Privacy Policy

Last updated: 25 April 2026

This policy explains how PlanNexus collects and uses personal data. We are the controller for personal data we hold about you as an account-holder. We act as both controller and processor, depending on context, for personal data appearing inside planning records.

1. Who we are

PlanNexus is operated from the United Kingdom. Use our contact form for any privacy enquiry, including to exercise the rights described in section 8.

2. Data we collect about account-holders

Account details: email address, hashed password, and the name you put on your account.
API key metadata: the keys you generate (we store a one-way hash, not the raw key), key prefixes, and the names you give them.
Billing details: when you subscribe to a paid plan, payment is processed by Stripe. We receive a customer ID and subscription status from Stripe but do not store full card details.
Usage telemetry: per-key request counts, the timestamp of last use, and aggregate per-month usage counts. Used for rate-limit enforcement, billing, and abuse detection.
Logs: request method, path, status code, and duration. Logs are retained for up to 30 days.

3. Personal data inside planning records

Planning applications published by Local Planning Authorities may include personal data — typically applicant or agent names, the address of the application site, and case-officer details. This data is published by the LPA in the public interest under the Town and Country Planning regime; PlanNexus mirrors what the LPA chose to publish.

We rely on the lawful basis of legitimate interests (UK GDPR Article 6(1)(f)) for processing this data: building a single, queryable index of public planning records is a substantial improvement over the current fragmented portal estate, and the data was already public.
We do not enrich planning records with other personal data we hold about you, and we do not perform automated decisions that have legal or similarly significant effects on data subjects.
If you appear in a planning record indexed by us and want to exercise data-protection rights, contact us at the address above. Note that, for many requests, the LPA is the original controller and may need to be contacted directly to remove the record at source.

4. How we use account-holder data

To provide the Service and maintain your account (contract).
To enforce rate limits, quotas, and these terms (legitimate interests).
To bill you and reconcile payments (contract / legal obligation).
To send service notifications such as quota warnings, security alerts, and material changes (contract / legitimate interests).
To send occasional product updates by email; you can opt out at any time (legitimate interests).
To investigate suspected abuse or breach of these terms (legitimate interests).

5. Sharing

We share data only with our processors, who act under written agreements:

Stripefor payment processing (UK / EEA / US, covered by Stripe’s standard contractual clauses).
Hosting and email infrastructure providers within the UK / EEA.

We do not sell or rent personal data, and we do not share it with third parties for their own marketing.

6. International transfers

Where data is processed outside the UK (for example, by Stripe), we rely on adequacy decisions or Standard Contractual Clauses to ensure equivalent protection.

7. Retention

Account data is retained while your account is active.
On account closure, account data is deleted within 30 days, except for billing records we are required to retain for tax and accounting purposes (typically up to 6 years).
Request logs are retained for up to 30 days.
Per-month usage snapshots are retained for up to 24 months for audit, dispute resolution, and analytics.
Planning records are refreshed continuously from LPA portals; we keep historical snapshots indefinitely as part of the dataset.

8. Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, objection, and portability. To exercise any of these, send the request via our contact form. We aim to respond within one calendar month. If you are not satisfied with our response, you can complain to the UK Information Commissioner’s Office at ico.org.uk.

9. Cookies and similar

We use a small number of strictly-necessary cookies to keep you signed in and to remember your theme preference. We do not use third-party advertising or cross-site tracking cookies.

10. Security

Passwords are hashed using a modern key-derivation function. API keys are stored as one-way hashes; the raw key is shown to you only once. Traffic is served over TLS. We follow the principle of least privilege for internal access.

11. Changes

We may update this policy from time to time. Material changes will be notified by email and/or in-app.