Privacy Policy
Privacy Statement
The following information provides an overview of the type, scope, and purpose of the collection and use of personal data when using the Lean Financial Solutions GmbH (hereinafter referred to as "LEAN FS") website. Personal data refers to all information that serves to determine your identity and that can be traced back to you, e.g., your name, your email address, and your phone number.
Controller
LEAN FS
Lean Financial Solutions GmbH
Meret Oppenheim-Platz 1
4053 Basel, Switzerland
Commercial Register: CHE-246.886.717 (Canton of Basel-Stadt). VAT-No.: CHE-246.886.717 MWST.
Data Protection Officer (DPO)
We have appointed an internal contact for all data protection matters. This single channel handles every request from data subjects — including access (Art. 25 revFADP / Art. 15 GDPR), rectification (Art. 32 revFADP / Art. 16 GDPR), erasure (Art. 32 revFADP / Art. 17 GDPR), restriction (Art. 18 GDPR), objection (Art. 30 revFADP / Art. 21 GDPR), data portability (Art. 20 GDPR) and withdrawal of consent.
Contact: dpolean-fsch. We respond to requests within one month, as required by Art. 12(3) GDPR and Art. 19 revFADP.
Cookies and Consent
We use cookies and similar technologies (such as localStorage and sessionStorage in your browser) on our website. Essential cookies are required for the operation of the site. Analytics and tracking technologies (e.g., Google Analytics and Microsoft Clarity) are only used if you have given your consent via our cookie banner. You can adjust or withdraw your consent at any time via the "Cookie Settings" link in the footer of every page.
Cookies and storage we use
The table below lists the cookies and browser-storage entries we set, grouped by purpose. Names containing a wildcard (e.g. `_ga_<id>`) represent a family of entries.
| Name | Provider | Purpose | Type | Retention |
|---|---|---|---|---|
| cookiesAccepted | LEAN FS | Indicates that the cookie banner was acknowledged | Essential | 12 months |
| functionalAccepted | LEAN FS | Stores granular consent for functional cookies | Essential | 12 months |
| analyticsAccepted | LEAN FS | Stores granular consent for analytics | Essential | 12 months |
| marketingAccepted | LEAN FS | Stores granular consent for marketing/tracking | Essential | 12 months |
| _ga, _ga_<id> | Google Analytics | Distinguishes visitors and sessions for usage analytics | Analytics | Up to 14 months (data retention setting) |
| lfs_locale_pref | LEAN FS | Remembers your selected language (en or de) so the site opens in your preferred language on return visits | Functional | 12 months |
| _clck | Microsoft Clarity | Persists a Clarity user identifier across visits | Marketing | 1 year |
| _clsk | Microsoft Clarity | Connects multiple page views into a single Clarity session | Marketing | 1 day |
| MUID, ANONCHK, SM, CLID | Microsoft | Auxiliary identifiers used by Clarity / Microsoft platform | Marketing | Up to 13 months |
| lfs_lead_score_v1 | LEAN FS (localStorage) | Anonymous interest score per device; never leaves your browser unless you submit a form | Marketing | 13 months |
| lfs_visitor_profile_v1 | LEAN FS (sessionStorage) | Tab-scoped page-visit profile used to enrich form submissions | Marketing | Browser tab session |
| lfs_rid | LEAN FS (sessionStorage) | First-party outreach attribution identifier; only set when you arrive via a personalised outreach link. Measurement-only; never shared with advertising networks | Analytics | Browser tab session |
Use of Google Analytics
This website uses Google Analytics 4 (provided by Google Ireland Limited, with infrastructure operated by Google LLC in the United States) to analyse the use of our website. Google Analytics uses cookies and similar technologies that enable an evaluation of how you use the website. According to Google, Google Analytics 4 does not permanently store or log IP addresses and IP-anonymisation (`anonymize_ip`) is enabled. We have configured the maximum data-retention period of 14 months for event-level data in our Google Analytics property.
Where consent is required, processing is based on your consent (Art. 6(1)(a) GDPR / Art. 6 revFADP). The identifiers generated by Google Analytics (e.g. `_ga` client_id) are pseudonymous and, on their own, do not allow us to identify you (Art. 11 GDPR). You can withdraw your consent at any time via the cookie settings.
