Privacy Policy — LEAPWare

Executive Summary

Zero cookies on first load. First-party analytics only. No third-party tracking pixels. No cross-site identifiers. No data brokerage. No behavioral advertising. No sale, rent, or trade of personal data under any circumstance. Your data is never used to train, fine-tune, or evaluate any machine learning model — not ours, not our vendors', not anyone's. We process personal data only to deliver the services you explicitly request, to maintain the security and integrity of our platform, and to fulfill our legal obligations. Every data flow in our infrastructure is auditable by design and governed by cryptographic policy enforcement. This is not a marketing position. It is an architectural constraint.

Data Controller

Data Controller and Responsible Entity

The entity responsible for the processing of your personal data.

The data controller for all personal data processed in connection with LEAPWare products, services, and properties (including leapware.ai and all subdomains) is:

LEAPWare
Governed AI Workforce Infrastructure
United States

Data Protection Officer: Founder & CEO
DPO Contact: privacy@leapware.ai
Legal Inquiries: legal@leapware.ai

The Data Protection Officer (DPO) is designated in accordance with Article 37 of the General Data Protection Regulation (GDPR) and is responsible for overseeing data protection strategy, ensuring compliance with applicable privacy regulations, conducting privacy impact assessments, and serving as the primary point of contact for supervisory authorities and data subjects exercising their rights.

Where LEAPWare processes personal data on behalf of an enterprise customer (i.e., as a data processor), the customer remains the data controller, and processing is governed by the Data Processing Agreement executed between the parties. In all other cases — including website visitors, direct product users, and prospective customers — LEAPWare acts as the data controller.

Legal Framework

Legal Bases for Processing

Each category of personal data is mapped to a specific legal basis under applicable law.

Data Category	Legal Basis	Explanation
Website analytics (anonymized)	Legitimate interest	Understanding aggregate usage patterns to improve site performance and content. Data is fully anonymized at collection; no individual identification is possible. We have conducted a balancing test confirming minimal impact on data subject rights.
Contact form submissions	Consent	You actively choose to provide your name, email, and message content. Processing occurs only upon explicit submission. Consent may be withdrawn at any time by contacting privacy@leapware.ai.
Account registration data	Contractual necessity	Required to create, authenticate, and maintain your account; deliver the services described in our Terms of Service; and fulfill our contractual obligations to you.
Knowledge objects and content	Contractual necessity	Processing is essential to deliver the core LEAPCortex service — ingesting, indexing, governing, and serving organizational knowledge as contracted.
Agent execution logs	Contractual necessity / Legitimate interest	Execution logs are necessary to deliver governed AI workforce capabilities (contractual) and to maintain platform security and audit integrity (legitimate interest).
Billing and payment data	Contractual necessity / Legal obligation	Required to process payments under our service agreement and to comply with tax, accounting, and financial reporting obligations.
Security and access logs	Legitimate interest / Legal obligation	Maintaining the security and integrity of our systems, detecting and preventing unauthorized access, and complying with information security regulatory requirements.
Support communications	Contractual necessity	Processing support requests is necessary to fulfill our service-level obligations and resolve issues affecting your use of LEAPWare products.

Where processing is based on legitimate interest, we have conducted and documented a Legitimate Interest Assessment (LIA) for each processing activity. These assessments are available for review by supervisory authorities upon request. You have the right to object to processing based on legitimate interest at any time.

Data Collection

What We Collect

A comprehensive inventory of personal data categories, organized by context of collection.

Website Visitors

When you visit leapware.ai, we collect the minimum data necessary to deliver and secure the website:

Technical identifiers: Anonymized IP address (last octet zeroed), browser type and version, operating system, screen resolution, and preferred language. We do not store full IP addresses in analytics systems.
Navigation data: Pages visited, time on page, referring URL, and exit page. All navigation data is processed through first-party analytics only — no data leaves our infrastructure to third-party analytics providers.
Performance data: Page load times, resource timing, and Core Web Vitals metrics collected to maintain site performance standards.

We do not deploy fingerprinting techniques, cross-site tracking mechanisms, social media pixels, retargeting tags, or any form of persistent cross-session identification for website visitors who have not created an account.

