This Privacy Policy describes how Plugantic ("we", "us", "our") collects, uses, stores, and protects information when you access or use our website, APIs, dashboard, and related services (collectively, the "Service"). We are committed to protecting your privacy and handling your personal data responsibly, in compliance with applicable data protection regulations including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Privacy Principles
Plugantic is built on the principles of privacy by design and data minimization. We believe your data belongs to you, and we process it only to the extent necessary to provide, secure, and improve the Service.
Our core commitments:
- We do not use advertising trackers or sell personal data to third parties, ever.
- We do not share your personal information with data brokers or marketing networks.
- We collect only the minimum data required for the purposes described in this policy.
- We apply industry-standard security measures to protect all data we process.
2. Data We Collect
We collect and process the following categories of data depending on how you interact with the Service:
Account data: name, email address, organization name, and billing information provided during registration or subscription.
Authentication data: login timestamps, IP addresses at login, session tokens, MFA enrollment status, password reset events, and — if you sign in with Google — your Google account identifier, name, and profile picture as provided by Google Identity Services.
Service usage data: API request metadata (endpoints called, response codes, latency), dashboard interactions, feature usage patterns, and error diagnostics.
Device and browser data: browser type, operating system, screen resolution, language preferences, and referring URL — collected automatically via standard HTTP headers.
Support data: communications with our support team, including email content, ticket history, and any attachments you provide.
Payment data: processed by our third-party payment processor. We do not store full credit card numbers on our servers.
3. How We Use Your Data
We use the data we collect for the following purposes:
Account provisioning: to create and manage your account, authenticate your identity, and process subscriptions.
Service delivery: to route API requests, enforce rate limits, and deliver the features you have subscribed to.
Security and abuse prevention: to detect and respond to unauthorized access, suspicious activity, and potential abuse of the platform.
Operational monitoring: to maintain service reliability, diagnose technical issues, and measure system performance.
Product improvement: to analyze aggregated usage patterns and inform feature development decisions. Individual-level data is never used for this purpose without anonymization.
Communication: to send transactional emails (confirmations, alerts, billing), product updates, and security notifications. You can opt out of non-essential communications at any time.
Legal compliance: to comply with applicable laws, regulations, legal processes, or governmental requests.
4. Data Sharing
We do not sell, rent, or trade your personal data. We may share limited data with the following categories of trusted third parties, solely to operate and improve the Service:
Infrastructure providers: cloud hosting, CDN, and database services that store and process data on our behalf under strict contractual obligations.
Payment processors: to handle billing and subscription management. They receive only the data necessary to process transactions.
Authentication providers: if you choose to sign in with Google, your authentication request is processed through Google Identity Services. We receive only your Google account identifier, email, name, and profile picture. Google's handling of your data is governed by Google's Privacy Policy.
Analytics tools: aggregated and anonymized usage metrics to understand platform performance. No personally identifiable information is shared.
Legal authorities: when required by applicable law, regulation, subpoena, court order, or governmental request.
All third-party processors are contractually bound to handle your data in accordance with this Privacy Policy and applicable data protection laws.
5. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. Specific retention periods:
Account data: retained for the lifetime of your account plus 30 days after deletion to allow for recovery.
Authentication logs: retained for 12 months for security audit purposes.
API usage logs: retained for 90 days in identifiable form, then aggregated and anonymized for long-term analytics.
Support communications: retained for 24 months after resolution for quality and reference purposes.
Billing records: retained for the period required by applicable tax and accounting regulations (typically 7 years).
When data is no longer needed, it is securely deleted or irreversibly anonymized.
6. Data Security
We implement technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege policies for internal systems
- Multi-factor authentication for administrative access
- Regular security assessments, vulnerability scanning, and penetration testing
- Incident response procedures with defined escalation and notification protocols
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users in the event of a data breach as required by applicable law.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of access: obtain confirmation of whether we process your data and request a copy of it.
Right to rectification: request correction of inaccurate or incomplete personal data.
Right to erasure: request deletion of your personal data, subject to legal retention requirements.
Right to restrict processing: request limitation of processing in certain circumstances.
Right to data portability: receive your data in a structured, commonly used, machine-readable format.
Right to object: object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@plugantic.com. We will respond within 30 days and may require identity verification before processing your request.
8. International Data Transfers
Plugantic is based in France. If you access the Service from outside the European Economic Area (EEA), your data may be transferred to and processed in countries that may not provide the same level of data protection as your jurisdiction.
When transferring data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions, to ensure your data receives an equivalent level of protection.
9. Contact and Data Protection Officer
For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
Email: hello@plugantic.com
Data Protection Officer: dpo@plugantic.com
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).