Privacy Policy

Last updated: February 26, 2026

LeanZero SRL (“we”, “us”, “our”) is a limited liability company (societate cu răspundere limitată) registered in Romania.

Legal identification:

  • Company name: LeanZero SRL
  • Registered office: Str. Toamnei 23 G, CAM. 1, Loc. Bragadiru, Jud. Ilfov, Cod 077025, Romania
  • Trade register number: J2025012835002
  • CUI (Cod Unic de Înregistrare): 51336260
  • EUID: ROONRC.J2025012835002
  • Contact: office@leanzero.net

This Privacy Policy explains how we collect, use, and protect information when you use our products, services, and website.

This policy covers all LeanZero products, including but not limited to:

  • CogniRunner — AI-powered workflow validation for Jira (Atlassian Marketplace)
  • LeanZero MCP Doc Processor — open-source document processing tool
  • LeanZero website (leanzero.atlascrafted.com)
  • Consulting services — Jira/Confluence migrations, AI training, custom Forge app development

1. Data Controller

LeanZero SRL, based in Romania, is the data controller for information processed through our website and services, within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

For our Atlassian Marketplace apps, LeanZero acts as a data processor on behalf of the customer (the Atlassian instance administrator), who remains the data controller for data processed through our apps. When data is transmitted to OpenAI for AI-powered validation, OpenAI acts as a sub-processor. Processing responsibilities are further described in Section 4.

We have assessed that we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, as our core activities do not involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data. For any privacy-related inquiries, contact us at office@leanzero.net.


2. What Data We Collect

2.1 Website Visitors

When you visit the LeanZero website, we collect:

  • Analytics data via PostHog: page views, referral source, device type, browser, country, session duration, and interactions. PostHog may set cookies to distinguish unique visitors (see Section 7 on Cookies).
  • Contact information you voluntarily provide: email address, name, and message content when you contact us via email or forms.

2.2 Marketplace App Users (CogniRunner and future apps)

Our Atlassian Forge apps operate within Atlassian’s infrastructure. When you use our apps:

  • Jira issue data is processed during workflow transitions. This includes field values (text, attachments, user names, dates, etc.) as configured by your Jira administrator. This data is processed in-memory during validation and is not stored by LeanZero outside of Atlassian’s Forge platform.
  • AI-processed data: when a validation rule is triggered, the field content (and attachments, if configured) is sent to OpenAI’s API for analysis. This may include personal data contained in Jira fields (e.g., names, email addresses, or other information entered by users). See Section 4 for details on AI data processing.
  • Validation logs are stored in Atlassian Forge Storage (within your Atlassian tenant). Logs include: issue key, field ID, a truncated excerpt of the validated content (up to 200 characters), the validation prompt (up to 100 characters), the pass/fail result, and the AI’s reasoning. Logs are capped at 50 entries per app instance (oldest entries are automatically removed).
  • Configuration data is stored in Atlassian Forge Storage: the field ID, validation prompt, and workflow context for each rule you create.
  • License information provided by Atlassian to verify your Marketplace subscription status.

2.3 Consulting and Services Clients

When you engage us for consulting services (migrations, training, custom development):

  • Contact and billing information: name, email, company name, and payment details as needed for invoicing.
  • Project data: access to your Atlassian instance or other systems as required to deliver the agreed-upon services. Access scope is defined in each engagement.

2.4 Donations (Buy Me a Coffee)

If you support us through Buy Me a Coffee, your transaction is handled entirely by Buy Me a Coffee (buymeacoffee.com). We receive your name/alias and donation amount. We do not receive or store your payment card details.


3. How We Use Your Data

| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Provide and operate our Marketplace apps | Performance of contract (Art. 6(1)(b)) |
| Process field content through AI for validation | Performance of contract (Art. 6(1)(b)) — the app’s core function as subscribed to by the customer |
| Store validation logs in Forge Storage | Legitimate interest (Art. 6(1)(f)) — providing an audit trail for administrators |
| Website analytics via PostHog | Consent (Art. 6(1)(a)), obtained via our cookie consent mechanism |
| Respond to your inquiries | Performance of contract or pre-contractual steps (Art. 6(1)(b)) |
| Deliver consulting services | Performance of contract (Art. 6(1)(b)) |
| Send service-related communications | Legitimate interest (Art. 6(1)(f)) — keeping customers informed about the services they use |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |

We do not use your data for advertising, profiling, or automated decision-making that produces legal effects on you.

AI-powered validation does not constitute automated decision-making under Article 22 GDPR. Validation results are advisory — they may flag content for review or block a workflow transition pending human action, but no decisions with legal or similarly significant effects are made solely by the AI.


4. Third-Party Sub-Processors

We use the following third-party services that may process data on our behalf:

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Atlassian (Forge platform) | Hosts and runs our Marketplace apps | Jira issue data, configuration, logs | Atlassian’s global infrastructure (see Atlassian’s Privacy Policy) |
| OpenAI (OpenAI Ireland Ltd for EEA customers) | AI-powered field validation in CogniRunner | Field content and attachments sent for validation | United States (with EU data residency options) |
| PostHog | Website analytics | Usage data, IP address, cookies | EU (PostHog Cloud EU) |
| Buy Me a Coffee | Donation processing | Name/alias, donation amount | United States |

AI Data Processing (OpenAI)

When CogniRunner validates a field, the field’s content (and attachments, if configured) is sent to OpenAI’s API for processing. This may include personal data contained in the Jira fields being validated.

