Privacy Policy
Last updated: February 2026
The short version: We collect only what we need to run Pland. We don’t sell your data, use it for advertising, or share it with third parties for their own purposes. Your organisation’s data is isolated from every other customer. You can export or delete it at any time.
Who we are
Pland is operated by PL& Ltd, registered in England and Wales. For the purposes of UK GDPR, we are the data controller for website visitor data and the data processor for customer organisation data entered into the Service.
Contact: hello@plandforecast.com
What we collect and why
| When | What we collect | Why | Legal basis |
|---|---|---|---|
| You visit the website | Page views, device type, approximate location (country level) | Understand how people find and use the site | Legitimate interest |
| You request pricing | Email address, firm size | Send pricing, follow up, book a demo | Legitimate interest (pre-contractual enquiry) |
| You subscribe | Name, email, organisation name, billing details | Provide the Service, manage billing, communicate updates | Contract performance |
| You use Pland | Data you enter: people, projects, allocations, rates | Operate the Service | Contract performance |
| You contact support | Email content, any attachments | Resolve your query | Legitimate interest |
How we protect your data
All data is encrypted in transit (TLS) and at rest. Each organisation’s data is isolated at the database level using row-level security. No organisation can access another’s data, even in the event of an application error.
Access to production systems is restricted to essential personnel. We maintain audit logs of data changes within the Service.
Where your data is stored
Pland uses the following sub-processors:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Vercel | Application hosting | EU / US edge |
| Resend | Transactional email | US |
Where data is processed outside the UK, appropriate safeguards are in place (Standard Contractual Clauses or UK adequacy decisions).
How long we keep your data
- Website analytics: Aggregated, no personal identifiers retained beyond session
- Pricing requests: Until you ask us to delete, or 24 months without engagement
- Subscriber data: Duration of subscription plus 30 days for export
- Backups: Purged within 90 days of account deletion
- Support correspondence: 24 months after resolution
Your rights
Under UK GDPR, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your data (subject to legal obligations)
- Restriction: ask us to limit how we process your data
- Portability: receive your data in a structured, machine-readable format
- Object: object to processing based on legitimate interest
To exercise any of these rights, email hello@plandforecast.com. We’ll respond within 30 days.
Cookies
We use two types of cookies:
- Essential cookies: required for the Service to function (authentication, session management). You can’t opt out of these and still use Pland.
- Analytics cookies: anonymous usage data to understand how people use the site. You can opt out of these without affecting functionality.
We don’t use advertising cookies or tracking pixels. We don’t allow third parties to set cookies through our site for their own purposes.
Children
Pland is a business tool for professional consultancies. We don’t knowingly collect data from anyone under 18. If you believe we have, please contact us and we’ll delete it promptly.
Changes to this policy
We may update this policy from time to time. If we make material changes, we’ll notify subscribers by email. The “last updated” date at the top reflects the most recent revision.
Complaints
If you’re not happy with how we’ve handled your data, please contact us first at hello@plandforecast.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.