Legal

Legal documents used by planCoo public pages:

Dpa.md

This Data Processing Agreement ("DPA") forms part of the Terms of Service between planCoo ("Processor") and the business customer ("Controller") using our services.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR (General Data Protection Regulation).

2. Processing Details

2.1 Subject Matter

Processing of personal data necessary to provide the planCoo services.

2.2 Duration

For the duration of the Terms of Service agreement.

2.3 Nature and Purpose

To provide project management and collaboration services to the Controller and its authorized users.

This may include providing access to the same planCoo service through Microsoft Teams as a client surface, including limited host-context and authentication flows needed to render the service in Teams and authenticate authorized users.

2.4 Types of Personal Data

  • Basic account information (names, email addresses)
  • Authentication data (email address; password credentials processed and stored by Firebase Authentication as salted/hashed values; authentication events such as sign-in timestamps and technical metadata)
  • Limited Microsoft Teams / Microsoft Entra authentication and host-context data when the Controller's authorized users access planCoo through Microsoft Teams
  • Profile information
  • Project and task metadata
  • User activity logs and technical logs (e.g. request timestamps, IP address, user agent, request identifiers, error traces)

2.5 Categories of Data Subjects

  • Controller's employees and contractors
  • Other individuals the Controller authorizes to use the service

2.6 Microsoft Teams Access Clarification

Where the Controller or its authorized users choose to access planCoo through Microsoft Teams, Microsoft Teams serves as an access channel to the existing planCoo service. This does not change the core roles of the parties under this DPA. planCoo continues to process personal data for the purposes described in this DPA, while Microsoft may process platform-level data under Microsoft's own terms and data protection commitments.

3. Obligations of the Processor

planCoo shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process the data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with security obligations
  • Delete or return all personal data after the end of services
  • Make available information necessary to demonstrate compliance

4. Sub-processors

planCoo uses the following sub-processors:

  • Microsoft Azure (hosting, storage)
  • Microsoft Azure OpenAI (AI text generation for project reports, meeting briefings, and portfolio analysis)
  • Firebase Authentication, Firebase Realtime Database/Firestore, and reCAPTCHA (Google LLC) (authentication, realtime chat storage, and abuse prevention; see Sections 5.1 and 5.2)
  • LemonSqueezy (payment processing)
  • Cloudflare (DNS management and security/traffic management)

The Controller hereby provides general authorization for planCoo to engage these sub-processors.

Optional third-party integrations initiated by end users (such as LinkedIn account linking/content sharing) may involve separate third-party processing contexts and are described in Section 5.5.

5. International Transfers

planCoo uses a mix of EU/EEA-based storage for primary application data and global/US-based processing for certain platform services and subprocessors.

Current processing/transfer overview (factual, as currently configured):

  • Microsoft Azure (primary application data and files): West Europe (Netherlands) for primary application data, including Azure SQL Database and Azure Blob Storage.
  • Azure Static Web Apps (hosting/edge delivery): Resource region East US 2 (Azure resource location, as currently configured), with globally distributed edge delivery for static content.
  • Telemetry and technical logs (Microsoft Azure Application Insights / Log Analytics): Not enabled (Application Insights resource has been removed; no application telemetry ingestion is configured at this time).
  • Firebase Authentication (Google LLC): Global service (Google). planCoo uses email + password, email-link sign-in (“magic link”), Google sign-in, and Microsoft sign-in (see Section 5.1).
  • Google reCAPTCHA (Google LLC): Global service (Google) used for abuse prevention on public endpoints.
  • Payments/subscriptions (LemonSqueezy): US/global processing by the payment provider.
  • Cloudflare (DNS/WAF): Global network processing for DNS and security/traffic management.
  • Azure OpenAI (Microsoft): Sweden Central (EU/EEA), as detailed in Section 5.6. Data submitted for AI processing is not used to train Microsoft's AI models. Covered by Microsoft Azure DPA and Standard Contractual Clauses.

Where personal data is processed/transferred outside the EU/EEA, planCoo relies on the European Commission Standard Contractual Clauses (SCCs) and applicable vendor contractual/technical safeguards.

