Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller for LeanPilot is Centro Studi Grassi ("we", "us", "our"), operating the LeanPilot manufacturing intelligence platform at leanpilot.me.

Contact: privacy@leanpilot.me

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: first name, last name, email address, hashed password, role within your organization
  • Production data: production runs, workstation events, shift records, OEE metrics attributed to operator accounts
  • Quality records: inspection results, non-conformance reports, corrective actions attributed to inspectors and reporters
  • Safety data: safety incident reports (reporter name, incident details, injury information if applicable)
  • Continuous improvement data: Kaizen ideas, Gemba walk observations, 5S audit scores, A3 reports, SMED analyses
  • Maintenance data: CILT checks, maintenance logs attributed to operators and technicians
  • Audit logs: system activity logs including user ID, action performed, timestamp, and IP address

We do not collect sensitive personal data (health data, biometric data, political opinions, etc.) beyond what is strictly necessary for safety incident reporting as required by occupational health and safety regulations.

4. Purpose of Processing

Your data is processed exclusively for:

  • Providing and operating the LeanPilot platform for your organization
  • Authentication and access control
  • Lean manufacturing workflow management (5S, Kaizen, Gemba, OEE, TPM, SMED, quality, safety)
  • Generating reports and dashboards for your organization
  • Maintaining audit trails for ISO 9001 and ISO 45001 compliance
  • Ensuring platform security and preventing unauthorized access

We do not use your data for profiling, automated decision-making, advertising, or any purpose other than operating the platform for your organization.

5. Where Data is Stored

All data is stored on servers operated by Hetzner Online GmbH in Germany (EU). Data never leaves the European Economic Area (EEA). Hetzner is ISO 27001 certified and operates under strict German and EU data protection laws.

Database backups are stored on the same Hetzner infrastructure within the EU. All data is encrypted in transit (TLS 1.2+) and at rest.

6. Third Parties

We share data with the following third-party processors, all operating within the EU:

  • Hetzner Online GmbH (Germany) — server hosting and infrastructure
  • SMTP email provider — transactional emails only (password resets, notifications). Only email addresses are shared

We have Data Processing Agreements (DPAs) in place with all sub-processors in accordance with GDPR Article 28. We do not sell, rent, or share your data with any other third party.

7. Data Retention

We retain data according to the following schedule:

  • Active accounts: data is retained for the lifetime of the service agreement with your organization
  • Audit logs: retained for a minimum of 2 years from creation, then automatically deleted (ISO 9001 requirement)
  • Deactivated/deleted accounts: personal data is anonymized immediately upon GDPR deletion request. Anonymized records are hard-deleted after 30 days
  • Database backups: retained for 30 days, then automatically overwritten
  • Quality and safety records: retained for the lifetime of the service for regulatory compliance (ISO 9001, ISO 45001). Upon account deletion, these records are anonymized but preserved

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of all personal data we hold about you. You can export your data directly from the platform
  • Right to rectification (Art. 16): request correction of inaccurate personal data
  • Right to erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON)
  • Right to object (Art. 21): object to processing based on legitimate interest
  • Right to restriction (Art. 18): request restriction of processing in certain circumstances
  • Right to lodge a complaint: you may file a complaint with your national data protection authority

To exercise any of these rights, contact us at privacy@leanpilot.me. We will respond within 30 days as required by GDPR.

9. Cookies and Tracking

LeanPilot does not use cookies for tracking or analytics. We do not use any third-party analytics services (no Google Analytics, no tracking pixels, no fingerprinting).

The only client-side storage used is a JWT authentication token stored in browser memory for session management. This is strictly necessary for the functioning of the service and does not require consent under the ePrivacy Directive.

10. Children

LeanPilot is a B2B service designed for manufacturing professionals. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this policy indicates when it was last revised.

12. Data Protection Officer

Our Data Protection Officer can be contacted at:

Data Protection Officer
Centro Studi Grassi
Email: privacy@leanpilot.me
