Privacy Policy
This policy explains what personal data PlanOps collects, why we collect it, how it is stored and processed, and how you can exercise your rights. It applies to the PlanOps website, web application, mobile applications (iOS and Android), and API.
Last updated: 2 April 2026 · Effective from: 2 April 2026
1. Who we are
PlanOps is a trading name of PlanOps Ltd, a company registered in England and Wales. We are the data controller for personal data processed through our platform. For the purposes of UK GDPR, our contact details are:
- Email: privacy@planops.ai
- Website: planops.ai
2. Data we collect
2.1 Account information
When you create a PlanOps account (authenticated via our identity provider, Clerk), we collect your name, email address, and any optional profile details you choose to provide such as phone number, job title, company, department, location, biography, avatar image, and social profile links.
2.2 Organisation information
If you create or join an organisation, we store the organisation name, address, phone number, email, website, and logo.
2.3 Device and technical information
We collect standard technical data when you use our services, including your IP address, browser or app user-agent string, operating system, device type, screen resolution, and referring URL. On mobile devices this may also include device model and OS version. We do not use device fingerprinting or cross-site tracking.
2.4 Usage analytics
We use PostHog to understand how people use PlanOps. Analytics events record which features you interact with, page views, session duration, and similar behavioural data. Events are associated with your account identifier. We also use Zoho PageSense on our marketing website — a privacy-respecting, fully GDPR-compliant analytics service.
2.5 Push notification tokens
If you enable push notifications on the mobile app, we store the device push token provided by Apple (APNs) or Google (FCM) so we can deliver notifications you have opted into. You can revoke this at any time via your device settings or the in-app notification preferences.
2.6 Photographs and files
If you use features that involve uploading photographs (for example, site capture or document attachment), those files are stored securely in Cloudflare R2 object storage. File metadata (filename, size, content type) is recorded alongside the upload.
2.7 Location data
PlanOps may process location data in two ways. First, you can manually enter project or meeting locations, which are geocoded via Geoapify to provide map and routing functionality. Second, if you grant the mobile app location permission, we may use your device location for on-site features. Location permission is optional and can be revoked in your device settings at any time. We do not track your location in the background.
2.8 Payment and billing data
Subscription payments are processed by Stripe. We store your Stripe customer identifier, subscription status, and invoice metadata, but we do not store full card numbers or bank account details — Stripe handles that directly under PCI-DSS compliance.
2.9 Support interactions
If you contact support or use the in-app help assistant, we store the conversation history, any error context shared automatically (such as the page you were on and your user-agent), and your feedback rating.
2.10 Marketing attribution
When you sign up, we may record the referring URL, UTM campaign parameters, landing page, and referral code so we can understand which channels bring users to PlanOps. This data is stored alongside your account.
3. How we use your data
We process personal data for the following purposes:
- Providing and improving our services — authenticating your identity, delivering platform functionality, generating AI-powered insights, and improving our product based on aggregated usage patterns.
- Communication — sending transactional emails (via Resend), push notifications, and in-app messages related to your account, projects, and tasks.
- Billing — managing subscriptions and processing payments through Stripe.
- Security and fraud prevention — monitoring for unauthorised access, logging errors via Sentry, and protecting the integrity of our platform.
- Legal compliance — meeting our obligations under UK law, including tax, health and safety, and data protection requirements.
- Marketing — with your consent, sending product updates and promotional communications. You can unsubscribe at any time.
4. Lawful bases for processing
Under UK GDPR, we rely on the following lawful bases:
- Contract performance (Article 6(1)(b)): processing that is necessary to provide the services you have signed up for.
- Legitimate interests (Article 6(1)(f)): platform improvement, security monitoring, fraud prevention, and aggregated analytics — where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): where we are required to process data to comply with UK law (for example, HMRC record-keeping).
- Consent (Article 6(1)(a)): marketing communications and optional features. Consent can be withdrawn at any time.
5. How and where data is stored
Application data is served via our API at api.planops.ai and stored in MongoDB Atlas, hosted within data centres that comply with ISO 27001 and SOC 2. Uploaded files (documents, photographs) are stored in Cloudflare R2 object storage. All data in transit is encrypted with TLS 1.2 or higher, and data at rest is encrypted using AES-256. Our web application and API are served through Cloudflare, which provides DDoS protection and edge caching.
Where data is transferred outside the UK (for example, to cloud infrastructure providers), we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms recognised by the ICO.