5.1 Firebase Authentication – concrete scope

planCoo uses Firebase Authentication as a specialized authentication service so that planCoo does not have to implement and operate custom password storage and verification. This reduces security risk and leverages a mature authentication platform.

Firebase Authentication is an established authentication provider used widely in industry, with documented security and compliance controls.

What we use (authentication methods):

  • Email + password sign-in
  • Email-link sign-in (“magic link”)
  • Google sign-in (via Firebase Authentication)
  • Microsoft sign-in (via Firebase Authentication)

Personal data processed for authentication (typical categories):

  • Email address (used for account identification and for sending sign-in links)
  • Password credential (handled by Firebase Authentication; planCoo does not store raw passwords)
  • Firebase user identifier (UID)
  • For Google sign-in: provider identifier and basic profile attributes returned by the provider (typically name, email, profile picture)
  • For Microsoft sign-in: provider identifier and basic profile attributes returned by the provider (typically name, email, profile picture)
  • Authentication events/metadata (e.g. sign-in time, IP address and device/browser information used for security and fraud prevention)

Why this processing happens: to verify user identity, issue/validate authentication tokens, and secure access to the planCoo service.

5.2 Realtime Chat – concrete scope

planCoo provides a realtime chat feature to facilitate collaboration between users.

Service Provider & Location:

  • Firebase Realtime Database & Firestore (Google Cloud)
  • Region: europe-west1 (Belgium). All chat data is stored and processed exclusively within the EU/EEA.

Data Processed:

  • Chat messages (text content)
  • Metadata (timestamps, sender UID, participant UIDs)

Security Measures:

  • Strict Access Control: Database rules enforce that only the specific participants in a conversation can read or write messages.
  • Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest.
  • Retention and Deletion: Chat data is subject to the same access controls and account/data deletion workflows as the rest of the service.

5.3 Telemetry and operational logging – concrete scope

To operate and secure the service, planCoo (and relevant infrastructure providers) may process limited technical and operational data such as:

  • Request metadata (timestamps, URL path, response status codes)
  • Network identifiers (IP address)
  • Device/browser information (user agent)
  • Diagnostics and error traces

planCoo aims to minimize personal data in logs and uses redaction/pseudonymization where practical (e.g. not logging authentication tokens and avoiding logging full request bodies by default).

5.4 Sub-processor compliance (concrete controls)

planCoo uses the following concrete measures to maintain GDPR compliance when using subprocessors:

  • Contractual governance: We maintain DPAs (and SCCs where applicable) with subprocessors that process personal data.
  • Purpose limitation: Subprocessors are used for narrowly defined purposes (hosting, authentication, payments, security) and not for unrelated processing.
  • Data minimization: We minimize the personal data sent to subprocessors and avoid sending sensitive payloads where not necessary (e.g. do not log auth tokens; avoid logging full request bodies by default).
  • Access control: Access to production systems and operational tooling is restricted by role and least privilege.
  • Security measures: TLS in transit, encryption at rest where supported, and standard security controls from infrastructure providers.

5.5 LinkedIn account linking and sharing (optional)

planCoo offers optional LinkedIn features (account linking/verification and user-initiated sharing).

When this applies: only if an authorized user explicitly initiates LinkedIn linking or sharing.

Typical data categories involved: LinkedIn account identifier (sub), basic profile attributes returned by LinkedIn (typically name, email, profile image), LinkedIn profile URL, and content the user chooses to publish.

Token handling: LinkedIn OAuth access tokens are used on-demand for requested operations and are not stored persistently by planCoo.

Role of LinkedIn: For user-initiated posting/linking, LinkedIn may act as an independent controller for data processed in its platform according to LinkedIn's terms and privacy documentation.

5.6 Azure OpenAI – concrete scope

planCoo uses Microsoft Azure OpenAI to power AI-assisted features available to authenticated users, including project report generation, meeting briefings, and portfolio analysis.

Service Provider & Authentication:

  • Microsoft Azure OpenAI (Microsoft Corporation)
  • Authentication: API key stored as a server-side environment variable in Azure Functions. The API key is never transmitted to or accessible from the user's browser. All AI calls are made exclusively server-to-server.