Contact Form Submissions

When you submit a contact, partnership, or investment inquiry form, we collect:

Identity data: Full name, job title, and company name.
Contact data: Business email address and, if provided, phone number.
Communication content: The message body and any context you provide regarding your inquiry, including selected inquiry type (enterprise, partnership, investment, press).

Contact form data is stored in our primary infrastructure and is not transmitted to third-party CRM systems. Submissions are retained for 24 months from the date of last interaction, after which they are permanently deleted unless an ongoing business relationship has been established.

Product Users

When you create a LEAPWare account or use any LEAPWare product, we process the following categories of personal data:

Account Data

Full name, business email address, and organizational affiliation
Authentication credentials (passwords are salted, hashed with Argon2id, and never stored in plaintext)
Role assignments, permission sets, and Cedar policy bindings
Multi-factor authentication enrollment status and recovery identifiers
Account creation timestamp, last login timestamp, and session metadata

Knowledge Objects (LEAPCortex)

All nine typed knowledge objects ingested into your LEAPCortex instance: Published Intelligence, Experiential Knowledge, Procedural Knowledge, Decisional Records, Institutional Memory, Domain Ontologies, Regulatory Mappings, Relationship Graphs, and Temporal Patterns
Source metadata, ingestion timestamps, confidence scores, and provenance chains
Knowledge object access patterns and query logs (used exclusively for governance enforcement and audit)

Knowledge objects are customer data. LEAPWare processes this data solely as instructed by the customer and in accordance with the applicable Data Processing Agreement. We do not access, analyze, aggregate, or derive insights from customer knowledge objects for any purpose other than delivering the contracted service.

Agent Execution Data (LEAPHive, LEAPCrew)

Agent charter definitions, role assignments, and authority boundaries
Task execution logs, including inputs, outputs, reasoning traces, and policy evaluation results
Inter-agent communication records governed by dual-protocol (MCP + A2A) enforcement
Escalation events, human-in-the-loop approval records, and override logs

Operational Metadata

API request logs (endpoint, method, response code, latency — request bodies are not logged)
Feature flag evaluation records and entitlement checks
Billing events: plan tier, usage metrics, invoice generation timestamps, and payment transaction references (full payment card details are never stored on LEAPWare systems; they are processed exclusively by our PCI DSS Level 1 compliant payment processor)
System health telemetry: error rates, latency percentiles, and availability metrics (no personal data is included in telemetry payloads)

Data Use

How We Use Your Data

Explicit permitted uses and categorical prohibitions.

Permitted Uses

Service delivery: Authenticating your identity, enforcing access policies, serving knowledge queries, executing agent tasks, generating governance reports, and maintaining audit trails.
Service improvement: Analyzing aggregate, anonymized usage patterns to improve product functionality, performance, and reliability. Individual-level behavioral analysis is never performed.
Security operations: Detecting, investigating, and mitigating security threats, unauthorized access attempts, and platform abuse. Security logs are processed by automated systems with human review triggered only by anomaly detection thresholds.
Communication: Responding to your inquiries, delivering transactional notifications (account verification, password resets, billing confirmations), and providing service status updates. We do not send unsolicited marketing communications without explicit opt-in consent.
Legal compliance: Fulfilling obligations under applicable law, including tax reporting, responding to valid legal process, and cooperating with regulatory investigations as required.
Billing and payments: Processing subscription charges, generating invoices, calculating usage-based fees, and managing payment disputes.

Categorical Prohibitions

LEAPWare commits to the following absolute prohibitions. These are not policy preferences — they are architectural constraints enforced at the infrastructure level:

We never sell, rent, lease, or trade personal data to any third party, for any purpose, under any circumstance.
We never use customer data to train, fine-tune, evaluate, or improve any machine learning model — including our own internal models, our LLM providers' models, or any third-party model.
We never engage in behavioral advertising, profile-based targeting, or cross-site tracking of any kind.
We never share personal data with data brokers, advertising networks, or consumer data aggregators.
We never access customer knowledge objects or agent execution data except as necessary to deliver the contracted service or respond to a customer-initiated support request with explicit authorization.
We never combine personal data across tenants for analytics, benchmarking, or any other purpose. Tenant isolation is cryptographic, not just logical.
We never retain personal data beyond the documented retention periods specified in this policy unless required by law or requested by the data subject.

Cookie Schedule

Cookies and Local Storage

Complete enumeration of all cookies and client-side storage mechanisms.