Depending on your location, Google Analytics is loaded through Google Consent Mode v2. For visitors in the EU, the EEA and the United Kingdom we apply the "Basic" configuration: no Google Analytics request is sent before you make a consent choice. For visitors elsewhere, including Switzerland, we apply the "Advanced" configuration: even before you choose, Google Analytics may send minimal, cookieless signals to Google that are used solely for aggregate, statistical modelling. These signals set no cookies, store no Analytics identifier (such as the `_ga` client_id) and are not used to recognise or profile you; full, identified measurement only begins once you consent, and declining or withdrawing consent prevents it. Insofar as these aggregate signals constitute personal data, we rely on our legitimate interest in measuring the use of our website (Art. 6(1)(f) GDPR / Art. 6 revFADP).
Transfers of personal data to the United States are governed by Google's Standard Contractual Clauses (SCC, EU Commission Decision 2021/914) and additional safeguards documented by Google. Switzerland-specific adequacy is covered by the Swiss FDPIC adequacy recognition of the EU-U.S. Data Privacy Framework (Google LLC participating).
Use of Microsoft Clarity
This website uses Microsoft Clarity (provided by Microsoft Corporation, Redmond, USA) to better understand how visitors use our website (for example through heatmaps and session recordings). Microsoft Clarity uses cookies and similar technologies to capture user interactions and to help us improve usability and content. Depending on the configuration, information generated in this context may be transmitted to and processed by Microsoft, including in the United States.
Microsoft Clarity is only used if you have given your consent via the cookie banner. You can adjust or withdraw your consent at any time via the cookie settings. Microsoft Clarity masks form inputs and other sensitive content by default; masked content is therefore not transmitted to Clarity. The identifiers generated by Clarity (e.g. `_clck` user_id) are pseudonymous and, on their own, do not allow us to identify you (Art. 11 GDPR).
When you contact us via our forms, we may include a deep-link to your Clarity session recording in our internal notification e-mail so our team can prepare your enquiry with full context. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR / Art. 6 revFADP) in providing relevant, well-prepared responses.
We also calculate an anonymous interest score from your interactions, stored locally in your browser (`lfs_lead_score_v1` in localStorage) for up to 13 months. This score never leaves your browser unless you submit a form, and is cleared automatically when its retention period expires.
Transfers of personal data to the United States are governed by Microsoft's Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework (Microsoft Corporation participating). Microsoft's Clarity API does not currently offer per-visitor deletion; because the data we hold via Clarity is pseudonymous within the meaning of Art. 11 GDPR, this is communicated transparently here.
Outreach link attribution
If you arrive at our website via a personalised link from our outreach, the URL may contain a short identifier called `rid` that lets us attribute your visit to the specific outreach through which you reached us. We use this identifier purely for measurement and customer-relationship purposes — to understand which outreach is effective and to connect your visit, and (once you contact us) your enquiry, into a single record so we can prepare a relevant response and avoid double-counting. We do not use it to show you personalised advertising, and we never share it with advertising networks or data brokers.
The identifier is a short hash. On this website we store only the hash, the page URL, and a timestamp. We do not store any directly identifying data (such as your name or e-mail address) in connection with the identifier on this website. The mapping of the hash to a specific outreach context is held separately from this website, as part of our outreach operations.
Legal basis — two layers. (i) The client-side identifier is kept in your browser's session storage (only while the tab is open) on the basis of your consent, under the Analytics/Statistics category of our cookie banner; where you grant that consent it may be forwarded to our analytics provider (Google Analytics), and where you additionally grant marketing consent it may also be associated with your Microsoft Clarity session. (ii) Separately, we keep a server-side record of the click (the page URL, the rid value, and a timestamp) for as long as needed for our attribution window — currently up to 25 months — on the basis of our legitimate / overriding interest in measuring our outreach (Art. 6(1)(f) GDPR / Art. 31 revFADP). We do not capture your IP address for this purpose.
You can withdraw the analytics consent at any time via the "Cookie Settings" link in the footer, and you have the right to object to the legitimate-interest processing at any time, free of charge, by contacting us at dpolean-fsch. A documented Legitimate Interest Assessment is available on request via the same channel.
