Legal

Privacy Policy

Effective date: March 8, 2026

Last updated: March 8, 2026

PLNTH LLC (“PLNTH,” “we,” “us,” or “our”) operates the PLNTH platform, a managed service for deploying and controlling autonomous AI agents. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and the rights you have regarding your data.

By creating an account or using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, do not use the Service.

Data Controller: PLNTH LLC, a Wyoming limited liability company.

Contact: privacy@plnth.dev

Data We Collect

Account Data

/Email address — required for account creation, communications, and authentication.

/Name — optionally provided, or sourced from your OAuth identity provider profile.

/Authentication credentials — your password (stored as a secure hash via Clerk, our authentication provider) or an OAuth provider identifier.

/Billing information — name, email, and payment method collected and stored by Stripe. PLNTH does not store your full payment card number.

Connected Service Credentials

When you connect a third-party service (such as GitHub, Slack, or Gmail) via OAuth, we receive and store OAuth access tokens and refresh tokens for each connected service. These tokens are encrypted at rest and used exclusively to execute agent tasks on your behalf, in accordance with the scopes you approved during authorization. You may revoke access at any time from your dashboard.

Agent Execution Data

/Task instructions — the descriptions and prompts you provide to agents.

/Ward configurations — the permission boundaries you set for each agent.

/Audit logs — a complete record of every tool call, API request, LLM prompt and response, approval decision, file operation, and error that occurred during an execution.

/Execution metadata — duration, model used, token counts, estimated cost, and status.

/Execution output — results produced by agents, including files created, pull requests opened, messages sent, and similar artifacts.

Important disclosure: Audit logs contain the full content of tool calls and LLM interactions. This may include code from connected repositories, email message bodies, Slack message content, and API response payloads. PLNTH personnel may access audit logs for debugging, support, and security investigation. The platform is not zero-knowledge with respect to execution data.

Usage and Analytics Data

/Pages visited, features used, and session duration, collected via PostHog.

/IP address, for rate limiting and abuse prevention.

/Browser type and operating system, for compatibility and debugging.

PostHog analytics are configured to respect browser Do Not Track signals. We do not use this data for advertising.

Cookies

/Authentication session cookies (strictly necessary) — used to keep you logged in.

/Analytics cookies — used by PostHog. EU/EEA users are prompted for consent before these cookies are set.

We do not use advertising cookies or sell cookie data to third parties.

How We Use Your Data

We do not make automated decisions that produce legal effects based solely on your personal data.

Data	Purpose	Legal Basis (GDPR)
Account data	Provide and administer the Service; communicate with you	Contract performance
OAuth tokens	Execute agent tasks on your behalf	Contract performance
Audit logs	Observability, debugging, support, compliance	Contract performance + legitimate interest
Execution metadata	Billing, usage tracking, rate limiting	Contract performance
Usage analytics	Understand product usage; improve the Service	Legitimate interest
IP address	Security, rate limiting, abuse prevention	Legitimate interest
Billing data	Process payments; comply with financial regulations	Contract performance + legal obligation

Third-Party Data Sharing

We do not sell personal data. We do not share data with advertisers. We share data with third parties only as described below.

LLM Providers

When your agents execute, your task data flows through the following path:

Your instructions → PLNTH Agent → OpenRouter API → Model Provider (Anthropic, OpenAI, Google) → Response → PLNTH Agent → Audit Log

What model providers receive: The complete prompt context sent to the LLM, which may include your task instructions, tool call results, and any data the agent is actively processing — including code from connected repositories, email content, Slack messages, or other content from connected services.

/Anthropic — does not train on API inputs per their current data processing terms.

/OpenAI — does not train on API inputs when accessed via the API.

/Google (via Vertex AI) — review current Google Cloud data processing terms.

OpenRouter acts as an intermediary and its privacy policy governs its handling of data in transit. We recommend reviewing the data processing policies of each LLM provider before connecting sensitive services to agents.

