Privacy Policy
Last updated: May 14, 2026
This Privacy Notice for Bohdan Matviichuk ("we," "us," or "our") describes how and why we access, collect, store, use, and/or share ("process") personal information when you use our services ("Services"), including when you visit our website at https://planvault.ai, use PlanVault.ai, or engage with us in other related ways (including marketing or events).
PlanVault is currently delivered for customer-controlled deployment of AI orchestration software, with access control, usage tracking, and runtime audit features.
Depending on the activity, we may act as a controller (for example for website visitors and account holders where we decide how and why personal data is processed) or as a processor / service provider under a separate signed customer agreement or documented customer instructions. For customer-operated deployments, the customer typically controls the infrastructure, data residency, backups, monitoring, and connected providers.
If you do not agree with our policies and practices, please do not use our Services. Questions: support@planvault.ai.
Summary of key points
This summary highlights important topics. Read the full Privacy Notice below for details.
What personal information do we process?
It depends on how you interact with us: account data, technical logs, organization and runtime data when you use the product, and support communications. See Section 1.
Do we process sensitive (special category) personal information?
We do not ask you to provide sensitive personal information for account registration or for our own marketing, and we do not intentionally collect it for those purposes. However, when a business customer uses AI orchestration features, prompts or session content may voluntarily include information that qualifies as special categories in some jurisdictions. In customer-operated deployments, the customer is responsible for deciding whether such data may be submitted and which controls apply. See Section 14.
Do we collect information from third parties?
We do not buy personal information from data brokers, marketing partners, or similar sources. When you choose to sign in with Google OAuth, Google shares limited profile data with us for authentication, as described in Section 12.
How do we process your information?
We process personal information to provide and secure the Services, communicate with you, and comply with law — only where we have a valid legal basis. See Sections 2 and 3.
When do we share personal information?
With vendors we use for our public website, support, and communications, and in other situations described in Section 4. Customer deployment vendors are selected and controlled by the customer.
How do we keep your information safe?
We use organizational and technical measures. No method of transmission or storage is 100% secure. See Section 8.
What are your rights?
Depending on your location, you may have rights such as access, rectification, erasure, restriction, portability, and objection. See Section 10.
How do you exercise your rights?
Visit https://planvault.ai/support or contact support@planvault.ai.
1. What information do we collect?
In short: We collect personal information that you provide, that is generated when you use the Services, and in limited cases from authentication providers.
Information you provide. When you register, contact us, or use the Services, you may provide names, email addresses, usernames, passwords, and contact or authentication data.
Demo and early-access requests. If you submit the "Request a Demo" or "Early Access" form at planvault.ai, we collect your name, work email, company name, and optional message. The public site sends the submission to a Cloudflare Pages Function, which validates the payload and forwards accepted requests to our Google Workspace email inbox; submissions are not stored in PlanVault databases. Your IP address is used only for spam prevention (hashed rate-limiting in the function runtime, not stored in our database). We do not add demo request submissions to marketing lists. You may request deletion of retained email correspondence by emailing privacy@planvault.ai.
Sensitive categories for our own collections. We do not ask you to provide sensitive personal information for account registration or marketing, and we do not intentionally collect it for those purposes. Runtime and session content is addressed in Section 14.
You must provide accurate information and notify us of changes where applicable.
Information collected automatically. We collect certain technical information when you visit or use the Services, such as IP address, browser and device characteristics, operating system, language, referring URLs, and usage information (for example timestamps, pages viewed, and feature usage). This helps us operate and secure the Services.
Log and usage data may include IP address, device information, browser type, activity in the Services, and diagnostic information (for example error reports).
Device data may include device and application identifiers, approximate location derived from IP, ISP or carrier, and system configuration.
Policy consent evidence. When you accept the Privacy Policy, Terms of Service, or (where applicable) the demo disclaimer in the console, we record the policy versions you accepted, the timestamp, and — alongside that row — your client IP address and User-Agent string. We rely on the CF-Connecting-IP header set by our Cloudflare Tunnel edge (with X-Forwarded-For as a fallback) and truncate the User-Agent at 512 characters. This evidence is retained only to demonstrate your consent under Article 7(1) GDPR, is shown to you in your own data export, and is deleted together with the consent record when you use the account-erasure endpoint described in Section 10.