International Data Transfers
Some of the service providers we use process personal data in the United States (notably Google LLC for Google Analytics, and Microsoft Corporation for Microsoft Clarity). The United States is, in the view of the European Commission and the Swiss Federal Data Protection and Information Commissioner (FDPIC), recognised as offering an adequate level of protection under the EU-U.S. Data Privacy Framework (DPF) and the Swiss-U.S. DPF for participating organisations.
In addition, transfers are based on Standard Contractual Clauses (SCC, EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021) concluded with each respective provider, supplemented by technical and organisational measures (e.g., IP-anonymisation, masking of sensitive fields) where appropriate.
A list of all sub-processors we rely on and their respective DPAs (Data Processing Agreements) is maintained internally and is available on request via dpolean-fsch.
Email Transit and Delivery
We use Resend (Resend, Inc., based in the United States) to transmit transactional and confirmation e-mails on our behalf. Resend acts as our processor under a signed Data Processing Agreement that incorporates the EU Standard Contractual Clauses (Module Two, Controller to Processor). The legal basis is performance of contract (Art. 6(1)(b) GDPR / Art. 6 revFADP) for transactional messages, and your prior consent (Art. 6(1)(a) GDPR / Art. 6 revFADP) for any optional marketing e-mails.
Transfers of personal data to the United States are governed by Resend's Standard Contractual Clauses and by Resend's certification under the EU-U.S. Data Privacy Framework (DPF) and the Swiss-U.S. DPF, where applicable.
We do not currently activate Resend's individual-level open or click tracking features for any of our e-mails. If we ever do so for marketing e-mails, we will update this policy in advance and seek separate, granular consent in accordance with the European Data Protection Board and CNIL 2025/2026 guidance on tracking pixels in e-mails.
Communication via Third-Party Services
We may use third-party communication services such as WhatsApp to interact with clients and partners and manage internal communications. We ensure that any personal data exchanged via these services is handled with strict confidentiality and in accordance with applicable privacy laws. It is important to note that these third-party services are governed by their own privacy policies, which we acknowledge and take into consideration in our data management practices.
We use Linktree (Linktree Pty Ltd, Melbourne, Australia, with infrastructure operated in the United States) to host a bio-link page. Linktree operates its own cookie consent banner on that page and handles consent capture in accordance with EU GDPR, UK GDPR, and equivalent regulations. The processing on the Linktree-hosted page is governed by Linktree's privacy notice (linktr.ee/s/privacy), not by this policy. We receive only aggregate, non-identifying click counts at the link level from Linktree. Transfers of personal data to the United States are governed by Linktree's Standard Contractual Clauses.
Survey Data Collection and Use
When you participate in a LEAN FS survey, we may collect personal data as well as other information you provide or that is automatically tracked. Surveys are conducted using third-party platforms such as Typeform. The collected data may be used for various purposes. With your consent, personal data may be used internally for sales or marketing follow-up. Aggregated and anonymised responses may support benchmarking, market analysis, or the development of client-facing materials. Anonymised data may also be used in academic research collaborations.
With Typeform Standard, survey data may be processed and stored on infrastructure in the United States. Where personal data is transferred to countries without an adequate level of protection, we implement appropriate safeguards (in particular Standard Contractual Clauses) to ensure a level of protection that is essentially equivalent to Swiss and European standards.
If you request a personalised report, survey responses may additionally be processed via API by external LLM providers. We use such providers under contractual arrangements (including a DPA). As a rule, we only transmit pseudonymised or anonymised content. Direct identifiers (e.g., name, email address, phone number) are removed. Company names or URLs may be used to personalise the report.
Surveys conducted via Typeform may use cookies or similar technologies to analyse user behaviour and enhance the survey experience. For more information, please refer to Typeform's privacy policy.
Typeform displays its own cookie consent banner inside the survey iframe in regions where required. Your acceptance or rejection there applies to Typeform's own cookies and is governed by Typeform's privacy notice. We do not set any of our own tracking cookies inside the Typeform iframe.
