LeanTo

Privacy Policy

Last updated: April 27, 2026

This Privacy Policy describes how Anvil Systems LLC (“Anvil Systems,” “we,” “us”) collects, uses, and shares information when you use LeanTo (the “Service”), available at leanto.anvilsystems.com. By using the Service, you agree to the practices described here.

1. Who we are

LeanTo is operated by Anvil Systems LLC, a Tennessee limited liability company. For privacy questions or to exercise your rights described below, contact us at support@anvilsystems.com.

2. What data we collect

We collect the following categories of information:

  • Account information. Your email address, display name, a hashed copy of your password (we never store the plaintext), and, if you sign in with a social provider, the provider name and the unique account identifier they share with us.
  • Workspace and board content. Boards, columns, cards, comments, attachments, labels, custom fields, and any other content you or your collaborators create inside the Service.
  • Usage logs. IP address, user agent string, request timestamps, requested URLs, and similar technical metadata generated automatically when you interact with the Service. We use this data to operate, secure, and troubleshoot the Service.
  • Billing information. Subscription plan, billing email, and invoice history. Card numbers and other payment instrument details are handled by our merchant of record (see Section 4) and are not stored by LeanTo.
  • Support communications. When you email us or submit a support request, we retain that correspondence so we can follow up with you.

3. How we use it

We use the information we collect to:

  • Provide, maintain, and improve the Service;
  • Authenticate users and protect accounts from abuse;
  • Process subscriptions, invoices, refunds, and tax obligations;
  • Send transactional email (account verification, password resets, invitation notices, billing receipts, security notifications);
  • Respond to support requests and other inquiries;
  • Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service; and
  • Comply with legal obligations.

We do not sell personal information. We do not use your workspace content to train machine-learning models.

4. Third parties

We rely on a small set of vetted service providers to operate LeanTo. Each one only receives the data needed to perform its role.

  • Paddle— merchant of record for subscriptions, payment processing, sales tax, and invoicing.
  • Resend— transactional email delivery (verification, password reset, invitation, billing notifications).
  • Vercel— application hosting, edge networking, and deployment.
  • Our managed Postgres provider— primary database hosting for account and workspace data. The specific provider is named here once selected; reach out to support@anvilsystems.com for current details.
  • GitHub and Google— OAuth identity providers, used only if you choose to sign in with one of them.

We may add or change processors over time. Material changes will be reflected in the list above and announced through the Last-updated date at the top of this page.

5. Data retention

  • Active accounts. We retain account and workspace data for as long as your account is active.
  • Deleted accounts. When you delete your account, we retain the data for up to 30 days to allow recovery from accidental deletion and to handle billing reconciliation, then we purge it from our production systems. Backups containing that data age out within an additional 30 days.
  • Billing records. Invoices and related billing records are retained for 7 years to satisfy U.S. tax recordkeeping requirements, regardless of account status.
  • Security logs. Authentication, request, and error logs are retained for up to 90 days unless required for an open security investigation.

6. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email support@anvilsystems.com from the address associated with your account. We will respond within 30 days. We will not charge a fee for reasonable requests, and we will not retaliate against you for exercising your rights.

Many of these requests can be self-served from your account settings (for example, editing your profile or deleting your account).

7. Security

We protect your information with industry-standard controls, including:

  • bcrypt password hashing for credential-based logins;
  • HTTPS for all traffic between your browser and the Service;
  • Encrypted secrets and database connections at rest and in transit;
  • Role-based access control inside the Service so members only see boards they belong to;
  • Audit logs of authentication events and administrative actions to support incident response.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you in accordance with applicable law.

8. International transfers

LeanTo is operated from the United States, and the data we collect is stored and processed in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States. Where required for transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or another lawful transfer mechanism with each processor listed in Section 4.

9. Children

This service is not directed to individuals under 16. By using LeanTo, you represent that you are at least 16 years old.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the Last-updated date at the top of this page. For material changes, we will provide additional notice through the Service or by email before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact

Questions about this policy or our privacy practices? Email support@anvilsystems.com.