PlenDesk LogoPlenDesk

© 2025 - 2026 PlenDesk

Terms·Privacy·Refunds·Legal Notice·Help·support@plendesk.com
Back to home

Privacy Policy

Last updated: 2026-06-18·Effective: 2026-06-18

This Privacy Policy explains how PlenDesk ("we", "us") collects, uses, and protects personal data in connection with myID, our software service for privacy-first QR tags and lost-and-found item recovery ("Services"). It is written to satisfy the Swiss Federal Act on Data Protection (nDSG, as revised in 2023) and the EU General Data Protection Regulation (GDPR) where applicable.

1. Controller

The controller responsible for your personal data is:

Jürgen Walter
Lindachstrasse 13
3038 Kirchlindach BE
Switzerland
Email: privacy@plendesk.com

PlenDesk is a Swiss sole proprietorship. If you have any question about this Policy or about how we process your personal data, please contact us at the email above.

2. What personal data we collect

When you use myID, we may collect:

  • Account data — name, email address, login metadata, preferences. Collected when you create an account via Clerk.
  • myID tag data — tag labels, public finder page text, QR-code paths, optional custom slugs, item categories, and tag status. Collected when you create or manage a myID tag.
  • Finder messages — messages submitted through a public myID finder page, optional finder contact details, message timestamps, scan metadata, and anonymous chat tokens.
  • Billing data — plan, credit balance, invoice metadata. Payment card data is processed by the payment provider shown at checkout and never reaches our servers.
  • Technical data — IP address, browser type, device information, error events. Used only for operating and securing the Services.

3. Purposes and legal bases

  • Providing the Services (nDSG Art. 31 para. 2 lit. a / GDPR Art. 6(1)(b) — contract performance). Includes creating QR tags, showing public finder forms, delivering finder messages, authenticating users, and managing billing.
  • Security and abuse prevention (nDSG Art. 31 para. 2 lit. c / GDPR Art. 6(1)(f) — legitimate interest). Includes error monitoring, rate limiting, fraud detection.
  • Compliance with legal obligations (GDPR Art. 6(1)(c)) — e.g. tax record-keeping, regulatory requests.
  • Communications about the Services — transactional emails such as account, billing, support, and finder-message notifications. We do not send marketing messages.

4. Who we share your data with

We use carefully selected external service providers ("sub-processors") to operate the Services. Each has a signed Data Processing Addendum with PlenDesk under nDSG Art. 9 and where applicable GDPR Art. 28. Our current sub-processors:

ProviderPurposeCountryLegal basis for transferDPA
Clerk
clerk.com
Authentication, account management, and session securityUnited StatesDPA, SCCs, and applicable data transfer safeguardsView DPA
Convex
convex.dev
Application database, server functions, and real-time data syncUnited StatesDPA, SCCs, and applicable data transfer safeguardsView DPA
Vercel
vercel.com
Hosting, edge routing, deployment, and web analyticsUnited StatesDPA, SCCs, and applicable data transfer safeguardsView DPA
Sentry
sentry.io
Error monitoring, diagnostics, and security troubleshootingUnited StatesDPA, SCCs, and applicable data transfer safeguardsView DPA

Some of these providers in turn rely on their own sub-processors (e.g. infrastructure providers such as AWS). A consolidated list is maintained via the DPA links above; we update this page when the underlying providers change.

5. International transfers

Most of our providers are headquartered in the United States. Transfers from Switzerland and the EU are covered by the Swiss-US Data Privacy Frameworkand/or the European Commission's Standard Contractual Clauses, as referenced in each provider's DPA linked above. We do not transfer personal data to countries without an adequate level of protection unless such safeguards are in place.

6. How long we keep your data

  • Account data — for as long as your account is active, plus a reasonable window for deletion requests and legal obligations.
  • myID tag data — for as long as the tag exists in your account, unless you delete or retire it earlier.
  • Finder messages and anonymous chats — retained so you can recover the tagged item and review your recent contact history; deleted when the related tag or account is deleted unless a legal obligation requires retention.
  • Security and access logs — retained for a limited period needed to operate, secure, and troubleshoot the Services.
  • Verification codes — deleted on use or after expiry (minutes to hours).
  • Billing records — retained for as long as Swiss tax law requires (currently 10 years).

If you delete your account, all personal data under our control is deleted within a few minutes via an automated cascade, except where a legal obligation (e.g. accounting) requires continued retention.

7. Your rights

Under nDSG and GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure("right to be forgotten") — request deletion. For most account data this happens automatically within minutes of deleting your account in Clerk.
  • Restriction — ask us to limit how we process your data.
  • Objection — object to processing based on our legitimate interest.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — where processing is based on consent, at any time.

To exercise any of these rights, email privacy@plendesk.com. We respond within 30 days.

If you are in Switzerland and believe we process your data unlawfully, you may also lodge a complaint with the Federal Data Protection and Information Commissioner (EDÖB). If you are in the EU, you may lodge a complaint with your local data protection authority.

8. Cookies and tracking

PlenDesk uses strictly functional cookies that are necessary to operate the Services (authentication session, CSRF protection). No advertising or cross-site tracking cookies are used.

Our administrator dashboards may use Sentry Session Replay to record UI interactions when an error occurs, strictly for debugging. Text input and media are masked by default; token-bearing public finder and contact pages are excluded from recording entirely.

9. Security

We implement technical and organisational measures appropriate to the risk, including TLS encryption in transit, authentication via Clerk, role-based access control, and continuous error monitoring. Public finder pages use bot protection and rate-limiting to prevent abuse. Despite our efforts, no system is perfectly secure; please contact us immediately if you suspect a breach.

10. Children's privacy

The Services are not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.

11. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be communicated through the Services.

12. Governing law

This Policy is governed by Swiss law. Any disputes are subject to the exclusive jurisdiction of the competent courts of Kirchlindach, Switzerland.

Resend
resend.com
Transactional emails such as account, support, and finder messagesUnited StatesDPA, SCCs, and applicable data transfer safeguardsView DPA
Polar
polar.sh
Intended payment provider and Merchant of Record for paid checkout when enabledUnited StatesPayment processing terms and applicable data transfer safeguardsView DPA