Data Processing for Inquiries, Subscriptions, and Communications
When you submit our contact form, book a meeting, or otherwise reach out to us, we process the data you provide to handle your enquiry and to provide the information or service you requested. This processing is based on Art. 6(1)(b) GDPR / Art. 6 revFADP (steps prior to entering into a contract).
We do not automatically add you to any marketing distribution list. We only send you newsletters, event invitations, or announcements of new offerings if you have separately and explicitly opted in via a clearly visible, unticked checkbox on our forms. That separate opt-in is the legal basis under Art. 6(1)(a) GDPR / Art. 6 revFADP (consent). Each such e-mail contains a free, one-click unsubscribe link, and you can also withdraw your consent at any time by contacting us at dpolean-fsch.
If you become a paying customer of LEAN FS, we may additionally send you e-mails about similar own services on the basis of the existing-customer exception (Art. 13(2) ePrivacy Directive / § 7 Abs. 3 UWG (DE) / Art. 3 Abs. 1 lit. o UWG (CH)). At the time of contract we will clearly inform you that your e-mail address may be used for this purpose. The "similar" requirement is interpreted narrowly: we will only send you information about services in the same product family as the one you purchased. Every such e-mail contains a free, one-click unsubscribe link, and your right to object is unconditional.
Upon withdrawal of consent or objection, or upon fulfilment of the original purpose, your data will be deleted unless legal retention obligations require further storage.
Data Subject Rights
Under the Swiss revised Federal Act on Data Protection (revFADP, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights regarding personal data we hold about you. To exercise any of these rights, please contact us at dpolean-fsch. We respond within one month.
Right of Access (Art. 25 revFADP / Art. 15 GDPR)
You can request a copy of the personal data we process about you, together with information on the purpose, the categories of data, the recipients (or categories of recipients), the retention period, and the source of the data if it was not collected directly from you.
Right to Rectification (Art. 32(1) revFADP / Art. 16 GDPR)
If the data we hold about you is inaccurate or incomplete, you may request correction or completion.
Right to Erasure (Art. 32(2) revFADP / Art. 17 GDPR)
You may request the deletion of your personal data when it is no longer necessary, when you withdraw consent, or when our processing has no other valid legal basis. Statutory retention obligations (e.g., commercial-law book-keeping duties) may prevent immediate erasure; in such cases we will restrict processing instead.
Right to Restriction (Art. 18 GDPR)
You may request that processing of your personal data be restricted, e.g. while the accuracy of the data is being verified or while an objection (see below) is pending.
Right to Object (Art. 30 revFADP / Art. 21 GDPR)
You may object at any time, for reasons relating to your particular situation, to processing based on our legitimate interests (including any profiling). Where your data is processed for direct-marketing purposes, you have an unconditional right to object, after which we will stop the corresponding processing.
Right to Data Portability (Art. 28 revFADP / Art. 20 GDPR)
For data you have provided to us and that we process on the basis of consent or a contract, you have the right to receive it in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to Withdraw Consent (Art. 6(6) revFADP / Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal. Withdrawal of consent for cookies / tracking is possible at any time via the "Cookie Settings" link in the footer of every page.
Right to Lodge a Complaint
You can lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or, where applicable, with an EU supervisory authority in the member state of your habitual residence or place of work.
Updates
We may update this Privacy Statement from time to time, for example when we introduce new services or if legal requirements change. The version published on this website is the one that applies.
Disclaimer
Individuals who access the LEAN FS website and retrieve information agree to the following provisions:
Website Usage
In close cooperation with our hosting providers, LEAN FS makes every effort to ensure the secure operation of the website and to protect the databases from unauthorized access, losses, misuse, or falsification as much as possible. Access to the website is therefore at your own risk and responsibility.
Liability Exclusion
LEAN FS rejects any liability for damages or consequential damages resulting from access to its website or parts thereof (e.g., downloaded documents), their use, or links to other websites.
Warranty Disclaimer
LEAN FS takes every care to ensure that the information on the website is correct and up to date at the time of publication and does not violate the rights of third parties (especially personal rights). Nevertheless, LEAN FS cannot guarantee the accuracy, reliability, or completeness of the information.