LEAPWare deploys zero cookies on first page load. No cookie consent banner is required because no non-essential cookies are set before user interaction. The following schedule represents the complete set of cookies and local storage entries that may be set across all LEAPWare properties:

Name / Category	Purpose	Duration	Legal Basis
Strictly Necessary
`__lw_session`	Maintains authenticated session state for logged-in users. Contains an opaque session identifier only — no personal data is stored in the cookie value.	Session (expires on browser close)	Contractual necessity
`__lw_csrf`	Cross-Site Request Forgery protection token. Validated server-side on every state-changing request to prevent unauthorized form submissions.	Session	Legitimate interest (security)
`__lw_cc`	Records cookie consent preference to avoid repeated consent prompts. Stores only the consent state (accepted/declined) and timestamp.	365 days	Legal obligation (ePrivacy)
Analytics (First-Party Only)
`__lw_aid`	Anonymous visitor identifier for first-party analytics. Generated as a random UUID with no connection to any personal identifier. Used to calculate unique visitor counts without cross-site tracking.	90 days	Legitimate interest (requires consent in EU/UK)
`__lw_ref`	Stores the referring URL for first-party attribution analysis. No data is shared with third parties.	30 days	Legitimate interest (requires consent in EU/UK)
Preferences
`__lw_theme`	Stores user-selected color theme preference (light/dark/system) to maintain visual consistency across sessions.	365 days	Consent
`__lw_locale`	Stores preferred language and locale setting for internationalized content delivery.	365 days	Consent

We do not use any third-party cookies, tracking pixels, web beacons, fingerprinting scripts, or invisible image tags. Analytics cookies are set only after affirmative consent in jurisdictions requiring it (EU, UK, Brazil). For visitors in these jurisdictions who decline analytics cookies, we fall back to fully anonymous, cookieless page-view counting that cannot identify or re-identify any individual.

Architecture

Data Isolation Architecture

How we structurally guarantee tenant separation at every layer of the stack.

LEAPWare implements defense-in-depth tenant isolation that goes significantly beyond industry-standard practices. Isolation is not a configuration choice — it is an architectural invariant enforced at multiple layers:

Compute Isolation

Each tenant's AI agent workloads execute in dedicated, container-isolated environments with independent process namespaces, network policies, and resource quotas. Agent containers cannot address, discover, or communicate with containers belonging to other tenants. Orchestration enforces hard scheduling boundaries at the node level.

Storage Isolation

Knowledge objects, agent execution logs, and operational data are stored in tenant-scoped partitions with distinct encryption keys derived from a hierarchical key management system. Each tenant's data-at-rest encryption uses a unique AES-256-GCM key wrapped by a tenant-specific key-encryption key (KEK) stored in a hardware security module (HSM). Cross-tenant data access is not merely unauthorized — it is cryptographically impossible without the tenant's KEK.

Network Isolation

Tenant workloads operate within isolated virtual network segments with zero-trust network policies. All inter-service communication is mutually authenticated via mTLS with short-lived certificates (24-hour rotation). Network policies default-deny all traffic and explicitly allowlist only the minimum required service-to-service paths.

Policy Isolation

Every data access request — whether from a human user, an AI agent, or an internal service — is evaluated against the tenant's Cedar policy store before execution. Cedar policies are tenant-scoped and cryptographically signed. Policy evaluation occurs at the query boundary, not at the application layer, ensuring that no code path can bypass governance enforcement.

This architecture is validated through continuous automated testing, including cross-tenant access attempts that run in production (against canary tenants) on a 15-minute cycle. Any successful cross-tenant data access immediately triggers a P0 security incident response.

Sub-Processors

Sub-Processor Registry

All third-party entities that process personal data on our behalf.

LEAPWare maintains a limited set of sub-processors, each bound by a Data Processing Agreement that imposes obligations no less protective than those in this Privacy Policy. We evaluate sub-processors annually for security posture, data handling practices, and regulatory compliance. Enterprise customers are notified at least 30 days in advance of any sub-processor addition or change, with the right to object.

