§1 Our commitment
At Plaany, data protection isn't paperwork — it's a trust condition of the product. This policy describes precisely what data we collect, why, who it's shared with, how long it's kept, and how you can exercise your rights.
It applies to the site plaany.com, the associated mobile apps, and all Plaany-operated services.
§2 Data controller & DPO
The data controller under article 4(7) GDPR is Plaany, whose full details appear in the Legal Notice.
For any question about personal data: hello@plaany.com (subject: "GDPR").
Plaany is currently not required to appoint a DPO under article 37 GDPR, as its processing is neither a core activity of that kind nor involves large-scale systematic monitoring. A DPO will be appointed should these conditions change.
§3 Applied GDPR principles
Per article 5 GDPR, any processing upholds:
- Lawfulness, fairness and transparency
- Purpose limitation — data used only for declared goals
- Data minimisation — the minimum necessary
- Accuracy — you can always correct inaccuracies
- Storage limitation — precise durations in §9
- Integrity and confidentiality — encryption, restricted access, audits
- Accountability — we maintain a processing register (art. 30)
§4 Data collected
4.1. Provided by you
| Category | Examples |
|---|---|
| Identity | First and last name, date of birth (if provided) |
| Contact | Email, phone, postal address (Providers) |
| Authentication | Password (bcrypt hashed), OAuth identifiers |
| Professional profile | Category, areas, portfolio, rates, company number |
| Projects & events | Brief, date, venue, budget, exchanged messages |
| Reviews & ratings | Text, stars, rated service ID |
4.2. Collected automatically
| Category | Examples |
|---|---|
| Technical | IP address, browser, OS, screen resolution, language |
| Usage | Pages visited, actions, session duration |
| Essential cookies | Session, theme, language |
4.3. Processed by partners
Payment data (card number, CVV, IBAN) is entered and processed entirely by Stripe. Plaany neither sees nor stores it. We only receive a Stripe token and the last 4 digits of the card.
§5 Purposes of processing
- Service delivery: account, matching, messaging, contract, payment.
- Security & fraud prevention.
- Legal obligations: bookkeeping, tax, anti-money-laundering.
- Product improvement: aggregated analytics, bug resolution.
- Transactional communications: essential notifications.
- Marketing communications: newsletter, product announcements — consent-based only, revocable anytime.
- Moderation & support: handling reports, dispute mediation.
§6 Legal bases (art. 6 GDPR)
| Processing | Legal basis |
|---|---|
| Account, matching, payment | Contract performance — art. 6(1)(b) |
| Bookkeeping, invoicing, AML | Legal obligation — art. 6(1)(c) |
| Security, fraud prevention, aggregate analytics | Legitimate interest — art. 6(1)(f) |
| Newsletter, marketing, non-essential cookies | Consent — art. 6(1)(a) |
§7 Recipients & processors
Your data is shared only with strictly necessary technical processors, each bound by a GDPR-compliant DPA.
| Processor | Role | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Payments & escrow | Dublin, Ireland (EU) |
| Supabase Inc. | Database & auth | Frankfurt, Germany (EU) |
| Vercel Inc. | Front-end hosting & CDN | USA (with EU edge) |
| Resend / Sendy | Transactional & marketing emails | EU / AWS EU |
| Twilio | Post-payment phone proxy (optional) | Dublin, Ireland (EU) |
| Sentry | Technical error monitoring | USA (EU region option) |
Plaany never sells data to third parties for advertising or commercial purposes.
§8 International transfers
Most of your data is hosted in the EU. However, some processors (Vercel, Sentry) may have servers in the United States.
Transfers are framed by:
- Standard Contractual Clauses (SCC) from the EU Commission (decision 2021/914).
- Additional technical measures (encryption, pseudonymisation) aligned with post-Schrems II EDPB recommendations.
- Data Privacy Framework (DPF) for certified U.S. entities.
§9 Retention periods
| Data type | Retention |
|---|---|
| Active account | As long as the account is active |
| Deleted account | 30 days (deletion or anonymisation) |
| Invoices & accounting data | 10 years (Belgian Economic Law Code III.86) |
| AML data | 5 years after end of relationship |
| Security logs | Max. 13 months |
| Marketing consent | 3 years after last interaction |
| Waitlist (non-registered) | 3 years after collection |
§10 Data security
Plaany implements appropriate technical and organisational measures (art. 32 GDPR):
- In-transit encryption: TLS 1.3 (HSTS enabled).
- At-rest encryption: AES-256 for databases and backups.
- Passwords: bcrypt with salt, never stored in plain text.
- Strong authentication: 2FA recommended for Providers.
- Internal access: least-privilege, SSO, audit logs.
- Backups: daily encrypted snapshots, 30-day retention.
- Monitoring: automated anomaly detection.
- Security tests: annual pentest planned before public beta.
§11 Personal-data breach
In case of a breach likely to risk users' rights and freedoms, Plaany commits to:
- Notify the Belgian Data Protection Authority (APD/GBA) within 72 hours of discovery (art. 33 GDPR).
- Inform affected users without undue delay when risk is high (art. 34 GDPR), by email and in-app.
- Take all measures to contain and remediate the breach.
- Document the incident in the internal breach register.
§12 Your GDPR rights
- Access (art. 15): confirm that your data is processed and receive a structured copy.
- Rectification (art. 16): correct inaccurate or incomplete data (editable from your account).
- Erasure (art. 17): delete your data ("right to be forgotten"), subject to statutory retention.
- Restriction (art. 18): request temporary suspension of processing pending verification.
- Portability (art. 20): receive your data in a structured, machine-readable format (JSON).
- Objection (art. 21): object to processing based on legitimate interest (including marketing).
- Automated decision-making (art. 22): not be subject to a decision based solely on automated processing producing legal effects.
- Consent withdrawal: withdraw consent anytime without affecting the lawfulness of prior processing.
- Post-mortem directives: define what happens to your data after your death.
§13 Exercising your rights
Most rights can be exercised directly from your account (Settings → Privacy): download, rectify, delete.
For other requests, write to hello@plaany.com (subject: "GDPR rights").
A response will be provided within 1 month (extendable by 2 months if complex, with prior notice).
§14 Supervisory authorities
If your rights haven't been respected, you may lodge a complaint with the competent authority:
- 🇧🇪 Belgium — Data Protection Authority
- 🇫🇷 France — CNIL
- 🇳🇱 Netherlands — Autoriteit Persoonsgegevens
The Belgian DPA is Plaany's lead supervisory authority for cross-border processing.
§15 Cookies & trackers
| Cookie | Purpose | Duration | Basis |
|---|---|---|---|
| plaany_session | Keep session active | Session | Essential |
| plaany-theme | Light / dark preference | 1 year | Essential |
| plaany-lang | Language preference | 1 year | Essential |
No third-party advertising or tracking cookies are dropped without prior explicit consent.
§16 Profiling & automated decisions
Plaany does not take automated decisions with significant legal effects under art. 22 GDPR. Algorithms (offer ranking, fraud detection, anti-disintermediation filter) are decision aids; human review is always in place before a sanction.
§17 Minors
The Platform is reserved for adults (18+). We do not knowingly collect minors' data.
§18 Changes to this policy
Material changes are notified by email at least 30 days before their effective date.
§19 Contact
Any question about personal data or this policy: hello@plaany.com (subject: "GDPR").
We reply in under 48 hours.
If this document doesn't cover your situation or something isn't clear, write to us directly — no forms, no bots.
hello@plaany.com