6. Third-party services
We share personal data only with service providers who need it to deliver our platform. Each provider is bound by a data processing agreement.
| Provider | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication & identity | Name, email, user ID |
| PostHog | Product analytics | User ID, feature events, session data |
| Cloudflare (incl. R2) | Hosting, CDN, file storage | IP address, uploaded files |
| Stripe | Payments & billing | Customer ID, subscription details |
| Resend | Transactional email | Email address, message content |
| Sentry | Error monitoring | User ID, error context, user-agent |
| MongoDB Atlas | Database hosting | All application data (encrypted) |
| Geoapify / Mapbox | Geocoding & maps | Location strings (no personal identifiers) |
| Zoho PageSense | Marketing website analytics | Page views, session data (anonymised) |
We do not sell your personal data to any third party. We do not use your project data to train AI models — see our AI Data Use Policy for full details.
7. Data retention and deletion
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Retention periods vary by data type, taking into account the legal obligations specific to the UK construction industry.
7.1 Retention periods
| Data category | Retention period | Reason |
|---|---|---|
| Account profile data | Duration of account + 30 days | Service delivery; grace period for reactivation |
| Project documentation & construction records | 15 years after project completion | Limitation Act 1980 — latent defect claims in construction can be brought up to 15 years after the act or omission (s.14B); aligns with standard professional indemnity insurance run-off |
| Health & safety files (CDM 2015) | Life of the structure | CDM 2015 Regulation 12(5) requires the health and safety file to be kept for as long as the structure exists and passed to subsequent owners |
| Financial and billing records | 6 years + current tax year | HMRC requirements; Companies Act 2006 s.386 |
| Contracts and agreements (executed under seal) | 12 years after expiry | Limitation Act 1980 s.8 — deeds have a 12-year limitation period |
| Contracts and agreements (simple contracts) | 6 years after expiry | Limitation Act 1980 s.5 — simple contract limitation period |
| Usage analytics events | 90 days (detailed); aggregated data kept longer | Product improvement; individual events pruned automatically |
| Error and support logs | 12 months | Debugging and service improvement |
| Marketing attribution data | 24 months | Campaign performance analysis |
| Push notification tokens | Until revoked or app uninstalled | Required to deliver notifications |
Where you are an organisation administrator, please note that deleting your personal account does not automatically delete project data that may be subject to the longer construction-industry retention periods above. We can help you understand which data falls into which category — contact privacy@planops.ai.
7.2 Deletion and account closure
You may request deletion of your personal data at any time by emailing privacy@planops.ai or using the "Delete my account" option in your account settings. Upon receiving a verified deletion request, we will:
- Delete or anonymise your personal profile data within 30 days.
- Remove your push notification tokens, analytics identifiers, and marketing attribution data.
- Revoke your authentication credentials with Clerk and invalidate all active sessions.
- Retain any data we are legally required to keep (as set out in the table above), clearly marking it as belonging to a deleted account with access restricted to compliance purposes only.
We will confirm completion of the deletion by email within 30 days. If you believe we have not acted on your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you (subject access request).
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data, subject to legal retention obligations.
- Portability — receive your data in a structured, commonly used, machine-readable format (CSV or JSON).
- Restriction — request that we limit the processing of your data in certain circumstances.
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@planops.ai. We will respond within 30 days. In complex cases we may extend this by a further 60 days, and we will let you know if that is necessary.
You also have the right to complain to the Information Commissioner's Office if you believe your data protection rights have been infringed.
9. Cookies
Our website uses essential cookies required for it to function, and optional analytics cookies that are only set with your consent. We do not use advertising cookies or cross-site trackers. You can manage your cookie preferences at any time using the cookie settings link in our website footer. For full details, see our Cookie Policy.
10. Children
PlanOps is a business-to-business platform for the construction industry. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. AI data processing
PlanOps uses AI to provide features such as document analysis, report generation, and risk assessment. When AI processes your data, it is done in real-time and is isolated to your organisation. We do not use your project data to train AI models, and our enterprise agreements with AI providers explicitly prohibit them from doing so. For full details, see our AI Data Use Policy.
12. International data transfers
Some of our third-party service providers operate outside the UK. Where personal data is transferred internationally, we ensure it is protected by appropriate safeguards recognised by the ICO, including the UK International Data Transfer Agreement (IDTA), adequacy decisions, or binding corporate rules.
13. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, regular security reviews, and automated monitoring. For more detail on our security practices, see our Security page.
14. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notification before they take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
15. Contact us
If you have any questions about this privacy policy, your personal data, or wish to exercise your rights, please contact us:
- Email: privacy@planops.ai
- Subject line: Privacy Enquiry
For broader trust and compliance enquiries, visit our Trust Center.