Data Privacy Statement: LeanIX Workspace

1. Purpose and scope

The purpose of this Data Privacy Statement (“Statement“) is to provide information to the Users of the LeanIX workspaces as to the type of information the LeanIX software may process on behalf of the controller (i.e. the customer), as well as how such information may be used and the relevant data subject rights.
This Statement explains the following:

  • Who is Data Controller?
  • What is the scope of processing?
  • What are the rights of a User?

2. Data Controller

Data Controller in terms of the LeanIX software is, if you are not an employee or a contractor of LeanIX, the Customer of LeanIX you are employed with or contracted by.

If you have difficulties in finding out who your Data Controller is and, respectively, its Data Protection Officer, please refer to [email protected].

If you are not employed or contracted by any customer of LeanIX, the Data Controller is:

LeanIX GmbH, Friedrich-Ebert-Allee 37-39, 53113 Bonn, Germany

Contact email: [email protected]

Data Protection Officer of LeanIX is Andreas Schmidt, c/o postal address above (refer to Data Protection Officer, personally)

3. Scope of Processing

Data types collected and relevant purpose of processing

  • Personal master data: name, surname, job title, profile picture (optional), user role in the software, subscriptions of objects, e-mail address, individual use case

    • Purpose: user management, functions in the software such as subscriptions of objects
  • Communication data type: e-mail, user activity in the software, browser identification, IP address

    • Purpose: user management, functions in the software such as notifications, error analysis, quality assurance of the operation and the faultlessness of the software, user support and information about news, individual user training



Data from Google Workspace admin directory. The LeanIX SMP Google OAuth client is accessing users from your Google Workspace admin directory in addition, and retrieves usage metrics for individual Google services from usage reports. Usage reports are used by an application to get the last login for the users on Google Workspace. The application is also accessing the metadata of your organization to retrieve required data from your Google Workspace account.

Purpose: functions in the software

Methods of processing

The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, the Data may be accessible to certain types of external parties (such as third-party technical service providers, hosting providers, or IT companies) appointed, if necessary, as Data Processors by the Data Controller. The updated list of these parties may be requested from the Data Controller at any time.

Legal basis of processing

Legal basis is the respective contract between the Data Subject and the Controller (Art. 6 (1)(c) GDPR).

Unless LeanIX is the Data Controller, the data processing occurs in order to fulfill the SaaS contract between the Data Controller and LeanIX.

Places of processing

Hosting - The Data is hosted in the hosting region chosen by the Data Controller as it subscribed for the LeanIX software. To know which data region has been chosen by your Data Controller, please contact your Data Controller. Among others, LeanIX offers as hosting regions

  • Germany
  • Netherlands + Ireland
  • United Kingdom
  • Switzerland
  • Australia
  • USA
  • Canada
  • UAE

Further places of processing - The Data is then accessed and processed at the Data Controller's operating offices and in any other places where the parties involved in the processing are located. That might include LeanIX subprocessors.

Subprocessors - LeanIX relies on subprocessors for processing Data. To learn where such subprocessors are located, what is the purpose of the transfer towards this subprocessors and what are the safeguards that we have put in place to ensure that any data processing is executed in accordance with applicable legislations, please visit

Retention time

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.

In due course, Personal Data will be deleted 30 days upon expiration or termination of the contract between Data Controller and LeanIX at the latest.

Once the retention period listed above expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.

4. The Rights of Users

Object to processing of their Data

Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.

Access their Data

Users have the right to learn if Data is being processed by the Data Controller, obtain disclosure regarding certain aspects of the processing, and obtain a copy of the Data undergoing processing.

Verify and seek rectification

Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

Restrict the processing of their Data

Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Data Controller will not process their Data for any purpose other than storing it.

Have their Personal Data deleted or otherwise removed

Users have the right, under certain circumstances, to obtain the erasure of their Data from the Data Controller. To do so, they shall submit a request to LeanIX Customer Support.

Receive their Data and have it transferred to another controller

Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.

Lodge a complaint

Users have the right to bring a claim before their competent data protection authority.

How to exercise these rights

Any requests to exercise User rights can be directed to the Data Controller through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Data Controller as early as possible and always within one month.

5. Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Data Controller in court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.

The User declares to be aware that the Data Controller may be required to reveal personal data upon request of public authorities.

Additional Information

More details concerning the collection or processing of Personal Data may be requested at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page and possibly within this Application and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Data Controller. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.