Legal
Privacy Policy
Last updated 15 July 2026
The short version: Lean Design System is an open, free methodology, maintained in Germany and published as a public GitHub repository. There are no ads, no trackers, no analytics, and no data sales. We do not run our own servers, and there is no account to create. You can read everything on this website without giving us any data. The only companies involved are our EU-based website host and GitHub, where the methodology lives. The details follow.
1 · Who is responsible
The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
Daniel Kurfess
Forststr. 7
70794 Filderstadt, Germany
Email: hello [at] leandesignsystem [dot] org
Lean Design System is maintained in Germany and the website is hosted in the European Union.
2 · The website (leandesignsystem.org)
No cookies, no analytics, no tracking
The website sets no cookies, uses no analytics or tracking services, and embeds no third-party content. Fonts are hosted on our own server, so opening the site does not trigger requests to font providers such as Google Fonts.
Hosting
The website is hosted by BunnyWay d.o.o. (bunny.net), a company based in Slovenia in the European Union. Your data does not leave the EU when you visit the site.
We have switched off request logging for this site: Bunny does not write your IP address, the requested page, the referring page, or your browser and operating system information to any log. Bunny still needs to see your IP address for the brief moment it takes to send you the page, the same way any server on the internet does, but nothing is stored afterwards.
Legal basis for this transient connection handling: our legitimate interest in operating the website, Art. 6(1)(f) GDPR.
Domain name resolution
The domain leandesignsystem.org uses Cloudflare, Inc. (USA) as its DNS provider. Website traffic itself is not routed through Cloudflare; only the technical lookup of the domain name is answered by Cloudflare's name servers.
Links to other sites
The site links to our documentation and to GitHub. Once you follow such a link, the privacy policy of the linked site applies; for GitHub see docs.github.com/privacy.
Contact by email
If you write to us, we process your email address and the content of your message to answer you. Legal basis: Art. 6(1)(f) GDPR (answering your enquiry) or Art. 6(1)(b) GDPR where your enquiry relates to a contract. We delete correspondence once it is no longer needed, unless statutory retention duties apply.
3 · The GitHub repository
An open methodology, no account needed
The methodology itself is published as a public repository on GitHub. Reading it requires no account, no sign-in, and no personal data: you can browse the website, the documentation, and the repository without telling us who you are. We run no backend servers and keep no user database.
Visiting the repository
The repository is hosted by GitHub, Inc. (USA). When you open a page on github.com, GitHub processes your data under its own privacy policy (docs.github.com/privacy). We receive none of this data.
Contributing
If you choose to contribute, for example by starring the repository, opening an issue, or submitting a pull request, you do so with your own GitHub account under your own agreement with GitHub. Contributions to a public repository are public: your GitHub username and the content you submit become part of the project's openly visible history. We see this public activity like anyone else, and nothing beyond it.
Legal basis for processing the contributions we receive: our legitimate interest in maintaining an open-source project, Art. 6(1)(f) GDPR.
4 · Recipients and international transfers
We do not sell or share your personal data with third parties for their own purposes. The recipients that exist are:
- BunnyWay d.o.o. (Slovenia, EU): website hosting, as our processor under Art. 28 GDPR.
- GitHub, Inc. (USA): hosting of the public repository, under your own agreement with GitHub. Where data is transferred to the USA, GitHub is certified under the EU-US Data Privacy Framework, which the European Commission recognises as providing an adequate level of protection (Art. 45 GDPR).
- Cloudflare, Inc. (USA): DNS resolution for the domain only; no website content or visitor traffic passes through Cloudflare.
5 · How long we keep data
We keep no user database and no website request logs. Email correspondence is deleted once it is no longer needed, unless statutory retention duties apply. Public contributions on GitHub (issues, pull requests, commits) remain part of the repository's history; they are managed through GitHub and your GitHub account.
6 · Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you (Art. 15),
- have inaccurate data corrected (Art. 16),
- have your data deleted (Art. 17),
- restrict processing (Art. 18),
- receive your data in a portable format (Art. 20),
- object to processing based on legitimate interests (Art. 21), and
- withdraw any consent at any time with effect for the future (Art. 7(3)).
In practice we hold almost no personal data about you, usually nothing beyond email you have sent us. The fastest way to exercise these rights is to email us at hello [at] leandesignsystem [dot] org.
You also have the right to lodge a complaint with a data protection supervisory authority, for example the authority of the German federal state where you live or where we are based (Art. 77 GDPR).
We do not use automated decision-making or profiling.
7 · Children
Lean Design System is aimed at design and development professionals and is not directed at children. If you are under 16, please only contact us or contribute with the consent of a parent or guardian.
8 · Changes to this policy
If we change this policy, we will publish the new version here with an updated date.