Privacy Policy
Last updated: 19 February 2026
Summary in Plain Language
- We collect only what we need to run PlanIT (email, name, usage data).
- We never sell your data to anyone.
- Your project data belongs to you — always.
- We use trusted sub-processors (Supabase, Vercel, Stripe, Resend, Google Analytics).
- You can export, correct, or delete your data at any time.
- We comply with GDPR (EU) and UK GDPR.
1. Data Controller
PlanIT is operated by ITNIR (“we”, “us”, “our”). We are the data controller responsible for your personal data.
Contact: privacy@itnir.com
Website: https://www.itnir.com
Address: ITNIR, Israel
2. What Data We Collect
2.1 Data You Provide
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Account creation | Authentication, notifications, communication |
| Display name | Profile setup | Identification within your organization |
| Profile avatar | Optional upload | Visual identification |
| Password (hashed) | Account creation | Authentication |
| Organization name | Organization creation | Workspace identification |
| Project content | Product usage | Core service delivery |
2.2 Data Collected Automatically
| Data | Method | Purpose |
|---|---|---|
| IP address (anonymized) | Server logs | Security, abuse prevention |
| Browser type & version | HTTP headers | Compatibility, debugging |
| Pages visited | Google Analytics 4 | Product improvement |
| Feature usage events | Google Analytics 4 | Product improvement |
| Device type | HTTP headers | Responsive design optimization |
2.3 Data We Do NOT Collect
- We do not collect sensitive personal data (race, religion, health, biometrics).
- We do not use tracking pixels or third-party advertising trackers.
- We do not sell, rent, or trade personal data.
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Contract — necessary to provide the service (Art. 6(1)(b)) |
| Sending transactional emails (invitations, verification) | Contract — necessary to provide the service (Art. 6(1)(b)) |
| Processing payments | Contract — necessary to provide the service (Art. 6(1)(b)) |
| Analytics (GA4, anonymized) | Legitimate interest — product improvement (Art. 6(1)(f)) |
| Security logging & abuse prevention | Legitimate interest — protecting the service (Art. 6(1)(f)) |
| Marketing communications | Consent — opt-in only (Art. 6(1)(a)) |
4. How We Use Your Data
- To provide, maintain, and improve PlanIT.
- To authenticate you and secure your account.
- To send transactional emails (invitations, password resets, verification).
- To process payments and manage subscriptions.
- To analyze usage patterns and improve the product (anonymized).
- To prevent abuse, fraud, and security threats.
- To comply with legal obligations.
5. Sub-Processors & Third-Party Services
We use the following third-party services to operate PlanIT. Each processes data as described:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, storage | All account and project data | EU (Frankfurt) / US |
| Vercel | Frontend hosting, edge delivery | HTTP requests, IP addresses | Global edge network |
| Stripe | Payment processing | Payment information, email | US (PCI DSS compliant) |
| Resend | Transactional email delivery | Email address, email content | US |
| Google Analytics 4 | Usage analytics (anonymized) | Anonymized usage events, IP (anonymized) | US (Google Cloud) |
All sub-processors are bound by data processing agreements (DPAs) and maintain appropriate security certifications. We evaluate sub-processors for GDPR compliance before engagement.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom. When this occurs, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Our US-based sub-processors (Stripe, Vercel, Google) participate in the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on European Commission-approved Standard Contractual Clauses.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to SCCs as appropriate.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, name) | Until account deletion |
| Project data (issues, projects, iterations) | Until account or organization deletion |
| Server logs | 90 days |
| Analytics data (GA4) | 14 months (GA4 default) |
| Payment records | 7 years (legal requirement) |
| Audit logs | 12 months |
When you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., payment records).
8. Your Rights
Under GDPR (EU) and UK GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data. |
| Erasure (Art. 17) | Request deletion of your personal data (“right to be forgotten”). |
| Restriction (Art. 18) | Request that we restrict processing of your data. |
| Data Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Object (Art. 21) | Object to processing based on legitimate interest (including analytics). |
| Withdraw Consent (Art. 7) | Withdraw consent at any time where processing is based on consent. |
| Automated Decisions (Art. 22) | We do not make automated decisions or profile you. |
To exercise any of these rights, contact us at privacy@itnir.com. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
9. Cookies
9.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| supabase-auth-token | Essential | Authentication session | Session / 7 days |
| NEXT_LOCALE | Functional | Language preference | 1 year |
| _ga, _ga_* | Analytics | Google Analytics 4 — anonymized usage tracking | 2 years |
9.2 Managing Cookies
Essential cookies are required for PlanIT to function. You can disable analytics cookies through your browser settings. Disabling analytics cookies does not affect your ability to use PlanIT.
10. Children's Privacy
PlanIT is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@itnir.com.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security (RLS) policies ensuring users can only access their own data.
- Regular security audits and vulnerability assessments.
- Access controls limiting employee access to personal data.
- Password hashing with bcrypt; we never store plaintext passwords.
12. Supervisory Authorities
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority:
- EU: Contact your local Data Protection Authority (DPA). A list is available at edpb.europa.eu.
- UK: Contact the Information Commissioner's Office (ICO) at ico.org.uk or by phone at 0303 123 1113.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by placing a prominent notice on our website. The “Last updated” date at the top of this page indicates when this policy was last revised.
Continued use of PlanIT after changes constitutes acceptance of the updated policy. If you disagree with any changes, you may delete your account.
14. Contact Us
For any privacy-related questions, concerns, or data subject requests:
Email: privacy@itnir.com
Website: https://www.itnir.com
Response time: Within 30 days of receipt