Provider	Purpose	Data Categories	Location
Cloudflare	CDN, DDoS protection, DNS, edge caching for leapware.ai static assets	IP addresses (transient, not logged beyond 24hr), HTTP request metadata	Global edge network (US-headquartered)
Amazon Web Services	Primary cloud infrastructure: compute, storage, databases, key management	All customer data categories (encrypted at rest and in transit)	US regions (us-east-1, us-west-2)
Anthropic	LLM inference for AI agent reasoning, knowledge synthesis, and natural language processing	Query context and prompts (no persistent storage by provider per our agreement; zero-retention API access)	United States
Stripe	Payment processing, subscription billing, invoice generation	Payment card details, billing address, transaction history	United States (PCI DSS Level 1)
Postmark	Transactional email delivery (account verification, password resets, billing notifications)	Email address, email subject, delivery metadata	United States

Notably absent from this registry: advertising platforms, data brokers, behavioral analytics providers, A/B testing services that process personal data, and social media tracking integrations. Their absence is intentional and permanent.

AI Governance

AI and Automated Decision-Making

Our commitments regarding artificial intelligence, profiling, and automated decisions.

LEAPWare builds AI products. This creates an elevated obligation to be precise about how AI interacts with personal data:

No Automated Decisions with Legal or Significant Effect. LEAPWare does not use personal data to make automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22. All AI agent actions that could have material consequences are subject to human-in-the-loop approval workflows governed by Cedar policy. Agents operate under chartered authority boundaries — they cannot exceed their defined scope without human escalation and explicit authorization.

No Profiling. We do not engage in profiling as defined by GDPR Article 4(4). We do not analyze or predict personal aspects relating to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Our AI systems process organizational knowledge and execute business workflows — they do not model individuals.

Human Oversight Guarantee. Every LEAPWare AI product implements the LEAP cycle (Listen, Explain, Act, Prove) which requires that AI reasoning be explainable, that actions be authorized under policy, and that outcomes be provable through audit trails. Human oversight is not optional — it is an architectural requirement enforced by the governance layer. Any customer can configure their Cedar policies to require human approval for any category of agent action, at any threshold.

Model Provider Data Handling. When LEAPWare transmits data to LLM providers (currently Anthropic) for inference, we enforce the following constraints contractually and technically:

All inference requests use zero-retention API endpoints. The provider does not log, store, or retain prompt content or model outputs beyond the duration of the API request.
Customer data included in inference context is the minimum necessary for the requested operation (principle of data minimization at the prompt level).
No customer data is used by the provider for model training, fine-tuning, evaluation, safety research, or any purpose other than generating the immediate inference response.
We maintain contractual audit rights to verify provider compliance with these restrictions.

International Transfers

International Data Transfers

How we protect personal data when it crosses borders.

LEAPWare is headquartered in the United States. If you are located outside the United States, your personal data will be transferred to the United States for processing. We implement the following safeguards to ensure that international data transfers comply with applicable data protection laws:

Standard Contractual Clauses (SCCs): All transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States are governed by the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, and Module 3: Processor to Processor, as applicable), incorporated into our Data Processing Agreements. We use the SCCs adopted by Commission Implementing Decision (EU) 2021/914, supplemented with the UK International Data Transfer Addendum where required.
EU-U.S. Data Privacy Framework: LEAPWare monitors developments under the EU-U.S. Data Privacy Framework and will self-certify where applicable and appropriate. Regardless of framework status, our SCC-based transfer mechanisms remain in force as an independent safeguard.
Transfer Impact Assessments: We have conducted Transfer Impact Assessments (TIAs) for each data transfer to evaluate the legal framework of the recipient country and confirm that our supplementary measures provide an essentially equivalent level of data protection. TIA results are reviewed annually or upon material changes in the legal landscape.
Supplementary Technical Measures: All data in transit is encrypted using TLS 1.3. All data at rest is encrypted with AES-256-GCM using tenant-specific keys. These measures ensure that data remains protected even in the event of a lawful interception order, as decryption requires access to our HSM-managed key hierarchy.
Adequacy Decisions: Where the European Commission has issued an adequacy decision for a recipient country, we rely on that decision as the transfer mechanism. We monitor adequacy decisions for continued validity.

Retention

Data Retention Schedule

How long we keep each category of data and how we delete it.

