Data Ownership Policy
Your data is yours. Always.
Last updated: June 28, 2026
Most software vendors hold your data as leverage. LeanStream is built on the opposite principle. You own the data layer. You own the output. When the engagement ends, we leave — and so does any access we had. Here is exactly how that works.
During an Engagement
LeanStream accesses your data to build, configure, and deploy your operations system. This access is limited to what is required for the engagement scope and is governed by your SOW. We never use client data for any purpose other than delivering your engagement.
At Handoff
When the engagement closes, LeanStream provides a full data export of everything held in your Supabase instance. Your credentials are transferred. Our access is revoked. Nothing remains on LeanStream infrastructure unless you are on a support retainer — and even then, access is scoped to support tickets only.
Shared Tenant Model
In the default shared tenant model, your portfolio company data is isolated from other clients using row-level security (RLS) in Supabase. The PE firm's operators can see their portfolio. LeanStream can see anonymized aggregates for cross-portfolio benchmarking only — never raw client data.
Private Tenant Model
Security-sensitive engagements (healthcare, financial services, government contractors) use a dedicated Supabase instance owned entirely by the client. LeanStream never has access to the raw data in a private tenant deployment. We receive only aggregated metrics via a federated read layer — and only while on an active support retainer.
The Lessons Learned Corpus
With your consent, anonymized patterns from your engagement contribute to the cross-portfolio lessons learned corpus. No company names. No financial figures. No identifying information. Pattern-level insights only — e.g., 'companies in this industry tend to underestimate integration effort by X%.' Consent is opt-in. You may withdraw at any time.
Data Deletion
You may request complete deletion of your engagement data within 30 days of engagement close. After 30 days, data is archived for 12 months and then permanently deleted, unless you are on an active support retainer.
Contact for Data Requests
All data requests: dave@leanstream.ai
Response within 5 business days.
If you have specific data sovereignty requirements — regulatory, contractual, or otherwise — raise them in the discovery call. We have handled HIPAA, SOC 2, and government contractor requirements before. We will tell you upfront what we can and cannot accommodate.