Leanbase & GDPR Compliance
The General Data Protection Regulation (GDPR) is a privacy and security law established by the European Union (EU). It applies to any organization that targets or collects data related to individuals in the EU — regardless of where that organization is based.
We strongly recommend reading the full text of the GDPR and seeking independent legal advice regarding your obligations. The consequences of violating GDPR can be severe.
If you require robust GDPR compliance, we recommend using Leanbase Cloud EU — a managed version of Leanbase hosted on servers located in Frankfurt, Germany.
What Data is Protected Under GDPR?
GDPR protects personal data, meaning any information that relates to an individual who can be directly or indirectly identified.
This includes names and email addresses, as well as data such as:
Location data
Ethnicity
Gender
Biometric information
Religious beliefs
Web cookies
Political opinions
Features to Manage PII (Personally Identifiable Information)
| Stage | Features |
|---|---|
| During collection | Autocapture controls, PII masking, and event sanitization |
| Before ingestion | Data anonymization before storage |
These features help ensure that your organization captures and processes only the data that’s truly necessary.
The Impact of GDPR on Product Analytics
The core rule of GDPR is simple: Don’t collect, store, or use personal data unless you have a lawful basis to do so.
Valid lawful bases include:
Consent — the individual has given clear, affirmative consent (e.g., opting into product analytics or marketing communication); explicit consent is required for special categories of data such as health or biometric information.
Contractual necessity — processing is required to fulfill a contract (e.g., verifying user identity).
Legal obligation — processing is required to comply with the law.
Vital interests — processing is necessary to protect someone’s life.
Public interest — performing a task in the public interest or under official authority.
Legitimate interest — processing that serves a genuine business purpose, provided that purpose is not overridden by the individual’s rights and freedoms.
Acquiring “Unambiguous Consent”
Under GDPR, consent must be:
Freely given, specific, informed, and unambiguous
Clearly distinguishable from other terms or conditions
Presented in plain, understandable language
Users must be able to withdraw consent at any time, and you must honor that decision.
For children under 16, parental consent is required; individual EU member states may lower this age to 13, so check the rule for each country you serve.
You should also maintain documentation of user consent.
If you track users in your product using Leanbase, make sure to:
Explicitly ask for consent during sign-up or onboarding.
Explain how data is used to improve product experience.
Respect opt-out preferences via cookie banners or privacy settings.
For websites using Leanbase SDKs with cookies, ensure users can give or withdraw consent before tracking begins.
Handling Data Securely
GDPR requires that personal data be handled securely through appropriate technical and organizational measures.
This includes:
Technical safeguards: encrypting data in transit and at rest.
Organizational safeguards: staff training, access controls, and permission reviews.
If a personal data breach occurs, you must notify your supervisory authority within 72 hours of becoming aware of it, and notify affected data subjects without undue delay when the breach is likely to result in a high risk to them.
The obligation to notify data subjects does not apply if the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorized to access it; the 72-hour notification to the authority still applies unless the breach is unlikely to result in a risk to individuals.
Learn more about Leanbase’s Security and Privacy Guidelines and Access Control Features.
Avoid Transferring EU Data Outside the EU
If you self-host Leanbase on servers outside the EU and collect EU user data, you are transferring personal data out of the EU. Unless you have a valid transfer mechanism in place (for example an adequacy decision or standard contractual clauses), anonymize that data before it leaves the EU.
Similarly, if you use Leanbase Cloud US, anonymization of EU user data is strongly recommended.
Leanbase supports real-time data transformations that anonymize user data before storage. Note that data which can still be linked back to an individual (for example a hashed email whose hashing key you hold) is pseudonymized rather than anonymized and remains personal data under GDPR.
Setting Up Leanbase for GDPR Compliance
GDPR obligations depend on how your business interacts with personal data.
| Hosting Type | Description | Data Processor | Data Controller |
|---|---|---|---|
| Leanbase Cloud | Hosted and managed by Leanbase | Leanbase | You |
| Self-hosted | Hosted on your private cloud or infrastructure | You | You |
Step 1: Choose a Hosting Provider
For full GDPR compliance, we recommend using Leanbase Cloud EU.
You can also use Leanbase Cloud US, provided you apply additional data-protection steps such as anonymization.
If self-hosting, ensure your hosting provider meets EU data protection standards.
Step 2: Deploy Leanbase
If you’re using Leanbase Cloud EU, follow the standard onboarding steps to start sending events.
For self-hosted deployments, use our deployment guides to configure your instance.
Note that Leanbase does not provide direct support for self-hosted installations.
Step 3: Security Configuration
When using Leanbase Cloud, manage access and permissions at the organization, project, and resource levels.
If you self-host Leanbase:
Always use HTTPS for data transmission.
Restrict access to authorized team members only.
Limit access to dashboards or reports containing personal data.
Exercise caution when connecting CDPs or external integrations to prevent unauthorized sharing of personal data.
Step 4: Configure Consent
Since Leanbase can automatically capture data, you must ensure that users explicitly consent to this capture.
In your consent documentation, specify:
The types of personal data collected
The tools used for processing (e.g., “Leanbase Product Analytics”)
If a user opts out, you must immediately stop all data collection and processing.
This means disabling Leanbase SDKs or turning off capture logic in your app when consent is withdrawn, and clearing any client-side cookies or identifiers the SDK has set.
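The consent gate described in Step 4, as an added example written for this page and not taken from Leanbase's SDK or documentation: a small JavaScript module that refuses to send any event until a consent decision is recorded, records when consent was given, and stops immediately when it is withdrawn. The `sendToAnalytics` callback (a stand-in for the real SDK's capture call), the `analytics_consent` storage key and the in-memory storage stub are assumptions; in a browser you would pass `window.localStorage` and the SDK's capture function.

```javascript
// Added example (not Leanbase SDK code): gate all event capture behind a
// recorded consent decision. Assumptions: `sendToAnalytics` stands in for the
// real SDK's capture call and "analytics_consent" is a storage key chosen here.
const CONSENT_KEY = "analytics_consent";

// `storage` is anything with getItem/setItem/removeItem, e.g. window.localStorage
// in a browser or the in-memory stub below when run outside one.
function createConsentGatedTracker(storage, sendToAnalytics) {
  let droppedEvents = 0; // count only; never buffer events captured without consent

  function hasConsent() {
    // Read storage on every call so a withdrawal in another tab is honored.
    return storage.getItem(CONSENT_KEY) === "granted";
  }

  function grantConsent() {
    // Record the decision and when it was made so it can be evidenced later.
    storage.setItem(CONSENT_KEY, "granted");
    storage.setItem(CONSENT_KEY + "_at", new Date().toISOString());
  }

  function withdrawConsent() {
    // Withdrawal takes effect immediately: every later capture() is a no-op.
    storage.removeItem(CONSENT_KEY);
    storage.removeItem(CONSENT_KEY + "_at");
  }

  function capture(eventName, properties = {}) {
    if (!hasConsent()) {
      droppedEvents += 1;
      return false; // nothing leaves the device
    }
    sendToAnalytics({ event: eventName, properties, ts: Date.now() });
    return true;
  }

  return {
    hasConsent,
    grantConsent,
    withdrawConsent,
    capture,
    droppedCount: () => droppedEvents,
  };
}

// In-memory stand-in for localStorage so the example runs without a browser.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
  };
}

// Demo run: capture before consent is dropped, after consent it is sent,
// after withdrawal it is dropped again.
const demoSent = [];
const demoTracker = createConsentGatedTracker(memoryStorage(), (e) => demoSent.push(e));
demoTracker.capture("page_view");                 // dropped: no consent yet
demoTracker.grantConsent();
demoTracker.capture("page_view", { path: "/" });  // sent
demoTracker.withdrawConsent();
demoTracker.capture("button_click");              // dropped again
console.log(`sent=${demoSent.length} dropped=${demoTracker.droppedCount()}`);
```

The point of checking storage on every `capture` rather than caching a flag at load time is that withdrawal is honored at once, even if it happened in another tab or via the privacy settings page. Events seen without consent are counted but never queued, so nothing is "replayed" later if the user happens to opt in.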
Step 5: Control What You Collect and Store
Leanbase provides controls to filter, redact, or anonymize data before it’s stored.
You can configure before-storage transformations to anonymize identifiers such as emails, IPs, or user IDs.
If you’re self-hosting Leanbase outside the EU or using Leanbase Cloud US, apply these transformations so that no directly identifying EU user data is stored outside the EU; without them you need another valid transfer mechanism in place.
Step 6: Comply with “Right to be Forgotten” Requests
Under GDPR, users can request the deletion of their personal data.
You can facilitate this through:
Email or form-based deletion requests
API-triggered data deletions within Leanbase
Leanbase includes built-in data deletion features to help you meet “right to be forgotten” obligations.