Contact support@theleansolutions.com; we respond within 45 days (extendable by 45 with notice).

10.3 EU/UK/EEA Residents (GDPR)

Legal Bases

  • Contract performance: account data and Session Content to deliver the service you requested
  • Legitimate interests: Approval Records, Activity Records, and anonymized signals for security, abuse detection, establishing/defending legal claims, and improvement (interests shared by both parties in being able to establish the facts of disputed actions)
  • Legal obligation: billing and safety records
  • Consent: bug-report session data and optional telemetry; withdrawable anytime without losing access

Your GDPR Rights

Access, rectification, erasure, restriction, portability, and objection; you may also complain to your local supervisory authority.

International Transfers

Data is processed in the United States under Standard Contractual Clauses or other lawful transfer mechanisms. Contact support@theleansolutions.com for details. We are a small company and do not currently have an EU representative; we respond to all EU privacy inquiries at the same address within 30 days.

10.4 Exercising Rights

Email support@theleansolutions.com with your name, account email, and request. We may verify your identity first, and will respond within 30 days (45 for California requests).

11. Cookies and Local Storage

Our website uses essential cookies (authentication, security) and optional analytics cookies, controlled by a preference banner. The desktop application does not use browser cookies; it stores session state and preferences locally on your device, with no advertising identifiers.

12. Children

The Service is not directed to children under 13 and we do not knowingly collect their information. If you believe a child has provided personal information, contact support@theleansolutions.com and we will delete it promptly.

13. Changes to This Notice

For material changes (new data categories, new uses, or new sharing), we will give at least 30 days' advance notice by email and in-product before they take effect, and they will not apply retroactively.

14. Contact

We take privacy inquiries seriously and respond within 30 days.