Privacy Policy
Effective date: April 28, 2026 · Last reviewed: April 28, 2026
PlanMySaaS, a unit of ZTXO ARTLFY PVT LTD, 1st Floor, Kunj Bihar, Old Argora, Ranchi 834002, India ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. Please read this policy carefully. If you disagree with its terms, please discontinue use of the platform.
1. Who We Are and What This Policy Covers
PlanMySaaS is a product of ZTXO ARTLFY PVT LTD, an Indian private limited company registered at 1st Floor, Kunj Bihar, Old Argora, Ranchi 834002, Jharkhand, India (Corporate Identification Number is available on request). In this policy "we", "us" and "our" refer to that company; "you" and "your" refer to the natural person whose personal data is being processed. This policy explains what personal data we collect when you visit www.planmysaas.com, sign up for an account, generate a SaaS blueprint, contribute to the public Featured Ideas directory, install the open-source PlanMySaaS Claude Skill, or contact us through any channel. It applies to processing carried out by us as a Data Fiduciary under Section 2(i) of the Digital Personal Data Protection Act 2023 (the "DPDP Act"), and as a Controller under Article 4(7) of the EU General Data Protection Regulation 2016/679 ("GDPR") where the GDPR applies to a specific user. The policy does not cover websites, products, or services operated by third parties even if linked from our pages. Where we name a specific third-party service provider in this document, the obligations in their own privacy notice apply in addition to ours.
2. Categories of Personal Data We Collect
We collect the following categories of personal data, grouped by source so you can see what comes from where. Data you provide directly: full name; work or personal email address; phone number when you opt in to UPI AutoPay or WhatsApp parent digest; password (stored as a salted hash, never in plaintext); product idea descriptions, blueprint inputs, persona notes, pricing assumptions, and any other free-text you enter into the planning wizard; messages you send through the contact form, support chat, or feedback widget. Data generated automatically when you use the platform: a UUID account identifier; session token (HTTP-only cookie, see Section 9); IP address (truncated to /24 for analytics, kept full only in security logs for 30 days); device type, browser, and operating system; pages visited, features used, and interaction timestamps; if you opt in to error reporting, the call stack and request context of any errors you encounter. Data received from third parties: when you sign in with Google OAuth, Google sends us your account name, email, locale, and profile picture URL — nothing else, and only with your explicit consent on the OAuth screen. When you complete a payment, Razorpay sends us a transaction ID, the masked last four digits of the payment instrument, and the success/failure status — we never see your full card number or UPI PIN. When the open-source Claude Skill is installed, no personal data flows back to us. We do not knowingly collect biometric data, government identifiers (Aadhaar, PAN, passport), health data, or any other category of "sensitive personal data" as defined in Rule 3 of the IT (Reasonable Security Practices) Rules 2011, except where you voluntarily include such information in a free-text field. If you do, we treat it under the additional protections those rules require.
3. Lawful Basis for Processing
Under Section 4 of the DPDP Act and Article 6 of the GDPR, we process your personal data only when one of the following applies. Consent (DPDP Section 6, GDPR Article 6(1)(a)): you have signed up for an account, opted into a marketing email, opted into the Featured Ideas directory, or otherwise affirmatively agreed to the processing. Consent is recorded with timestamp and the exact statement you saw at the time, and you may withdraw it at any moment without affecting prior lawful processing. Contractual necessity (DPDP Section 7(a), GDPR Article 6(1)(b)): the processing is necessary for us to deliver the service you signed up for — for example, sending your idea to the AI generation pipeline so the blueprint can be produced, or charging your registered payment method when your subscription renews. Legal obligation (DPDP Section 7(b), GDPR Article 6(1)(c)): we are required to retain certain billing records under the Companies Act 2013, the GST Act 2017, and the Income Tax Act 1961 for the periods those laws specify. Tax invoices and ledger entries fall in this category and are retained for the statutory period regardless of account deletion. Legitimate interest (DPDP Section 7(g) "specified legitimate uses", GDPR Article 6(1)(f)): we operate fraud detection, abuse prevention, and platform security on the basis that these activities protect users and our service. Where we rely on legitimate interest, we balance our interest against your rights and document that balancing.
4. How We Use Your Personal Data
Each purpose listed here is bounded — your data is processed only to the extent that purpose requires, and is not silently repurposed. To provide the service: store your account, render the dashboard, run the planning wizard, generate the 8-stage blueprint output, deliver email confirmations, and handle login sessions. To process payments: route subscription charges through Razorpay using its secure tokenisation; store the resulting transaction record (no card number) for our books; send GST-compliant tax invoices to your registered email; reconcile billing with our internal credit ledger. To operate AI generation: forward your product idea, persona, pricing, and other planning inputs to the AI provider that powers the active model route — currently Anthropic (Claude family) as the primary, OpenAI (GPT family) as fallback, and Google (Gemini) for specific evaluation paths. These providers process your input under their respective enterprise data processing terms; under the agreements we have with them, your inputs are not used to train their public models. We do not aggregate user blueprints into the public Pattern Library — that library is built exclusively from publicly observable outcomes. To improve the service: study aggregated, de-identified usage statistics so we know which features are used and which generate errors. We do not read individual user blueprints to make product decisions. To communicate with you: send transactional emails (signup confirmation, billing receipt, password reset); reply to your support messages; if you have opted in, send product update emails — every marketing email carries an unsubscribe link. To defend our rights and yours: investigate suspected fraud, abuse, or terms-of-service violations; respond to lawful requests from courts, regulators, or law enforcement; protect against security incidents.