Sub-Processors

All sub-processors are contractually required to maintain data protection standards equivalent to those described in this policy.

Sub-Processor	Purpose	Location
Google Cloud Platform	Compute, Cloud Functions, messaging, storage, monitoring	United States (us-central1)
Neon	Managed PostgreSQL database	United States
Vercel	Frontend hosting and deployment	United States / Global CDN
Clerk	User authentication and session management	United States
Stripe	Payment processing	United States
OpenRouter	LLM API routing	United States
Anthropic / OpenAI / Google	LLM inference (via OpenRouter)	United States
Sentry	Error monitoring	United States
PostHog	Product analytics	United States
Cloudflare	DNS, CDN, DDoS protection (via Vercel)	Global

We will update this list when we add new sub-processors and will provide 30 days' advance notice to enterprise customers who have signed a Data Processing Agreement.

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud or abuse, or protect the safety of our users or the public.

Business Transfers

If PLNTH is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you via email and/or in-app notice before your information becomes subject to a different privacy policy.

Data Retention

We retain data for as long as necessary to provide the Service and comply with our legal obligations.

Data Type	Retention Period
Account data	Duration of account + 30 days post-deletion
OAuth tokens	Until revoked by user or account deletion
Audit logs	90 days (Free); 12 months (Paid)
Execution output	Same as audit logs
Billing records	7 years (tax and financial regulations)
Usage analytics	26 months (anonymized after account deletion)

Upon account deletion, PLNTH will delete your personal data within 30 days, except for billing records retained for tax and legal purposes and any data we are required to retain under applicable law.

Your Rights

All Users

/Access — request a copy of the personal data we hold about you.

/Correction — request that we correct inaccurate or incomplete personal data.

/Deletion — request that we delete your personal data (subject to legal retention obligations).

/Data portability — request an export of your account data and audit logs in JSON format.

To exercise these rights, contact privacy@plnth.dev. We will respond within 30 days.

GDPR Rights (EU/EEA Users)

/Right to restriction — request that we restrict processing in certain circumstances.

/Right to object — object to processing based on our legitimate interests.

/Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

/Right to lodge a complaint — lodge a complaint with your local data protection authority.

CCPA Rights (California Users)

/Right to know — what personal information we collect, use, disclose, and sell.

/Right to delete — request deletion of your personal information.

/Right to opt-out of sale — we do not sell personal information. This right is not applicable.

/Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

Security

/Encryption in transit — all data transmitted between your browser, the platform, and our infrastructure uses TLS 1.2 or higher.

/Encryption at rest — database contents, including OAuth tokens and audit logs, are encrypted at rest using GCP managed encryption keys.

/OAuth token encryption — tokens are additionally encrypted at the application layer before storage.

/Network isolation — agents run in isolated container environments. Network egress is controlled by an egress proxy that enforces ward-configured domain allowlists.

/Ward system — configurable permission boundaries restrict agent actions to explicitly authorized tools, domains, file paths, and API operations.

/Audit logging — all agent actions are logged, providing a complete record for security review.

/Access controls — internal access to production data is restricted on a least-privilege basis. Access to customer data for debugging is logged.

No security measure is 100% effective. In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

International Data Transfers

Your data is primarily processed in the United States (GCP us-central1 region). If you are located outside the United States, your data will be transferred to and processed in the United States.

For EU/EEA users: Data transfers from the EU to the US are conducted on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the applicable SCCs is available upon request at privacy@plnth.dev.

Children’s Privacy

The Service is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at privacy@plnth.dev and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — including changes to the categories of data collected, new sub-processors, or changes to your rights — we will provide at least 30 days' advance notice via email and an in-app notification. Non-material changes will be reflected in an updated “Last Updated” date.

Previous versions of this Policy are available upon request.

Contact

Privacy inquiries: privacy@plnth.dev

Data deletion or export requests: privacy@plnth.dev

Abuse reports: abuse@plnth.dev

PLNTH

Pricing Security Blog Docs Terms

The governance layer for AI agents.