This privacy policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR).
1. Data Controller
The controller responsible for processing your personal data is:
Lexbeam Software, Inh. Werner Plutat
Speditionstraße 15A
40221 Düsseldorf
Germany
Email: hello@plutat.com
2. Types of Data Collected
We collect and process the following types of personal data when you use our services:
- Contact Data: Email address, name, company name (when using the contact form)
- Newsletter Data: Email address (when subscribing to the newsletter)
- Technical Data: IP address (for abuse prevention and consent documentation)
- Communication Data: Subject and message content for contact inquiries
3. Legal Basis for Processing
We process your personal data on the following legal bases according to Article 6 GDPR:
- Consent (Art. 6(1)(a) GDPR): When you subscribe to our newsletter or provide explicit consent for specific processing activities
- Contract Performance (Art. 6(1)(b) GDPR): When processing is necessary for the performance of a contract with you or for pre-contractual measures
- Legitimate Interests (Art. 6(1)(f) GDPR): For security measures such as abuse prevention (rate limiting), where our legitimate interests are not overridden by your rights and freedoms
- Legal Obligation (Art. 6(1)(c) GDPR): When processing is necessary to comply with a legal obligation
4. Purposes of Data Processing
We process your personal data for the following purposes:
- Providing and maintaining our website
- Processing contact inquiries
- Sending newsletters (with your consent, double opt-in)
- Ensuring security and abuse prevention (rate limiting)
- Fulfilling legal obligations
5. Data Sharing and Third Parties
We may share your data with trusted third-party service providers who assist us in operating our website and services:
5.1 Hosting Provider
Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA)
Purpose: Website hosting and Content Delivery Network (CDN)
Server Location: Our serverless functions (API endpoints) run in Frankfurt (EU). Static content is delivered via a global CDN, with European requests typically served from European edge servers.
Data Transfer: Data transfers to the USA are based on the EU-US Data Privacy Framework (DPF), under which Vercel is certified, as well as the Standard Contractual Clauses of the EU Commission. We have concluded a Data Processing Agreement (DPA) with Vercel.
Privacy Policy: https://vercel.com/legal/privacy-policy | DPA
5.2 Email Service Provider
Resend
Purpose: Sending transactional emails and notifications
Location: EU (Ireland, eu-west-1)
Privacy Policy: https://resend.com/legal/privacy-policy
5.3 Database Provider
Neon (Neon Inc.)
Purpose: Secure storage of contact and newsletter data
Location: EU (Frankfurt, eu-central-1)
Privacy Policy: https://neon.tech/privacy-policy
5.4 Rate Limiting Service
Upstash
Purpose: Abuse prevention through rate limiting
Location: EU (Frankfurt, eu-central-1)
Privacy Policy: https://upstash.com/trust/privacy.pdf
Web Analytics (OpenPanel)
OpenPanel (Coderax AB, Sweden) – openpanel.dev
Privacy-friendly, cookieless web analytics. OpenPanel does not use cookies and does not track users across websites or devices.
The information collected includes: page URL, referrer, approximate geographic region, device type, browser type, and screen resolution. This data is aggregated and used to produce anonymous usage statistics. IP addresses are used temporarily for two purposes only and are never stored: (1) deriving approximate location (city, country, region); (2) generating a daily-rotating cryptographic hash from the IP address, user agent, project ID, and a rotating salt. The salt is replaced every 24 hours; only the current and previous salt are retained. The resulting identifier is cryptographically irreversible after approximately 24 hours.
OpenPanel processes this data on our behalf as a data processor pursuant to Art. 28 GDPR. A data processing agreement (DPA) is in place. Details: openpanel.dev/dpa. OpenPanel operates its cloud infrastructure on Hetzner Online GmbH (Germany). Backups are stored on Cloudflare R2 (EU). All data is processed and stored within the EU/EEA.
Legal basis: Art. 6 (1) lit. f GDPR. Our legitimate interest is the statistical analysis of website usage in order to improve our online offering. We have weighed this interest against your rights and consider the impact on your privacy to be minimal given the aggregated, non-identifying nature of the data collected.
You have the right to object to this processing at any time for reasons arising from your particular situation (Art. 21 (1) GDPR). To exercise this right, please contact us at the address provided above.
Privacy policy: https://openpanel.dev/privacy
6. Data Retention
We retain your personal data only for as long as necessary for the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.
- Newsletter Data: Until you request deletion or unsubscribe from the newsletter
- Contact Inquiries: Up to 3 years for customer service purposes
- Rate Limiting Data (IP addresses): Temporary storage for a few minutes for abuse prevention
7. Your GDPR Rights
As a data subject, you have the following rights:
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation of whether we process your personal data and, if so, to request access to that data
- Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data
- Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data under certain circumstances
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing under certain conditions
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used format
- Right to Object (Art. 21 GDPR): You have the right to object to processing based on legitimate interests or for direct marketing purposes
To exercise any of these rights, please contact us at: hello@plutat.com
8. Right to Withdraw Consent
If we process your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
You can withdraw consent by clicking the unsubscribe link in our emails or by contacting us directly.
9. Right to Lodge a Complaint
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Supervisory authority for Germany:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Website: https://www.ldi.nrw.de
10. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest in our databases
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Regular backups and disaster recovery procedures
11. International Data Transfer
Most of our service providers process your data exclusively within the European Union:
- Neon (Database): EU (Frankfurt)
- Upstash (Rate Limiting): EU (Frankfurt)
- Resend (Email): EU (Ireland)
Vercel (Hosting): As a global Content Delivery Network, your data may also be processed outside the EEA. Vercel is certified under the EU-US Data Privacy Framework (DPF). Additionally, the Standard Contractual Clauses of the EU Commission apply.
12. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete that information.
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the new privacy policy on this page and updating the "last updated" date.
We recommend reviewing this privacy policy regularly to stay informed about the protection of your personal data.
14. Contact
If you have any questions, concerns, or requests regarding this privacy policy or our data processing practices, please contact us:
Lexbeam Software, Inh. Werner Plutat
Email: hello@plutat.com
Address: Speditionstraße 15A, 40221 Düsseldorf, Germany