Plandek Application

Plandek Ltd. · Last Updated: 1 May 2026

Scope of this Notice

This Privacy Policy describes how Plandek Ltd. ("Plandek," "we," "our," or "us") handles personal data in connection with the Plandek application available at dashboards.plandek.com (the "Application") and related product services.

It applies to:

• Authenticated users of the Application ("End Users")

• Account administrators acting on behalf of a Plandek customer

• Other individuals whose personal data is processed in the course of operating, supporting, securing, or billing for the Application

If you are visiting our public website or interacting with our marketing or sales activities, please refer to our separate Website Privacy Policy, which governs that processing.

1.0 Introduction

Plandek provides engineering analytics that ingest data from a customer's software delivery toolchain (such as version control, ticketing, and CI/CD systems) and surface insights to authorised users within the customer's organisation. Plandek Ltd. is registered in the United Kingdom and operates from offices in London, UK and North Carolina, US, with a remote-first workforce.

Our Role: Controller and Processor

Our role under data protection law depends on the data in question:

• Customer Data (Plandek as Processor). Personal data ingested into the Application from a customer's connected systems, or otherwise uploaded by a customer or its End Users, is processed by Plandek as a processor on behalf of the customer (the "Controller"). This includes, for example, names and email addresses associated with code commits, issue assignees, reviewers, and similar engineering metadata. Plandek processes such data only on the documented instructions of the customer, in accordance with the Data Processing Agreement (DPA) entered into with the customer.

  If your personal data appears in the Application because your employer or another organisation is a Plandek customer, please direct privacy questions and requests to that organisation. Plandek will support customers in responding to your requests as required under the DPA.

• Account Data (Plandek as Controller). Plandek acts as a controller of personal data we process for our own purposes in operating the Application, such as account administration, authentication, support interactions, billing, security monitoring, fraud prevention, audit logging, and product analytics performed at an aggregated or pseudonymised level. This notice describes that controller-side processing.

For details of the technical and organisational measures we apply to all personal data processed within the Application, please see our Technical and Organisational Measures (TOM), available on request and provided as part of customer DPAs.

2.0 Personal Data We Process as Controller

2.1 Account and Administrator Data

When a customer registers for the Application, or when an administrator creates additional accounts, we collect:

• Name and business email address of the administrator and other End Users

• Authentication credentials and identifiers (managed via our authentication provider)

• Role and permissions assigned within the customer account

• Billing contact information and, where applicable, billing address (payment card data is handled by our payment processor and not stored by Plandek)

2.2 Support and Communications

When you contact Plandek for support, raise a question, or provide feedback, we may collect:

• The contents of the support request and any attachments you choose to share

• Contact details (name, email address, telephone number)

• Records of our communications with you

2.3 Authentication, Security, and Audit Data

We collect technical and audit data to operate, secure, and monitor the Application, including:

• Authentication events (sign-ins, sign-in attempts, multi-factor authentication events)

• IP address, user agent, device characteristics, and approximate location

• Audit logs of administrative actions and access to data within the Application

• Logs and telemetry generated by the Application's infrastructure components

2.4 Product Telemetry

We collect information about how the Application is used, including pages viewed, features used, and performance characteristics. Where feasible, we minimise, aggregate, or pseudonymise this data and use it to operate, troubleshoot, and improve the Application. We do not use this telemetry to build profiles of individual End Users for advertising purposes.

3.0 How We Use Personal Data (Controller-Side)

We use the personal data described above for the following purposes:

• Provide, maintain, and operate the Application

• Authenticate users and manage access

• Provide customer support and respond to enquiries

• Bill customers and manage subscriptions

• Monitor, secure, and audit the Application against unauthorised access, abuse, fraud, and other security incidents

• Detect, investigate, and respond to security incidents and policy violations

• Maintain audit logs as required by our security and compliance commitments

• Improve the Application, troubleshoot issues, and develop new features

• Communicate operational matters such as service updates, security notices, scheduled maintenance, and changes to terms or policies

• Comply with legal, regulatory, and contractual obligations

• Establish, exercise, or defend legal claims

We do not use Customer Data for our own commercial purposes outside the scope of providing the Application, and we do not sell personal data.

