Privacy Policy — Plano
Last updated: March 2026
Data controller: Ilias Kyriakos, Platanos, Leros - Dodecanese, PC 85400
GDPR contact: info@planoapp.gr
1. Data we collect
We collect account information (email, business name), usage data (bookings, guests and financial information you enter into the platform) and technical data (IP address, session cookies and logs).
2. Purpose of processing
Data is used to provide and improve the service, communicate with the user and comply with legal obligations. Technical data is also used for security, operational monitoring and prevention of misuse.
3. Legal basis
Processing is based on the performance of a contract (Article 6§1b GDPR) and legitimate interest in improving the service and ensuring security (Article 6§1f GDPR).
4. Processing roles
The user of the service acts as Data Controller for their customers' data. The provider of the Plano platform acts as Data Processor, processing data exclusively on behalf of the user.
5. Storage & security
Data is stored on infrastructure within the European Union (Supabase). TLS encryption and per-tenant access controls (multi-tenant isolation) are applied. The Provider implements appropriate technical and organisational measures to protect data.
6. Sub-processors
The following sub-processors are used to operate the service: Supabase (database), Vercel (hosting), Resend (email delivery). Sub-processors may change, with equivalent security standards maintained. The Provider does not sell or trade personal data.
7. Data transfers
Data is not transferred outside the European Union unless appropriate safeguards are applied in accordance with the GDPR.
8. User rights
Under the GDPR, you have the right to access, rectify, erase and port your data, and to object to its processing. Requests may be submitted to info@planoapp.gr and will be answered within 30 days. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
9. Data retention
Data is retained for as long as the subscription is active and for up to 90 days after expiry. After this period, data is permanently deleted and is no longer recoverable.
10. Data breaches
In the event of a personal data breach, the Provider will notify affected users within 72 hours, in accordance with the GDPR.
11. Minors
The service is intended exclusively for professionals. We do not knowingly collect data from persons under 18 years of age.
12. Cookies
Only essential session cookies are used for the operation of the platform. These cookies do not require consent under applicable law. No advertising or third-party cookies are used.
13. Changes
Any changes to this policy will be communicated via the platform or by email at least 14 days before they take effect. In case of discrepancy between the Greek and English versions, the Greek version prevails.