Plango Studios

Privacy Policy

Last updated: February 4, 2026

1. Preface and Scope

Plango Studios ("Company," "we," "our," or "us") is dedicated to the robust protection of your personal digital identity and proprietary business data. This Privacy Policy ("Policy") constitutes a legally binding document illustrating our comprehensive data handling framework, strictly adhering to global data privacy standards including GDPR, CCPA, and SOC 2 Type II compliance protocols where applicable.

This Policy applies to all services, platforms, APIs, and digital products offered by Plango Studios. By accessing our platform, you explicitly consent to the data collection and processing methods tailored herein.

2. Comprehensive Data Collection Strategy

We employ a multi-layered data ingestion strategy to ensure service optimization. Data points collected include:

A. Identity & Authentication Data

  • Full Legal Name & Corporate Identity
  • Authenticated Email Addresses (OAuth2/SSO)
  • Telephonic Contact Details & Geo-Location Metadata
  • Cryptographic Identity Tokens & Session Cookies

B. Financial & Transactional Instrumentation

  • PCI-DSS Compliant Payment Tokens (Processed via Stripe)
  • Billing Address & Taxation Jurisdiction Data
  • Subscription Lifecycle Metadata & Invoice History
  • Fraud Detection Fingerprints (Device ID, IP, Velocity Checks)

C. Proprietary Business Logic & Content

  • Brand Assets (Vector Logos, HEX/RGB Palettes, Typography)
  • Strategic Business Descriptions & Market Positioning Data
  • Uploaded Media (Images, Videos, Documents) processed via S3 Buckets
  • AI Interaction Logs & Prompt Engineering Metadata

D. Telemetry & Analytics

  • Real-time usage metrics (Vercel Analytics)
  • Error stack traces and performance profiling
  • Client-side interaction heatmaps
  • Network latency and edge request routing logs

3. Algorithmic Data Processing & Utilization

Data is processed via determinstic and probabilistic algorithms to deliver our core value proposition:

  • **AI Model Training (Limited Scope):** utilizing anonymized business descriptors to fine-tune our generative models (e.g., GPT-4o) for superior copy generation.
  • **Automated DevOps Pipelines:** Provisioning isolated infrastructure (Git repos, Vercel deployments, Supabase instances) based on project parameters.
  • **Dynamic Fraud Prevention:** Real-time analysis of transaction headers to prevent card tumbling and arbitrage attacks.
  • **Lifecycle Marketing Automation:** Triggering transactional emails (Postmark) and SMS notifications (Twilio) based on state-machine transitions.

4. Infrastructure & Third-Party Processors

We operate on a "Zero-Trust" architecture leveraging best-in-class processors. Data is never sold. It is shared strictly with:

  • **Supabase (AWS us-east-1):** Encrypted-at-rest database storage (AES-256).
  • **Stripe Inc:** Payment logic and PCI compliance offloading.
  • **Vercel Inc:** Edge computing and static asset delivery.
  • **OpenAI API:** Secure, stateless transmission of prompts for content generation (Enterprise tier data exclusion applies).
  • **Twilio/SendGrid:** Communication infrastructure.

5. Data Sovereignty & Encryption Standards

Encryption in Transit: All network traffic is secured via TLS 1.3 (Transport Layer Security) with HSTS (HTTP Strict Transport Security) preloading enabled.

Encryption at Rest: Database volumes and S3 buckets are encrypted using industry-standard AES-256 keys managed via AWS KMS.

Access Control: Administrative access is strictly enforced via Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA).

6. User Rights & Data Portability

You retain full sovereignty over your data. You may exercise rights to:

  • **Right to Erasure (Right to be Forgotten):** Request permanent deletion of all non-transactional data.
  • **Right to Portability:** Request a structured JSON/CSV export of your project data.
  • **Right to Rectification:** Update inaccurate business logic via the dashboard.
  • **Right to Restrict Processing:** Halt AI-based processing of your brand assets.

Submit formal Data Subject Access Requests (DSAR) to legal@plangostudios.com.

7. Cookie Policy & Local Storage

We utilize `httpOnly` secure cookies for authentication state management. We do not use third-party tracking pixels (e.g., Facebook Pixel) on our dashboard to preserve business privacy. Local Storage is used strictly for UI preference persistence (e.g., theme toggle).

8. International Data Transfer Mechanisms

If you access our services from the EEA or UK, note that data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) and the Data Privacy Framework (DPF) adequacy decision to legitimize these transfers.

9. Contact & Data Protection Officer

For escalated privacy concerns or security disclosures:

Plango Studios Legal Dept.
123 Innovation Drive
Hampton, GA 30228
Email: legal@plangostudios.com