Privacy Policy

1. Introduction

planCoo ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service.

We strive to respect privacy laws relevant to our users, including principles from the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data Controller

planCoo is the data controller for personal information processed through our service.

3. Information We Collect

3.1 Information You Provide

  • Account Information: Name, email, company, job title, profile picture
  • Project Data: Tasks, timelines, comments, files you upload
  • Payment Information: Processed by LemonSqueezy (our payment processor)

3.2 Information Collected Automatically

  • Usage Data: How you interact with our service
  • Device Information: IP address, browser type, device type
  • Cookies & Similar Technologies: For authentication, preferences, and necessary service functionality

3.3 Information from Third Parties

  • Authentication data when you log in with Google (if you choose to use Google sign-in).
  • Authentication data when you log in with Microsoft (if you choose to use Microsoft sign-in).
  • Limited Microsoft Teams and Microsoft Entra ID context/authentication data when you access planCoo through the Microsoft Teams app, such as host context and authentication tokens required to render the service inside Teams and sign you in.
  • LinkedIn account/profile data when you choose to link LinkedIn or publish content via LinkedIn integrations.
  • Integration data from connected services

3.4 Business Inquiries via Microsoft Marketplace

If you contact us through the Microsoft Azure Marketplace ("Contact me" / "Kontakt meg"), Microsoft forwards the following information to us on your behalf:

  • First and last name
  • Job title
  • Company name
  • Country
  • Email address
  • Phone number (if provided)
  • Any message you included in the inquiry

This data is transmitted to planCoo by Microsoft in accordance with Microsoft's Marketplace policies, which you accepted when submitting the contact form. planCoo processes this data as an independent Data Controller solely to respond to your inquiry.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Contract Performance: To provide our service to you
  • Legitimate Interests: To improve our service, for security, and business operations. We also rely on legitimate interests to follow up on business inquiries submitted via Microsoft Marketplace, as you have actively expressed interest in our service by submitting the contact form.
  • Consent: For marketing communications (where applicable)
  • Legal Obligations: To comply with applicable laws

5. How We Use Your Information

  • To provide and maintain our service
  • To process payments and manage subscriptions
  • To improve and personalize the user experience
  • To communicate with you about service updates
  • To protect our service and prevent abuse
  • To analyze usage patterns and improve features

6. Data Sharing

6.1 Service Providers

We share data with trusted third parties who help us operate our service:

  • Microsoft Azure: For hosting and data storage
  • Microsoft Teams / Microsoft Entra ID: When you access planCoo through Microsoft Teams, Microsoft may provide the Teams host environment and authentication context needed to display planCoo inside Teams and support sign-in. Microsoft acts under its own terms and privacy commitments for its platform services.
  • Microsoft Azure OpenAI: For AI-powered features (project report generation, meeting briefings, and portfolio analysis). When you use these features, relevant project and meeting content — such as project titles, descriptions, task names, and team member display names — is transmitted to Azure OpenAI for processing. Microsoft does not use this content to train its AI models. All calls are made server-side; your data is never sent directly from your browser to Azure OpenAI.
  • Microsoft Partner Center / Azure Marketplace: For receiving business inquiries ("Contact me" form). Microsoft forwards contact details to us when you submit a marketplace inquiry.
  • Firebase: For authentication and user management
  • LemonSqueezy: For payment processing

6.2 Legal Requirements

We may disclose information when required by law or to protect rights and safety.

6.3 Business Transfers

If we're involved in a merger or acquisition, your data may be transferred.

7. International Data Transfers

planCoo uses EU/EEA-based storage for primary application data and also relies on certain global/US-based services (platform delivery, security/abuse prevention, payments). This may involve processing and transfers outside the EU/EEA.

Current overview (factual, as currently configured):


  • Primary application data and files (Microsoft Azure): West Europe (Netherlands) (Azure SQL Database and Azure Blob Storage).

  • Hosting/edge delivery (Azure Static Web Apps): Resource region: East US 2 (Azure resource location, as currently configured) with globally distributed edge delivery (Global).

