Privacy Policy

Effective date: 2026-05-21 Last updated: 2026-05-21 Provider: PlateNext.com (the "Service," "we," "us," or "our").

This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we keep it, and what choices and rights you have. It applies to the PlateNext suite, including the marketing site at platenext.com, the identity service at auth.platenext.com, and the member apps at mail.platenext.com, projects.platenext.com, contacts.platenext.com, files.platenext.com, and any other site, application, or API we operate under the PlateNext name (collectively, the "Service").

This Privacy Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

1. Who we are; data controller

PlateNext.com is the controller (for GDPR purposes) and the business (for CCPA/CPRA purposes) of personal data processed through the Service, except where we act as a processor or service provider on behalf of a customer organization that has signed a separate data processing agreement with us.

Contact: privacy@platenext.com

2. What data we collect

2.1 Account data

When you create an account with the identity manager (auth.platenext.com), we collect:

name and display name
email address, and (optionally) phone number
password hash, WebAuthn credentials, OAuth linkages, recovery codes, and 2FA configuration
account-safety metadata: active sessions, security activity log, sign-in IP addresses, user-agent strings, device fingerprints

2.2 Content you create or submit ("Your Content")

When you use the apps, we collect and store:

emails, drafts, contacts, and attachments you send or receive via the webmail app
projects, tasks, engagements, deliverables, commitments, participants, and activity feed entries created in the project manager
chat messages, room memberships, and DM threads (when chat launches)
files you upload and their metadata (filename, size, mime type, OCR-extracted text, embeddings, version history)
meeting metadata, audio if you record, transcripts, and action-item extractions (when live-meeting launches)
contact records, organization records, and address-book entries
AI agent configuration (persona, role, skills, on/off state) and records of actions an agent took on your behalf

2.3 Usage and device data

When you interact with the Service, we automatically collect:

IP address, approximate geolocation, browser type and version, operating system, device identifiers, screen size, language preference
log data including request URLs, timestamps, response codes, latency, referrers, click and view events
crash and error reports, performance traces, feature-flag assignments
cookie identifiers and similar local-storage identifiers

2.4 Payment data

If you purchase a paid plan, our payment processor (a third party) collects your payment method details. We do not store full card numbers ourselves; we store a tokenized reference, the billing address, and a record of the transaction.

2.5 Communications with us

When you contact support, file a bug, respond to a survey, or communicate with us, we collect the content of those communications and any metadata about them.

2.6 Data from third parties

If you sign in with Google OAuth, link a third-party calendar or mail account, or otherwise authorize a third-party integration, we receive the data those services share with us under the scope you grant. If a contact, customer, or correspondent of yours sends information to your account (e.g., an inbound email), we receive and store that data on your behalf.

2.7 Inferred and derived data

We generate derived data from the above, including AI-generated summaries, embeddings, classifications (e.g., "this thread is about vendor X"), aggregated usage metrics, and anti-fraud signals.

3. How we use your data

We use the data described in §2 for the following purposes:

Operate the Service — authenticate you, route and store Your Content, render the lensed views, deliver email, run AI features.
Maintain and improve the Service — fix bugs, debug, run experiments, train internal classifiers and quality models (subject to §6.4 of the Terms), measure feature adoption, plan capacity.
Personalize and recommend — surface relevant items in your inbox, project feed, and search results.
AI features — let AI agents read, summarize, draft, classify, and act on Your Content as you have configured.
Security, fraud, and abuse prevention — detect and prevent unauthorized access, abuse, spam, malware, and violations of the Terms.
Communicate with you — send transactional emails, security alerts, product announcements, and (where you have not opted out) marketing.
Billing and account management — process payments, manage subscriptions, recover unpaid balances, prevent payment fraud.
Legal and compliance — comply with applicable law, respond to lawful requests, enforce our agreements, exercise or defend legal claims, and protect the rights, property, or safety of PlateNext.com, our users, and the public.
Business operations — internal reporting, audits, financial planning, M&A diligence, and corporate transactions (see §5.4).

Where the GDPR or UK GDPR applies, we rely on these legal bases:

Contract (Art. 6(1)(b)) — to provide the Service you have requested.
Legitimate interests (Art. 6(1)(f)) — to secure, debug, improve, and personalize the Service, to detect abuse, and to market our own similar services to existing users.
Consent (Art. 6(1)(a)) — where required, including for non- essential cookies and certain marketing.
Legal obligation (Art. 6(1)(c)) — to comply with applicable law.

You can withdraw consent at any time, and you can object to processing based on legitimate interests; see §8.

4. AI processing of Your Content

Your Content is processed by automated systems, including large language models and other machine learning systems, to provide AI Features. This may include:

summarizing threads and documents
classifying messages by topic, urgency, project, or sender
drafting replies
extracting structured data (e.g., contacts, dates, action items)
generating embeddings used for search and similarity
letting AI agents you have configured read and respond to messages on your behalf

We do not use Your Content to train publicly released or third-party foundation models, except in aggregated or de- identified form that cannot reasonably be linked back to you. We may use Your Content to train internal classifiers and quality models used to operate the Service.

We use third-party AI model providers (subprocessors) to run some AI Features. Those providers process Your Content under contracts that prohibit them from training their public models on it, but they may retain it for a short period for abuse monitoring. The current list of AI subprocessors is available at platenext.com/legal/subprocessors.

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law (CCPA/CPRA). We disclose data only as described below.

5.1 Service providers / subprocessors

We share data with vendors who process it on our behalf — cloud hosting (AWS or similar), email delivery, AI model providers, analytics, error monitoring, payment processing, customer support, fraud detection. They are bound by contract to use the data only to provide services to us. The current list of subprocessors is at platenext.com/legal/subprocessors.