Data Type	Retention Period	Deletion Method
Website analytics (anonymized)	90 days from collection	Automated purge from analytics data store; data is aggregated into non-reversible statistical summaries before deletion of raw records.
Contact form submissions	24 months from last interaction	Permanent deletion from primary and backup storage. Backup propagation completes within 30 days of deletion trigger.
Account registration data	Duration of account + 90 days	Account deletion triggers a 90-day grace period (to allow account recovery), followed by cryptographic erasure of all associated data.
Knowledge objects (customer content)	Duration of contract + 60 days	Upon contract termination, customers receive a 60-day data export window. After expiration, all knowledge objects are permanently deleted via cryptographic erasure (destruction of tenant KEK renders all encrypted data unrecoverable).
Agent execution logs	Duration of contract + 60 days	Same as knowledge objects. Execution logs are included in the data export window and subject to the same cryptographic erasure process.
Billing and payment data	7 years from transaction date	Retained to comply with tax and financial reporting obligations (IRS, applicable state law). Deleted via secure overwrite after the statutory retention period expires.
Security and access logs	12 months from creation	Automated rotation and deletion. Logs related to active security investigations are preserved until investigation closure + 90 days.
Support communications	Duration of account + 12 months	Deleted from support systems. Anonymized support interaction metadata may be retained for service quality analysis.
Cookie consent records	3 years from consent action	Retained as evidence of valid consent under GDPR and ePrivacy Directive requirements. Deleted via automated lifecycle management.

All deletion methods are verified through automated compliance checks that confirm the absence of residual data. Cryptographic erasure — used for all customer content — provides a deletion guarantee equivalent to physical destruction: once the tenant's key-encryption key is destroyed, the encrypted data is computationally irrecoverable regardless of storage medium retention.

Your Rights

Data Subject Rights

Your rights under GDPR, CCPA, CPRA, and other applicable privacy laws.

Rights Under the GDPR (EU/UK/EEA Residents)

Right of Access (Article 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to access that data and receive a copy in a structured, commonly used, and machine-readable format.
Right to Rectification (Article 16): You have the right to obtain the correction of inaccurate personal data and to have incomplete personal data completed.
Right to Erasure (Article 17): You have the right to obtain the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, where you object to processing, or where processing is unlawful.
Right to Restriction (Article 18): You have the right to restrict processing while we verify the accuracy of your data, if processing is unlawful and you prefer restriction over erasure, or if we no longer need the data but you require it for legal claims.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller without hindrance.
Right to Object (Article 21): You have the right to object to processing based on legitimate interest or public interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right Regarding Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. As stated above, LEAPWare does not engage in such processing.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

Rights Under the CCPA/CPRA (California Residents)

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions (legal obligations, security, completing transactions).
Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information. LEAPWare does not sell or share personal information as defined under the CCPA/CPRA, so this right is satisfied by default.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to purposes necessary to perform the services you request. LEAPWare processes sensitive personal information only for such purposes.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access levels based on your exercise of privacy rights.

To exercise any of these rights, submit a request to privacy@leapware.ai with the subject line "Data Subject Request" or use the mechanisms described in the following section.

Request Process

Data Subject Requests

How to submit, verify, and track requests to exercise your privacy rights.

Submission. Data subject requests may be submitted via email to privacy@leapware.ai. Enterprise customers may also submit requests through their designated account manager or via the LEAPControl customer portal. All request channels are treated with equal priority and urgency.

Verification. To protect your privacy, we verify the identity of every data subject request before processing. For account holders, verification is performed through email confirmation sent to the registered account email address. For non-account holders, we may request additional identifying information sufficient to match the request to our records. We will never ask for government-issued identification numbers, financial account details, or passwords as part of verification.

Authorized Agents. California residents may designate an authorized agent to submit requests on their behalf. The authorized agent must provide written authorization signed by the data subject and must be verified as described above. We may contact the data subject directly to confirm the authorization.

Service-Level Commitments.

Acknowledgment: Within 48 hours of receipt, we will acknowledge your request and provide a reference number and estimated completion timeline.
GDPR Fulfillment: Requests under the GDPR will be fulfilled within 30 calendar days. If the request is complex or we have received a high volume of requests, we may extend this period by an additional 60 days with written notice and justification, as permitted by Article 12(3).
CCPA/CPRA Fulfillment: Requests under the CCPA/CPRA will be fulfilled within 45 calendar days. If reasonably necessary, we may extend this period by an additional 45 days with written notice, as permitted under the CCPA.
Format: Data access and portability requests are delivered in JSON or CSV format, encrypted in transit and at rest, via a secure, time-limited download link.

