Privacy Policy
Privacy · Effective 2026-05-24

Plain makes commitments about your data only to the extent we can honor them.

This policy applies to inplain.app and all related Plain services, including the desktop application, command-line tool, MCP interface, and *.inplain.app subdomains. It is drafted in accordance with the standards established by the GDPR, CCPA/CPRA, and PIPL. For inquiries, contact support@inplain.app.

01 · Controller

Data Controller

Plain is the controller of personal data under this policy (GDPR Article 4(7) / PIPL Article 73). All processing activities described herein are determined by Plain as to purpose and means. Use the contact details at the end of this policy for any matter relating to personal data protection.

02 · Data Categories

Data we process

Plain processes only data that is necessary to provide the service or that you affirmatively provide. The categories are listed below.

  • Account identifiers

    Email address; if you authenticate with a third-party identity provider (Google, GitHub, etc.), the corresponding platform identifier and display name.

  • User content

    Document sources you create, upload, or generate in the service (Markdown, Plain DSL, CSV), along with rendered artifacts and uploaded media.

  • Service interaction records

    Your inputs to and outputs from Plain AI assistants, retained to maintain context within and across sessions.

  • Operational and security logs

    Request source IP, user agent, timestamps, and exception events, used solely for security, fraud prevention, and troubleshooting.

  • Payment and billing data

    Collected and held by a PCI-DSS qualified third-party payment processor; Plain receives only the information necessary for billing, such as last-four digits of the card, billing region, and transaction identifiers.

  • Cookies and local storage

    Session credentials and language/theme preferences (necessary); an optional anonymous product-analytics identifier (which you may disable in settings). Plain does not use advertising cookies or cross-site tracking pixels.

03 · Purposes and Legal Bases

Purposes and legal bases

In accordance with GDPR Article 13(1)(c) and comparable rules, the purposes and legal bases for each category are as follows.

  • Service delivery

    Performance of the service contract, including storing and rendering your content, running AI generation, and issuing share links. Basis: contract / GDPR 6(1)(b).

  • Account security and abuse prevention

    Anomaly detection, rate-limiting, and spam control. Basis: legitimate interests / GDPR 6(1)(f).

  • Billing and tax compliance

    Settlement, invoicing, and tax filings. Basis: legal obligation / GDPR 6(1)(c).

  • Product quality improvement

    Aggregated usage analytics not linked to identifiable individuals. Basis: legitimate interests; you may opt out in settings.

  • Service notices

    Communications directly related to the service (login links, billing notices, policy updates). Basis: contract.

  • Marketing communications

    Product updates and release notes. Basis: consent. One-click unsubscribe.

04 · Sub-processors

Third-party processors

Plain does not sell personal data. To deliver the service we share only the data necessary with processors in the categories listed below; each is engaged under a data processing agreement satisfying GDPR Article 28 and is required to maintain security and confidentiality standards no less protective than Plain's.

  • Infrastructure and content delivery

    Providers used for compute, object storage, and content delivery networks.

  • Database

    Managed relational database providers used to store account and content metadata.

  • Email delivery

    Providers used to dispatch transactional service emails.

  • AI model inference

    Third-party large language model APIs. All providers are engaged in zero-data-retention enterprise mode and are contractually prohibited from using requests and responses passing through the service for model training.

  • Payment processing

    PCI-DSS qualified payment processors responsible for the collection and handling of payment credentials.

  • Product analytics (optional)

    Anonymous, identifier-based product analytics that you may disable in settings.

  • Complete disclosure

    Business customers may, under a confidentiality agreement, receive the complete list of third-party processors and the corresponding DPAs.

  • Law enforcement requests

    Plain responds only to lawful, enforceable legal process following counsel review. Unless prohibited by law, Plain will notify the affected user beforehand.

05 · AI Data Flow

AI models and your data

To enable AI generation and editing features, Plain transmits the minimum data necessary to third-party large language model APIs for inference.

  • Scope of transmission

    Your input prompt, the source of the document you are editing, and any cross-document snippets you expressly reference. Plain does not transmit your account identifiers, billing data, IP address, or other users' data to model providers.

  • Training restriction

    All integrated model providers undertake not to use requests and responses passing through this service for training of public models.

