Lepsta Privacy Policy

Last Updated: 19 August 2025

Lepsta (“we,” “our,” or “us”) respects your privacy and is committed to safeguarding your personal information.
This Privacy Policy explains how we collect, use, disclose, and protect your information when you use Lepsta’s services, including our applications, integrations, and AI-powered features.

If you do not agree with this policy, please do not use Lepsta.


1. Who We Are

Lepsta is a collaboration platform that helps teams (especially remote and hybrid teams) improve their efficiency and plan, manage, and track their work. For most data processing activities, Lepsta acts as the data controller. When you connect Lepsta to a third-party service (e.g., Google, Microsoft, GitHub), those providers remain independent data controllers of their own services.


2. Information We Collect

We collect the following categories of personal data:

a. Account & Identity Information

  • Full name, email address, profile photo, and authentication details.
  • Workspace details (organization name, members, roles).

b. Workspace Content

  • Tasks, projects, files, comments, attachments, and messages you upload.
  • Metadata (timestamps, activity history, preferences).

c. Integrations & Connected Accounts

When you connect Lepsta to third-party services, we may store:

  • OAuth tokens or API keys to enable synchronization.
  • Data retrieved from integrations (e.g., GitHub issues, Jira tickets, Google calendar events, Microsoft Outlook tasks).
  • Sync logs (e.g., timestamps of the last sync, status messages).

This data is retained only while the integration remains active.

d. Payments & Billing

  • Subscription details, plan type, and billing history.
  • Limited payment data handled by Stripe (we never store full card details).

e. Device & Technical Data

  • IP address, browser type, operating system, device identifiers.
  • Access logs, crash reports, and usage analytics.
  • Cookies and similar tracking technologies (see Section 10).

f. AI Features (LLMs)

  • Prompts or text you provide to AI-powered features.
  • These prompts are sent to OpenAI and IBM Watsonx solely for inference.
  • We do not share unrelated personal information, nor do we use your prompts for model training beyond what providers disclose in their terms.

3. How We Use Your Information

We process personal data to:

  • Deliver Lepsta’s core services (task management, collaboration).
  • Enable integrations with external platforms.
  • Provide AI-assisted functionality (summaries, insights, task suggestions).
  • Process and manage subscriptions and billing.
  • Communicate with you about features, security alerts, and support.
  • Monitor usage to maintain performance and security.
  • Comply with legal and regulatory requirements.

We do not sell personal data or use integration data for advertising.


4. Legal Bases for Processing

We rely on the following legal bases under GDPR/UK GDPR:

  • Contract Performance – e.g., creating an account, syncing tasks or files with a third party, or providing workspace collaboration.
  • Consent – e.g., connecting Google Calendar, receiving marketing emails, enabling AI features. You may withdraw consent at any time.
  • Legal Obligation – e.g., storing invoices for tax compliance.
  • Legitimate Interests – e.g., improving service functionality, detecting fraud, or ensuring platform security. Where legitimate interests apply, we balance them against your rights and freedoms.

5. Sharing Your Information

We may share data with:

a. Service Providers

Infrastructure (DigitalOcean, Cloudflare, AWS, IBM Cloud), analytics, support, and email delivery services under strict contractual controls.

b. LLM Providers

OpenAI and IBM Watsonx process only the text prompts you submit.

  • No unrelated data is shared.
  • Data is used only for inference and not for advertising.

c. Payment Processor

Stripe processes payments on our behalf and acts as an independent processor.

d. Third-Party Integrations

If you choose to connect Lepsta with services like GitHub, Jira, Freshdesk, Asana, Google, or Microsoft:

  • We store authentication tokens and retrieve necessary data to power the integration.
  • You may revoke access at any time via Lepsta or the third-party platform.

Google Integrations

  • When using Google APIs (Gmail, Calendar, Drive), Lepsta’s use of information obtained is subject to the Google API Services User Data Policy, including the Limited Use requirements.
  • We only access the minimum data required to provide the feature.
  • We do not use or transfer Google data for advertising.

Microsoft Integrations

  • When using Microsoft APIs (Outlook, Teams, OneDrive), Lepsta processes your data in compliance with Microsoft’s API Terms and applicable developer policies.
  • We only access the data needed for the feature you have enabled.
  • Data from Microsoft services is not shared with third parties for unrelated purposes.

e. Legal Disclosures

We may disclose personal data if required by law, regulation, or valid legal process, or if necessary to protect rights, safety, and property.

f. Business Transfers

If Lepsta undergoes a merger, acquisition, or sale, your data may be transferred as part of the transaction.


6. Data Storage & International Transfers

  • Primary hosting is in the United Kingdom.
  • Some providers may process data in the EU, US, or other regions.
  • International transfers are safeguarded by:
    • Standard Contractual Clauses (SCCs),
    • UK Addendum to SCCs, or
    • Adequacy decisions (where applicable).

7. Data Retention

We keep personal data:

  • While your account is active.
  • While integrations remain enabled.
  • For legally required retention periods (e.g., tax, accounting).

Data is securely deleted or anonymized when no longer needed.

8. Your Rights

If you are in the UK, EU, or equivalent jurisdictions, you have the right to:

  • Access your data.
  • Rectify inaccurate or incomplete information.
  • Erase data where legally permitted.
  • Restrict processing in certain circumstances.
  • Port your data to another provider.
  • Object to processing based on legitimate interests.
  • Withdraw consent where processing is based on consent.
  • Challenge automated decisions if applicable.

To exercise your rights, email us at [email protected].

You also have the right to complain to your supervisory authority (e.g., the UK Information Commissioner’s Office (ICO)).


9. Children’s Privacy

Lepsta is not directed at children under 16 years old.
We do not knowingly collect data from minors. If we learn a child has registered, we will delete the account.


10. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Keep you signed in.
  • Save preferences.
  • Measure usage and improve performance.
  • Provide secure authentication.

You may disable cookies in your browser settings, but some functionality may not work.


11. Security

We use industry-standard safeguards including:

  • Encryption of data in transit and at rest.
  • Multi-factor authentication for sensitive operations.
  • Role-based access and audit logging.
  • Regular security reviews and penetration testing.
  • Data minimization and pseudonymization where possible.

No method is completely secure, but we continuously work to protect your information.


12. Contact Us

If you have questions about this Privacy Policy or how your data is handled, contact us at:

Lepsta
Email: [email protected]


13. Changes to This Policy

We may update this policy periodically.
Significant changes will be communicated via email or in-app notification before they take effect.


14. Summary (Plain-Language)

  • We collect account details, workspace data, and integration data you choose to share.
  • AI features only send your prompts to OpenAI or IBM Watsonx for processing.
  • Google and Microsoft integrations follow their strict API policies.
  • Payments are handled securely via Stripe.
  • Your data is stored in the UK, with safeguards for international transfers.
  • You have GDPR/UK GDPR rights, including access, deletion, and portability.
  • We do not sell your data.
  • Accounts are restricted to users aged 16+.