PlenDesk Logo
Back to home

Privacy Policy

Last updated: 2026-04-14·Effective: 2026-04-14

This Privacy Policy explains how PlenDesk ("we", "us") collects, uses, and protects personal data in connection with our software services ("Services"), including pd_watchdog and any other PlenDesk sub-applications. It is written to satisfy the Swiss Federal Act on Data Protection (nDSG, as revised in 2023) and the EU General Data Protection Regulation (GDPR) where applicable.

1. Controller

The controller responsible for your personal data is:

PlenDesk
Lindachstrasse
3038 Kirchlindach BE
Switzerland
Email: privacy@plendesk.com

PlenDesk is a Swiss sole proprietorship. If you have any question about this Policy or about how we process your personal data, please contact us at the email above.

2. What personal data we collect

Depending on which PlenDesk Services you use, we may collect:

  • Account data — name, email address, login metadata, preferences. Collected when you create an account via Clerk.
  • Contact details of monitored persons (pd_watchdog only) — name, phone number, email of the watchpoint person and each contact you configure. Collected from you as the administrator.
  • Check-in activity — timestamps, method (app, link, SMS, voice), incident state, messages in incident chats.
  • Billing data — plan, credit balance, invoice metadata. Payment card data is processed by Lemon Squeezy as our Merchant of Record and never reaches our servers.
  • Technical data — IP address, browser type, device information, error events. Used only for operating and securing the Services.

3. Purposes and legal bases

  • Providing the Services (nDSG Art. 31 para. 2 lit. a / GDPR Art. 6(1)(b) — contract performance). Includes sending check-in reminders, alerting contacts on missed check-ins, authenticating users, and managing billing.
  • Security and abuse prevention (nDSG Art. 31 para. 2 lit. c / GDPR Art. 6(1)(f) — legitimate interest). Includes error monitoring, rate limiting, fraud detection.
  • Compliance with legal obligations (GDPR Art. 6(1)(c)) — e.g. tax record-keeping, regulatory requests.
  • Communications about the Services— transactional email and SMS you've configured (check-in links, incident alerts). We do not send marketing messages.

4. Who we share your data with

We use carefully selected external service providers ("sub-processors") to operate the Services. Each has a signed Data Processing Addendum with PlenDesk under nDSG Art. 9 and where applicable GDPR Art. 28. Our current sub-processors:

ProviderPurposeCountryLegal basis for transferDPA

Some of these providers in turn rely on their own sub-processors (e.g. infrastructure providers such as AWS). A consolidated list is maintained via the DPA links above; we update this page when the underlying providers change.

5. International transfers

Most of our providers are headquartered in the United States. Transfers from Switzerland and the EU are covered by the Swiss-US Data Privacy Frameworkand/or the European Commission's Standard Contractual Clauses, as referenced in each provider's DPA linked above. We do not transfer personal data to countries without an adequate level of protection unless such safeguards are in place.

6. How long we keep your data

  • Account data — for as long as your account is active, plus a reasonable window for deletion requests and legal obligations.
  • Notification log (sentMessages) — 90 days, then automatically deleted.
  • Event log (activity history) — 10 days, then automatically deleted.
  • Incident chats — retained with the incident record; contacts can set a retention period of 2 days, 30 days, or 6 months after archiving, after which they are deleted automatically.
  • Public page sessions — up to 30 days from last login, then expired.
  • Verification codes — deleted on use or after expiry (minutes to hours).
  • Billing records — retained for as long as Swiss tax law requires (currently 10 years).

If you delete your account, all personal data under our control is deleted within a few minutes via an automated cascade, except where a legal obligation (e.g. accounting) requires continued retention.

7. Your rights

Under nDSG and GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure("right to be forgotten") — request deletion. For most account data this happens automatically within minutes of deleting your account in Clerk.
  • Restriction — ask us to limit how we process your data.
  • Objection — object to processing based on our legitimate interest.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — where processing is based on consent, at any time.

To exercise any of these rights, email privacy@plendesk.com. We respond within 30 days.

If you are in Switzerland and believe we process your data unlawfully, you may also lodge a complaint with the Federal Data Protection and Information Commissioner (EDÖB). If you are in the EU, you may lodge a complaint with your local data protection authority.

8. Cookies and tracking

PlenDesk uses strictly functional cookies that are necessary to operate the Services (authentication session, CSRF protection). No advertising or cross-site tracking cookies are used.

Our administrator dashboards use Sentry Session Replay to record UI interactions when an error occurs, strictly for debugging. Text input and media are masked by default; token-bearing routes (public check-in and contact pages) are excluded from recording entirely.

9. Security

We implement technical and organisational measures appropriate to the risk, including TLS encryption in transit, authentication via Clerk, role-based access control, and continuous error monitoring. PIN-based public-page authentication uses timing-safe comparison and rate-limiting to prevent brute force. Despite our efforts, no system is perfectly secure; please contact us immediately if you suspect a breach.

10. Children's privacy

The Services are not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.

11. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be communicated through the Services.

12. Governing law

This Policy is governed by Swiss law. Any disputes are subject to the exclusive jurisdiction of the competent courts of Kirchlindach, Switzerland.