What triggers processing:

AI features are user-initiated. Processing only occurs when a logged-in user explicitly requests an AI-generated report or briefing (e.g. clicks "Generate report"). No background or automatic AI processing of personal data occurs.

Data categories transmitted to Azure OpenAI:

  • Project titles, descriptions, and status information
  • Task names and completion status
  • Team member display names and roles within the project context
  • Meeting titles and agenda content (for meeting briefings)

Data categories NOT transmitted to Azure OpenAI:

  • Email addresses, passwords, or authentication tokens
  • Payment or subscription data
  • Private messages or chat content
  • Firebase UIDs or internal system identifiers

Microsoft's data use obligations:

Under the Microsoft Azure OpenAI terms of service, Microsoft does not use inputs or outputs from planCoo's Azure OpenAI resource to train, retrain, or improve Microsoft's AI models. Microsoft may retain inputs and outputs for up to 30 days solely for safety and abuse monitoring, after which they are deleted.

Legal basis for processing: Contractual necessity (providing the AI feature the user has explicitly requested).

Azure region: Sweden Central (EU/EEA). No transfer outside the EU/EEA for AI processing.

International transfer safeguards: Microsoft Azure DPA and Standard Contractual Clauses (SCCs) as issued by the European Commission.

6. Security Measures

planCoo implements appropriate technical and organizational security measures including:

6.1 Authentication & Access Control

  • Authentication via Firebase Authentication (email + password, email-link sign-in “magic link”, Google sign-in, and Microsoft sign-in)
  • Role-based access control for system resources
  • Token-based authentication using short-lived Firebase ID tokens for API access

6.2 Data Storage Security

  • Encryption at rest for Azure SQL Database via Transparent Data Encryption (TDE)
  • Azure Blob Storage with encryption at rest for file content

6.3 Data Transmission Security

  • HTTPS/TLS encryption for all data in transit
  • API endpoints require authentication (short-lived Firebase ID tokens, see Section 6.1)
  • Time-limited Shared Access Signatures (SAS) for blob storage access
  • Secure webhook implementation with signature verification
  • SSL/TLS termination and optimization through Cloudflare

6.4 Application Security

  • Regular security updates and patch management
  • Input validation and output encoding to prevent injection attacks
  • Protection against common web vulnerabilities (XSS, CSRF)
  • Secure development practices and code reviews
  • Content Security Policy (CSP) implementation restricting resource origins
  • Browser security headers (X-Content-Type-Options; X-XSS-Protection is also sent for legacy browsers, although current browsers ignore it and the CSP above is the effective XSS control)

6.5 Infrastructure Security

  • Hosting on Microsoft Azure (cloud infrastructure security and access controls)
  • DDoS protection through both Azure services and Cloudflare
  • Cloudflare Web Application Firewall (WAF)
  • Access controls for operational systems

6.6 Operational Security

  • Operational monitoring and troubleshooting using telemetry and technical logs (see Section 5.3)

6.7 Organizational Measures

  • Access provided on a need-to-know basis
  • Documented internal policies and review cadence (where established)

6.8 Third-Party Security

  • Contractual requirements for subprocessors (DPAs, and SCCs where applicable)

Annex A — Processing details (summary)

  • Subject matter: Provision of planCoo services.
  • Duration: For the term of the services.
  • Nature and purpose: Project management and collaboration features, account administration, security and abuse prevention.
  • Categories of data subjects: Authorized users of the Controller.
  • Types of personal data: As listed in Section 2.4.

Note on marketing and sales inquiry data: Personal data collected through the Microsoft Azure Marketplace "Contact me" form (prospective customer inquiries) is processed by planCoo as an independent Data Controller for its own sales and business development purposes. This data is not processed on behalf of a Controller within the scope of this DPA. Retention and processing of such data is described in planCoo's Privacy Policy (Sections 3.4 and 9.1).

Annex B — Subprocessors (summary)

planCoo uses the subprocessors listed in Section 4 for the purposes described below:

  • Microsoft Azure: Hosting, application data storage (Azure SQL Database, Blob Storage), and platform delivery (Static Web Apps).
  • Google LLC (Firebase Authentication, Firebase Realtime Database/Firestore, reCAPTCHA): Authentication, realtime chat storage, and abuse prevention.
  • LinkedIn (optional, user-initiated integration): Account linking/verification metadata and user-initiated social publishing.
  • LemonSqueezy: Payment and subscription processing.
  • Cloudflare: DNS and security/traffic management.

