Legal
Privacy Policy
- Effective
- May 20, 2026
- Last updated
- May 20, 2026
This Privacy Policy describes how APIDLY LTD (a company registered in England and Wales under number 17042735), which operates the Planoda product ("we", "us"), collects, uses, and discloses information when you use our Service. APIDLY LTD is the data controller for personal data processed about your account. We believe privacy is a feature, not a footnote.
1. Information we collect
- Account information — name, email address, and profile photo, handled through our authentication provider (Clerk).
- Workspace content — issues, comments, files you upload, and metadata required to operate the Service (timestamps, authorship, references).
- Telemetry — request IDs, timing data, error payloads (with PII scrubbed before transmission to Sentry).
- Payment data — handled by Stripe; we receive only a tokenized reference, never the full card number.
2. How we use it
We use your data to provide the Service, prevent abuse, improve reliability, fulfil legal obligations, and communicate about your account. We do not sell your data, and we do not use it for advertising.
3. AI processing
When AI features are enabled, prompts and outputs are routed through the Vercel AI Gateway. Model providers (currently Anthropic and OpenAI) may temporarily process your text to generate responses; their retention policies are bound by zero-retention enterprise terms. We do not use your data to train models and do not share your content with providers for training purposes.
4. Data retention
We retain workspace content as long as your account is active. Upon deletion we purge from primary, replicas, and object storage within 30 days. Audit logs are retained for 12 months for compliance. Backups roll out of point-in-time recovery within 30 days.
5. Your rights
EU, UK, and California residents may request access, correction, deletion, or portability of their personal data at any time by emailing privacy@planoda.com. We respond within 30 days. You may also lodge a complaint with your local data-protection authority.
6. Cookies & telemetry
We use first-party session cookies for authentication and a small set of first-party preference cookies (theme, sidebar collapse). We do not use third-party advertising cookies and we do not load tracking pixels.
7. Sub-processors
We use Vercel (hosting), Neon (database), Clerk (authentication), Stripe (billing), Backblaze B2 (object storage), Upstash Redis (caching, rate limits), Anthropic / OpenAI via Vercel AI Gateway (AI), Resend (transactional email), and Sentry (observability). Real-time collaboration, background jobs and agent workflow orchestration run on infrastructure we operate ourselves, not a third-party processor. A current list with location and purpose is available at /legal/dpa.
8. International transfers
Workspace data is hosted in US-East by default; EU-West is available on Business and Enterprise plans. Where personal data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor) incorporated into our DPA.
9. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
10. Contact
Privacy questions or rights requests: privacy@planoda.com. Our registered address is APIDLY LTD, 82a James Carter Road, Mildenhall, Bury St Edmunds, Suffolk, IP28 7DE, United Kingdom (company number 17042735).