Google APIs. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2. How do we process your information?
In short: We process personal information to provide, improve, and administer the Services, communicate with you, protect security, and comply with law.
Examples: account creation and authentication; delivering the Services; support; administrative messages about terms and policies; fraud prevention and security; vital interests where applicable; authentication and access control for organizations and projects; chat, API, and integration operations (sessions, runtime requests, history and metadata); audit logging and incident response.
3. What legal bases do we rely on?
Under the GDPR, UK GDPR, and Swiss FADP we may rely on: Consent (where we ask for it — you may withdraw); Performance of a contract; Legitimate interests (for example security, diagnostics, and organizational accountability, balanced against your rights); Legal obligation; Vital interests.
4. When and with whom do we share personal information?
We may share personal information with vendors that process data on our instructions for the public website, support, communications, and account administration, including Cloudflare for hosting and Google Workspace for demo and early-access email retention. The public planvault.ai website itself does not load any third-party analytics, consent, or embedded-policy widgets: Impressum and the Accessibility Statement are rendered as first-party pages. Vendors used inside a customer deployment are selected and assessed by the customer or their managed-service provider.
AI service providers under our bring-your-own-key (BYOK) model are not our subprocessors. Where you choose to use AI features, traffic is routed to the supported AI provider/model you configure using the API credentials you supply; we store those credentials only server-side in encrypted form under your organization DEK, and your relationship with the AI provider is governed directly by that provider's terms. See Section 11 for details.
We may also share information in connection with a business transfer (for example merger or acquisition), as required by law, or as described in this Notice.
5. Do we offer AI-based products?
Yes. Our Services include AI-related features (for example orchestration, natural language processing, and analysis).
Bring your own key (BYOK). For customer-selected AI providers, PlanVault does not maintain platform-owned provider-side API keys for customer traffic. Data sent to an AI provider is routed per the customer’s configuration using customer-supplied credentials stored encrypted under the organization DEK. Internal service credentials used to authenticate PlanVault services to self-hosted routing components are not AI-provider keys and are not shared with third-party providers. PlanVault’s relationship to that processing is described in Section 11 and Section 14; your AI provider’s terms and privacy policy apply to processing on their side.
Semantic Routing Cache. PlanVault may offer organizations a Semantic Routing Cache capability. Where the Semantic Routing Cache feature is enabled for the organization, this feature generates anonymized vector embeddings from workflow queries processed through the Services and stores them within your organization's encrypted data environment, strictly isolated to your tenant. Embedding generation uses the customer-configured BYOK embedding provider and the customer's credentials, in the same customer-controlled provider relationship described in Section 11. The stored embeddings are mathematical representations of query patterns — they are not reversible to the original query text and do not contain personally identifiable information. The stored embeddings are used exclusively to optimize workflow routing, reduce response latency, and minimize redundant calls to your AI provider, all within your organization only. This feature does not constitute AI model training; PlanVault does not use these embeddings to train any foundation model or any model used across tenants. Only an organization OWNER may disable the organization-wide Semantic Routing Cache in the product (Owner-only control accessible from the organization's settings); disabling triggers immediate deletion of all stored vector embeddings for that organization. This processing is based on our legitimate interests in providing an efficient and performant service (GDPR Art. 6(1)(f)), balanced against your right to object (Art. 21), which is exercisable via that control.
Personal data processed through AI features is handled in line with this Privacy Notice where we control the processing, and otherwise under the customer's documented deployment choices and any separate signed agreement that applies.
6. Is your information transferred internationally?
Customer production deployments follow the customer's infrastructure choices. Data residency, transfer mechanism, vendor selection, and supplementary measures depend on where the customer runs PlanVault and which external providers the customer connects.
For our own public website, support, and communications tooling, transfers outside the EEA are governed by the vendor contracts and safeguards applicable to those services.
7. How long do we keep your information?
We retain personal information only as long as necessary for the purposes in this Notice, unless a longer period is required or permitted by law. Retention may depend on your account, organization settings, and backup processes. When retention ends, we delete or anonymize data where possible, or isolate it until deletion is feasible (for example in backups).
