Privacy Policy

Last updated: May 11, 2026

This Privacy Notice for Bohdan Matviichuk ("we," "us," or "our") describes how and why we access, collect, store, use, and/or share ("process") personal information when you use our services ("Services"), including when you visit our website at https://planvault.ai, use PlanVault.ai, or engage with us in other related ways (including marketing or events).

PlanVault.ai is a hosted AI orchestration platform for businesses, with access control, usage tracking, and infrastructure designed for European data compliance.

Depending on the activity, we may act as a controller (for example for website visitors and account holders where we decide how and why personal data is processed) or as a processor on behalf of a business customer (for example for organization and runtime data that a customer submits to operate the service for its end users). Where we are a processor, our customer is typically the controller; processing is described in our Data Processing Agreement at https://planvault.ai/dpa.

If you do not agree with our policies and practices, please do not use our Services. Questions: [email protected].

Summary of key points

This summary highlights important topics. Read the full Privacy Notice below for details.

What personal information do we process?

It depends on how you interact with us: account data, technical logs, organization and runtime data when you use the product, and support communications. See Section 1.

Do we process sensitive (special category) personal information?

We do not ask you to provide sensitive personal information for account registration or for our own marketing, and we do not intentionally collect it for those purposes. However, when a business customer uses our AI orchestration features, prompts or session content may voluntarily include information that qualifies as special categories in some jurisdictions. In that case we typically process such content strictly as a processor on the customer’s instructions, as described in Section 14 and in our DPA (https://planvault.ai/dpa).

Do we collect information from third parties?

We do not buy personal information from data brokers, marketing partners, or similar sources. When you choose to sign in with Google OAuth, Google shares limited profile data with us for authentication, as described in Section 12.

How do we process your information?

We process personal information to provide and secure the Services, communicate with you, and comply with law — only where we have a valid legal basis. See Sections 2 and 3.

When do we share personal information?

With infrastructure and communications vendors (for example AWS, Cloudflare, Google) under appropriate contracts, and in other situations described in Section 4.

How do we keep your information safe?

We use organizational and technical measures. No method of transmission or storage is 100% secure. See Section 8.

What are your rights?

Depending on your location, you may have rights such as access, rectification, erasure, restriction, portability, and objection. See Section 10.

How do you exercise your rights?

Visit https://planvault.ai/support or contact [email protected].

1. What information do we collect?

In short: We collect personal information that you provide, that is generated when you use the Services, and in limited cases from authentication providers.

Information you provide. When you register, contact us, or use the Services, you may provide names, email addresses, usernames, passwords, and contact or authentication data.

Demo and early-access requests. If you submit the "Request a Demo" form at planvault.ai/request-demo, we collect your name, work email, company name, and optional message. We use this information solely to respond to your enquiry. Your IP address is used only for spam prevention: it is passed through a keyed hash for rate limiting and is not stored in our database. We do not add demo request submissions to marketing lists or share them with third parties. You may request deletion of this data by emailing [email protected].

Sensitive categories for our own collections. We do not ask you to provide sensitive personal information for account registration or marketing, and we do not intentionally collect it for those purposes. Runtime and session content is addressed in Section 14.

You must provide accurate information and notify us of changes where applicable.

Information collected automatically. We collect certain technical information when you visit or use the Services, such as IP address, browser and device characteristics, operating system, language, referring URLs, and usage information (for example timestamps, pages viewed, and feature usage). This helps us operate and secure the Services.

Log and usage data may include IP address, device information, browser type, activity in the Services, and diagnostic information (for example error reports).

Device data may include device and application identifiers, approximate location derived from IP, ISP or carrier, and system configuration.

Policy consent evidence. When you accept the Privacy Policy, Terms of Service, or (where applicable) the demo disclaimer in the console, we record the policy versions you accepted, the timestamp, and, in the same record, your client IP address and User-Agent string. The client IP is taken from the CF-Connecting-IP header set by our Cloudflare Tunnel edge, with X-Forwarded-For as a fallback, and the User-Agent is truncated to 512 characters. This evidence is retained only to demonstrate your consent under Article 7(1) GDPR, is shown to you in your own data export, and is deleted together with the consent record when you use the account-erasure endpoint described in Section 10.
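The client-address handling described in this paragraph and in the demo-request paragraph above, as an added Go example. This is illustrative code written for this page, not PlanVault's own implementation. It assumes a Go HTTP handler behind the Cloudflare Tunnel; the `fromTrustedProxy` flag, the rotating rate-limit secret and all type and function names are this example's assumptions. The caveat it encodes: CF-Connecting-IP and X-Forwarded-For are ordinary request headers that any client can send, so they are evidence only when the connection verifiably arrived through the edge, and when falling back to X-Forwarded-For the rightmost entry (the one the edge appended) is the trustworthy one, not the leftmost.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

const maxUserAgentLen = 512

// ConsentEvidence is the row described in the notice: accepted policy
// versions, timestamp, client IP and (truncated) User-Agent.
type ConsentEvidence struct {
	PolicyVersions map[string]string // e.g. {"privacy": "2026-05-11"}
	AcceptedAt     time.Time
	ClientIP       string
	UserAgent      string
}

// ClientIP returns the client address. CF-Connecting-IP and X-Forwarded-For
// are ordinary request headers that any client can set, so they are consulted
// only when fromTrustedProxy is true, i.e. the connection demonstrably came in
// through the Cloudflare Tunnel. Otherwise only the TCP peer address counts.
func ClientIP(r *http.Request, fromTrustedProxy bool) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !fromTrustedProxy {
		return peer
	}
	if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("CF-Connecting-IP"))); ip != nil {
		return ip.String()
	}
	// Cloudflare appends the connecting address to whatever X-Forwarded-For
	// the client already sent, so the rightmost entry is the edge's own
	// observation; the leftmost entry may be client-supplied.
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
			return ip.String()
		}
	}
	return peer
}

// TruncateUserAgent caps the stored string at 512 characters so a hostile
// client cannot bloat the consent table with a multi-megabyte header.
func TruncateUserAgent(ua string) string {
	if r := []rune(ua); len(r) > maxUserAgentLen {
		return string(r[:maxUserAgentLen])
	}
	return ua
}

// NewConsentEvidence builds the record for one policy acceptance.
func NewConsentEvidence(r *http.Request, fromTrustedProxy bool, versions map[string]string, now time.Time) ConsentEvidence {
	return ConsentEvidence{
		PolicyVersions: versions,
		AcceptedAt:     now.UTC(),
		ClientIP:       ClientIP(r, fromTrustedProxy),
		UserAgent:      TruncateUserAgent(r.UserAgent()),
	}
}

// RateLimitKey is the bucket key for throttling demo-form submissions. Only
// this HMAC is kept, in a short-lived counter rather than the database; once
// the secret is rotated away the key can no longer be joined back to an address.
func RateLimitKey(ip string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ip))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	// Constructed request, as the Tunnel edge would hand it to the origin.
	r := &http.Request{Header: http.Header{}, RemoteAddr: "198.51.100.7:51234"}
	r.Header.Set("CF-Connecting-IP", "203.0.113.9")
	r.Header.Set("User-Agent", "Mozilla/5.0 (example)")
	ev := NewConsentEvidence(r, true, map[string]string{"privacy": "2026-05-11"}, time.Now())
	fmt.Printf("%+v\n", ev)
	fmt.Println(RateLimitKey(ev.ClientIP, []byte("rotate-me-daily")))
}
```

Rune-based truncation keeps a multibyte character from being cut in half at the 512 boundary; byte-based truncation would match the notice's figure only for ASCII user agents.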

Google APIs. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How do we process your information?

In short: We process personal information to provide, improve, and administer the Services, communicate with you, protect security, and comply with law.

Examples: account creation and authentication; delivering the Services; support; administrative messages about terms and policies; fraud prevention and security; vital interests where applicable; authentication and access control for organizations and projects; chat, API, and integration operations (sessions, runtime requests, history and metadata); audit logging and incident response.

3. What legal bases do we rely on?

Under the GDPR, UK GDPR, and Swiss FADP we may rely on: Consent (where we ask for it — you may withdraw); Performance of a contract; Legitimate interests (for example security, diagnostics, and organizational accountability, balanced against your rights); Legal obligation; Vital interests.

4. When and with whom do we share personal information?

We may share personal information with vendors that process data on our instructions to operate the Services. The current subprocessors that may process Company Personal Data are Amazon Web Services (cloud infrastructure in Germany — eu-central-1), Cloudflare (edge, tunnel, routing), and Google (authentication emails via Google Workspace / Gmail SMTP, and Login with Google via Google OAuth). The public planvault.ai website itself does not load any third-party analytics, consent, or embedded-policy widgets: Impressum and the Accessibility Statement are rendered as first-party pages. The full list of subprocessors is published at https://planvault.ai/subprocessors; we use contracts designed to protect personal data.

AI service providers under our bring-your-own-key (BYOK) model — currently OpenAI, Anthropic, and Google LLC (Google Cloud AI) — are not our subprocessors. Where you choose to use AI features, traffic is routed using the API credentials you supply; we store those credentials only server-side, encrypted under your organization's data encryption key (DEK), and your relationship with the AI provider is governed directly by that provider's terms. See Section 11 for details.

We may also share information in connection with a business transfer (for example merger or acquisition), as required by law, or as described in this Notice.

5. Do we offer AI-based products?

Yes. Our Services include AI-related features (for example orchestration, natural language processing, and analysis).

Bring your own key (BYOK). For customer-selected AI providers, PlanVault does not maintain platform-owned API keys for customer traffic. Data sent to an AI provider is routed per the customer’s configuration using customer-supplied credentials stored encrypted under the organization DEK. PlanVault’s relationship to that processing is described in Section 11 and Section 14; your AI provider’s terms and privacy policy apply to processing on their side.

Semantic Routing Cache. By default, PlanVault enables a Semantic Routing Cache for each organization. This feature generates anonymized vector embeddings from workflow queries processed through the Services and stores them within your organization's encrypted data environment, strictly isolated to your tenant. These embeddings are mathematical representations of query patterns; they are not reversible to the original query text and do not contain personally identifiable information. The embeddings are used exclusively to optimize workflow routing, reduce response latency, and minimize redundant calls to your AI provider, all within your organization only. This feature does not constitute AI model training; PlanVault does not use these embeddings to train any foundation model or any model used across tenants. Only an organization OWNER may disable the organization-wide Semantic Routing Cache in the product (typically under Organization → General settings); disabling triggers immediate deletion of all stored vector embeddings for that organization. This processing is based on our legitimate interests in providing an efficient and performant service (GDPR Art. 6(1)(f)), balanced against your right to object (Art. 21), which is exercisable via that control.

Personal data processed through AI features is handled in line with this Privacy Notice and, where we act as a processor for a business customer, with our Data Processing Agreement (https://planvault.ai/dpa).

6. Is your information transferred internationally?

Primary hosting in the EU. For our hosted service (planvault.ai), primary application infrastructure is located in Germany on AWS region eu-central-1 (Frankfurt): compute, PostgreSQL, DynamoDB, application-layer encryption key handling, and short-rotation managed backups. Key handling on SaaS is typically Google Tink with an AWS KMS key-encryption key (KEK) protecting organization key material; some legacy tenants may instead use direct AWS KMS wrapping of the DEK bytes. Tenant data at that application layer stays within that region. Self-hosted deployments use infrastructure chosen by the customer; depending on configuration, durable session history may be stored in PostgreSQL or on local disk instead of DynamoDB.

Necessary onward transfers to the United States. Despite our EU-first hosting posture, the Services necessarily depend on two US-based subprocessors that process limited data outside the European Economic Area: (a) Cloudflare, Inc. (USA / global edge network) provides DNS, edge TLS termination, and a Cloudflare Tunnel to our Frankfurt origin, so customer requests traverse Cloudflare's global edge (which may route through non-EU points of presence) before reaching the origin, and Cloudflare may briefly hold transport-layer telemetry; (b) Google LLC (USA) provides transactional email (Google Workspace / Gmail SMTP) for password reset, invites, and lifecycle notifications, and Login with Google (OAuth) for users who choose to sign in with Google. As a result, full data-flow isolation exclusively within the EU / EEA is NOT guaranteed on the standard hosted tier.

Safeguards for transfers outside the EEA. Transfers of personal data to Cloudflare, Google, and any other subprocessor located outside the EEA are covered by the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as applicable), together with the supplementary technical and organizational measures described in our Data Processing Agreement (https://planvault.ai/dpa) and Security page (https://planvault.ai/security) — notably TLS 1.2+ in transit, AES-256-GCM at rest with per-tenant encryption keys, cryptographic tenant isolation, and short-rotation encrypted backups. A copy of the executed Standard Contractual Clauses and the relevant transfer impact assessment (TIA) summary is available to business customers on request under NDA.

Your AI-provider choice. If you enable AI features under our bring-your-own-key (BYOK) model, the AI provider you select (for example OpenAI, Anthropic, or Google LLC for Google Cloud AI) may also process data in the United States. As described in Section 11, those providers are not our subprocessors; your contract with the AI provider, not our DPA, governs that processing leg.

Contact. If the combination of EU hosting with US-based routing, email, and (if you enable AI features) AI providers is not acceptable for your use case, please contact [email protected] before submitting personal data — we can discuss self-hosted or private-cloud deployment options, alternative transactional-email providers, or other mitigations.

7. How long do we keep your information?

We retain personal information only as long as necessary for the purposes in this Notice, unless a longer period is required or permitted by law. Retention may depend on your account, organization settings, and backup processes. When retention ends, we delete or anonymize data where possible, or isolate it until deletion is feasible (for example in backups).

Organization-level deletion (business customers). When an authorized administrator deletes an organization through the product, the organization enters a 7-day grace window during which it is invisible to all users but may be restored by us on the customer's written request. At the end of the grace window, deletion is finalized by crypto-shred: the organization-specific encryption key is permanently deleted and tenant records are purged, so any residual content (including in short-rotation backups) becomes unrecoverable. This grace window applies only to whole-organization deletion; individual data-subject erasure requests remain immediate and are not subject to it.
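Added example, not PlanVault code: the envelope-encryption layout described in Sections 6 and 7 (a KMS-held KEK wrapping one DEK per organization, AES-256-GCM records, crypto-shred by deleting the wrapped DEK), in Go using only the standard library. The in-memory KEK stands in for AWS KMS or a Tink KMS-backed keyset, binding the organization ID as GCM associated data is this example's choice for tenant isolation, and the 7-day grace window and restore path are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open: AES-256-GCM with a random 96-bit nonce prefixed to the output.
// The tenant ID is bound as associated data, so a record only opens under
// the organization it was written for.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// TenantStore models the envelope: one KEK (held in AWS KMS in production,
// an in-memory stand-in here) and one KEK-wrapped DEK per organization. The
// plaintext DEK exists only transiently, while a record is being processed.
type TenantStore struct {
	kek     []byte
	wrapped map[string][]byte // orgID -> wrapped DEK
}

func NewTenantStore() *TenantStore {
	return &TenantStore{kek: randBytes(32), wrapped: map[string][]byte{}}
}

// Provision generates a fresh 256-bit DEK and stores only its wrapped form.
func (s *TenantStore) Provision(orgID string) (err error) {
	s.wrapped[orgID], err = seal(s.kek, randBytes(32), []byte("dek:"+orgID))
	return err
}

func (s *TenantStore) dek(orgID string) ([]byte, error) {
	w, ok := s.wrapped[orgID]
	if !ok {
		return nil, errors.New("no key material: never provisioned or crypto-shredded")
	}
	return open(s.kek, w, []byte("dek:"+orgID))
}

// Encrypt/Decrypt wrap every tenant record; the ciphertext they return is
// what lands in PostgreSQL, DynamoDB and the backups.
func (s *TenantStore) Encrypt(orgID string, plaintext []byte) ([]byte, error) {
	dek, err := s.dek(orgID)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(orgID))
}
func (s *TenantStore) Decrypt(orgID string, ciphertext []byte) ([]byte, error) {
	dek, err := s.dek(orgID)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(orgID))
}

// CryptoShred ends the grace window: destroying the wrapped DEK leaves every
// ciphertext row, backup copies included, undecryptable by anyone, operator too.
func (s *TenantStore) CryptoShred(orgID string) {
	delete(s.wrapped, orgID)
}

func main() {
	s := NewTenantStore()
	_ = s.Provision("org-a")
	ct, _ := s.Encrypt("org-a", []byte("session transcript"))
	s.CryptoShred("org-a")
	_, err := s.Decrypt("org-a", ct)
	fmt.Println("decrypt after crypto-shred:", err)
}
```

The behaviour worth checking is that a ciphertext copied before deletion, as a backup would hold it, is unreadable once the wrapped DEK is gone, and that a shredded tenant cannot be silently revived by writing new data under its ID.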

8. How do we keep your information safe?

We implement technical and organizational measures appropriate to the risk. No electronic transmission or storage is completely secure; you use the Services at your own risk and should use a secure environment.

For customer-configured integrations (for example HTTP tools, webhooks, and retrieval of OpenAPI documents from URLs), we apply outbound URL validation and egress-oriented controls intended to reduce abuse against internal infrastructure (server-side request forgery); which targets are permitted depends on deployment settings and your organization configuration.
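Added example, not PlanVault's implementation: one shape that outbound URL validation for customer-configured HTTP tools, webhooks and OpenAPI fetches can take, in Go. The blocked ranges, the injected resolver and the optional per-organization allow-list are this example's assumptions. The two checks a reviewer looks for are that every resolved address is tested, not just the first, and that the connection is made to the validated address rather than re-resolving the hostname, since an attacker-controlled DNS answer can change between the check and the dial.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is injected so the check runs offline in tests and so the caller
// connects to exactly the addresses that were validated.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// Ranges the net.IP predicates do not cover but that must never be an egress
// target: IPv4 and IPv6 instance-metadata endpoints, shared address space
// (CGNAT / VPC-internal), the NAT64 prefix (embeds an IPv4 address), and
// "this network" (0.0.0.0/8, which Linux routes to localhost).
var blockedCIDRs = []string{"169.254.169.254/32", "fd00:ec2::254/128", "100.64.0.0/10", "64:ff9b::/96", "0.0.0.0/8"}

func isForbidden(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, c := range blockedCIDRs { // constants; parsed per call for brevity
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateEgressURL runs before a customer-configured request is dispatched:
// scheme, no embedded credentials, an optional per-organization host
// allow-list, and every resolved address outside loopback, private,
// link-local and cloud-metadata space. IPv4-mapped IPv6 literals such as
// ::ffff:127.0.0.1 are caught because net.IP's predicates unwrap them.
func ValidateEgressURL(ctx context.Context, raw string, resolve Resolver, allowedHosts map[string]bool) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials embedded in URL are not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, errors.New("empty host")
	}
	if allowedHosts != nil && !allowedHosts[host] {
		return nil, fmt.Errorf("host %q is not in the organization allow-list", host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("host %q has no addresses", host)
	}
	for _, ip := range ips {
		if isForbidden(ip) {
			return nil, fmt.Errorf("host %q resolves to forbidden address %s", host, ip)
		}
	}
	return ips, nil
}

// DialValidated connects to a validated address, never to the hostname, so a
// DNS answer that changes between check and connect (rebinding) cannot steer
// the request at an internal service. Use it as the transport's DialContext
// and re-run ValidateEgressURL from CheckRedirect on every redirect.
func DialValidated(ctx context.Context, ips []net.IP, port string) (net.Conn, error) {
	var d net.Dialer
	err := errors.New("no validated addresses to dial")
	for _, ip := range ips {
		var conn net.Conn
		if conn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port)); err == nil {
			return conn, nil
		}
	}
	return nil, err
}

func main() {
	resolve := func(ctx context.Context, host string) ([]net.IP, error) {
		return net.DefaultResolver.LookupIP(ctx, "ip", host)
	}
	_, err := ValidateEgressURL(context.Background(), "http://169.254.169.254/latest/meta-data/", resolve, nil)
	fmt.Println("metadata endpoint:", err)
}
```

A hostname whose answer mixes a public address with a private one is rejected outright rather than filtered down to the public address, because the resolver, not the platform, would otherwise decide which one the request reaches.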

9. Do we collect information from minors?

We do not knowingly collect data from or market to children under 18. If you believe we have collected such data, contact [email protected].

10. What are your privacy rights?

If you are located in the EEA, UK, or Switzerland, applicable data protection laws may grant you rights including the right to request access and obtain a copy of your personal information, rectification or erasure, restriction of processing, data portability, and objection to processing. Where applicable, you also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; if such a decision is ever made, we will inform you, explain the main factors, and offer a simple way to request human review.

Signed-in console users can export or erase their own data via GET /admin/v1/me/data-export and POST /admin/v1/me/data-erasure (a Keycloak access token in JWT form is required), as described on our Security page.

You may exercise your rights by contacting us. If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

End-users of our business customers. If you are an end-user of one of our business customers (for example you interact with an application built on PlanVault rather than hold a PlanVault account yourself), please direct your privacy requests (such as access, rectification, or deletion) to that business customer, which is the data controller for your personal data under Article 4(7) GDPR. If we receive such a request directly, we will forward it to the relevant customer and, where required, acknowledge the requester without otherwise acting on the request, consistent with our processor role under our Data Processing Agreement (https://planvault.ai/dpa).

Withdrawing your consent. If we are relying on your consent, you have the right to withdraw it at any time. Withdrawal will not affect the lawfulness of processing before its withdrawal nor, where permitted by law, processing based on legal grounds other than consent.

Account information can be reviewed or updated in account settings where available. We may retain certain information where required for fraud prevention, legal compliance, or similar purposes.

Organization-wide data portability (business customers). When an authorized member exports organization-held data as JSON, the archive supports access and portability: it typically includes authentication-provider profile fields linked to accounts where available, session and interaction history for the chosen export scope, policy and consent records, and organization membership summaries where your keys allow decryption. Cleartext integration secrets are not included as values; the exact field layout depends on export scope and role.

11. AI service providers (BYOK)

PlanVault operates on a bring your own key (BYOK) model. We do not maintain platform-owned API keys with AI service providers for customer traffic. Customer-supplied provider credentials are stored server-side encrypted under the organization DEK, and we do not send customer content to an AI provider except as routed using the customer’s credentials and configuration.

Customers choose the provider, supply API credentials, and are responsible for their contractual relationship with that provider (including applicable data processing terms). PlanVault acts as a technical intermediary routing requests through our infrastructure. Supported providers may include OpenAI, Anthropic, and Google LLC (Google Cloud AI). Your use of an AI provider is subject to that provider’s terms and privacy policy.

12. Information sources

When you authenticate with Google OAuth, Google may provide your name, email address, and profile picture. We do not collect personal information from marketing partners, affiliate programs, data brokers, or similar third-party sources.

13. Tracking and advertising

We do not serve advertisements or targeted advertising on our Services, and we do not allow third parties to use tracking technologies on our Services for advertising. Cookies and similar technologies are used for authentication, security, and essential functionality. See https://planvault.ai/cookies.

14. Sensitive data in customer payloads (processor role)

As stated above, we do not ask for or intentionally collect sensitive personal information for account management or our own marketing. However, when a business customer uses our Services (for example prompts, chat, or API payloads), content may include special categories of personal data depending on what the customer or its users submit.

Where we process such content on behalf of a business customer, we act as a data processor and process it only on documented instructions, in accordance with our Data Processing Agreement at https://planvault.ai/dpa. The customer is responsible for lawful basis, transparency, and restrictions applicable to that content.

PlanVault does not use customer runtime content to train any foundation AI model or any PlanVault-operated model used across tenants. Separately, to optimize routing performance, where the organization has not disabled the Semantic Routing Cache feature (see Section 5), PlanVault derives anonymized vector embeddings from workflow queries. These embeddings: (a) are mathematical representations that cannot be reversed to recover the original query text; (b) are strictly isolated to the submitting organization's encrypted data environment and never shared across tenants; (c) do not constitute AI model training and are not used to train any model; (d) are deleted immediately when an organization OWNER disables the Semantic Routing Cache (the same Owner-only control as in Section 5). Processing by the customer's chosen AI provider is governed by that provider's terms.

15. Updates to this Notice

We may update this Privacy Notice from time to time. The date at the top indicates the last update. We may notify you of material changes as required by law or as described in our Terms of Service (including in-product notice where applicable).

16. Contact

Privacy-specific email (preferred for data subject requests, breach notifications, and appeals): [email protected]. General email: [email protected]. Postal address: Bohdan Matviichuk, ul. Dziewanny 21/19, 20-539 Lublin, Poland.

We aim to acknowledge privacy requests within 5 business days and to provide a substantive response within 30 calendar days, extendable by up to two further months under Article 12(3) GDPR where necessary (we will inform you of the extension and the reason). Please include enough detail to verify your identity and locate your records.

17. Review, update, or delete your data

Depending on applicable law, you may request access, correction, or deletion of personal information. Self-service options may be available at https://planvault.ai/support; otherwise use the contact details in Section 16.

If you have questions about this Privacy Notice, contact us at [email protected].