Privacy Policy

Your data is yours. We are custodians, not owners.

Effective Date: December 1, 2024 | Last Updated: December 2024

1. Introduction

Plenum Inc. ("Plenum", "Company", "we", "us", or "our"), a Delaware corporation, is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, disclose, and safeguard information when you use the Plenum CRM platform and related services (collectively, the "Service").

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use our Service.

Our Privacy Commitment

We believe your data belongs to you. We act as responsible custodians, processing your information only as necessary to provide our services and as you direct. We never sell your personal information.

2. Scope & Application

2.1 Who This Policy Applies To

This Privacy Policy applies to:

  • Business Customers: Companies and individuals who subscribe to and use our Service
  • Authorized Users: Employees, contractors, and agents of our business customers who access the Service
  • End Customers: Individuals whose data is stored in the Service by our business customers (e.g., homeowners who receive HVAC services)
  • Website Visitors: Individuals who visit our marketing website

2.2 Data Controller vs. Data Processor

For data about our business customers and website visitors, Plenum is the "data controller" (or equivalent under applicable law). For data that our business customers input about their own customers and operations, Plenum acts as a "data processor" on behalf of our business customers, who are the data controllers.

2.3 Third-Party Services

This Policy does not apply to third-party websites, applications, or services that may be linked from our Service. We encourage you to review the privacy policies of any third-party services you access.

3. Information We Collect

3.1 Account Information

When you create an account or sign up for our Service, we collect:

  • Name, email address, and phone number
  • Company name, address, and business details
  • Job title and role information
  • Account credentials and authentication data
  • Billing and payment information (processed by our payment processor)
  • Profile photos and preferences

3.2 Business Data

As part of using our Service, you and your authorized users may provide:

  • Customer Records: Names, addresses, contact information, communication history
  • Property Information: Addresses, property types, square footage, equipment details
  • Equipment Data: HVAC system information, model numbers, installation dates, service history
  • Appointment Records: Scheduling data, service notes, technician assignments
  • Financial Data: Estimates, invoices, payments, pricing information
  • Documents: Photos, files, contracts, and other uploaded materials
  • Communications: Messages, emails, and call logs within the Service

3.3 Automatically Collected Information

When you access our Service, we automatically collect certain information:

  • Device Information: Device type, operating system, browser type, unique device identifiers
  • Log Data: IP address, access times, pages viewed, referring URLs, and clickstream data
  • Location Data: General location based on IP address; precise location for field technicians (with explicit consent)
  • Usage Data: Features used, actions taken, interaction patterns, and error logs
  • Performance Data: Load times, crash reports, and diagnostic information

3.4 Information from Third Parties

We may receive information from third-party sources, including:

  • Property data providers (e.g., Zillow) for property intelligence features
  • Equipment data providers (e.g., AHRI) for rebate qualification
  • Payment processors regarding transaction status
  • Identity verification services

4. How We Use Your Information

4.1 To Provide the Service

  • Creating and managing your account
  • Processing transactions and payments
  • Enabling core features like scheduling, estimates, and invoicing
  • Providing customer portal and booking functionality
  • Sending transactional communications (confirmations, reminders, receipts)

4.2 To Improve the Service

  • Analyzing usage patterns to enhance features and user experience
  • Identifying and fixing bugs, errors, and performance issues
  • Developing new features and functionality
  • Conducting research and analysis (using aggregated, anonymized data)

4.3 For Security and Compliance

  • Detecting, preventing, and responding to fraud, abuse, and security threats
  • Authenticating users and protecting accounts
  • Maintaining audit logs for security and compliance purposes
  • Complying with legal obligations and responding to legal requests
  • Enforcing our Terms of Service and other policies

4.4 For Communication

  • Responding to your inquiries and support requests
  • Sending important notices about the Service (updates, security alerts)
  • Providing product tips, training, and best practices
  • Marketing communications (with your consent, where required)

6. Data Storage and Security

6.1 Infrastructure

Your data is stored securely using enterprise-grade cloud infrastructure provided by Supabase (built on Amazon Web Services). Data centers are located in the United States with redundant systems and disaster recovery capabilities.

6.2 Encryption

  • In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
  • At Rest: All stored data is encrypted using AES-256 encryption
  • Backups: Encrypted backups are maintained with geographic redundancy

6.3 Multi-Tenant Isolation

We use PostgreSQL Row-Level Security (RLS) policies at the database level to ensure complete data isolation between customers. Your data is logically separated and never accessible to other customers, even in the same database.

6.4 Security Measures

We implement comprehensive security measures including:

  • Role-based access controls and principle of least privilege
  • Multi-factor authentication support
  • Comprehensive audit logging of all data access
  • 24/7 security monitoring and intrusion detection
  • Regular security audits and vulnerability assessments
  • Penetration testing by independent security firms
  • Employee security training and background checks
  • Incident response and disaster recovery procedures

6.5 Security Incident Response

In the event of a security incident that affects your personal data, we will notify you promptly in accordance with applicable law and our contractual obligations. We maintain documented incident response procedures and will provide information about the nature, scope, and remediation of any incident.