Organization-level deletion (business customers). When an authorized administrator deletes an organization through the product, the organization enters a 7-day grace window during which it is invisible to all users but may be restored by us on the customer's written request. At the end of the grace window, deletion is finalized by crypto-shred: the organization-specific encryption key is permanently deleted and tenant records are purged, so any residual content (including in short-rotation backups) becomes unrecoverable. This grace window applies only to whole-organization deletion; individual data-subject erasure requests remain immediate and are not subject to it.
8. How do we keep your information safe?
We implement technical and organizational measures appropriate to the risk. No electronic transmission or storage is completely secure; you use the Services at your own risk and should use a secure environment.
For customer-configured integrations (for example HTTP tools, webhooks, and retrieval of OpenAPI documents from URLs), we apply outbound URL validation and egress-oriented controls intended to reduce abuse against internal infrastructure; which targets are permitted depends on deployment settings and your organization configuration.
9. Do we collect information from minors?
The Services are intended for business use by adults acting in a professional capacity (see Terms of Service intro and Section 3). When acting as a controller for our own website visitors and account holders, we do not knowingly process personal information of children below the applicable age of digital consent under Article 8(1) GDPR (typically 16 in Poland under Article 4(1) of the Polish Data Protection Act of 10 May 2018; the threshold varies between 13 and 16 across other Member States). Where a business customer's integration involves end-users below that age, the customer (acting as controller for those end-users) is responsible for obtaining and verifying parental consent under Article 8(1) GDPR before submitting such personal data through the Services. If you become aware that personal information of a child has been submitted contrary to this paragraph, contact privacy@planvault.ai.
10. What are your privacy rights?
If you are located in the EEA, UK, or Switzerland, applicable data protection laws may grant you rights including the right to request access and obtain a copy of your personal information, rectification or erasure, restriction of processing, data portability, and objection to processing. PlanVault, in providing the Services, does not make decisions based solely on automated processing that produce legal or similarly significant effects on you (Article 22(1) GDPR). Where a business customer configures workflows on the Services that result in such decisions, that customer is the controller of the resulting decision-making and is responsible for the Article 22 safeguards (meaningful information about the logic involved, the right to obtain human intervention, the right to express a point of view, and the right to contest the decision) toward the affected data subjects. If you are an end-user of such a customer integration, please direct your Article 22 request to that customer.
Signed-in console users may perform self-service export or erasure via the Account section of the admin console (Export my data and Delete my data controls) or via the documented admin API endpoints described on our Security page.
You may exercise your rights by contacting us. Under Article 77 GDPR, if you are located in the EEA and you believe we are unlawfully processing your personal information, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority under Article 56 GDPR is the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl. If you are located in the UK, you may also contact the ICO (Information Commissioner's Office). If you are located in Switzerland, you may contact the FDPIC (Federal Data Protection and Information Commissioner).
End-users of our business customers. If you are an end-user of one of our business customers (for example you interact with an application built on PlanVault rather than hold a PlanVault account yourself), please direct your privacy requests (such as access, rectification, or deletion) to that business customer, which is typically the controller for your personal data under Article 4(7) GDPR. If we receive such a request directly, we will forward it to the relevant customer where we can identify them and where required.
Withdrawing your consent. If we are relying on your consent, you have the right to withdraw it at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal nor, where permitted by law, processing based on legal grounds other than consent.
Account information can be reviewed or updated in account settings where available. We may retain certain information where required for fraud prevention, legal compliance, or similar purposes.
Organization-wide data portability (business customers). When an authorized member exports organization-held data as JSON, the archive supports access and portability: it typically includes authentication-provider profile fields linked to accounts where available, session and interaction history for the chosen export scope, policy and consent records, and organization membership summaries where your keys allow decryption. Cleartext integration secrets are not included as values; the exact field layout depends on export scope and role.
