Plen - Privacy Policy
This Privacy Policy explains what personal data Wilb collects when you visit plen.work or use Plen, why we collect it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR / AVG).
It should be read together with our Terms & Conditions. Where the two overlap, this Policy governs questions about personal data.
1. Who is responsible for your data
The data controller for the personal data described in this Policy is:
- Wilb (eenmanszaak)
- Wibautstraat 150 – 2.67, 1091 GR Amsterdam, the Netherlands
- KvK number: 64118908
- BTW-ID: NL002294521B05
- Email: info@plen.work
In this Policy, “we”, “us” and “our” mean Wilb.
2. The short version
- Plen runs entirely on your own computer. We never see, collect, store or process the contents of your project files.
- The only personal data we hold about a customer is, in essence, your email address — used to deliver your Licence Key, send important software-related notices, and meet our legal record-keeping duties.
- We do not sell your data, we do not profile you, and the Site currently uses no cookies, tracking pixels or analytics.
- Your payment is handled by Paddle, who is the Merchant of Record and a separate data controller for payment data.
3. Your project data stays on your device
Plen is a local-first desktop application. The projects, tasks, schedules, costs and any other content you create or import live as ordinary files on your own computer. Plen does not transmit this content to us or to any third party, and we have no technical means of accessing it. Your Licence Key is also verified locally on your device, without contacting our servers.
Because of this architecture, your project data is not “personal data we process” in any meaningful sense — it never leaves your machine. Backing up that data is your responsibility, as described in our Terms & Conditions.
4. What we collect, why, and on what legal basis
4.1 Purchase and licence delivery
When you buy a Full Licence, we receive your email address (and a transaction reference) from Paddle so that we can generate and send your Licence Key.
- Data: email address; order/transaction reference; the Licence Key issued to you.
- Purpose: to deliver the Licence Key, to resend it if you lose it, and to contact you about issues directly affecting the software you bought (for example, a critical bug fix or a security notice).
- Legal basis: performance of our contract with you (Article 6(1)(b) GDPR) for delivery; our legitimate interest in supporting our own customers (Article 6(1)(f) GDPR) for essential software-related notices.
4.2 Tax and accounting records
As a Dutch business we are legally required to keep records relating to our sales.
- Data: transaction and invoice data associated with your purchase.
- Purpose: to comply with our fiscal obligations.
- Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR), specifically the seven-year retention duty under Article 52 of the Algemene Wet inzake Rijksbelastingen (AWR). Note that Paddle, as Merchant of Record, holds the primary invoice and VAT records for your purchase.
4.3 Email you send us
If you email us — for example to ask a question, report a problem, or notify us of a licence transfer — we receive whatever you choose to put in that message.
- Data: your email address and the content of your message.
- Purpose: to respond to and handle your request, and to keep a record of a licence transfer where you tell us about one.
- Legal basis: our legitimate interest in answering correspondence and maintaining accurate licence records (Article 6(1)(f) GDPR).
4.4 Website visits
The Site is static and informational. It does not currently set cookies, use tracking pixels, or run third-party analytics. Our hosting provider may process limited technical server logs (such as IP address and request time) as a normal part of serving and securing a website; these are not used to identify or profile you.
5. Who we share data with (processors and other controllers)
We do not sell your personal data and we keep the list of parties who touch it deliberately short.
5.1 Paddle — payments (separate controller)
Paddle.com Market Ltd acts as Merchant of Record for your purchase. Paddle processes your payment, collects and remits VAT, and issues your invoice. For payment-related data, Paddle is a separate, independent data controller and applies its own privacy policy. We receive only the limited data described in section 4.1 from Paddle — we never see your full card or banking details.
5.2 Resend — email delivery (processor)
We use Resend to send transactional emails such as your Licence Key. Resend acts as our data processor, handling your email address and the content of the messages we send, on our instructions and under a data-processing agreement. Resend stores the emails it sends on our behalf. Where this involves transfers outside the EEA, those transfers are covered by appropriate safeguards, namely the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
5.3 Hosting (processor)
Our website and the serverless function that issues Licence Keys are hosted on our behalf by our hosting provider, acting as a processor. The provider may process limited technical logs as described in section 4.4.
5.4 Authorities
We may disclose data where we are legally required to do so — for example to the Belastingdienst in the context of our tax obligations, or in response to a lawful order.
6. How long we keep your data
- Tax and invoice records (section 4.2): seven years, as required by Article 52 AWR.
- Your email address and Licence Key (section 4.1): for as long as we reasonably consider the licence to be in active use, so that we can resend your key and send essential notices. Where the same data also forms part of a fiscal record, the seven-year period above applies to that record. You may ask us to delete your email address at any time; we will do so unless and to the extent we must retain it to meet the fiscal obligation.
- Support and other correspondence (section 4.3): for as long as needed to handle your request and to keep a reasonable record of licence transfers, after which it is deleted.
7. Your rights under the GDPR
You have the right to:
- access the personal data we hold about you;
- rectify data that is inaccurate or incomplete;
- erase your data (“right to be forgotten”), subject to our legal retention duties;
- restrict or object to our processing where it is based on legitimate interests;
- data portability, where processing is based on contract or consent and carried out by automated means; and
- withdraw consent at any time, where processing is based on consent (this does not affect processing already carried out).
To exercise any of these rights, email us at info@plen.work. We will respond within one month. We will not charge a fee unless a request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority in your country of residence.
8. Cookies and analytics
The Site does not currently use cookies, tracking pixels or third-party analytics. If we introduce any in the future, we will update this Policy and — for any non-essential cookies — ask for your consent before they are placed on your device, as required by Article 11.7a of the Dutch Telecommunications Act and the GDPR.
9. Children
Plen is a productivity tool intended for general and professional use. It is not directed at children, and we do not knowingly collect personal data from children.
10. Changes to this Policy
We may update this Policy from time to time. We will publish the current version at plen.work with a clear effective date. Material changes affecting how we use your personal data will be reflected in the version and date shown above.
11. Contact
For any question about this Policy or your personal data, email us at info@plen.work.