Last updated: May 7, 2026

Legal

Privacy Policy

PlainWeb is committed to protecting your personal data. This policy explains what data we collect, how we use it, and your rights — wherever you are in the world.

1. Who We Are

PlainWeb is a software-as-a-service platform that helps freelancers and web agencies generate automated monthly maintenance reports for their clients. Our service is operated globally and available at plainweb.io.

2. Data We Collect

We collect data in two ways: data you provide directly, and data collected automatically.

Data you provide

  • Account information: name, email address, password (managed by Clerk)
  • Brand settings: brand name, logo, brand color, brand email address
  • Client data you enter: client names, client email addresses, website URLs
  • Payment information: billing details processed directly by Stripe — we never store card numbers
  • Google OAuth tokens: if you connect Google Search Console or Google Analytics 4

Data collected automatically

  • Website analysis data: performance scores, SSL status, uptime, broken links, and SEO metrics for sites you add
  • Usage analytics: page views, feature usage, session data — collected via PostHog
  • Error logs: crash reports and error traces collected via Sentry
  • Log data: IP address, browser type, and timestamps of requests to our servers
  • IP address (collected automatically for security logging and by PostHog, Sentry, and Vercel for analytics and error tracking)

3. Third-Party Services We Use

We use trusted third-party processors to operate our service. Each has their own privacy policy:

Service     | Purpose                         | Data shared
Clerk       | Authentication & user management | Email, name, OAuth tokens
Supabase    | Database & file storage         | All app data, PDF reports
Stripe      | Payment processing              | Email, billing address
Resend      | Transactional email             | Email address, email content
OpenAI      | AI report summaries             | Anonymised site metrics
Google APIs | Search Console & Analytics data | OAuth tokens (your own account)
PostHog     | Product analytics               | Usage events, IP address
Sentry      | Error tracking                  | Error logs, IP address
Vercel      | Hosting & edge network          | Request logs, IP address

4. How We Use Your Data

  • Service delivery: to analyze your client websites, generate PDF reports, and send them to your clients on your behalf
  • Account management: to create and maintain your account, process your subscription, and send billing-related communications
  • Product improvement: to understand how features are used and improve the service (PostHog analytics)
  • Security: to detect fraud, prevent abuse, and monitor for errors (Sentry)
  • Legal compliance: to comply with applicable laws, regulations, and legal processes
  • Communications: to send you product updates, trial reminders, and support responses — never unsolicited marketing

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance: processing necessary to deliver the PlainWeb service you subscribed to
  • Legitimate interests: product analytics, security monitoring, and fraud prevention
  • Legal obligation: retaining billing records and fulfilling tax obligations
  • Consent: where we rely on your explicit consent (e.g., optional cookies)

Data we process on your behalf (Processor role)

When you add client information to PlainWeb — such as a client's name or email address for automated report delivery — you act as the data controller for that data and PlainWeb acts as the data processor (GDPR Art. 28). This means:

  • You are responsible for having a lawful basis to share your clients' data with us.
  • We process that data solely to provide the service you requested (e.g. sending reports to your client).
  • We do not use your clients' data for our own marketing or analytics purposes.
  • We delete it when you delete the associated site or when your account is deleted.

6. Data Retention

  • Account data: retained while your account is active; deleted within 30 days of account deletion request
  • Report history: retained according to your plan (Starter
  • Billing records: retained for 7 years to comply with tax and accounting obligations
  • Analytics data: PostHog events retained for 12 months; Sentry error logs retained for 90 days
  • Google OAuth tokens: deleted immediately when you disconnect Google integrations or delete your account

7. International Data Transfers

PlainWeb is a global service. Your data may be processed in the United States and other countries where our service providers operate. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, and/or ensure our processors maintain appropriate certifications (e.g., EU-U.S. Data Privacy Framework).

8. Your Rights

Depending on your location, you may have the following rights:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data about you
  • Erasure: request deletion of your personal data
  • Portability: receive your data in a machine-readable format
  • Restriction: limit how we process your data
  • Objection: object to processing based on legitimate interests
  • Opt-out (CCPA): California residents: opt out of sale of personal information — we do not sell personal data
  • Withdraw consent: withdraw consent at any time where processing is based on consent

We will respond within 30 days. If you are in the EEA/UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority (in Spain: AEPD — aepd.es).

9. Cookies & Tracking

We use the following cookies and tracking technologies:

  • Strictly necessary cookies: session cookies required to keep you logged in (Clerk). These cannot be disabled.
  • Analytics cookies: PostHog first-party analytics to understand product usage. You can opt out by contacting us.
  • No advertising cookies: we do not use third-party advertising or retargeting cookies.

EU/EEA visitors: PostHog is configured in cookieless mode where legally required. No personal data is shared with advertising networks.

10. Security

We implement industry-standard security measures including HTTPS/TLS encryption in transit, encrypted storage at rest (Supabase + Vercel), HTTP security headers (HSTS, CSP, X-Frame-Options), encrypted OAuth token storage, and access controls limiting employee access to personal data. No transmission over the internet is 100% secure — in the event of a data breach, we will notify affected users in accordance with applicable law.

11. Children's Privacy

PlainWeb is a professional B2B service not intended for use by persons under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@plainweb.io and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the 'Last updated' date at the top of this page and, for material changes, notify you by email. Continued use of the service after a policy update constitutes acceptance of the revised policy.

13. Contact Us

For any privacy-related questions, data requests, or complaints:
