Privacy Policy
Last updated: February 13, 2026
1. Data We Collect
Plinto collects the following categories of personal data to provide our compensation job matching service:
- Account Information: Email address, full name, and company affiliation provided during registration or invitation.
- Job Matching Data: Job titles, departments, functions, levels, and descriptions uploaded by your organization for matching purposes.
- Usage Data: Actions performed within the platform (project creation, match editing, validations) stored in audit logs.
- Technical Data: IP address, browser type, and device information collected automatically for security and analytics.
- Billing Information: Payment details processed by Stripe. We do not store credit card numbers directly.
2. How We Use Your Data
- Job Matching: Processing uploaded job data through our AI-powered matching pipeline to generate survey benchmark matches.
- Service Improvement: Using validated match results to improve matching accuracy for your company (validated data is never shared across tenants).
- Billing: Processing subscription payments through Stripe.
- Security: Maintaining audit logs and monitoring for unauthorized access.
- Communication: Sending service-related emails (invitations, password resets, GDPR request confirmations).
3. Data Retention
- Project Data: Retained until the user or admin deletes the project.
- Validated Matches: Retained indefinitely for AI learning improvement within your company scope.
- XLSX Exports: Stored for 90 days, then automatically deleted.
- Audit Logs: Retained for 7 years for regulatory compliance.
- Account Data: Retained until account deletion is requested and confirmed.
4. Data Sharing
We do not sell your data. We share data only with the following third-party services necessary to operate Plinto:
- Stripe: Payment processing for subscription billing.
- Supabase: Database hosting and authentication services.
- OpenAI: AI model processing for job matching (job titles and descriptions only, no personal data).
Your company's data is strictly isolated from other tenants. No cross-company data access is possible; this isolation is enforced at the database level through Row-Level Security policies.
5. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of Access (Article 15): You can download a complete copy of all your personal data at any time from Settings > Privacy & Data.
- Right to Erasure (Article 17): You can request account deletion from Settings > Privacy & Data. Your personal data will be anonymized while preserving data integrity for existing projects.
- Right to Data Portability (Article 20): Your data export is provided in standard JSON format, allowing you to transfer your data to another service.
- Right to Rectification (Article 16): You can update your personal information in your account settings at any time.
- Right to Restriction (Article 18): Contact us to request restriction of processing for your data.
6. Security
We implement appropriate technical and organizational measures to protect your personal data:
- Row-Level Security (RLS) for tenant data isolation
- JWT-based authentication with secure session management
- HTTPS encryption for all data in transit
- Database encryption at rest
- Rate limiting on authentication endpoints
- Webhook signature validation for all integrations
- Comprehensive audit logging of all sensitive operations
7. GDPR Compliance
Plinto is designed with GDPR compliance as a core requirement. Our multi-tenant architecture ensures complete data isolation between companies. All data processing is performed with a lawful basis, and we maintain detailed audit logs of all data access and modifications.
For data processing agreements (DPA) or compliance questions, contact our Data Protection Officer at the address below.
8. Contact Information
For privacy-related inquiries or to exercise your data rights, contact us at:
Email: privacy@plinto.io
Subject: GDPR Data Request - [Your Company Name]
We will respond to all data requests within 30 days as required by GDPR.
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this page indicates when this policy was last revised.