Privacy Policy
Planbase Limited
Last Updated: 20 February 2026
This Privacy Policy explains what personal data Planbase Limited collects about you, why we collect it, how we use it, and what rights you have in relation to it. We have written it in plain language because we think you deserve to understand exactly how your information is handled.
Planbase is a portfolio platform built specifically for architects and designers, operating as a Software-as-a-Service (SaaS) product. We are based in the United Kingdom and this policy reflects our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as the EU GDPR where applicable to users in the European Union.
If you have any questions about this policy or how we handle your data, please contact us at hello@planbase.app.
1. Who We Are
The data controller for Planbase is:
• Company: Planbase Limited
• Address: Flat 6 Langton Court, 34 Charles Street, Newport, Wales, NP20 1AE
• Email: hello@planbase.app
• Website: https://planbase.app
As data controller, we are responsible for deciding how and why your personal data is processed. We do not currently have a designated Data Protection Officer (DPO), but if you have a data protection concern, please contact us directly at hello@planbase.app.
2. What Data We Collect and Why
We only collect data that we genuinely need to provide and improve the Planbase service. Below is a breakdown of each category, what it includes, our legal basis for processing it under UK/EU GDPR, and how long we keep it.
2.1 Account Information
When you register for Planbase, we collect your name and email address. If you subscribe to a paid plan, your payment is handled by Stripe and we do not store your full card details ourselves.
• Legal basis: Performance of a contract (Article 6(1)(b) UK/EU GDPR). We need this information to create and manage your account.
• Retention: We keep account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, unless we are required by law to retain it for longer.
2.2 Portfolio and Project Content
When you upload projects, images, descriptions, and other content to your portfolio, that content is stored on our platform. You retain ownership of everything you upload.
• Legal basis: Performance of a contract (Article 6(1)(b)). Providing portfolio storage and display is the core function of the service.
• Retention: Your content is retained for as long as your account remains active. On account deletion, content is removed within 30 days.
2.3 Orbi AI Inputs
Orbi AI is our built-in assistant that helps with project planning, technical questions, and conceptual design support. Orbi AI is powered by Google Gemini, a service provided by Google LLC. When you interact with Orbi AI, your prompts and inputs are sent to Google for processing.
• Legal basis: Performance of a contract (Article 6(1)(b)). Processing your inputs is necessary to deliver the AI assistant feature.
• Important: Please do not include sensitive personal data (such as health information, financial details, or third-party personal information) in your Orbi AI prompts. Google processes these inputs in accordance with its own terms and privacy policy.
• Retention: We do not store Orbi AI conversation history long-term. Google's data retention practices are governed by Google's privacy policy at https://policies.google.com/privacy.
2.4 Usage and Analytics Data
We collect information about how you use Planbase. This includes pages visited, features used, time spent on the platform, clicks, and general interaction patterns. This data helps us understand what is working well and what needs improvement.
We use the following tools to collect this information:
• Google Analytics and Google Tag Manager: to understand traffic patterns and page performance.
• Hotjar: to analyse how users navigate and interact with the platform, including heatmaps and session recordings.
• PostHog (EU Cloud): to track product usage events and understand feature adoption. We use PostHog's EU cloud region, which means data is stored and processed within the European Economic Area.
• Gately (usegately.com): for user authentication and access management.
• Legal basis: Legitimate interests (Article 6(1)(f)). We have a legitimate interest in understanding how our platform is used so we can improve it. Where analytics tools involve non-essential cookies, we rely on your consent, which you can manage through our cookie banner.
• Retention: Aggregated analytics data may be retained for up to 26 months. Raw session data (such as Hotjar recordings) is retained for shorter periods in line with each provider's default settings.
2.5 Payment Information
Payments are processed by Stripe, Inc. Stripe collects and processes your payment card details directly. We receive only limited transactional information from Stripe, such as confirmation that a payment was successful, your subscription plan, and billing history.
• Legal basis: Performance of a contract (Article 6(1)(b)) and compliance with legal obligations (Article 6(1)(c)).
• Retention: Transaction records are retained for up to 7 years to comply with UK financial and tax regulations.
3. Cookies and Tracking Technologies
Planbase uses cookies and similar tracking technologies. Under the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive, we are required to obtain your consent before placing non-essential cookies on your device.
We use the following categories of cookies:
• Essential cookies: These are strictly necessary for the platform to function. They keep you logged in and ensure security features work correctly. These do not require your consent.
• Analytics cookies: Set by Google Analytics, Hotjar, and PostHog to help us understand usage patterns. These require your consent.
• Functional cookies: Set by tools like Gately to support authentication flows. These are generally essential but may vary.
When you first visit Planbase, you will be presented with a cookie consent banner. You can accept or decline non-essential cookies. You can also change your cookie preferences at any time through your browser settings or by contacting us. Please note that disabling certain cookies may affect the functionality of the platform.
4. Who We Share Your Data With
We do not sell your personal data. We only share it with third parties where necessary to operate the platform or as required by law. Our current third-party processors are listed below.
• Supabase: Our primary database and backend infrastructure provider. Your account data and uploaded content are stored on Supabase's servers.
• Stripe, Inc.: Processes payments on our behalf. Stripe is PCI DSS compliant and handles card data securely.
• Google LLC: Provides analytics (Google Analytics, Google Tag Manager) and powers Orbi AI through Google Gemini.
