Privacy Policy
1. Overview
We take the protection of your personal data seriously. This Privacy Policy explains how we collect, use, and protect your data when you visit our website.
Personal data refers to any information that can identify you directly or indirectly.
2. Controller
The controller responsible for data processing on this website is:
Lean Design GmbH
Widdersdorfer Str. 217b
50825 Cologne
Germany
Phone: +49 221 643066800
Email: hello@wearelean.com
3. How we collect data
We collect personal data in two ways:
a) Data you provide
You may provide personal data when:
- submitting a contact form
- contacting us via email or phone
- subscribing to a newsletter
- applying for a job
b) Data collected automatically
When you visit our website, certain technical data is collected automatically. This may include:
- IP address
- browser type and version
- operating system
- access time
- referrer URL
This data is necessary to ensure the secure and reliable operation of the website.
4. Purpose and legal basis
We process your data for the following purposes:
- to provide and operate the website
- to respond to inquiries
- to analyze and improve user experience
- to fulfill contractual obligations
- to send newsletters (if subscribed)
The legal basis depends on the context:
- Consent (Art. 6(1)(a) GDPR)
- Contract performance (Art. 6(1)(b) GDPR)
- Legal obligations (Art. 6(1)(c) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR)
Where required, we also rely on § 25 TDDDG for storing or accessing information on your device.
5. Hosting
Our website is hosted by Vercel Inc., 650 California St, San Francisco, CA 94108, USA.
Personal data processed in connection with the website may be stored on Vercel’s servers. This includes technical and usage data necessary for operating the website.
The legal basis is:
- Art. 6(1)(b) GDPR (contract-related processing)
- Art. 6(1)(f) GDPR (secure and efficient operation)
Data may be transferred to the USA. We rely on appropriate safeguards in accordance with Art. 44 et seq. GDPR, such as standard contractual clauses.
We have entered into a Data Processing Agreement (DPA) with the provider.
6. Data retention
We store personal data only for as long as necessary for the respective purpose.
Data will be deleted when:
- the purpose no longer applies
- you request deletion
- you withdraw consent
Legal retention obligations remain unaffected.
7. Your rights
You have the following rights under the GDPR:
- Access to your personal data
- Rectification of incorrect data
- Deletion of your data
- Restriction of processing
- Data portability
- Withdrawal of consent at any time
- Objection to processing (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority
8. Security
We use SSL/TLS encryption to protect data transmitted via our website.
Please note that data transmission over the internet can have security vulnerabilities. Complete protection is not possible.
9. Data collection on this website
Server Log Files
We automatically collect technical data through server log files. This includes:
- browser type
- operating system
- IP address
- time of request
This data is not merged with other data sources.
Legal basis:
- Art. 6(1)(f) GDPR
Contact form
If you contact us via a form, we process your data to handle your request.
Legal basis:
- Art. 6(1)(b) GDPR
- Art. 6(1)(f) GDPR
- Art. 6(1)(a) GDPR (if consent is given)
Contact via email or phone
If you contact us directly, we process your data to respond to your inquiry.
10. Analytics and performance tools
Plausible Analytics
We use Plausible Analytics (Plausible Insights OÜ, Estonia) to analyze website usage.
Processed data includes:
- page URLs
- referrer
- browser and device information
- anonymized IP data
Data is processed in a privacy-friendly and aggregated manner. Identification of individuals is not possible.
Legal basis:
- Consent (Art. 6(1)(a) GDPR), or
- Legitimate interest (Art. 6(1)(f) GDPR)
A Data Processing Agreement (DPA) is in place.
Mux Video
We use Mux Video (Mux, Inc., USA) to deliver and analyze video content.
Processed data may include:
- IP address
- device and browser information
- playback events
Legal basis:
- Consent (Art. 6(1)(a) GDPR), or
- Legitimate interest (Art. 6(1)(f) GDPR)
Data may be transferred to the USA under appropriate safeguards (Art. 44 GDPR).
A Data Processing Agreement (DPA) is in place.
Vercel Analytics
We use Vercel Analytics (Vercel Inc., USA) to understand how visitors use our website.
Processed data may include:
- page views
- referrer URLs
- browser and device information
Data is processed in aggregated form and cannot be used to identify individuals.
Legal basis:
- Consent (Art. 6(1)(a) GDPR), or
- Legitimate interest (Art. 6(1)(f) GDPR)
Data may be transferred to the USA under appropriate safeguards.
A Data Processing Agreement (DPA) is in place.
11. Newsletter
If you subscribe to our newsletter, we process your email address and any additional data you provide.
Legal basis:
- Consent (Art. 6(1)(a) GDPR)
You can unsubscribe at any time via the link in the newsletter.
We may store your email address in a suppression list to prevent future mailings.
12. Online meetings
We use tools such as Microsoft Teams to communicate with clients and partners.
These tools may process:
- contact details
- communication content
- technical data (e.g. IP address, device info)
Legal basis:
- Art. 6(1)(b) GDPR
- Art. 6(1)(f) GDPR
- Consent (if applicable)
Further details can be found in the provider’s privacy policy.
13. Applicant data
If you apply for a job with us, we process your application data for recruitment purposes.
Legal basis:
- § 26 BDSG
- Art. 6(1)(b) GDPR
- Consent (if applicable)
If no employment relationship is established, your data will be deleted after a maximum of 6 months, unless longer storage is required.
With your consent, we may retain your data in our applicant pool.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect legal or technical changes.
Status: March 2026