Privacy Policy
Last updated: 10 June 2026
This Privacy Policy explains how Lean handles information. Lean is built privacy-first — not as a feature bolted on, but as how it is architected. Your protein and meal logs, bodyweight, GLP-1 medication and dose, symptoms, and settings are stored locally on your device (an on-device database). There is no server and no cloud copy of your health data. Below we set out, in full, what we do and do not collect, why, the legal bases we rely on, and the rights you have.
The short version
- We don't sell your data, and we never use it for advertising.
- Analytics and crash reporting are anonymous and opt-in.
- No account is required, and most data stays on your device.
- You can access, export, or delete your data at any time.
1. Who we are & how to contact us
Lean is operated by NOVA-LUMEN LABS LLP (trading as Lumen Labs), a Limited Liability Partnership incorporated in India. We are the data controller (GDPR) and data fiduciary (India DPDP Act 2023) for personal data processed through Lean.
- App identifier: works.lumenlabs.lean
- LLPIN: ACW-8836
- Registered office: Plot No 10/A, Rail Nagar, Belgaum, Karnataka 590001, India
- General contact: [email protected]
- Grievance Officer (India DPDP Act 2023): the Grievance Officer, NOVA-LUMEN LABS LLP — [email protected]
2. Scope of this policy
This policy applies to the Lean mobile application and the information it handles. It works alongside our studio-wide Privacy Policy (which also covers this website); where this app-specific policy and the studio policy differ, this one governs Lean. Links to third-party services are governed by their own policies.
3. What information the app handles
Lean works with the following information, most of which you create by using it:
- Protein and meal logs
- Bodyweight and strength / lift entries
- GLP-1 medication and dose
- Side-effect / symptom notes
What we do not collect: we do not collect your contacts, your precise advertising identifier for ad targeting, or any data we don't need to run a feature you use. We do not build advertising profiles, and we do not track you across other apps or websites.
4. How we use information & our legal bases
We use the information above only to:
- provide the app's features to you;
- process and validate your purchases;
- understand, anonymously and with your consent, how the app is used so we can improve it;
- diagnose crashes and fix bugs (with your consent);
- comply with our legal obligations and protect our rights.
Legal bases (GDPR / UK GDPR): we rely on the performance of a contract with you to provide the app and process purchases; on your consent for optional analytics, crash reporting, and (where applicable) notifications, which you can withdraw at any time; and on our legitimate interests in securing and improving the app, balanced against your rights. Under the India DPDP Act 2023 we process personal data on the basis of your consent or for legitimate uses permitted by the Act.
5. Where your information is stored
Your protein and meal logs, bodyweight, GLP-1 medication and dose, symptoms, and settings are stored locally on your device (an on-device database). There is no server and no cloud copy of your health data.
Lean Pro can sync your data across your own devices through Apple's iCloud (key-value store), tied to your Apple ID. It is end-to-end within your account — no Lumen Labs server ever sees it.
6. Analytics
We use PostHog for opt-in, anonymous product analytics — events such as which screens are opened and which buttons are tapped, tied to a random, app-specific identifier. We never attach your name or email, and your actual content (entries, balances, documents, charts, prayers — whatever the app holds) is never sent. You can turn analytics off at any time in Settings.
7. Crash reporting
If you opt in, we use Sentry to receive anonymous crash diagnostics — a stack trace, device model, OS version, and app version — so we can fix what breaks. Crash reports are stripped of personal content and are not used to identify you.
8. Device permissions
We request the following permissions, each only for the feature that needs it and only when you use it:
- Notifications (optional next-dose and protein reminders)
You can revoke any of these at any time in your device settings.
9. Purchases & payment
Payments are handled by RevenueCat (Apple App Store / Google Play billing). We never see or store your full payment-card details — the relevant app store processes payment and shares with us only what is needed to validate your purchase or subscription status. Those providers handle your payment data under their own privacy policies.
10. Service providers we rely on
We do not sell your data and we do not share it for advertising. The only third parties involved are the service providers (processors) that make the app work, each acting under contract and for the limited purpose shown:
- RevenueCat — Validates your purchase / subscription receipt for Lean Pro
- PostHog — Anonymous, opt-in product analytics — never includes your logged health data
- Sentry — Crash and error reporting to keep the app stable
- Apple — App Store billing, Sign in with Apple (optional), and iCloud sync for Pro
- Google — Google Play billing on Android
11. International data transfers
Some of our service providers may process limited data on servers outside your country, including outside the EEA, the UK, or India. Where that happens we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses or an equivalent mechanism, and the providers' own compliance programmes — to protect your data to the standard required by applicable law.
12. How long we keep data
Data stored on your device is retained until you delete it in the app or remove the app. Where we process data on our backend, we keep it only for as long as needed to provide the relevant feature, and we delete or anonymise it within a reasonable period after you delete your account or it is no longer needed. Anonymous analytics and crash data are retained in aggregate for a limited period and cannot be tied back to you.
13. How we protect your data
We use reasonable, industry-standard technical and organisational measures to protect information — including on-device storage by default, encryption in transit for any network calls, and access controls on any backend systems. No method of electronic storage or transmission is 100% secure, however, and we cannot guarantee absolute security. If a personal-data breach occurs that is likely to affect your rights, we will notify the relevant supervisory authority and affected users as required by applicable law.
14. Your rights
Because your data lives on your device, you control it directly — edit or delete any entry in the app, or remove everything at once by deleting the app. In addition, depending on where you live, you have the following rights, which we honour for all users:
- Access a copy of the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data (“right to be forgotten”);
- Port your data to another service;
- Object to or restrict certain processing, and withdraw consent for optional processing such as analytics;
- Nominate a person to exercise your rights in the event of death or incapacity (India DPDP Act);
- Not be discriminated against for exercising your rights (CCPA/CPRA), and to know that we have not sold or “shared” your personal information in the preceding 12 months.
To exercise any right, email [email protected]. We will respond within the timeframes required by law. You also have the right to complain to your data-protection authority — for example the Data Protection Board of India, your EU/EEA supervisory authority, or the UK ICO.
15. Children's privacy
Lean is intended for adults and is not directed to children. We do not knowingly collect personal data from children under the age of 13 (or under 16 in the EEA, or as otherwise defined by local law). If you believe a child has provided us personal data, contact us and we will delete it.
16. Automated decisions, cookies & tracking
Lean does not make decisions about you that produce legal or similarly significant effects through solely automated means. The app does not use advertising cookies or cross-app tracking. Our website may use strictly necessary cookies and respects browser “Do Not Track” and Global Privacy Control signals where applicable.
17. Changes & how to reach us
If we change this policy we will update the date above and, for material changes, surface a notice in the app. Questions, requests, or grievances? Write to our Grievance Officer at [email protected]. See also the Lean Terms of Service.