7. Contact Information

For DPA matters, contact: [email protected]

Last updated: June 8, 2026

PrivSta.md

1. Introduction

planCoo ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service.

We strive to respect privacy laws relevant to our users, including principles from the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data Controller

planCoo is the data controller for personal information processed through our service.

3. Information We Collect

3.1 Information You Provide

  • Account Information: Name, email, company, job title, profile picture
  • Project Data: Tasks, timelines, comments, files you upload
  • Payment Information: Processed by LemonSqueezy (our payment processor)

3.2 Information Collected Automatically

  • Usage Data: How you interact with our service
  • Device Information: IP address, browser type, device type
  • Cookies & Similar Technologies: For authentication, preferences, and necessary service functionality

3.3 Information from Third Parties

  • Authentication data when you log in with Google (if you choose to use Google sign-in).
  • Authentication data when you log in with Microsoft (if you choose to use Microsoft sign-in).
  • Limited Microsoft Teams and Microsoft Entra ID context/authentication data when you access planCoo through the Microsoft Teams app, such as host context and authentication tokens required to render the service inside Teams and sign you in.
  • LinkedIn account/profile data when you choose to link LinkedIn or publish content via LinkedIn integrations.
  • Integration data from connected services

3.4 Business Inquiries via Microsoft Marketplace

If you contact us through the Microsoft Azure Marketplace ("Contact me" / "Kontakt meg"), Microsoft forwards the following information to us on your behalf:

  • First and last name
  • Job title
  • Company name
  • Country
  • Email address
  • Phone number (if provided)
  • Any message you included in the inquiry

This data is transmitted to planCoo by Microsoft in accordance with Microsoft's Marketplace policies, which you accepted when submitting the contact form. planCoo processes this data as an independent Data Controller solely to respond to your inquiry.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Contract Performance: To provide our service to you
  • Legitimate Interests: To improve our service, for security, and business operations. We also rely on legitimate interests to follow up on business inquiries submitted via Microsoft Marketplace, as you have actively expressed interest in our service by submitting the contact form.
  • Consent: For marketing communications (where applicable)
  • Legal Obligations: To comply with applicable laws

5. How We Use Your Information

  • To provide and maintain our service
  • To process payments and manage subscriptions
  • To improve and personalize the user experience
  • To communicate with you about service updates
  • To protect our service and prevent abuse
  • To analyze usage patterns and improve features

6. Data Sharing

6.1 Service Providers

We share data with trusted third parties who help us operate our service:

  • Microsoft Azure: For hosting and data storage
  • Microsoft Teams / Microsoft Entra ID: When you access planCoo through Microsoft Teams, Microsoft may provide the Teams host environment and authentication context needed to display planCoo inside Teams and support sign-in. Microsoft acts under its own terms and privacy commitments for its platform services.
  • Microsoft Azure OpenAI: For AI-powered features (project report generation, meeting briefings, and portfolio analysis). When you use these features, relevant project and meeting content — such as project titles, descriptions, task names, and team member display names — is transmitted to Azure OpenAI for processing. Microsoft does not use this content to train its AI models. All calls are made server-side; your data is never sent directly from your browser to Azure OpenAI.
  • Microsoft Partner Center / Azure Marketplace: For receiving business inquiries ("Contact me" form). Microsoft forwards contact details to us when you submit a marketplace inquiry.
  • Google (Firebase Authentication, reCAPTCHA): For authentication, user management, and abuse prevention
  • LemonSqueezy: For payment processing
  • Cloudflare: For DNS and security/traffic management in front of the service

6.2 Legal Requirements

We may disclose information when required by law or to protect rights and safety.

6.3 Business Transfers

If we're involved in a merger or acquisition, your data may be transferred.

7. International Data Transfers

planCoo uses EU/EEA-based storage for primary application data and also relies on certain global/US-based services (platform delivery, security/abuse prevention, payments). This may involve processing and transfers outside the EU/EEA.

