
GDPR Compliance Statement

How Leapo complies with Regulation (EU) 2016/679, the General Data Protection Regulation. Designed to answer the question "is your platform GDPR-compliant?" in one document, self-contained and printable.

Version 1.0 · Last updated May 21, 2026

The short answer

Yes. Leapo is built privacy-by-design under EU/EEA law. All user-identifying data is processed within the EU (Frankfurt + Paris). Users can self-serve data export and deletion from the product. We publish a complete list of subprocessors, a ready-to-sign DPA template, and a pre-filled vendor security questionnaire. Personal data is redacted before any AI processing. We are not yet SOC 2 / ISAE 3402 certified, but our compliance roadmap is public.

1. Data controller

Service
Leapo, web application at https://leapo.app
Operated by
Hussam Aburamadan (founder)
Established in
Belgium (EU/EEA)
Privacy / DPO contact
privacy@leapo.app
Security contact
security@leapo.app
Supervisory authority
Belgian Data Protection Authority (APD-GBA), dataprotectionauthority.be

2. What personal data we collect, and why

We collect only what we need to run the service. Categories:

  • Identification: email address (required), name (optional during onboarding). Used for authentication and personalisation. Lawful basis: contract (Art. 6(1)(b)).
  • Professional context: business niche, target market, work style. Used to tailor the 9-phase roadmap and AI outputs. Lawful basis: contract.
  • Location: city and country (optional, used for local-context personalisation). Lawful basis: contract.
  • Free-text inputs: business-plan answers, AI coach conversation history. Stored to provide continuity in the user's journey. Lawful basis: contract.
  • Transactional data: subscription tier, Stripe billing status (we never see card numbers, those are tokenised by Stripe). Lawful basis: contract; for retention, legal obligation under Belgian tax law (Art. 6(1)(c)).
  • Usage data: feature interactions, AI generation counts (for rate-limit enforcement). Lawful basis: legitimate interest (Art. 6(1)(f)), to operate the service reliably.

We do not knowingly process special categories of personal data (Art. 9): health, biometric, racial, religious, political, or genetic data. We do not target children under 16.

3. Where data is stored and who processes it

All user-identifying data is processed within the European Economic Area:

  • Supabase (database + authentication), EU region eu-central-1 / Frankfurt, Germany, on AWS infrastructure
  • Vercel (application hosting + serverless compute), EU regions
  • Mistral AI (AI Coach, Lead Engine, Launch Kit generators), Paris, France. French data controller, no international transfer for AI processing
  • Stripe (subscription billing), EU controller (Stripe Payments Europe Ltd, Ireland)

Some operational processors are US-based and rely on Standard Contractual Clauses for the transfer:

  • OpenAI, fallback / kill-switch AI provider, only invoked if Mistral has an outage. SCCs under OpenAI's DPA
  • Resend, transactional email delivery. SCCs under Resend's DPA
  • Sentry, runtime error monitoring. Anonymous user IDs only, no personal data sent. SCCs under Sentry's DPA
  • PostHog, anonymous product analytics. No email, name, or business-plan content sent. SCCs under PostHog's DPA

The full subprocessor list with each provider's country, purpose, and DPA link is published at leapo.app/security/subprocessors.

4. How long we keep data

  • Account data: for the lifetime of the account. On deletion request, purged from the primary database within 30 days
  • Encrypted backups: retained 30 days after deletion request, then permanently destroyed (total 60 days from deletion to full purge)
  • Stripe billing records: retained for 7 years in compliance with Belgian tax law (legal obligation)
  • AI request data at Mistral: short-term for abuse monitoring, then permanently deleted (per Mistral's terms)
  • Audit logs (DSR requests, admin actions): retained indefinitely as required for compliance evidence. These contain no special-category data

5. Your rights under GDPR

You have the following rights regarding your personal data. Most are available directly in the product; the rest can be exercised by emailing privacy@leapo.app.

  • Access / portability (Art. 15, 20): In-product: /settings → "Download my data" (one-click JSON export)
  • Rectification (Art. 16): In-product: most profile fields are user-editable in /settings
  • Erasure (Art. 17): In-product: /settings → "Delete my account" (cascades through all tables, cancels subscription)
  • Restriction (Art. 18): Email privacy@leapo.app describing the processing you want restricted
  • Object (Art. 21): Email privacy@leapo.app to opt out of legitimate-interest processing
  • Withdraw consent (Art. 7): Same as delete: removes the basis for all consent-based processing
  • Complaint (Art. 77): Belgian DPA (dataprotectionauthority.be) or your local EU supervisory authority

Response SLA: within 30 days of receipt, per GDPR Art. 12(3). We acknowledge requests within 72 hours.

6. Security measures

  • Encryption at rest: AES-256 via PostgreSQL transparent data encryption (Supabase)
  • Encryption in transit: TLS 1.3 enforced, HSTS enabled on leapo.app with 12-month max-age
  • Access control: row-level security (RLS) on every user-data table at the database layer. Multi-factor authentication on all administrative access
  • PII minimization in AI calls: the user's name, embedded email addresses, and phone numbers are redacted before any AI request is sent. Source: lib/security/pii.ts
  • Audit logging: all administrative actions written to an immutable audit table (admin_audit_log). Default-deny RLS, service-role-only writes
  • Subprocessor controls: signed DPAs with each subprocessor before live processing. Public list at /security/subprocessors
  • Vulnerability management: dependency scanning via GitHub Dependabot + weekly npm audit; static analysis via CodeQL on every pull request
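The PII-minimization measure above is the one item in this list that is a concrete transformation rather than a configuration choice, so here is an added example of what such a redaction step looks like. This is illustrative code written for this page, not Leapo's own lib/security/pii.ts; the function name redactPII, the placeholder tokens [NAME]/[EMAIL]/[PHONE], the digit threshold for phone numbers, and the sample input are all assumptions.

```typescript
// Added example, not Leapo's lib/security/pii.ts: strip the user's name,
// embedded e-mail addresses and phone numbers from free text before it is
// sent to an external LLM. Placeholder tokens keep sentence structure intact
// so the model's answer still reads naturally.

interface RedactionResult {
  text: string;
  counts: { name: number; email: number; phone: number };
}

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Candidate phone number: optional + or 00 prefix, then digits separated by
// spaces, dots, slashes, dashes or parentheses, 9 to 20 characters long.
const PHONE_CANDIDATE_RE = /(?:\+|00)?\d[\d .\/()-]{7,18}\d/g;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One case-insensitive pattern for the full name and for each name part of
// three or more characters, so a bare first name is caught as well.
function buildNamePattern(fullName: string): RegExp | null {
  const trimmed = fullName.trim();
  if (trimmed.length === 0) return null;
  const parts = trimmed.split(/\s+/).filter((p) => p.length >= 3).map(escapeRegExp);
  const alternatives = [escapeRegExp(trimmed), ...parts];
  return new RegExp(`\\b(?:${alternatives.join("|")})\\b`, "gi");
}

function redactPII(input: string, userName: string = ""): RedactionResult {
  const counts = { name: 0, email: 0, phone: 0 };
  let text = input;

  // E-mails first: a local part may contain digit runs that would otherwise
  // be mistaken for a phone number.
  text = text.replace(EMAIL_RE, () => {
    counts.email += 1;
    return "[EMAIL]";
  });

  // Phone numbers: accept a candidate only if it carries at least 8 digits,
  // so years ("2026") and short figures ("500 000") survive untouched.
  text = text.replace(PHONE_CANDIDATE_RE, (match) => {
    const digitCount = match.replace(/\D/g, "").length;
    if (digitCount < 8) return match;
    counts.phone += 1;
    return "[PHONE]";
  });

  const namePattern = buildNamePattern(userName);
  if (namePattern) {
    text = text.replace(namePattern, () => {
      counts.name += 1;
      return "[NAME]";
    });
  }

  return { text, counts };
}

// Constructed sample input (fictional person), as a user might type it into
// an AI coach conversation.
const SAMPLE_INPUT =
  "Hi, I'm Marie Dupont. Reach me at marie@example.com or +32 470 12 34 56. " +
  "I launched in 2026 with 500 000 EUR in revenue.";

function demo(): RedactionResult {
  return redactPII(SAMPLE_INPUT, "Marie Dupont");
}

console.log(demo().text);
// → Hi, I'm [NAME]. Reach me at [EMAIL] or [PHONE]. I launched in 2026 with 500 000 EUR in revenue.
```

The order of the passes matters: e-mail addresses go first because a local part such as "john1234567@" would otherwise be consumed as a phone candidate, and the digit threshold is what keeps ordinary figures in a business plan readable to the model while still catching national and international phone formats.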

7. International transfers

User-identifying data (account profile, business-plan answers, AI coach inputs) stays within the EU. The four operational processors based outside the EU (OpenAI as fallback, Resend, Sentry, PostHog) transfer under the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914). Each has signed a DPA with us; the relevant SCCs are incorporated by reference in those agreements.

8. Personal data breach notification

In the event of a personal data breach affecting your data, we will notify the supervisory authority without undue delay and in any case within 72 hours (GDPR Art. 33). Affected users will be notified without undue delay where required (Art. 34). For partners under contract, we commit to 24-hour notification with an initial scope assessment.

9. Certifications and compliance roadmap

We are not yet certified under SOC 2, ISO 27001, or ISAE 3402. We've committed to the following milestones:

  • PII minimization in LLM calls, Active
  • EU-hosted LLM (Mistral, Paris), Active
  • GDPR data export + delete (Art. 15 + 17), Active
  • Cyber insurance €1M policy, planned Q3 2026
  • Penetration test by a Belgian firm, planned Q4 2026
  • SOC 2 Type I, targeted Q1 2027
  • ISAE 3402 readiness assessment, targeted 2027

Public roadmap with status indicators: leapo.app/security.

10. Supporting documents

The following companion documents are publicly available and referenced by this statement:

11. Statement of issuance

This statement is issued by Leapo and is accurate as of the "Last updated" date above. Material changes to our processing activities, subprocessor list, or security posture trigger an updated version of this document. Versioning is publicly tracked on the Trust Center.

Issued by

Hussam Aburamadan

Founder, Leapo

Belgium (EU/EEA)

For follow-up questions: privacy@leapo.app / security@leapo.app