Privacy Policy

Last updated: May 5, 2026 · Version 1.0

01

Who we are

Plainwerk is a multi-tenant project management and issue tracking service (the “Service”) operated by Naviria Labs S.L., a company registered in Spain (“we”, “us”, “our”).

Registered address: [REGISTERED ADDRESS]
Contact: support@plainwerk.dev

For matters relating to your personal data, please contact us at the address above.

02

Scope of this policy

This Privacy Policy explains how we collect, use, share, and protect your personal data when you:

  • Visit our website at plainwerk.dev or its subdomains
  • Create an account with Plainwerk
  • Use the Service through the web app or REST API
  • Communicate with us by email or other channels

It applies to all visitors and users of the Service, regardless of location. Where applicable, it incorporates rights and obligations under:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR)
  • The Spanish Organic Law 3/2018 on the Protection of Personal Data and Digital Rights (LOPDGDD)
  • The UK General Data Protection Regulation (UK GDPR)
  • The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA / CPRA)

03

Data we collect

3.1 Information you provide

  • Account information: name, email address, and password. Passwords are stored only as peppered HMAC-SHA256 hashes; we never store, log, or transmit your raw password.
  • Profile information: name, email, and (where available) profile picture from your Google or GitHub account if you sign in via OAuth.
  • Workspace content: organizations, teams, issues, comments, projects, cycles, labels, and any other content you create within Plainwerk.
  • Communications: the content of emails, support tickets, or other messages you send us.
  • Billing information: if you subscribe to a paid plan, billing details handled by our payment processor. We do not store full card numbers ourselves.

3.2 Information we collect automatically

  • Usage data: features used, request timestamps, and error logs (server-side, retained for limited periods; not shared with third parties for advertising).
  • Technical data: IP address, browser type and version, device type, operating system, referrer URL.
  • Cookies and similar technologies: see Section 06.

3.3 Information from third parties

  • Authentication providers: when you sign in with Google or GitHub we receive your name, email, and profile picture (where you have made it available) under those services’ permissions.
  • Email delivery: delivery and engagement metadata from our email provider (e.g., bounces) where applicable.

04

How we use your data

We process your personal data for the following purposes and on the following legal bases under the GDPR:

| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the Service | Create and authenticate accounts; display workspace content; deliver issue notifications | Contract (Art. 6(1)(b)) |
| Operate and secure the Service | Diagnose errors; back up data; rate-limit and defend against abuse | Legitimate interests (Art. 6(1)(f)) |
| Communicate with you | Respond to support requests; send service notices and security alerts | Contract / Legitimate interests |
| Marketing and product updates | Occasional product news, only with your consent or where permitted by law | Consent (Art. 6(1)(a)) |
| Analytics on public pages | Aggregate visitor behaviour on the marketing site (home, sign-in, sign-up, invitation pages, public docs) | Consent (Art. 6(1)(a)) |
| Comply with the law | Tax, accounting, lawful requests from authorities | Legal obligation (Art. 6(1)(c)) |

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

05

Who we share data with

5.1 Subprocessors

We rely on the following service providers to operate Plainwerk. Each is bound by a written contract that requires them to protect your data:

| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting (compute, storage, database) | Ireland (EU, eu-west-1) |
| Google Ireland Ltd. | Google Sign-In; Google Analytics on public pages | EU + United States |
| GitHub, Inc. | OAuth authentication (optional) | United States |
| Resend, Inc. | Transactional email delivery | United States |

We will update this list as our subprocessors change. Material additions will be announced via the Service or by email where appropriate.

5.2 Within your organization

If you join an organization on Plainwerk, members of that organization can see your name, email, and the workspace content you create or share. Owners and admins have additional administrative visibility (such as the ability to disable accounts and manage membership).

5.3 Legal requirements and acquisitions

We may share data when required by law, subpoena, or other legal process; to enforce our terms; to protect users or the public; or in connection with a merger, acquisition, or sale of assets (subject to confidentiality and continued protection).

We do not sell your personal data, and we do not “share” it for cross-context behavioural advertising as defined under the CCPA/CPRA.

06

Cookies and similar technologies

6.1 Strictly necessary

These keep the Service working and cannot be disabled:

  • Authentication cookies (NextAuth session): identify you while signed in.
  • Consent state (plainwerk_consent_v1 in your browser’s localStorage): records your cookie choice so we don’t show the banner again.

6.2 Analytics — consent-based

We use Google Analytics 4 on our public marketing pages only (the home page, sign-in/sign-up pages, invitation pages, and documentation). It loads in “denied” mode by default and only sets cookies after you click Accept on the consent banner. We do not run analytics inside the authenticated app.

You can change your choice at any time using the Cookie Settings link in the website footer, or by clearing your browser storage.

07

International data transfers

Your personal data is primarily processed in the European Union (Ireland). Some subprocessors are located outside the EU/EEA, including in the United States. Where we transfer personal data to a country that has not been deemed adequate by the European Commission, we rely on appropriate safeguards, including:

  • The EU-US Data Privacy Framework, where the recipient is certified
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures such as encryption in transit and at rest

You may request a copy of the safeguards in place by contacting us.

08

How long we keep your data

We retain personal data only for as long as necessary to provide the Service and meet legal obligations:

  • Active account data: for the duration of your account.
  • Workspace content: until you or an organization owner deletes it, or for 30 days after account closure (after which we permanently delete or anonymize it).
  • Authentication and security logs: up to 12 months.
  • Backups: up to 35 days, after which they are overwritten on rotation.
  • Billing and tax records: as required by Spanish tax law (typically 4–6 years).

You can request deletion of your data at any time (see Section 10).

09

Security

We apply industry-standard security measures, including:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for database storage and backups
  • Secrets and credentials stored in environment-isolated stores; never committed to source control
  • Passwords stored as peppered HMAC-SHA256 hashes; raw passwords are never recorded
  • Personal API keys stored only as peppered HMAC; the raw key is shown to you once and never again
  • Role-based access controls within the Service (Owner, Admin, Member, Guest)
  • Regular dependency updates and infrastructure patching

No system is perfectly secure. If you believe your account has been compromised, please contact us immediately at support@plainwerk.dev.

10

Your rights

Under the GDPR (and similar laws in the UK and elsewhere), you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”) in certain circumstances
  • Restrict or object to our processing
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es) or your local supervisory authority

To exercise any of these rights, email support@plainwerk.dev. We will respond within one month, as required by GDPR Art. 12.

11

California Notice (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we have collected about you, the sources, purposes, and recipients
  • Right to delete your personal information, subject to certain exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioural advertising; there is nothing to opt out of, but you may confirm this status at any time
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes other than providing the Service
  • Right to non-discrimination. We will not deny service or charge different prices because you exercise any of these rights

To exercise these rights, contact support@plainwerk.dev. We will verify your identity (typically by confirming control of the email associated with your account) before processing the request.

Categories of personal information collected (last 12 months):

  • Identifiers (name, email, IP address)
  • Customer records (account credentials, billing information)
  • Internet activity (interactions on public pages, with consent)
  • Geolocation (approximate, derived from IP)
  • Inferences — none; we do not build behavioural profiles

12

Children’s privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.

13

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or the law. We will post the updated version on this page and update the “Last updated” date. For material changes, we will provide more prominent notice (such as a banner or email).

14

How to contact us

For any questions, requests, or complaints about this Privacy Policy or your personal data:

Email: support@plainwerk.dev
Postal: Naviria Labs S.L. — [REGISTERED ADDRESS]
EU supervisory authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

This document is published in English. Where translations are provided, the English version prevails in case of conflict.