Current overview (factual, as currently configured):

  • Primary application data and files (Microsoft Azure): West Europe (Netherlands) (Azure SQL Database and Azure Blob Storage).
  • Hosting/edge delivery (Azure Static Web Apps): Resource region: East US 2 (Azure resource location, as currently configured) with globally distributed edge delivery (Global).
  • AI features (Microsoft Azure OpenAI): Sweden Central (EU/EEA), processed within the Microsoft Azure network. Data submitted for AI processing is not used to train Microsoft's AI models. Covered by Microsoft Azure's DPA and Standard Contractual Clauses.
  • Operational telemetry (Azure Application Insights / Log Analytics): Not enabled (no application telemetry ingestion is configured at this time).
  • Authentication and abuse prevention (Google: Firebase Authentication, reCAPTCHA): Global service (Google).
  • Optional social integration (LinkedIn): Global service used only when users explicitly initiate account linking or sharing.
  • Payments/subscriptions (LemonSqueezy): US/global processing by the payment provider.
  • DNS/traffic security (Cloudflare): Global network processing for DNS and security controls.

Where relevant, international transfers are addressed through contractual safeguards (including the European Commission's Standard Contractual Clauses) and vendor documentation.

Microsoft Azure's compliance documentation is available at: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr

8. Data Security

We implement reasonable security measures including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection

9. Data Retention

We retain your personal data only as long as necessary to provide our service and fulfill the purposes outlined in this policy, unless longer retention is required by law.

9.1 Microsoft Marketplace Inquiry Data

Personal data received through the Microsoft Marketplace "Contact me" form is subject to the following retention limits:

  • No response / not followed up: deleted after 12 months
  • Active dialogue initiated: deleted after 24 months
  • Became a customer or formal relationship established: deleted after 36 months, or retained for the duration of the customer relationship plus the applicable statutory retention period

You may request deletion of your inquiry data at any time by contacting us at [email protected]. We will process deletion requests within 30 days.

10. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (with certain limitations)
  • Object to or restrict certain processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, including requesting a copy of your data (Data Portability), please contact us at [email protected]. We will process your request within 30 days.

10.1 California Residents

California residents have additional rights under the CCPA/CPRA. We do not sell personal information as defined by the CCPA.

11. Cookies and Tracking Technologies

We use necessary cookies and browser storage to ensure the website works correctly, protect sign-in and security flows, remember essential preferences, and support specific user-triggered integrations.

11.1 Types of Cookies We Use

  • Necessary (Always Active): Essential for the website to function and cannot be switched off. Examples: Firebase authentication/session handling, theme preference, editor recovery data, and security-related browser storage.
  • User-triggered third-party service storage: Some third-party services may place cookies or similar storage only when you actively use a feature that depends on them. Examples: Google reCAPTCHA for abuse prevention, LemonSqueezy checkout, Google/Microsoft sign-in through Firebase, and optional LinkedIn sharing or account-linking flows.

We do not currently use optional analytics cookies or advertising cookies on the website.

11.2 Managing Consent

When you first visit our site, you will see a notice explaining our use of necessary cookies and browser storage. Because these technologies are required for core functionality and security, they cannot be switched off from the banner. You can still control cookies through your browser settings, but doing so may break login, checkout, or abuse-prevention features.

11.3 Third-Party Processors

We use the following third-party services which may process your data:

  • Google (Firebase, reCAPTCHA, and related infrastructure): For authentication and abuse prevention.
  • LinkedIn (optional integration): For user-initiated account linking and social publishing.
  • LemonSqueezy: For processing payments and managing subscriptions.
  • Microsoft Azure: For secure hosting and database services.

You can manage browser-level cookie behavior through your browser settings.

12. Children's Privacy

Our service is intended for professional and educational collaboration use, including school deployments where institutions may authorize student use under applicable law.

For school deployments involving minors, the school/organization (as Controller) is responsible for lawful basis, parental/guardian consent where required, and role/access configuration. We recommend data minimization (e.g., student IDs or pseudonyms where appropriate).

planCoo does not knowingly collect personal data directly from children outside an authorized school/organizational context.

13. Changes to This Policy

We may update this Privacy Policy. We'll notify you of significant changes through the service or via email.

