Legal
Privacy Policy
Last updated: 2026-04-27
We build privacy tools. We try to live by the same standards we ask data brokers to meet. This document says plainly what we collect, why, and what you can do about it.
Who we are
Plenitudo Privacy is operated by Plenitudo.ai. The web app lives at privacy.plenitudo.ai. Contact: info@plenitudo.ai.
What we collect and why
If you use the app without signing in (free, anonymous)
- Audit progress — stored in your browser's localStorage. Never sent to our servers. Cleared when you clear your browser data.
- Server logs — Vercel (our host) logs standard HTTP request metadata: IP address, timestamp, URL, response code. These are retained for 30 days by Vercel and used for infrastructure debugging only. We do not process them ourselves.
We run zero analytics, zero session replay, zero tracking pixels, and zero third-party ad scripts on any page. If you install our browser extension and do not sign in, no data ever leaves your device.
If you create an account (magic-link sign-in)
- Email address — used to send your sign-in link and, in future, breach alerts. Stored in Supabase Auth. Never sold. Never shared with advertisers.
- DSR requests — if you generate a data-subject-rights letter, we store the broker name, request type (opt-out / deletion), and timestamps. We use this to send you re-removal reminders and to track compliance with your request. We do not store the letter content unless you explicitly ask us to.
- Audit progress (Pro) — optionally synced to your account so progress survives across devices. Stored in our database. Deleted when you delete your account.
Browser extension
- Per-tab tracker hits — stored in storage.session (browser session memory). Cleared automatically when the tab closes or the browser exits. Never written to disk. Never sent to our servers.
- Your preferences — which domains you've manually blocked and whether global blocking is on. Stored in storage.local on your device only. Not synced to our servers unless you sign in and explicitly enable sync (not yet built).
The extension does not build a persistent log of sites you visit. The tracker hit list for a tab exists only while that tab is open.
What we do not collect
- Browsing history
- Search queries
- Device fingerprint
- Behavioral analytics or heatmaps
- Advertising identifiers
- Content of any private communications
- HealthKit or location data (even if you use our iOS app — those stay on device)
Who we share data with
We do not sell your data. We share it with the minimum number of processors required to run the service:
| Processor | What they see | Their policy |
|---|---|---|
| Supabase | Email, DSR records, account data | Privacy policy → |
| Vercel | HTTP request logs (IP, URL, timestamp) | Privacy policy → |
Your rights
We honor data subject rights within 7 days — no exceptions. These apply regardless of where you live.
- Export your data — go to Account → Export my data. You'll receive a JSON file of everything we hold about you within 24 hours.
- Delete your account — go to Account → Delete my account. This triggers a hard delete of your email, DSR records, and all account data from every table and from Supabase Auth within 7 days. No soft-deletes. No orphaned records.
- Email us — if you'd rather request via email: info@plenitudo.ai. Same 7-day SLA.
Cookies
We use one cookie: the Supabase session cookie, set only when you sign in. It expires when you sign out. No tracking cookies. No third-party cookies.
Data location
Our Supabase project runs in the US (AWS us-east-1). If you are in the EU, your data is transferred to the US under Supabase's Standard Contractual Clauses. EU-hosted infrastructure is on the roadmap post-launch.
Children
This service is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email us and we will delete it immediately.
Changes to this policy
If we make a material change — collecting new data, adding a processor, changing retention — we will email registered users at least 14 days before the change takes effect and update the "last updated" date above. The full history of changes will be visible in the public git repository.
Our commitment
We build tools to reduce data collection. It would be incoherent to collect data we don't need. If you ever find that we are collecting something not listed here, tell us — that is a bug, not a feature.