Privacy Policy
Placeholder. This page is a structural placeholder while we work with counsel on the formal document. We do not fake legal text. Full document available on request: founder@pliuz.com.
Pliuz processes minimal personal data: account email, optional name, optional profile photo. We do not run analytics that require cookies (we use Plausible — cookie-free). We do not sell, share, or use personal data for advertising. We never train AI models on customer payloads.
- Personal data we collect as controller: account email (required), name (optional), avatar (optional), Slack workspace mapping (when you connect Slack), founder@pliuz.com correspondence, and — if you join the pre-launch waitlist — your corporate email, company name and role (plus optional product context).
- Personal data we process as processor (for Customer tenants): approval payloads (tool args), context messages (agent reasoning), approver identities, decisions + execution outcomes. Customer is the controller; Pliuz processes under DPA Art 28.
- Audit log captures end-user PII of Customer tenants (third-party data subjects). SDK-side redaction primitives let Customer remove sensitive fields BEFORE they reach Pliuz. Tenant is responsible for identifying and instructing redaction.
- Analytics: Plausible (cookie-free, EU-hosted, GDPR-compliant by design). No tracking cookies. No consent banner needed.
- Cookies: only essential session cookies (Supabase Auth). No marketing or third-party cookies.
- Waitlist (pre-launch): if you opt in, we use your details only to tell you when Pliuz launches and to offer early access — legal basis is your consent (GDPR Art 6(1)(a)), via an unticked, unbundled checkbox with double opt-in confirmation. We pass your email to Resend (our email provider, EU region — Ireland) solely to send these messages. This is consent-based and uses no tracking cookies. One-click unsubscribe in every email; we delete unconverted leads within 12 months (or 6 months after launch, whichever is earlier).
- Sharing: never sold, rented, or shared. Sub-processors only per /legal/subprocessors with 30-day notice on changes.
- Cross-border transfers: EU-only by default (Supabase Frankfurt, Vercel Frankfurt, Plausible EU). Slack notifications use Slack US infrastructure when Customer opts in — covered by SCCs Module 2 in the DPA.
- Retention: account data deleted within 30 days of account closure on request. Audit event data per Customer-configured tenant policy (default per tier 7d / 90d / 1y / 10y). Retention enforcement implementation in progress.
- Rights (GDPR): access (Art 15), rectification (Art 16), erasure (Art 17), portability (Art 20), restriction (Art 18), objection (Art 21). For data we control, email founder@pliuz.com — response within 30 days. For data of Customer end-users, contact the Customer (controller) first.
- No AI training, no payload reading for non-execution purposes — mechanically enforced (no ML pipeline; SDK-side redaction architecture) and contractually committed in the DPA.
- No automated decision-making about humans (GDPR Art 22) — Pliuz exists to ENABLE human review, never to replace it.
- Data controller for Pliuz-controlled data: Pliuz (founder@pliuz.com). Update to incorporated entity contact once entity is formed.
Last updated: 2026-06-01. Reviewed internally; independent counsel review pending. Material changes will be emailed at least 30 days in advance.