4.0 How We Share Personal Data

4.1 Sub-Processors

To deliver the Application, we engage a limited number of trusted sub-processors. Each sub-processor is bound by written terms requiring confidentiality, security, and processing of personal data only on Plandek's documented instructions.

The current sub-processors used to deliver the Application are listed in our Sub-Processor Register, available on request and as referenced in customer DPAs. Core sub-processors include:

We provide advance notice of changes to our sub-processors in accordance with the terms of customer DPAs.

4.2 Customers and Other End Users

Within a customer's account, personal data may be visible to other End Users of that account in accordance with the access permissions configured by the customer. Plandek does not control which users a customer grants access to.

4.3 Professional Advisors

We may share personal data with auditors, legal advisors, accountants, and other professional advisors under appropriate confidentiality obligations.

4.4 Legal Disclosures

We may disclose personal data where required to comply with applicable law, regulation, legal process, or enforceable governmental request. Where we receive a request that relates to Customer Data, we will, where lawful and practicable, redirect the requester to the customer and notify the affected customer in line with our DPA commitments.

4.5 Change in Control

If Plandek is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. Any successor entity will be required to handle the data in accordance with this notice or to provide notice and choice before any materially different use.

5.0 How We Secure Personal Data

We are committed to protecting personal data processed within the Application. Our security programme includes:

• Encryption of data in transit and at rest

• Strong authentication, role-based access controls, and least-privilege principles

• Network segmentation, monitoring, and intrusion detection

• Vulnerability management and secure development practices

• Vendor risk management for sub-processors and other third parties

• Incident response, business continuity, and disaster recovery procedures

• Regular reviews and independent assessments aligned to recognised security frameworks

Full details are set out in our Technical and Organisational Measures (TOM), provided to customers under our DPA.

6.0 Your Rights

Subject to applicable law, you have the following rights in relation to personal data we hold about you:

• Access: request confirmation of whether we process your personal data and a copy of that data

• Rectification: ask us to correct inaccurate or incomplete data

• Erasure: ask us to delete your personal data

• Restriction: ask us to limit how we use your personal data

• Objection: object to our processing of your personal data

• Portability: receive a copy of certain personal data in a structured, machine-readable format

• Withdraw consent: where we rely on consent, withdraw it at any time

Where you are an End User of the Application and your personal data was provided to Plandek by your employer or another customer, Plandek processes that data as a processor. In that case, please direct your request to your employer or the relevant customer; we will support them in responding as required under the DPA. For account-level data we control (such as your administrator credentials or support correspondence), please contact us directly.

We do not make decisions about you using solely automated processing that produces legal or similarly significant effects.

To exercise any of these rights in relation to data we control, please contact privacy@plandek.com. You also have the right to lodge a complaint with the supervisory authority in your country. In the UK, this is the Information Commissioner's Office (ICO).

7.0 How Long We Keep Personal Data

We retain personal data for as long as necessary to deliver the Application, fulfil the purposes described in this notice, and comply with our legal, regulatory, and contractual obligations.

• Account and authentication data is retained for the duration of the customer's subscription and a defined period thereafter, after which it is deleted or anonymised in accordance with our DPA commitments.

• Audit logs and security telemetry are retained for the periods required to support our security and compliance obligations.

• Support records are retained for as long as needed to provide effective ongoing support and meet legal obligations.

• Customer Data processed as processor is retained, deleted, and returned in accordance with the customer's instructions and the DPA.

When personal data is no longer required, we delete it or anonymise it.

8.0 International Data Transfers

Plandek operates from offices in the United Kingdom and the United States, with a remote-first workforce. The Application is hosted in the European Union, and certain sub-processors process limited personal data outside the EU/UK as identified in the table in section 4.1.

