Privacy Policy
Plume · Effective 28 May 2026
1. Who we are
Plume ("the Service", "we", "us") is operated by Evgeny Savin, a self-employed professional (autónomo) registered in Spain (NIF [NIF]), [REGISTERED ADDRESS, SPAIN]. For any privacy matter, contact us at [privacy@your-domain].
2. Our two roles
This policy covers the data we decide the purposes for, where we act as the data controller: the information about you, the account holder. Separately, when you enter information about your own clients and customers into the Service, you are the controller of that data and we act only as your processor. That relationship is governed by our Data Processing Agreement, not this policy.
Read the Data Processing Agreement →
3. What we collect about you
- Account data: your email address, optional name, and a securely hashed password.
- Authentication data: session information needed to keep you signed in.
- Technical data: IP address, browser/device information, and server logs generated when you use the Service.
- Content you create: issuing entities, customers, items, and invoices. Note that invoices and customer records may contain personal data about your clients (see section 2).
4. Why we use it, and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating your account and the Service | Performance of a contract (Art. 6(1)(b)) |
| Keeping the Service secure; preventing fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Meeting our own legal, accounting and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Service-related communications (e.g. important notices) | Performance of a contract (Art. 6(1)(b)) |
5. How long we keep it
- Account data: for as long as your account is active.
- Content you create: until you delete it, or until your account is closed.
- After account closure: we delete or anonymise your data within 30 days, except where we must keep records to meet a legal or tax obligation.
- Backups: routine encrypted backups are retained on a rolling basis and overwritten over time.
6. Who we share it with
We do not sell your personal data. We share it only with service providers (sub-processors) that help us run the Service, strictly as needed and under contract:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and content delivery | United States / global edge |
| Neon Inc. | Managed PostgreSQL database hosting | See account region (verify EU) |
We may also disclose data where required by law, or to establish, exercise or defend legal claims.
7. International transfers
Some of our service providers may process data outside the European Economic Area (EEA). Where that happens, the transfer is protected by appropriate safeguards, primarily the European Commission's Standard Contractual Clauses (SCCs), supplemented by technical measures such as encryption in transit and at rest. We are reviewing our hosting regions and aim to keep data within the EEA where practical.
8. Your rights
Under the GDPR you have the right to access your data, correct it, delete it, restrict or object to its processing, and receive it in a portable format. To exercise any right, email us at [privacy@your-domain]. We respond within one month. You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD, www.aepd.es), or your local supervisory authority.
9. Security
We protect your data with measures including hashed passwords (bcrypt), strict per-account data isolation, encryption in transit (HTTPS), and access controls. No system is perfectly secure, but we work to keep risks low and to detect and respond to incidents quickly.
10. Cookies
We use only strictly necessary cookies. See the Cookie Notice →
11. Children
The Service is intended for businesses and professionals. It is not directed at children, and we do not knowingly collect data from anyone under 18.
12. Changes
We may update this policy. When we do, we will revise the effective date at the top and, for material changes, notify you within the Service.
13. Contact
Questions about this policy or your data: [privacy@your-domain].