11. AI service providers (BYOK)
PlanVault operates on a bring your own key (BYOK) model. We do not maintain platform-owned provider-side API keys with AI service providers for customer traffic. Customer-supplied provider credentials are stored server-side encrypted under the organization DEK, and we do not send customer content to an AI provider except as routed using the customer’s credentials and configuration. Internal credentials for self-hosted routing components are not AI-provider keys.
Customers choose the supported provider/model, supply API credentials, and are responsible for their contractual relationship with that provider (including applicable data processing terms). PlanVault acts as a technical intermediary/proxy routing requests through our infrastructure. Your use of an AI provider is subject to that provider’s terms and privacy policy.
12. Information sources
When you authenticate with Google OAuth, Google may provide your name, email address, and profile picture. We do not collect personal information from marketing partners, affiliate programs, data brokers, or similar third-party sources.
13. Tracking and advertising
We do not serve advertisements or targeted advertising on our Services, and we do not allow third parties to use tracking technologies on our Services for advertising. Cookies and similar technologies are used for authentication, security, functional UI customization that you explicitly request by using in-product controls (theme, locale, density, accessibility preferences), and authenticated-console functional state (sidebar layout, navigation history, onboarding dismissals). These functional preferences can be reset at any time in /app/settings/preferences and are not used for tracking or advertising. See https://planvault.ai/cookies.
14. Sensitive data in customer payloads (processor role)
As stated above, we do not ask for or intentionally collect sensitive personal information for account management or our own marketing. However, when a business customer uses our Services (for example prompts, chat, or API payloads), content may include special categories of personal data depending on what the customer or its users submit.
Where such content is processed in a customer-operated deployment, the customer is responsible for lawful basis, transparency, documented instructions, and restrictions applicable to that content. PlanVault provides technical controls for encryption, retention, export, and erasure, but those controls do not replace the customer's legal process.
PlanVault does not use customer runtime content to train any foundation AI model or any PlanVault-operated model used across tenants. Separately, to optimize routing performance, where the Semantic Routing Cache feature is enabled for the organization (see Section 5), PlanVault derives anonymized vector embeddings from workflow queries through the customer-configured BYOK embedding provider using the customer's credentials. These stored embeddings: (a) are mathematical statistical representations that cannot be reversed to recover the original query text; (b) are strictly isolated to the submitting organization's encrypted data environment and never shared across tenants; (c) do not constitute AI model training and are not used to train any model; (d) are deleted immediately when an organization OWNER disables the Semantic Routing Cache (same Owner-only control as Section 5). Processing by the customer's chosen AI provider is governed by that provider's terms.
15. Updates to this Notice
We may update this Privacy Notice from time to time. The date at the top indicates the last update. We may notify you of material changes as required by law or as described in our Terms of Service (including in-product notice where applicable).
16. Contact
Privacy-specific email (preferred for data subject requests, breach notifications, and appeals): privacy@planvault.ai. General email: support@planvault.ai. Postal address: Bohdan Matviichuk, ul. Dziewanny 21/19, 20-539 Lublin, Poland.
Inbound vs. outbound mail addresses. Users may write to us at privacy@planvault.ai (data-subject requests, breach inquiries, appeals), legal@planvault.ai (Digital Services Act notices — see Terms of Service Section 29), security@planvault.ai (vulnerability reports, encrypted-evidence requests), or support@planvault.ai (general). Outgoing operational and lifecycle notifications — including account verification, password reset, organization-membership invites, retention warnings, GDPR Article 34 personal-data-breach notifications, and DSA Article 17 statements of reasons — are sent from notifications@planvault.ai. Personalised support correspondence comes from support@planvault.ai. Always verify the sender domain (@planvault.ai) and treat email from other domains claiming to be PlanVault as suspicious.
We aim to acknowledge privacy requests within 5 business days and to provide a substantive response within 30 calendar days, extendable by up to 60 additional days under Article 12(3) GDPR where necessary (we will inform you of the extension and the reason). Please include enough detail to verify your identity and locate your records.
17. Review, update, or delete your data
Depending on applicable law, you may request access, correction, or deletion of personal information. Self-service options may be available at https://planvault.ai/support; otherwise use the contact details in Section 16.
If you have questions about this Privacy Notice, contact us at privacy@planvault.ai.