7. Data Ownership

You own your data. Period.

All customer data, business records, and information you provide through our Service belongs to you. We act as a data processor on your behalf, not as the owner of your data.

7.1 Your Rights to Your Data

You retain all ownership rights to your data, including:

  • The right to export your data at any time in standard formats
  • The right to request deletion of your data
  • The right to control who has access to your data
  • The right to data portability

7.2 Our Limited License

You grant us a limited license to use your data solely to provide the Service, improve our offerings (using aggregated, anonymized data), and comply with legal requirements. We do not use your data for any other purpose.

7.3 Upon Termination

When you terminate your account, you may export your data for up to 30 days. After that period, we will delete your data in accordance with our retention policies, except where required by law or for legitimate business purposes (such as maintaining audit logs).

8. Data Sharing and Disclosure

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Ever.

8.1 Service Providers

We share information with trusted third-party service providers who assist in operating our Service, subject to confidentiality agreements:

  • Infrastructure: Supabase (hosting), Vercel (frontend), AWS (cloud infrastructure)
  • Payment Processing: Stripe (payment processing)
  • Communications: Twilio (SMS), SendGrid (email)
  • Mapping: Google Maps Platform (geocoding, routing)
  • Analytics: Vercel Analytics, Sentry (error tracking)
  • Property Data: Zillow (property intelligence)

8.2 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with legal process (subpoenas, court orders)
  • Respond to lawful requests by public authorities
  • Protect our rights, privacy, safety, or property
  • Enforce our Terms of Service
  • Prevent fraud or address security issues

We will notify you of legal requests for your data unless prohibited by law or court order.

8.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

8.4 With Your Consent

We may share your information with third parties when you explicitly authorize us to do so, such as when you enable integrations with other services.

9. International Data Transfers

Our Service is primarily operated in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by relevant authorities
  • Data processing agreements with appropriate privacy protections
  • Compliance with applicable data transfer frameworks

By using our Service, you consent to the transfer of your information to the United States and other countries as described in this Policy.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function (authentication, security, session management)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the Service (anonymized usage patterns)
  • Performance Cookies: Monitor Service performance and identify issues

10.2 Third-Party Cookies

Some of our service providers may place cookies on your device. These include analytics providers and error tracking services. These third parties are bound by their own privacy policies.

10.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of our Service. Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block all cookies
  • Clear cookies when you close the browser

10.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals, as there is no industry standard for interpreting these signals. We will update this Policy if that changes.

11. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

11.1 Access

You have the right to request access to the personal information we hold about you, including a copy of such data in a portable format.

11.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly in your account settings.

11.3 Deletion

You have the right to request deletion of your personal information, subject to legal retention requirements and our legitimate business interests.

11.4 Data Portability

You have the right to receive your personal information in a structured, commonly used, machine-readable format (CSV, JSON).

11.5 Objection

You have the right to object to certain processing activities, including processing for direct marketing purposes.

11.6 Restriction

You have the right to request restriction of processing in certain circumstances, such as while we verify the accuracy of your data.

11.7 Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

11.8 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

12. Data Retention

12.1 Retention Periods

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Policy:

  • Account Data: For the duration of your account plus 30 days for data export
  • Business Data: As directed by you; deleted upon account termination after the export period
  • Financial Records: 7 years as required by tax and accounting regulations
  • Audit Logs: 2 years for security and compliance purposes
  • Marketing Data: Until you unsubscribe or request deletion

12.2 Post-Termination

When you terminate your account, we will delete or anonymize your personal data within 30 days of the export period ending, except where retention is required by law or for legitimate business purposes.

13. Children's Privacy

Our Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

14.1 Right to Know

You have the right to know what personal information we collect, use, disclose, and sell (though we do not sell personal information).

14.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

14.3 Right to Opt-Out

You have the right to opt-out of the sale of your personal information. Note: We do not sell personal information.

14.4 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

14.5 Authorized Agents

You may authorize an agent to submit a request on your behalf. We may require verification of the agent's authorization.

14.6 Categories of Information

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, phone, IP address)
  • Commercial information (transaction history, billing)
  • Internet activity (usage data, browsing history)
  • Geolocation data (with consent for technicians)
  • Professional information (company, job title)

15. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

15.1 Legal Basis

We process your personal data based on the legal bases described in Section 5 of this Policy.

15.2 Data Protection Officer

For questions about data protection, you may contact us at [email protected].

15.3 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law.

15.4 International Transfers

When transferring data outside the EEA, we use Standard Contractual Clauses and other appropriate safeguards as described in Section 9.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this Policy
  • We will provide notice via email and/or prominent notice within the Service at least 30 days before changes take effect
  • We will obtain your consent where required by applicable law

We encourage you to review this Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Plenum Inc.

Privacy Inquiries: [email protected]

Data Protection Officer: [email protected]

General Contact: [email protected]

Address: Denver, Colorado, USA

We will respond to all privacy-related inquiries within 30 days.