  • Plain's own practice

    Plain does not train general-purpose models.

  • Provider selection

    You may switch model provider and version in settings; the default routes through Plain's gateway, and bring-your-own-key (BYOK) mode is supported.

  • Ownership of outputs

    Ownership and licensing of AI outputs are governed by the Content Ownership section of the Terms of Service.

06 · International Transfers

Cross-border transfers

Plain's infrastructure operates across multiple jurisdictions. Where personal data is transferred internationally, Plain establishes a lawful basis and applies appropriate technical and organizational safeguards in accordance with applicable rules.

  • EU and UK

    Transfers rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum (IDTA), supplemented by transfer impact assessments and additional technical measures.

  • People's Republic of China

    Plain provides separate-consent mechanisms required under PIPL Chapter III, maintains a Personal Information Protection Impact Assessment (PIA), and executes the prescribed standard contractual clauses.

  • California (CCPA/CPRA)

    Plain does not sell personal information and does not share it for cross-context behavioral advertising. You may exercise the Right to Know, Delete, Correct, Opt-out, and Limit.

  • Other jurisdictions

    Plain extends equivalent protection to users in jurisdictions applying comparable regimes (e.g., LGPD, APPI).

07 · Retention

Retention periods

Plain retains personal data only for as long as necessary to fulfill the purpose for which it was collected, after which the data is deleted or anonymized.

  • Account and content

    Retained for the duration of the account.

  • After account deletion

    A 30-day grace period during which restoration is possible; thereafter the data is deleted from production and backups, except where retention is required by law.

  • Operational and security logs

    90 days.

  • Billing records and invoices

    7 years (to satisfy tax and accounting obligations).

  • AI conversation history

    Default 180 days; configurable in settings to 30 days or disabled.

08 · Data Subject Rights

Your rights

Regardless of jurisdiction, Plain extends the following rights to all users at the standard set by GDPR Chapter III. Submit requests via the contact email at the end of this policy.

  • Information and access

    Obtain a copy of your data.

  • Rectification

    Correct inaccurate or incomplete data.

  • Erasure

    Have your data deleted, subject to legal exceptions.

  • Restriction

    Request restriction of processing where grounds exist.

  • Portability

    Receive your data in a structured, machine-readable format. Plain offers one-click export in Markdown, CSV, and Plain DSL.

  • Objection

    Object to processing based on legitimate interests.

  • Withdrawal of consent

    Withdraw consent at any time, without affecting the lawfulness of processing carried out beforehand.

  • Complaint to a supervisory authority

    Lodge a complaint with your local data protection authority.

09 · Security

Security measures

Plain implements technical and organizational measures proportionate to the risk.

  • Transit

    TLS 1.3 with HSTS; all domains and subdomains served over HTTPS only.

  • Storage

    Encryption at rest is enabled across databases and object storage.

  • Access control

    Principle of least privilege, single-use authentication links, modern salted password hashing, and audited access to production data.

  • Vulnerability disclosure

    Security researchers may submit reports to support@inplain.app under responsible disclosure; first reply within seven business days.

  • Breach notification

    Notification to supervisory authorities within 72 hours of confirmed incident; notification to affected users within 48 hours.

10 · Minors

Minors

Plain is not directed at children under 13 (COPPA) and does not knowingly process data of users under 16 without verifiable parental consent (GDPR Article 8). Where Plain becomes aware of inadvertent collection from a minor, the data will be deleted within seven days of notice.

11 · Cookies

Cookies and local storage

Plain uses only the cookies necessary to maintain login and preferences, plus an optional anonymous product-analytics cookie that you may disable in settings. Plain does not use advertising cookies, cross-site tracking pixels, or browser fingerprinting techniques. In applicable jurisdictions, Plain obtains explicit consent on first visit.

12 · Policy Changes

Policy changes

Plain may revise this policy as the service evolves. Material changes — including new processing categories, additional sub-processors, or any reduction in user rights — will be notified at least 30 days in advance by in-app notice and email. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Contact

For matters relating to personal data protection, contact support@inplain.app. First reply within 15 business days of receipt. For jurisdictions that require a Data Protection Officer (DPO), prefix the email subject with [DPO].