Where we transfer personal data internationally, we rely on appropriate safeguards required under applicable law, including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, the UK Addendum, and applicable adequacy decisions. Copies of the relevant safeguards are available on request from privacy@plandek.com.

9.0 Lawful Bases (UK/EEA)

Where UK GDPR or EU GDPR applies and Plandek acts as controller, we rely on the following lawful bases:

• Contract: to provide the Application to our customers and the End Users they authorise.

• Legitimate interest: to operate, secure, monitor, and improve the Application; to maintain audit logs; to detect and respond to security incidents and abuse; and to communicate with our customers and their administrators about the service.

• Legal obligation: to comply with applicable laws and regulatory obligations, including financial record keeping and responding to lawful requests from authorities.

• Consent: for any limited processing where we ask for it specifically.

For Customer Data processed as processor, the customer (as controller) is responsible for identifying the lawful basis under which they upload, process, and direct us to process such data.

10.0 Children

The Application is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have collected such data, please contact us so we can delete it.

11.0 Changes to this Notice

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this notice will reflect the most recent revision. Where a change materially affects how we process personal data, we will notify customer administrators in advance through the Application or by email.

12.0 Contact

For privacy questions, requests, or complaints relating to the Application, please contact:

Plandek Ltd.
Email: privacy@plandek.com

For support questions, please contact support@plandek.com.

Appendix A — Information for Individuals in the UK, EU, EEA, and Switzerland

For personal data described in this notice that Plandek processes as controller, Plandek Ltd. is the controller. Lawful bases are described in section 9.0.

For personal data Plandek processes as processor on behalf of a customer, the customer is the controller. Please direct privacy requests relating to such data to the customer (typically your employer or the organisation that granted you access to the Application).

You have the rights set out in section 6.0. You may also lodge a complaint with your local supervisory authority. Contact details for EU data protection authorities are available at edpb.europa.eu; in the UK, complaints can be made to the Information Commissioner's Office.

International transfers are addressed in section 8.0.

Appendix B — Information for Individuals in California

This appendix supplements the notice with information required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

Plandek's Role

In most cases, personal information processed within the Application on behalf of a Plandek customer is processed by Plandek as a service provider to that customer under the CCPA. Plandek does not retain, use, or disclose such information for any purpose other than the specific business purpose of providing the Application as set out in our agreements with customers.

For account-level data Plandek processes as a controller (such as administrator credentials, billing contacts, and support records), the following provisions apply.

Categories of Personal Information

In the previous twelve months, we have collected the following categories of personal information about End Users and administrators:

• Identifiers (e.g., name, business email address, IP address)

• California Customer Records (e.g., business contact details, job title)

• Internet or other electronic network activity (e.g., authentication events, page interactions, device information)

• Geolocation data (approximate, derived from IP address)

• Professional and employment information (e.g., role within the customer organisation)

We do not knowingly collect sensitive personal information about California consumers within the Application beyond authentication credentials necessary to provide the service.

Sources, Purposes, and Recipients

Sources, purposes of use, and recipient categories are described in sections 2.0, 3.0, and 4.0.

California Rights

Subject to verification and applicable exceptions, California residents may:

• Request to know the categories and specific pieces of personal information collected, the sources, the purposes, and the categories of recipients

• Request deletion of personal information

• Request correction of inaccurate personal information

• Opt out of the sale or sharing of personal information for cross-context behavioural advertising

• Limit the use and disclosure of sensitive personal information

• Be free from discrimination for exercising these rights

We do not sell personal information, and we do not share personal information for cross-context behavioural advertising in connection with the Application.

How to Exercise California Rights

Submit a request to privacy@plandek.com. We will need to verify your identity using information we already hold about you. You may use an authorised agent; we will require written authorisation and may contact you to confirm.

If you are an employee or former employee of a Plandek customer, please direct your request to your employer or former employer (the controller of your personal information within the Application).