14. Contact Us

For questions about this Privacy Policy or to exercise your rights:

If you're unsatisfied with our response, you may contact the Norwegian Data Protection Authority (Datatilsynet).

Last updated: June 8, 2026

TermServ.md

1. Introduction

planCoo is a cloud-based platform for project management and collaboration that offers functionality for user profiles, company pages, project management, and professional networking.

These Terms constitute a legally binding agreement between you ("User") and planCoo ("we", "us", "our"). By registering or using our service, you accept these terms.

2. Service Description & Subscription

2.1 Service Features

Our platform provides project management and collaboration tools that may include Gantt charts, user permissions, communication features, and other productivity tools.

2.2 Subscription Plans

We offer different subscription plans with varied features and user limits. Current pricing and plan details are available at Pricing plan.

2.3 Payment Terms

  • Payments are processed through LemonSqueezy
  • Subscriptions automatically renew unless cancelled
  • No refunds except where required by law
  • You can manage subscriptions through your Subscription Manager

2.4 Microsoft Teams Access

planCoo may also be accessed through Microsoft Teams as an alternative access channel to the same planCoo service.

  • The Microsoft Teams app provides access to the existing planCoo web application inside the Teams environment.
  • Use of planCoo through Microsoft Teams is subject to these same Terms of Service, including all rules on acceptable use, liability, and subscription/licensing.
  • Certain sign-in, host, and session capabilities in the Teams environment may depend on Microsoft Teams, Microsoft 365, and Microsoft Entra ID.
  • planCoo does not grant any separate license through Teams beyond the subscription or access rights already granted for the planCoo service.

3. User Obligations

3.1 Account Information

You must provide accurate information when creating an account and keep it updated.

3.2 Responsible Use

You agree not to:

  • Use the service for illegal purposes
  • Distribute spam or malicious content
  • Attempt unauthorized access to the system
  • Overload or damage our infrastructure
  • Infringe on third-party intellectual property rights
  • Collect data about other users without consent
  • Engage in harassment or hate speech

3.3 Compliance with Laws

You must use the service in accordance with applicable laws and regulations.

4. Data & Content

4.1 Your Content Ownership

You retain ownership of all content you upload. You grant us a license to store, process, and display this content to provide our service.

4.2 Data Export

You can export your project data by contacting support.

4.3 Content Removal

We reserve the right to remove content that violates these terms.

5. Service Conditions

5.1 Availability & Modifications

We strive to maintain service availability but cannot guarantee uninterrupted access. We may modify features with reasonable notice.

5.2 Third-Party Services

Our service uses:

  • Firebase for authentication
  • Microsoft Azure for hosting and storage
  • LemonSqueezy for payments
  • Other supporting infrastructure and security services as needed to operate the service

6. Privacy & Security

6.1 Privacy Policy

Our Privacy Policy describes how we collect, use, and protect data.

6.2 Security Measures

We implement industry-standard security measures, but no internet transmission is completely secure.

7. Liability Limitations

7.1 "As Is" Service

The service is provided "as is" without warranties of any kind.

7.2 Limitation of Liability

We are not liable for indirect, special, or consequential damages. Our total liability shall not exceed the amount paid by you for the service in the past 12 months.

7.3 Data Loss

You are responsible for maintaining backups of important data.

8. Term & Termination

8.1 Term

This agreement remains in effect while you use our service.

8.2 Termination by User

You may terminate your account at any time through our service or by contacting us.

8.3 Termination by Us

We may suspend or terminate accounts for terms violations or at our discretion with reasonable notice.

8.4 Effect of Termination

Upon termination, you lose access to our service. You can request a copy of your data within 30 days of termination.

9. Changes to Terms

We may update these terms and will notify you of material changes via email or through the service. Continued use after changes constitutes acceptance.

10. Legal Framework

10.1 Governing Law

These terms are governed by Norwegian law.

10.2 Dispute Resolution

Disputes shall first be resolved through negotiation. If unsuccessful, disputes will be resolved by the local Court.

10.3 Severability

If any provision is found invalid, the remaining provisions remain in effect.

11. Contact Information

For questions about these terms, contact us at:

Last updated: March 24, 2025