• Hotjar Limited: Provides session recording and heatmap analytics.
• PostHog, Inc.: Provides product analytics and event tracking, using their EU cloud region.
• Gately (usegately.com): Provides user authentication and access management functionality.
Each of these providers is bound by data processing agreements and is required to handle your data only in accordance with our instructions and applicable data protection law. We may also disclose your data to law enforcement or regulatory bodies where required by law, a court order, or to protect the rights and safety of others.
5. International Data Transfers
As a UK-based company, Planbase is subject to the UK GDPR's rules on transferring personal data outside the United Kingdom. Some of our third-party processors are based in countries that do not have a UK adequacy decision, which means we need to put specific legal safeguards in place to protect your data when it leaves the UK.
5.1 Transfers to the United States
Several of our providers are US-based: Google LLC, Stripe, Inc., Hotjar Limited, and PostHog, Inc. The United States does not have a blanket UK adequacy decision, which means transfers to US processors must be covered by one of the safeguards set out in Article 46 of the UK GDPR.
The UK-US Data Bridge (the UK extension to the EU-US Data Privacy Framework) provides a transfer mechanism for UK organisations sending data to US companies that are certified under the Data Privacy Framework. Where applicable, we rely on this mechanism for transfers to certified providers.
Where a US provider is not certified under the Data Privacy Framework, or as a fallback safeguard, we rely on the International Data Transfer Agreement (IDTA) issued by the ICO, or the EU Standard Contractual Clauses (2021 version) with the ICO's UK Addendum annexed to them. Both of these mechanisms were introduced by the ICO in March 2022 and replaced the old EU SCCs for UK transfers.
Please note: the UK-US Data Bridge and the wider EU-US Data Privacy Framework are subject to ongoing legal and political scrutiny. We monitor developments in this area and keep fallback contractual mechanisms in place at all times so that transfers remain lawful regardless of any challenge to the Data Bridge.
5.2 PostHog: EU Region
We use PostHog's EU cloud region (eu.posthog.com), which means data processed by PostHog is stored within the European Economic Area and does not constitute a restricted transfer from the UK under UK GDPR. The European Commission's adequacy decision for the UK (currently extended to December 2025 pending renewal) permits data to flow freely between the UK and EEA.
5.3 Supabase
Supabase is incorporated in the US but offers EU and UK data hosting regions. We use a region within the UK or EU for our Supabase database to minimise international transfers. Supabase's Data Processing Addendum incorporates the EU Standard Contractual Clauses (2021) and the ICO's UK Addendum, providing the appropriate safeguards required under UK GDPR Article 46 for any transfers.
5.4 Transfer Risk Assessments
Where we rely on the IDTA, UK Addendum, or Standard Contractual Clauses, we carry out a Transfer Risk Assessment (TRA) as required by the ICO. This involves assessing the laws of the destination country to confirm that the contractual protections can be enforced in practice. If you would like more information about the specific transfer mechanisms we rely on for any particular processor, please contact us at hello@planbase.app.
6. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions, but we will always respond to your request clearly and promptly.
• Right of access: You can ask us for a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
• Right to rectification: You can ask us to correct personal data that is inaccurate or incomplete.
• Right to erasure: You can ask us to delete your personal data. You can also delete your account directly from your account settings, and we will remove your data within 30 days.
• Right to restrict processing: You can ask us to pause the use of your data in certain circumstances, for example while a dispute is being resolved.
• Right to data portability: Where we process your data based on your consent or a contract, you can ask us to provide it in a structured, machine-readable format.
• Right to object: You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your interests.
• Rights related to automated decision-making: We do not use your data for solely automated decisions that have a legal or similarly significant effect on you.
To exercise any of these rights, please contact us at hello@planbase.app. We will verify your identity before acting on any request.
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk, or with your local data protection supervisory authority if you are based in the EU.
7. Data Security
We take the security of your personal data seriously. Planbase uses Supabase for data storage, which provides industry-standard security including encryption at rest and in transit (TLS/SSL). Access to personal data within our team is restricted on a need-to-know basis.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.
8. Children's Privacy
Planbase is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child under 16 has provided us with their personal data, please contact us at hello@planbase.app and we will take steps to remove that information as quickly as possible.
9. Marketing Communications
We may contact you with updates about Planbase, new features, and relevant news for the architecture community. We will only do this where you have given us permission, or where we have a legitimate interest in communicating with existing users about closely related services.
You can unsubscribe from marketing emails at any time using the unsubscribe link in any email we send, or by contacting us at hello@planbase.app. Opting out of marketing does not affect the transactional emails we need to send you to manage your account.
10. Changes to This Policy
We may update this Privacy Policy from time to time, for example when we add new features or when data protection law changes. When we make material changes, we will notify you by email or through a prominent notice on the platform at least 14 days before the change takes effect.
The 'Last Updated' date at the top of this policy will always reflect when it was most recently changed. We encourage you to review this policy periodically.
11. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your data, please get in touch:
• Email: hello@planbase.app
• Website: https://planbase.app
• Address: Flat 6 Langton Court, 34 Charles Street, Newport, Wales, NP20 1AE
For complaints, you may also contact the UK Information Commissioner's Office:
• Website: www.ico.org.uk
• Phone: 0303 123 1113