  • AI features (Microsoft Azure OpenAI): Sweden Central (EU/EEA) (typically within the Microsoft Azure global network). Data submitted for AI processing is not used to train Microsoft's AI models. Covered by Microsoft Azure's DPA and Standard Contractual Clauses.

  • Operational telemetry (Azure Application Insights / Log Analytics): Not enabled (no application telemetry ingestion is configured at this time).

  • Authentication and abuse prevention (Google: Firebase Authentication, reCAPTCHA): Global service (Google).

  • Optional social integration (LinkedIn): Global service used only when users explicitly initiate account linking or sharing.

  • Payments/subscriptions (LemonSqueezy): US/global processing by the payment provider.

  • DNS/traffic security (Cloudflare): Global network processing for DNS and security controls.

Where relevant, international transfers are addressed through contractual safeguards (including the European Commission's Standard Contractual Clauses) and vendor documentation.

Microsoft Azure's compliance documentation is available at: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr

8. Data Security

We implement reasonable security measures including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection

9. Data Retention

We retain your personal data only as long as necessary to provide our service and fulfill the purposes outlined in this policy, unless longer retention is required by law.

9.1 Microsoft Marketplace Inquiry Data

Personal data received through the Microsoft Marketplace "Contact me" form is subject to the following retention limits:

| Status | Deleted after |
|---|---|
| No response / not followed up | 12 months |
| Active dialogue initiated | 24 months |
| Became a customer or formal relationship established | 36 months, or for the duration of the customer relationship + applicable statutory retention period |

You may request deletion of your inquiry data at any time by contacting us at [email protected]. We will process deletion requests within 30 days.

10. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (with certain limitations)
  • Object to or restrict certain processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, including requesting a copy of your data (Data Portability), please contact us at [email protected]. We will process your request within 30 days.

10.1 California Residents

California residents have additional rights under the CCPA/CPRA. We do not sell personal information as defined by the CCPA.

11. Cookies and Tracking Technologies

We use necessary cookies and browser storage to ensure the website works correctly, protect sign-in and security flows, remember essential preferences, and support specific user-triggered integrations.

11.1 Types of Cookies We Use

  • Necessary (Always Active): Essential for the website to function and cannot be switched off.
- Examples: Firebase authentication/session handling, theme preference, editor recovery data, and security-related browser storage.
  • User-triggered third-party service storage: Some third-party services may place cookies or similar storage only when you actively use a feature that depends on them.
- Examples: Google reCAPTCHA for abuse prevention, LemonSqueezy checkout, Google/Microsoft sign-in through Firebase, and optional LinkedIn sharing or account-linking flows.

We do not currently use optional analytics cookies or advertising cookies on the website.

11.2 Managing Consent

When you first visit our site, you will see a notice explaining our use of necessary cookies and browser storage. Because these technologies are required for core functionality and security, they cannot be switched off from the banner. You can still control cookies through your browser settings, but doing so may break login, checkout, or abuse-prevention features.

11.3 Third-Party Processors

We use the following third-party services which may process your data:

  • Google (Firebase, reCAPTCHA, and related infrastructure): For authentication and abuse prevention.
  • LinkedIn (optional integration): For user-initiated account linking and social publishing.
  • LemonSqueezy: For processing payments and managing subscriptions.
  • Microsoft Azure: For secure hosting and database services.

You can manage browser-level cookie behavior through your browser settings.

12. Children's Privacy

Our service is intended for professional and educational collaboration use, including school deployments where institutions may authorize student use under applicable law.

For school deployments involving minors, the school/organization (as Controller) is responsible for lawful basis, parental/guardian consent where required, and role/access configuration. We recommend data minimization (e.g., student IDs or pseudonyms where appropriate).

planCoo does not knowingly collect personal data directly from children outside an authorized school/organizational context.

13. Changes to This Policy

We may update this Privacy Policy. We'll notify you of significant changes through the service or via email.

14. Contact Us

For questions about this Privacy Policy or to exercise your rights:

If you're unsatisfied with our response, you may contact the Norwegian Data Protection Authority (Datatilsynet).

Last updated: June 8, 2026