Privacy & Data Protection
Privacy Policy
Version 1.0 · Effective date: 1 June 2025 · Data controller: IT-Consolidated BV
Courtesy translation. This is an English translation of our Dutch privacy policy, provided for convenience only. The Dutch version is legally binding; in the event of any discrepancy, the Dutch text prevails.
Summary: We only collect the data that is strictly necessary to provide the service. We never sell your data. Your data is stored on servers within the European Union. You can always view, correct or delete your data.
1. Who are we?
Planninn is a service provided by IT-Consolidated BV, Chamber of Commerce no.: 98881639, established in Capelle aan den IJssel, the Netherlands (hereinafter: "we", "us" or "Planninn").
We are the data controller within the meaning of the General Data Protection Regulation (GDPR). For questions about this privacy policy you can reach us at [email protected].
2. What data do we collect?
2.1 Account data
- Name
- Email address
- Encrypted password (bcrypt; we never see your password in plain text)
- Profile colour and avatar (optional, set by you)
- Date of birth (optional, for birthday reminders)
2.2 Family and content data
- Family or team name and family photo (optional)
- Events, tasks, shopping lists and recipes that you create
- Locations that you link to events
2.3 Technical data
- Session tokens (stored as a cookie to keep you logged in)
- Device type and browser (general, for sending push notifications)
- Time of last login (for account security)
2.4 Payment data (future)
When you take out a paid subscription, payment data (card information) is processed exclusively by Stripe, our payment provider. We do not store any payment card details on our own servers. We only receive a customer ID from Stripe to track your subscription status.
3. Why do we process your data?
- Account management: creating, securing and managing your account
- Service provision: displaying your calendar, lists, tasks and recipes to your family members
- Communication: sending daily and/or weekly email summaries (only if you enable this yourself)
- Push notifications: sending notifications (only if you grant permission)
- Subscription management: tracking your subscription status and processing payments
- Security: detecting and preventing misuse
4. Legal basis for processing
We process your personal data on the basis of the following legal grounds (GDPR Article 6):
- Performance of a contract (Art. 6(1)(b)): the data is necessary to provide the service to you
- Consent (Art. 6(1)(a)): for email summaries and push notifications; you can withdraw this consent at any time via your settings
- Legitimate interest (Art. 6(1)(f)): for security and fraud prevention
- Legal obligation (Art. 6(1)(c)): for retaining accounting records after payment
5. How long do we keep your data?
- Active accounts: for as long as your account exists
- After deletion of your account: data is permanently deleted within 30 days, with the exception of data we are legally required to retain longer (e.g. invoice data: 7 years under Dutch accounting law)
- Sessions: expire automatically after 30 days of inactivity
- Log files: retained for a maximum of 90 days for security purposes
6. With whom do we share your data?
We never sell your data. We only share your data in the following cases:
- Stripe (payment processing): your email address is shared with Stripe to create a customer profile when you take out a subscription. Stripe is PCI-DSS certified and processes data in accordance with the GDPR. More information: stripe.com/privacy
- Legal obligation: if we are legally required to do so (e.g. a court order), we will provide only the absolute minimum
We use no advertising networks, no social media tracking scripts and no analytics services that collect personal data. For website statistics we use a cookieless, privacy-friendly method (see section 9).
7. Where is your data stored?
Your data is stored on servers within the European Union and does not leave the EU. We do not use cloud services outside the EU for storing personal data.
8. Security
We take appropriate technical and organisational measures to protect your data:
- Communication via HTTPS/TLS (encrypted transport)
- Passwords stored as a bcrypt hash (never in readable form)
- Session tokens are randomly generated and temporary
- Database access restricted to the application server (not publicly accessible)
- SSH access to the server only via key pairs, password authentication disabled
9. Cookies and tracking
Planninn uses only one functional session cookie to keep you logged in. This cookie:
- Contains no personal data, only an anonymous session ID
- Is not shared with third parties
- Is not used for tracking or advertising
- Disappears automatically on logout or after 30 days of inactivity
For website statistics on our public pages we use Cloudflare Web Analytics: a cookieless, privacy-friendly method that measures only aggregated, non-identifiable figures (such as the number of visits, pages visited, source and country). With this method:
- no cookies are placed and no device fingerprint is used;
- no personal data is collected, no profiles are built and nothing is sold;
- no advertising or tracking cookies are used;
- no analytics code whatsoever is active in the logged-in app.
Because no non-functional cookies are placed and no personal data is collected, a cookie consent banner is not required.
10. Your rights under the GDPR
As a data subject you have the following rights. You can exercise them via [email protected]:
- Right of access (Art. 15): you can request which data we hold about you
- Right to rectification (Art. 16): you can have incorrect data corrected (or do this yourself via your profile settings)
- Right to erasure (Art. 17): you can have your account and all associated data deleted
- Right to restriction (Art. 18): you can have the processing temporarily restricted
- Right to portability (Art. 20): you can request an export of your data in a machine-readable format
- Right to object (Art. 21): you can object to processing based on legitimate interest
- Right to withdraw consent: for email summaries and push notifications you can do this at any time via your settings
We respond to your request within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.
11. Children
Planninn is not specifically aimed at children under 16. Children can be added as a family member by a parent or guardian. We deliberately do not collect any additional data from minors. If you believe we have inadvertently collected a child's data without consent, please contact us so we can delete it.
12. Changes to this policy
We may amend this privacy policy from time to time. In the event of material changes, we will inform you by email or via a notification in the app, at least 14 days before the effective date. The most current version is always available on this page.
13. Contact & complaints