Key facts about this processing:

  • It happens only when a workflow transition is triggered and a CogniRunner rule is configured for that transition.
  • It is initiated by the Jira administrator’s explicit configuration (choosing which field and what validation criteria to apply).
  • The data sent to OpenAI is not stored by LeanZero — it passes through the Forge runtime directly to OpenAI’s API.
  • OpenAI does not use API inputs or outputs to train its models. Per OpenAI’s API data usage policy and Data Processing Addendum (DPA), API data may be retained for up to 30 days for abuse monitoring purposes and is then deleted.
  • LeanZero has entered into OpenAI’s Data Processing Addendum (available at openai.com/policies/data-processing-addendum) to ensure GDPR-compliant processing.

When the agentic validation flow is active, CogniRunner may also send JQL search results (issue keys, summaries, and field excerpts) to OpenAI for comparison purposes.

International Data Transfers

Data transferred to sub-processors outside the European Economic Area (EEA) is protected by:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into our agreements with sub-processors including OpenAI.
  • Where additionally applicable, the EU-U.S. Data Privacy Framework for U.S.-based sub-processors that are certified under the framework.

We regularly monitor the legal landscape for international data transfers and will update our transfer mechanisms as needed.


5. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Validation logs (Forge Storage) | Rolling 50 entries per app instance; automatically pruned |
| Configuration data (Forge Storage) | Retained while the app is installed; deleted on app uninstallation |
| AI processing data (OpenAI) | Up to 30 days by OpenAI for abuse monitoring, then deleted |
| Website analytics (PostHog) | As configured in our PostHog instance |
| Contact/inquiry emails | As long as necessary to address the inquiry, then deleted |
| Consulting project data | Duration of the engagement plus any contractually agreed retention period |
| Billing records | As required by Romanian tax law (currently 10 years for fiscal documents) |

6. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

  • Access (Art. 15) — Request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — Request correction of inaccurate data.
  • Erasure (Art. 17) — Request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
  • Restriction (Art. 18) — Request that we limit processing of your data.
  • Portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21) — Object to processing based on legitimate interest.
  • Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Not be subject to automated decision-making (Art. 22) — Although our AI validation does not constitute automated decision-making as defined under GDPR, you may contact us with any concerns.

To exercise any of these rights, contact us at office@leanzero.net. We will respond within one calendar month of receiving your request. If your request is complex or we receive a high number of requests, we may extend this period by up to two additional months, in which case we will inform you within the initial month.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian supervisory authority:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania
Website: https://www.dataprotection.ro


7. Cookies

Our website uses cookies as follows:

  • Strictly necessary cookies — These are essential for the website to function and cannot be switched off.
  • Analytics cookies (PostHog) — These help us understand how visitors use our site by collecting anonymous usage data.

Analytics cookies are only placed after you provide your consent through our cookie consent mechanism. You can withdraw your consent at any time by adjusting your preferences through the cookie settings on our website or through your browser settings. Disabling analytics cookies will not affect the functionality of our website.

Our Atlassian Marketplace apps do not set cookies. They operate within Atlassian’s iframe environment, which has its own cookie policies.


8. Security

We protect your data through:

  • All Marketplace apps run on Atlassian’s Forge platform, which provides enterprise-grade security, sandboxing, and data isolation.
  • All API communications (to OpenAI, Jira REST API) use HTTPS/TLS encryption.
  • We do not operate our own backend servers for Marketplace apps — Forge handles all compute and storage.
  • API keys are stored as encrypted Forge environment variables, never in source code.
  • Access to production systems is limited to authorized LeanZero personnel.

Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry-standard practices.


9. Children

Our products and services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at office@leanzero.net and we will take steps to delete such information.


10. Open-Source Products

Some LeanZero products (CogniRunner, LeanZero MCP Doc Processor) are released under open-source licenses. If you self-host or run a fork of our open-source software, this Privacy Policy does not apply to your instance. You are responsible for your own data processing and privacy compliance.

This Privacy Policy applies only to the versions of our products hosted on Atlassian Forge (via Marketplace installation) and to our website and services.


11. AI Transparency

In accordance with the EU AI Act (Regulation (EU) 2024/1689), we inform you that:

  • CogniRunner uses artificial intelligence (provided by OpenAI) to validate Jira workflow fields. Validation results are generated by AI and should be reviewed by humans before acting on them.
  • AI outputs are probabilistic, not deterministic — they may contain errors, false positives, or false negatives.
  • When agentic validation is enabled, the AI may autonomously construct and execute JQL queries within your Jira project to compare content against existing issues.
  • LeanZero is a deployer of a general-purpose AI model provided by OpenAI (the provider). As deployer, we ensure appropriate use, oversight, and transparency.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. For significant changes that materially affect your rights or the way we process your data, we will provide notice through our website or products where feasible.


13. Contact

For any questions about this Privacy Policy or our data practices:

LeanZero SRL
Email: office@leanzero.net
Website: https://leanzero.atlascrafted.com


See also: Terms of Service