This Privacy Policy explains how Lean Dataroom ("we", "us") collects, uses, and protects personal data. We are committed to processing data lawfully, transparently, and securely in compliance with the General Data Protection Regulation (GDPR).
Who we are
Lean Dataroom is operated by Capacity Financial Advisors, a company registered in Tunisia. For all privacy matters, you can reach us at contact@leandataroom.com.
What data we collect
For platform users (team members):
- Account data: email, full name, organization affiliation.
- Usage data: actions performed, IP address, user agent, timestamps.
- Content data: documents uploaded, folder structures, chat messages.
- Authentication data: passwords (hashed), session tokens, 2FA codes.
For investors and external recipients (via tokenized links):
- Access logs: IP address, user agent, timestamps when accessing investor links.
- View duration on documents.
- No registration required, no profile data collected.
Why we collect data (legal basis)
- Performance of the service contract: account management, document storage, access controls.
- Legitimate interest: security, fraud prevention, service improvement.
- Legal obligation: audit logs for compliance.
- Consent: for optional features such as the Telegram integration.
Where data is stored
- All customer data is hosted in the European Union (AWS Ireland).
- Email processing happens in the EU.
- No data is transferred outside the EU for primary storage.
How long we keep data
- Account data: as long as the account is active, plus 90 days after deletion. During this 90-day window the account can be restored on request; after the window it is permanently and irreversibly deleted.
- Audit logs: 7 years (for compliance and audit needs typical of financial services).
- Documents: as long as the customer's organization keeps them in the platform; deleted upon explicit request or account closure (subject to the same 90-day grace window).
- Investor access logs: 7 years.
- Sessions: expire after the configured period.
Retention is enforced automatically by a daily scheduled job; expired records are permanently deleted from the database.
Who has access to data
We operate on a least-privilege model. By default, only the customer organization that owns a project — and the people they explicitly invite — can read its content. Capacity admins (our internal staff) have a privileged role at the platform layer for support and operations, but their access to your data is governed by the rules below.
- Customer organization: only members the organization explicitly assigns to a project (with editor or viewer permission) can see its documents, folders, chat and audit logs. Membership is revocable at any time by the organization's owners.
- Investors and external parties: only via tokenized share links scoped to specific folders, with revocable access and a full audit trail. They never receive direct database access.
- Capacity admins (internal): by default, Capacity admins can access project content for support and debugging — every action is written to an append-only audit log that the customer organization can review.
- Restricted-access mode (customer-controlled): any organization can enable "Restrict Capacity admin access" from its settings. When enabled, Capacity admins can still see organization and project metadata (name, members, dates, status) but cannot read documents, folders, chat threads, audit logs, share links, trackers or any other project content. Restriction is enforced at the database level via Row-Level Security — it is not a UI gate.
- Temporary support access tokens: when restriction is on and the organization needs Capacity to investigate an issue, an organization owner can generate a one-off support access token scoped to a single project. Tokens last 4 hours, expire automatically, can be revoked instantly, and every action taken by Capacity under a token is logged and visible to the customer.
- Subprocessors: listed on the Security page; all are GDPR-aligned and EU-based.
WhatsApp & Telegram bots
Lean Dataroom offers optional WhatsApp and Telegram bots so investors and team members can interact with a project (ask questions, receive updates) directly from their messaging app. These integrations are opt-in — you only use them if you explicitly connect your number or Telegram account.
No human reads your messages.
- Messages you send to the WhatsApp or Telegram bot are processed by an automated AI assistant (Google Gemini, accessed via a secure AI gateway). No Capacity employee reads them.
- There is no internal dashboard, inbox, or admin UI where Capacity staff can browse client conversations. The product simply does not expose that surface.
- Chat threads are stored in the database under the same Row-Level Security rules as the rest of your project: only members of the project organization that owns the thread can read it. Other customers cannot see it. Capacity admins cannot read it when your organization has "Restrict Capacity admin access" enabled (see §07).
- Inbound webhook tables (used to deduplicate messages from WhatsApp / Telegram) store only the provider's message ID and a timestamp — not the message text.
- The WhatsApp and Telegram providers themselves (Meta, Telegram) see the messages in transit, as is technically required for any messaging integration. Their own privacy terms apply to that leg of the transmission.
- You can disconnect the bot at any time; once disconnected, no further messages are processed for your account.
In short: the bot is an automated assistant, not a channel monitored by humans. Conversations are scoped to your project and protected by the same access controls as your documents.
Google Drive integration
Lean Dataroom offers an optional Google Drive integration so team members can import files and folders from their Google Drive directly into a deal. This integration is opt-in — it is only activated when a user explicitly connects their Google account from the team settings.
What we access:
- OAuth tokens issued by Google (access and refresh tokens), stored encrypted and used only to call the Google Drive API on your behalf.
- File and folder metadata (names, IDs, MIME types, sizes, modification dates) needed to display the picker and run imports.
- File contents you select for import — only files and folders you explicitly pick are downloaded. Google Workspace documents (Docs, Sheets, Slides) are exported to standard formats (DOCX, PDF) for storage in the deal.
What we do not do:
- We do not browse, scan, or index your Drive outside of imports you trigger.
- We do not modify or delete files in your Google Drive.
- We do not share your Drive data with other customers or third parties.
- We do not use Drive data to train AI models. Imported documents are processed by the same AI pipeline as any uploaded document (see §08) and remain scoped to your project under the same Row-Level Security rules.
You can disconnect Google Drive at any time from your account settings. Disconnecting revokes our tokens; files already imported into a deal remain in the deal (they are independent copies) and follow the standard retention rules in §06.
Your rights under GDPR
- Right to access your personal data.
- Right to rectification of inaccurate data.
- Right to erasure (right to be forgotten).
- Right to restrict processing.
- Right to data portability.
- Right to object to processing.
- Right to withdraw consent.
To exercise these rights, contact contact@leandataroom.com. We respond within 30 days.
How we protect data
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-Level Security at the database level.
- Access controls and append-only audit logging.
- See the full security overview.
Data breaches
In the event of a data breach affecting personal data, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay if the breach poses a high risk to their rights and freedoms.
Changes to this policy
We may update this Privacy Policy. The date of last update is shown at the bottom of the page. Significant changes will be communicated via email to active users.
Contact
For privacy-related questions or to exercise your rights:
- Email: contact@leandataroom.com.
Last updated: April 30, 2026. For a Data Processing Agreement or further detail, contact contact@leandataroom.com.