Appeals. If you are dissatisfied with our response to your data subject request, you may appeal by emailing privacy@leapware.ai with the subject line "DSR Appeal" and your original reference number. Appeals are reviewed by the Data Protection Officer within 15 business days. You also retain the right to lodge a complaint with your local supervisory authority at any time.

Government Requests

Government and Law Enforcement Requests

Our policy on government access to customer data.

LEAPWare is committed to protecting customer data from overbroad or unlawful government access. Our policy on government and law enforcement requests is as follows:

Legal Process Required. We will not voluntarily disclose customer data to any government agency, law enforcement authority, or intelligence service without valid legal process (subpoena, court order, or warrant as appropriate for the data category requested). We scrutinize every request for legal sufficiency and jurisdictional authority.
Narrow Compliance. When we are legally compelled to disclose data, we produce the minimum data responsive to the specific legal instrument. We do not provide bulk access, persistent access, or standing data feeds to any government entity.
Customer Notification. Unless legally prohibited by a court-issued gag order, we will notify the affected customer before disclosing their data in response to legal process, providing them the opportunity to seek a protective order or other remedy. If we are subject to a gag order, we will challenge its scope and duration where legally permissible and will notify the customer promptly upon expiration of the prohibition.
No Backdoors. LEAPWare has not built, and will not build, any mechanism that provides government agencies with persistent, direct, or backdoor access to our systems or customer data. We have never received a National Security Letter with a gag order or a FISA court order. If we receive such an instrument, we will challenge its legality to the fullest extent permitted by law.
Transparency Reporting. We will publish an annual transparency report disclosing the number and type of government data requests received, the number complied with, and the number challenged or rejected, broken down by jurisdiction to the extent permitted by law.

Children's Privacy

Our commitments regarding minors' data under COPPA, GDPR, and applicable law.

LEAPWare products are designed for business and enterprise use. Our services are not directed at, marketed to, or intended for use by individuals under the age of 16 (or under 13 in jurisdictions where the COPPA age threshold applies).

COPPA Compliance. We do not knowingly collect, use, or disclose personal information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA). Our website and products do not contain content or features designed to attract children, and our registration process requires users to confirm that they are of legal age to enter into a binding agreement.

GDPR-K Compliance. For users in the European Economic Area, we do not knowingly process personal data of children under 16 without verified parental consent, in accordance with Article 8 of the GDPR. Member state variations in the age of digital consent (ranging from 13 to 16) are respected based on the user's jurisdiction.

Discovery and Remediation. If we discover that we have inadvertently collected personal data from a child below the applicable age threshold, we will immediately delete all such data, notify the child's parent or legal guardian (if identifiable), and document the incident in our internal privacy incident log. To report a concern about a child's data, contact privacy@leapware.ai with the subject line "Children's Privacy Concern."

Enterprise

Data Processing Agreement

Contractual framework for enterprise customers.

Enterprise customers processing personal data through LEAPWare products are entitled to execute a Data Processing Agreement (DPA) that establishes the contractual framework for our role as data processor. Our DPA includes:

Processing Scope and Instructions: Detailed description of the nature, purpose, duration, and categories of data processing, together with the customer's documented processing instructions.
Standard Contractual Clauses: Pre-signed EU SCCs (Modules 2 and 3) and the UK International Data Transfer Addendum, ready for countersignature.
Sub-Processor Obligations: Complete sub-processor list, 30-day advance notification of changes, and customer right to object.
Security Measures: Annex II technical and organizational security measures, including encryption standards, access controls, incident response procedures, and audit rights.
Audit Rights: Customer right to conduct or commission audits of LEAPWare's data processing activities, including on-site inspections with reasonable notice.
Data Return and Deletion: Obligations for data return in machine-readable format and certified deletion upon contract termination.
Breach Notification: Commitment to notify the customer without undue delay (and within 72 hours at maximum) of any personal data breach affecting customer data.

To request a DPA, contact legal@leapware.ai. Pre-signed DPAs are available for immediate execution to avoid delays in enterprise procurement cycles.

