Privacy Policy

• We collect the minimum data needed to operate the service.
• We never sell personal data and never share it for cross-context advertising.
• Author email addresses on testimonials are structurally absent from every public API response. It's collected for follow-up and stored separately.
• We honor Global Privacy Control (GPC) signals as a valid opt-out under California law.
• We use one AI subprocessor (Anthropic, via Vercel AI Gateway) for the support chat — see §3.
• We don't use tracking cookies, cross-site cookies, or advertising pixels.

For account data, project data, dashboard usage, billing, and the marketing site, Plauditly is the data controller under GDPR and the business under CCPA/CPRA.

For testimonials submitted by your end-users through your collection link, Plauditly is the data processor acting on your instructions; you are the controller. If you process EU personal data through us at scale, request a signed Data Processing Agreement at /legal/dpa.

Contact for privacy matters: privacy@plauditly.app (or hello@plauditly.app — both reach the same inbox).

Every category of data, the purpose, the GDPR lawful basis, and the retention period in one place:

We don't process special-category data (health, biometrics, religion, politics, etc.) intentionally, and ask that you not submit it. We don't profile you or make automated decisions with legal effect about you (GDPR Art. 22).

The support chat on this site is powered by Anthropic Claude Haiku, routed through the Vercel AI Gateway. When you send a message:

• The message text + a static system prompt are sent to Anthropic via Vercel AI Gateway.
• Vercel AI Gateway operates with zero data retention; messages are not stored on Vercel's side.
• Anthropic's API has zero retention by default for the model we use; messages are not used to train models.
• We don't store chat transcripts ourselves. The conversation lives in your browser session only and is lost on page refresh.
• AI-generated answers may be inaccurate. Don't rely on the chatbot for legal, medical, financial, or binding product commitments — escalate to hello@plauditly.app for those.

This is a limited-risk AI system under the EU AI Act (Art. 50). It is clearly identified as a chatbot in the UI; no attempt is made to imply a human is responding.

Regardless of where you live, you can email privacy@plauditly.app to exercise any right below. We aim to respond within 30 days (GDPR) or 45 days (CCPA), extendable once with notice.

EEA, UK, and Swiss residents (GDPR / UK-GDPR / FADP)

• Access — request a copy of your personal data (Art. 15).
• Rectification — correct inaccurate data (Art. 16). Most of it is editable in your dashboard.
• Erasure — request deletion ("right to be forgotten") (Art. 17), subject to legal retention obligations.
• Restriction — pause processing while a dispute is open (Art. 18).
• Portability — receive your data in a machine-readable format (Art. 20). We provide JSON exports.
• Object — object to processing based on legitimate interest, including direct marketing (Art. 21).
• Withdraw consent at any time for processing based on consent (Art. 7(3)); withdrawal does not affect prior lawful processing.
• Lodge a complaint with your local supervisory authority — find yours at edpb.europa.eu/about-edpb/members.

California residents (CCPA / CPRA)

• Right to know what personal information we collect, use, disclose, and the categories of sources and recipients.
• Right to delete personal information we collected from you (with statutory exceptions).
• Right to correct inaccurate personal information (CPRA addition).
• Right to opt-out of sale or sharing — we don't sell or share personal information for cross-context behavioral advertising. The opt-out is satisfied by default.
• Right to limit use of sensitive personal information (CPRA) — we don't process sensitive PI for inferences beyond the disclosed purpose.
• Right to non-discrimination for exercising any of the above.
• You can also designate an authorized agent to make a request on your behalf. We may require verification.
• We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for California, Colorado, and Connecticut users.

Other US states

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island have substantially similar rights to those listed above (access, correction, deletion, portability, opt-out of targeted advertising and sale, opt-out of profiling for significant decisions). Email us; we treat all such requests under the strictest applicable standard.

Brazil (LGPD)

Brazilian residents have rights to confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent (Art. 18 LGPD).

Your data is stored primarily in United States regions (Supabase, Stripe, Vercel, Resend, Anthropic).

For transfers from the EEA, UK, and Switzerland to the US, we rely on:

• The EU-US Data Privacy Framework (DPF) where the recipient is certified, and
• Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 as a fallback, with supplementary measures (encryption in transit and at rest, role-restricted access).
• UK transfers use the UK International Data Transfer Addendum to the SCCs.
• Swiss transfers rely on the Swiss-US DPF where applicable, with SCCs as fallback.

A list of every subprocessor, its data location, and the relevant transfer mechanism is at /legal/subprocessors.

Technical and organizational measures we use to protect your data:

• TLS 1.3 in transit; AES-256 at rest (Supabase, Stripe, Vercel defaults).
• Row-Level Security (RLS) policies on every table — owners can only access their own data, enforced at the database layer.
• Per-request authentication via Supabase Auth; secret keys never reach the browser.
• Webhook signature verification on all third-party callbacks (Stripe).
• Honeypot + rate limiting on all public POST endpoints.
• Privacy-by-design: testimonial author emails are stored in a column the public API physically cannot read.
• Security headers including HSTS, CSP, X-Frame-Options, COOP, and Permissions-Policy on every response.
• Detailed security practices + vulnerability disclosure policy at /legal/security.

Breach notification. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33), and affected users without undue delay (Art. 34). Our incident-response playbook is summarized at /legal/security.

We use one strictly necessary cookie for your sign-in session. No tracking cookies, no advertising cookies, no cross-site cookies, no third-party analytics cookies. Vercel Web Analytics is cookieless. Full breakdown at /legal/cookies.

We honor the Global Privacy Control (GPC) browser signal where it expresses a privacy preference under applicable law.

The newsletter signup in the footer is opt-in. We comply with CAN-SPAM (US) and GDPR consent (EU). Every marketing email contains a one-click unsubscribe link and a postal address. Transactional emails (sign-in links, billing receipts) are sent without consent under contract performance and do not contain marketing content.

Plauditly is not directed at children under 13 (COPPA, US) or under 16 where local law sets a higher age for digital consent (e.g. Germany, France, Italy, the Netherlands). We don't knowingly collect data from minors below those thresholds. If you believe we have, email privacy@plauditly.app and we will delete it within 30 days.

We'll post a changelog entry at /changelog and email active users at least 30 days before material changes take effect. The "Last updated" date at the top of this page reflects the most recent change.

For privacy questions or to exercise any right: privacy@plauditly.app.

Plauditly does not currently meet the GDPR Art. 27 threshold for required EU representative appointment (no large-scale processing of EU personal data; no special-category data). If our processing ever crosses that threshold, we will appoint a representative and publish their contact details here within 30 days.

This Privacy Policy does not constitute legal advice; consult your own counsel for your specific situation.