Privacy Policy

Last updated: 2026-06-01

1. Who we are

INSEC is the data controller for PlaniMix.

Lindestraat 17, 1980 Zemst, Belgium · privacy@insec-consult.be

2. What we collect and why

We collect only what's needed to run the platform.

  • Account identity — email, optional display name, full name, phone, postal address, hashed password, MFA secret, hashed backup codes. Lawful basis: contract performance (Art. 6(1)(b) GDPR).
  • Business data you enter — companies, projects, tickets, time entries, uploaded DWG / point-cloud files, invoices. Lawful basis: contract performance.
  • Security telemetry — IP address and user agent on sign-in, failed-login records, MFA audit events, account-lockout events. Lawful basis: legitimate interest in platform security (Art. 6(1)(f)). Auto-purged on a fixed schedule (see Retention).
  • Session storage — your authenticated session token (HttpOnly-equivalent local storage), your language and theme preferences. Strictly necessary.
  • Push notification subscription — only if you opt in. Lawful basis: consent (Art. 6(1)(a)). The opt-in timestamp is logged as proof of consent.

3. What we never do

  • No analytics or usage tracking of any kind.
  • No advertising trackers, no third-party tag managers, no fingerprinting.
  • No marketing email. We only send transactional messages strictly needed for the service.
  • No sale or rental of your data.
  • Your data is never used to train AI models.
  • No profiling, no automated decision-making with legal effect.

4. Sub-processors

We rely on the following providers strictly to deliver the service. Each is bound by a data-processing agreement (DPA), and transfers outside the EEA rely on the European Commission's Standard Contractual Clauses (SCCs).

| Provider | Purpose | Location | Transfer safeguard |
| Cloudflare | CDN, edge routing, Workers runtime | Global (EU edge) | SCCs |
| Cloudflare R2 | Encrypted object storage for your files | EU | SCCs |
| Lovable | Build pipeline and preview hosting | EU/US | SCCs |
| Fly.io | Point-cloud processing worker | EU (Paris) | SCCs |
| Autodesk Platform Services | DWG translation and viewer rendering (files you upload) | US | SCCs |
| Resend (via Lovable gateway) | Transactional email delivery | EU/US | SCCs |
| OpenStreetMap Foundation | Map base-layer tiles (your IP is visible to OSMF when maps render) | EU (UK) | |
| Browser push services (FCM / Mozilla autopush / Apple APNs) | Browser push delivery (only if you opt in) | US | SCCs / opt-in only |

Planned future migration: Vercel hosting + Cloudflare Workers (EU region). This policy will be updated before the migration takes place.

5. Storage and security

  • All connections use HTTPS/TLS.
  • Data at rest is encrypted by the storage providers.
  • Passwords are hashed (bcrypt); we never store plaintext.
  • MFA (TOTP) is available and recommended; sensitive actions require a verified factor.
  • Row-level security isolates data between users and companies.
  • Failed-login records trigger temporary account lockout (5 failures / 15 min → 2 h lockout).
  • Security events are written to an append-only audit log accessible only to authorized staff.

6. Retention

  • Account and business data: kept while your account is active.
  • Failed-login records: auto-deleted after 90 days.
  • Resolved account lockouts: auto-deleted after 90 days.
  • MFA audit log IP/user-agent: anonymized after 30 days; events themselves retained up to 365 days for security forensics, then deleted.
  • Account deletion: all personal data erased within 30 days (usually immediately, see § 10).

7. Cookies and local storage

PlaniMix sets only strictly-necessary storage. Under the ePrivacy Directive, no consent banner is required for these:

  • sb-* — your authenticated session token, set by the authentication system.
  • lang — your interface language (EN/FR).
  • Theme preference — light/dark mode.

We do not set any other cookies, analytics IDs, or third-party trackers.

8. Push notifications

Push notifications are opt-in only. When you opt in we record the timestamp as proof of consent. You can revoke at any time from your notification preferences; the subscription is deleted immediately and the browser push endpoint is no longer contacted.

9. Your rights

Under GDPR Art. 15–22 you have the right to:

  • Access — see what we hold about you (most of it is visible in your account).
  • Rectification — correct inaccurate data (editable in your profile).
  • Erasure — delete your account (§ 10).
  • Restriction of processing.
  • Object to processing based on legitimate interest.
  • Withdraw consent for push notifications.
  • Lodge a complaint with the Belgian DPA (Gegevensbeschermingsautoriteit / Autorité de protection des données) or your national supervisory authority.

10. Account deletion

You can delete your account yourself from Settings → Account. We require your current password to confirm.

  • Your profile, MFA factors, push subscriptions, and notification preferences are deleted.
  • Your MFA audit history is deleted.
  • Failed-login records are anonymized.
  • Business data inside a company (files, tickets, time entries) remains with that company so colleagues retain continuity. If you are the sole owner of a company, transfer ownership before deleting.

11. International transfers

Some sub-processors (Autodesk APS, browser push services, parts of Lovable and Resend) are based in the United States. These transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and the provider's supplementary safeguards. Map tiles are served by the OpenStreetMap Foundation (UK).

12. Data breach notification

If a personal-data breach occurs, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Art. 34). Our breach inbox is security@insec-consult.be.

13. Children

PlaniMix is a B2B platform and is not directed at children under 16. We do not knowingly collect data from minors.

14. Changes to this policy

We will update this page when our processing changes. Material changes will be communicated in-app to signed-in users.

15. Contact

Privacy questions or requests: privacy@insec-consult.be.