Privacy Policy for PlanCoo

1. Introduction

planCoo ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service.

We strive to respect privacy laws relevant to our users, including principles from the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data Controller

planCoo is the data controller for personal information processed through our service.

Email: [email protected]

3. Information We Collect

3.1 Information You Provide

Account Information: Name, email, company, job title, profile picture
Project Data: Tasks, timelines, comments, files you upload
Payment Information: Processed by LemonSqueezy (our payment processor)

3.2 Information Collected Automatically

Usage Data: How you interact with our service
Device Information: IP address, browser type, device type
Cookies & Similar Technologies: For authentication, preferences, and analytics

3.3 Information from Third Parties

Authentication data when you log in with Google (if you choose to use Google sign-in).
Authentication data when you log in with Microsoft (if you choose to use Microsoft sign-in).
LinkedIn account/profile data when you choose to link LinkedIn or publish content via LinkedIn integrations.
Integration data from connected services

3.4 Business Inquiries via Microsoft Marketplace

If you contact us through the Microsoft Azure Marketplace ("Contact me" / "Kontakt meg"), Microsoft forwards the following information to us on your behalf:

First and last name
Job title
Company name
Country
Email address
Phone number (if provided)
Any message you included in the inquiry

This data is transmitted to PlanCoo by Microsoft in accordance with Microsoft's Marketplace policies, which you accepted when submitting the contact form. PlanCoo processes this data as an independent Data Controller solely to respond to your inquiry.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

Contract Performance: To provide our service to you
Legitimate Interests: To improve our service, for security, and business operations. We also rely on legitimate interests to follow up on business inquiries submitted via Microsoft Marketplace, as you have actively expressed interest in our service by submitting the contact form.
Consent: For marketing communications (where applicable)
Legal Obligations: To comply with applicable laws

5. How We Use Your Information

To provide and maintain our service
To process payments and manage subscriptions
To improve and personalize the user experience
To communicate with you about service updates
To protect our service and prevent abuse
To analyze usage patterns and improve features

6. Data Sharing

6.1 Service Providers

We share data with trusted third parties who help us operate our service:

Microsoft Azure: For hosting and data storage
Microsoft Partner Center / Azure Marketplace: For receiving business inquiries ("Contact me" form). Microsoft forwards contact details to us when you submit a marketplace inquiry.
Firebase: For authentication and user management
LemonSqueezy: For payment processing
Analytics Services: For service improvement

6.2 Legal Requirements

We may disclose information when required by law or to protect rights and safety.

6.3 Business Transfers

If we're involved in a merger or acquisition, your data may be transferred.

7. International Data Transfers

PlanCoo uses EU/EEA-based storage for primary application data and also relies on certain global/US-based services (platform delivery, security/abuse prevention, payments). This may involve processing and transfers outside the EU/EEA.

Current overview (factual, as currently configured):

Primary application data and files (Microsoft Azure): West Europe (Netherlands) (Azure SQL Database and Azure Blob Storage).

Hosting/edge delivery (Azure Static Web Apps): Resource region: East US 2 (Azure resource location, as currently configured) with globally distributed edge delivery (Global).

Operational telemetry (Azure Application Insights / Log Analytics): Not enabled (no application telemetry ingestion is configured at this time).

Authentication and abuse prevention (Google: Firebase Authentication, reCAPTCHA): Global service (Google).

Optional social integration (LinkedIn): Global service used only when users explicitly initiate account linking or sharing.

Payments/subscriptions (LemonSqueezy): US/global processing by the payment provider.

DNS/traffic security (Cloudflare): Global network processing for DNS and security controls.

Where relevant, international transfers are addressed through contractual safeguards (including the European Commission's Standard Contractual Clauses) and vendor documentation.

Microsoft Azure's compliance documentation is available at: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr

8. Data Security

We implement reasonable security measures including:

Encryption in transit and at rest
Access controls and authentication
Regular security assessments
Employee training on data protection

9. Data Retention

We retain your personal data only as long as necessary to provide our service and fulfill the purposes outlined in this policy, unless longer retention is required by law.

9.1 Microsoft Marketplace Inquiry Data

Personal data received through the Microsoft Marketplace "Contact me" form is subject to the following retention limits:

| Status | Deleted after |
|---|---|
| No response / not followed up | 12 months |
| Active dialogue initiated | 24 months |
| Became a customer or formal relationship established | 36 months, or for the duration of the customer relationship + applicable statutory retention period |

You may request deletion of your inquiry data at any time by contacting us at [email protected]. We will process deletion requests within 30 days.

10. Your Rights

Depending on your location, you may have the right to:

Access your personal data
Correct inaccurate data
Delete your data (with certain limitations)
Object to or restrict certain processing
Data portability
Withdraw consent
Lodge a complaint with a supervisory authority

To exercise any of these rights, including requesting a copy of your data (Data Portability), please contact us at [email protected]. We will process your request within 30 days.

10.1 California Residents

California residents have additional rights under the CCPA/CPRA. We do not sell personal information as defined by the CCPA.

11. Cookies and Tracking Technologies

We use necessary cookies and browser storage to ensure the website works correctly, protect sign-in and security flows, remember essential preferences, and support specific user-triggered integrations.

11.1 Types of Cookies We Use

Necessary (Always Active): Essential for the website to function and cannot be switched off.

- Examples: Firebase authentication/session handling, theme preference, editor recovery data, and security-related browser storage.

User-triggered third-party service storage: Some third-party services may place cookies or similar storage only when you actively use a feature that depends on them.

- Examples: Google reCAPTCHA for abuse prevention, LemonSqueezy checkout, Google/Microsoft sign-in through Firebase, and optional LinkedIn sharing or account-linking flows.

We do not currently use optional analytics cookies or advertising cookies on the website.

11.2 Managing Consent

When you first visit our site, you will see a notice explaining our use of necessary cookies and browser storage. Because these technologies are required for core functionality and security, they cannot be switched off from the banner. You can still control cookies through your browser settings, but doing so may break login, checkout, or abuse-prevention features.

11.3 Third-Party Processors

We use the following third-party services which may process your data:

Google (Firebase, reCAPTCHA, and related infrastructure): For authentication and abuse prevention.
LinkedIn (optional integration): For user-initiated account linking and social publishing.
LemonSqueezy: For processing payments and managing subscriptions.
Microsoft Azure: For secure hosting and database services.

You can manage browser-level cookie behavior through your browser settings.

12. Children's Privacy

Our service is intended for professional and educational collaboration use, including school deployments where institutions may authorize student use under applicable law.

For school deployments involving minors, the school/organization (as Controller) is responsible for lawful basis, parental/guardian consent where required, and role/access configuration. We recommend data minimization (e.g., student IDs or pseudonyms where appropriate).

PlanCoo does not knowingly collect personal data directly from children outside an authorized school/organizational context.

13. Changes to This Policy

We may update this Privacy Policy. We'll notify you of significant changes through the service or via email.

14. Contact Us

For questions about this Privacy Policy or to exercise your rights:

Email: [email protected]

If you're unsatisfied with our response, you may contact the Norwegian Data Protection Authority (Datatilsynet).

Last updated: March 9, 2026