Assessments

Privacy Impact Assessments

Our commitment to privacy-by-design evaluation.

LEAPWare conducts Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35 for all product changes, new features, and architectural modifications that involve the processing of personal data or could affect the privacy rights of data subjects. Our DPIA process includes:

Trigger Analysis: Every product change undergoes a privacy screening to determine whether a full DPIA is required. Changes that introduce new data categories, new processing purposes, new sub-processors, or new cross-border data flows automatically trigger a full assessment.
Systematic Description: Each DPIA includes a systematic description of the processing operations, their purposes, and the legitimate interests pursued where applicable.
Necessity and Proportionality: We assess whether the processing is necessary and proportionate in relation to its purpose, and whether less privacy-intrusive alternatives exist.
Risk Assessment: We evaluate the risks to data subjects' rights and freedoms, including risks of unauthorized access, data loss, discriminatory effects, and loss of confidentiality.
Mitigation Measures: We document the technical and organizational measures implemented to address identified risks, including encryption, access controls, anonymization, data minimization, and retention limits.
DPO Review: All DPIAs are reviewed and approved by the Data Protection Officer before the relevant processing activity commences.
Ongoing Monitoring: DPIAs are living documents. They are reviewed whenever there is a material change to the processing activity and at minimum annually.

DPIAs are retained internally as part of our accountability documentation under GDPR Article 5(2) and are available for review by supervisory authorities upon request.

Breach Notification

Data Breach Notification

Our response obligations in the event of a personal data breach.

LEAPWare maintains a comprehensive incident response plan that addresses the detection, containment, assessment, notification, and remediation of personal data breaches. Our commitments:

72-Hour Supervisory Authority Notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, LEAPWare will notify the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Customer Notification. Where LEAPWare acts as a data processor and a breach affects customer data, we will notify the affected customer without undue delay after becoming aware of the breach, providing sufficient detail for the customer to fulfill its own notification obligations as data controller. Our target for customer notification is within 48 hours of breach confirmation.

Data Subject Notification. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, LEAPWare will communicate the breach to affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken to mitigate harm, in accordance with GDPR Article 34.

Post-Incident Review. Following every security incident, we conduct a formal post-incident review that includes root cause analysis, timeline reconstruction, control gap identification, and remediation planning. Findings are documented and incorporated into our security program. Material findings that affect our data protection posture are reflected in updated DPIAs.

Changelog

Policy Changelog

Version history documenting all material changes to this policy.

Version	Date	Changes
2.0	March 27, 2026	Comprehensive rewrite. Added Legal Bases table, Cookie Schedule with specific cookie names, Data Isolation Architecture section, Sub-Processor Registry, AI and Automated Decision-Making section, International Data Transfer safeguards and TIA disclosures, Data Retention Schedule with deletion methods, expanded GDPR and CCPA/CPRA rights enumeration, Data Subject Request SLAs, Government and Law Enforcement request policy, Children's Privacy (COPPA + GDPR-K), Data Processing Agreement details, Privacy Impact Assessment process, Data Breach Notification procedures. Restructured all sections for institutional-grade comprehensiveness.
1.0	March 1, 2026	Initial privacy policy published. Covered basic data collection, cookie policy, GDPR rights summary, and contact information.

Material changes to this policy will be communicated to registered users via email at least 30 days before they take effect. Continued use of LEAPWare services after the effective date constitutes acceptance of the updated policy. The current version is always available at leapware.ai/legal/privacy.

Contact

How to reach us regarding privacy and data protection matters.

Data Protection Inquiries

For all questions about this privacy policy, data subject requests, privacy complaints, or concerns about our data handling practices:

Data Protection Officer
Email: privacy@leapware.ai
Subject line: Include "Privacy Inquiry," "Data Subject Request," or "Privacy Complaint" as appropriate.
Response time: Within 48 hours for acknowledgment; substantive response within 5 business days.

Legal Inquiries

For Data Processing Agreement requests, regulatory correspondence, legal process, or law enforcement requests:

Legal Department
Email: legal@leapware.ai
Subject line: Include "DPA Request," "Legal Process," or "Regulatory Inquiry" as appropriate.
Response time: Within 48 hours for acknowledgment; DPA execution available within 5 business days.

We take every privacy inquiry seriously. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so that we can attempt to resolve your concern directly.