Data Protection Policy
Effective date: June 28, 2026
This Data Protection Policy sets out the principles, standards, and measures by which Lenkbear Inc. ("Lenkbear," "we," "us," or "our") protects the personal data of users, visitors, and customers of lenkbear.com. This policy supplements our Privacy Policy and reflects our commitment to responsible data stewardship under applicable US privacy laws, including the CCPA/CPRA, VCDPA, CPA, CTDPA, and related regulations.
1. Scope and Purpose
This policy applies to all personal data processed by Lenkbear, including data collected through our website, services, and any future mobile applications. It covers:
- All categories of personal data we collect from users and visitors
- All systems and processes used to store, transmit, or process personal data
- All employees, contractors, and third-party service providers who handle personal data on our behalf
The purpose of this policy is to ensure that personal data is collected, stored, used, and shared in a lawful, transparent, and secure manner, and that individuals' rights are respected at every stage of data processing.
2. Data Protection Principles
All personal data processed by Lenkbear must adhere to the following principles:
Lawfulness, Fairness & Transparency
Data is collected and processed on a lawful basis and in a manner that is transparent to the individual.
Purpose Limitation
Data is collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.
Data Minimization
We collect only the data that is necessary for the stated purpose — no more.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date.
Storage Limitation
Data is retained only for as long as necessary and securely deleted or anonymized thereafter.
Integrity & Confidentiality
Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Accountability
Lenkbear takes responsibility for compliance with these principles and can demonstrate that compliance upon request.
3. Technical Security Measures
We implement the following technical controls to protect personal data:
Encryption
- All data transmitted between users and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Sensitive data at rest (including user credentials and payment tokens) is encrypted using AES-256 or equivalent standards
- Passwords are stored using a strong one-way cryptographic hash (bcrypt or Argon2)
Access Controls
- Access to personal data is restricted to employees and contractors who require it for their role (principle of least privilege)
- Multi-factor authentication (MFA) is required for all internal systems containing personal data
- Access is logged and reviewed regularly
Infrastructure Security
- Our platform is hosted on infrastructure with SOC 2 Type II certification
- Regular vulnerability scans and penetration tests are performed
- Automated monitoring detects and alerts on anomalous activity
- Regular backups are taken and encrypted; recovery procedures are tested periodically
4. Organizational Measures
- Data Protection Training: All team members with access to personal data receive training on data protection obligations and best practices
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements covering personal data
- Third-Party Vetting: We conduct due diligence on all third-party service providers before sharing personal data, and require them to maintain appropriate security standards via contractual obligations
- Policy Review: This policy is reviewed and updated at least annually or whenever there is a material change to our data processing activities
5. Data Breach Response
In the event of a confirmed data breach involving personal information, Lenkbear will:
- Contain the breach as quickly as possible and assess its scope
- Notify affected individuals without unreasonable delay and no later than required by applicable state law (typically 30–72 hours for regulatory notice, 30–60 days for individual notice, depending on state)
- Provide notification to relevant state attorneys general or regulators as required by law
- Document the breach, its causes, and our response in an internal incident report
- Take corrective action to prevent recurrence
Breach notification obligations vary by state. We comply with the data breach notification laws of all 50 US states and will provide notifications in accordance with the law of the affected individual's state of residence.
6. Third-Party Processors
We use third-party service providers (data processors) to deliver our services. Each processor is subject to:
- A written data processing agreement that limits how they may use personal data
- Requirements to implement appropriate technical and organizational security measures
- Prohibitions on sub-processing personal data without our written authorization
- Obligations to notify us promptly of any security incidents
Current categories of processors include: cloud hosting providers, email delivery services, analytics providers, and (upon launch) payment processors. A full list of processors is available upon request.
7. Data Retention & Deletion
| Data Category | Retention Period |
|---|---|
| Waitlist email addresses | Until unsubscribed or deletion requested |
| Account data (when available) | 5 years from last active use, or as required by law |
| Transaction / billing records | 7 years (US tax and accounting requirements) |
| Server logs (IP addresses, access logs) | 90 days |
| Analytics data (aggregated) | 2 years |
| Support correspondence | 3 years from last correspondence |
| Legal hold data | Duration of legal hold |
Upon expiry of the applicable retention period, personal data is securely deleted using industry-standard methods (e.g., cryptographic erasure for cloud storage). Anonymized data may be retained indefinitely for statistical purposes.
8. Individual Rights & How to Exercise Them
Under applicable US state privacy laws, you have rights over your personal data. A full description of these rights is provided in our Privacy Policy (Section 5). To exercise any right:
- Email privacy@lenkbear.com with "Privacy Rights Request" in the subject line
- Specify which right(s) you wish to exercise and provide sufficient information for us to verify your identity
- We will confirm receipt within 10 business days and respond substantively within 45 days (or as required by applicable law)
- If we cannot fulfill your request, we will explain why and provide information on how to appeal
We will not charge a fee for reasonable requests. We may limit or deny requests that are manifestly unfounded, excessive, or that would require us to violate our legal obligations.
9. Children's Data
Lenkbear does not knowingly collect, process, or store personal data from individuals under 13 years of age. We comply with the Children's Online Privacy Protection Act (COPPA). If a parent or guardian believes their child has submitted personal data to us, they should contact us immediately at privacy@lenkbear.com and we will delete such data promptly.
10. Governing Law
This policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. We comply with all applicable US federal and state data protection and privacy laws. This policy does not constitute a waiver of any rights or obligations under applicable law.
11. Updates to This Policy
We review this Data Protection Policy at least annually and update it when our data processing activities change materially or when required by changes in law. All updates will be reflected by a new "Effective date" at the top of this page. Material changes will be communicated to users by email or site notice where practicable.
12. Contact & Complaints
For questions about this policy or our data protection practices, or to submit a complaint, contact us:
If you are not satisfied with our response, you may contact your state Attorney General or the relevant consumer protection authority. California residents may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.