5.2 Other users

Some of Your Content is shared with people you direct us to share it with — e.g., recipients of an email you send, members of a project you invite to it, participants in a meeting you host. We share the data the workflow requires; we do not broker your data to other PlateNext users behind your back.

5.3 Legal disclosures

We may disclose data if we believe in good faith that disclosure is necessary to (a) comply with applicable law, regulation, subpoena, court order, or lawful government request; (b) enforce the Terms; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of PlateNext.com, our users, or the public. Where lawful, we will use reasonable efforts to notify you of a legal request for your data.

5.4 Business transfers

If we are involved in a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar transaction, your data may be transferred to the acquirer or successor entity as part of the transaction.

5.5 With your direction

We share data with third parties when you direct us to — e.g., when you authorize a third-party integration via OAuth, when you publish a file or page publicly, or when you ask us to.

5.6 Aggregated and de-identified data

We may share aggregated or de-identified data that cannot reasonably be used to identify you, for any purpose.

6. Retention

We retain personal data only as long as we need it for the purposes described in this Policy. The default retention periods are:

Category	Default retention
Account data (while account is open)	for the life of the account
Closed accounts	up to 30 days after closure, then deletion (some metadata may persist in backups for up to 90 days)
Inactive accounts (no sign-in for 24+ months)	we may delete, archive, or restrict the account, in our sole discretion
Email and chat messages	for the life of the account, unless you delete them
Files	for the life of the account, unless you delete them
Activity logs and audit logs	up to 18 months
Security logs (sign-in events, anti-fraud signals)	up to 24 months
Crash and error reports	up to 13 months
Backups	up to 90 days, after which deletion propagates
Billing and tax records	7 years, or as required by law
Records of legal claims and investigations	for the duration of the matter and any applicable limitations period

We may retain data longer where required by law, where necessary to defend legal claims, or where the data has been de-identified.

After the retention period, we delete or de-identify the data.

7. International transfers

We are based in the United States and process data there. If you access the Service from outside the U.S., your data will be transferred to, stored in, and processed in the U.S. (and in any other country where our subprocessors operate).

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the U.S., we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum / Swiss equivalents, as applicable). You may request a copy of the relevant transfer mechanism by emailing privacy@platenext.com.

8. Your rights and choices

Depending on where you live, you may have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Correction / rectification — ask us to correct inaccurate or incomplete data.
Deletion / erasure — ask us to delete your data.
Portability — receive certain data in a portable format.
Restriction — ask us to restrict processing.
Objection — object to processing based on our legitimate interests, including direct marketing.
Withdraw consent — withdraw consent where processing is based on consent. Withdrawal does not affect prior processing.
Opt out of sale / sharing / targeted advertising / automated decision-making with significant effects — under CCPA/CPRA, Virginia, Colorado, Connecticut, Utah, Texas, and similar U.S. state laws. As noted in §5, we do not sell or share personal data for cross-context behavioral advertising.
Lodge a complaint with a supervisory authority (EEA / UK residents).
Non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right (except where the right itself, e.g., deletion, makes service infeasible).

To exercise a right, email privacy@platenext.com with the request and a way to verify your identity. We will respond within the time required by applicable law (typically 30–45 days). We may ask for additional information to verify your identity and may deny requests where permitted by law (e.g., where the request would harm another person's rights, undermine an active investigation, or contradict a legal obligation).

You may designate an authorized agent to make a request on your behalf, subject to verification.

9. Cookies and similar technologies

We use cookies, local storage, session storage, and similar technologies to keep you signed in, remember preferences, run the suite-wide single sign-on at .platenext.com, prevent fraud, and measure usage. Some are strictly necessary for the Service to work; others (analytics, product measurement) are not, and we honor the Global Privacy Control (GPC) signal as an opt-out for those.

We do not use third-party advertising cookies and do not allow third parties to track you across unaffiliated sites through our Service.

You can control cookies through your browser settings. Blocking strictly-necessary cookies will break sign-in and other core functionality.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, email privacy@platenext.com and we will delete it.

11. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your data, including encryption in transit, encryption at rest for sensitive fields, access controls, audit logging, and incident response procedures.

No system is completely secure. We do not guarantee that your data will not be lost, accessed without authorization, altered, or disclosed, and we disclaim all liability for any such loss, access, alteration, or disclosure to the maximum extent permitted by law. See §§ 11–13 of the Terms.

If we become aware of a personal data breach affecting your data, we will notify you and the relevant supervisory authority as required by applicable law.

12. California-specific disclosures (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act. The categories of personal information we collect, the sources we collect from, the business purposes for collection, and the categories of third parties we disclose to are described in §§ 2, 3, and 5. We do not sell or share personal information as those terms are defined under California law, and we do not knowingly sell or share the personal information of consumers under 16.

You have the right to know, delete, correct, and opt out of sale or sharing (none, as noted), and the right to limit the use of sensitive personal information. Exercise these rights by emailing privacy@platenext.com or by submitting the form at platenext.com/legal/privacy-request.

We will not discriminate against you for exercising your rights.

If you are in the EEA, UK, or Switzerland, you have the rights listed in §8. Our legal bases for processing are listed in §3.1. We transfer data to the U.S. under the safeguards described in §7.

You have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

14. Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects on you. AI Features (summaries, classifications, drafts, agent actions) are advisory, are subject to human review by you, and do not by themselves produce legal or similarly significant effects.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will give you reasonable notice — for example, by email, by an in-app banner, or by updating the "Last updated" date at the top of this Policy. Your continued use of the Service after the changes take effect constitutes acceptance of the revised Policy.

16. Contact

Questions, complaints, or rights requests: privacy@platenext.com

Legal notices: legal@platenext.com

Registered mailing address: platenext.com/legal/contact.