5. AI Processing and Foundation Model Providers
Because our core feature is AI generation, this section is separate so the chain of custody for AI requests is fully visible. When you click "Generate" in the planning wizard, the prompt that is sent to the foundation model contains: your typed idea, the persona and pricing fields you filled in, any prior stages of your blueprint that the next stage needs as context, and our system prompt. Your account email, real name, and payment data are not included in any AI prompt. The request is routed through our LLM router (src/lib/ai/router.ts) which selects between Anthropic Claude (primary), OpenAI GPT (fallback), and Google Gemini (specific paths) based on availability and the type of stage being generated. The provider's response is returned to our server, stored against your project, and rendered to your dashboard. Only Anthropic, OpenAI, or Google sees the prompt at any given time — never all three. We operate under the enterprise data processing terms of each provider as they exist at the time of this policy: Anthropic Commercial Terms (effective 2024 onwards) explicitly state that customer inputs are not used to train Anthropic's models; OpenAI Enterprise / API terms (Section 3.c) state the same for API requests on a paid plan; Google Cloud's customer data terms apply for Gemini API. Each provider is contractually a Data Processor under the GDPR or a Data Processor under the DPDP Act, and is bound by confidentiality. We do not currently fine-tune any model on your data. If we ever offer fine-tuning as a paid feature, it will be opt-in per project, with explicit consent at the moment of upload, and a separate retention setting. The Pattern Library at /patterns is not derived from user blueprints. It is curated from publicly observable product outcomes — YC public batches, Product Hunt launches, editorial coverage, public revenue disclosures. Your private blueprint is never extracted into a pattern.
6. Sharing With Third Parties
We share personal data only with the third parties listed here and only to the extent each one needs to deliver its service. Razorpay Software Private Limited — payments, subscriptions, UPI AutoPay mandate, refunds. Razorpay is registered in India and certified to PCI-DSS Level 1. Their privacy notice is at razorpay.com/privacy. Anthropic, OpenAI, and Google — AI model inference (see Section 5). Resend (Resend Inc., USA) — transactional email delivery (signup, password reset, billing receipt). Resend is contracted under a Data Processing Agreement that mirrors GDPR Article 28 obligations. Vercel Inc. (USA) — hosting and edge runtime. Vercel processes the HTTP request bytes that flow to and from your browser. Vercel's enterprise terms apply. Neon (Neon Inc., USA) — managed Postgres database storage with pgvector for embeddings. Data is encrypted at rest and in transit. Region: AWS ap-south-1 (Mumbai) for database primary; failover replica in us-east-1. Upstash (Upstash Inc., USA) — Redis cache and BullMQ queue backbone. Cached data is short-lived (TTL never exceeds 7 days) and contains derived values, not personal identifiers. Cloudflare R2 (Cloudflare Inc.) — object storage for audio (voice doubts), PDF (parent digests, invoices), and image uploads. Files are private by default and accessible only via signed URLs from your authenticated session. Meta WhatsApp Cloud API (Meta Platforms Ireland Ltd.) — only when you have opted into the parent digest. Meta processes the message content during delivery; we do not retain the message body in our database after delivery confirmation. NPCI BBPS / UPI AutoPay rails — operate the mandate flow when you subscribe. NPCI processes the mandate metadata under its public regulations. Google (when you sign in with Google OAuth) — Google's privacy policy applies to the OAuth handshake. We do not sell, rent, or trade personal data. We do not share data with advertisers. We do not embed third-party tracking pixels on the marketing site.
7. International Data Transfers
Some of the third parties listed in Section 6 are located outside India. Where personal data is transferred outside India, the transfer relies on the following safeguards. For transfers to the United States (Resend, Vercel, Neon, Upstash, Cloudflare, Anthropic, OpenAI), we rely on the contractual obligations in each provider's Data Processing Agreement, which include obligations equivalent to those required by Section 16(2) of the DPDP Act and by the GDPR Standard Contractual Clauses (Module 2: Controller-to-Processor). The Indian government has not yet issued a final list of "notified countries" under Section 16(1) DPDP for unrestricted transfer; until then we rely on the contractual safeguard route. For transfers to the European Union (limited use of EU-region resources by Vercel for European edge cache), the GDPR rules apply natively because the receiving jurisdiction is itself a GDPR jurisdiction. We do not transfer personal data to any country in respect of which the Central Government of India has notified a restriction under Section 16(1) DPDP. We will publish an update to this section if such a notification is issued and any of our processing relationships are affected.
8. Retention Periods
We keep personal data only as long as one of the lawful bases in Section 3 still applies. The specific retention periods are below. Account profile (name, email, password hash, preferences): for the lifetime of your account, plus 30 days after you delete the account, after which the row is hard-deleted from our primary database and removed from backup snapshots within 90 days. Generated blueprints, ideas, and project documents: for the lifetime of your account, plus 30 days after deletion. You may export at any time and may delete individual projects from your dashboard. Tax invoices and billing ledger entries: 7 years from the date of generation, in compliance with Section 36 of the GST Act 2017 and Section 44AA of the Income Tax Act 1961. These records are retained even after account deletion because the law requires it. IP address in security logs: 30 days, then deleted. Used only for fraud detection and incident response. IP address in analytics (truncated /24): 14 months, then deleted. Used only for aggregate usage analysis. Support email and chat transcripts: 24 months, then deleted unless you have an active subscription requiring older context for support continuity. Audio uploads (voice doubts, on the Voice-First product): 30 days for free tier, 90 days for paid tier, then automatically deleted from R2. Marketing email subscription record: until you unsubscribe, plus a tombstone record of the unsubscribe to ensure we do not re-email you. We document any deviations from these defaults inside the relevant feature's documentation.
9. Cookies and Similar Technologies
We use the minimum set of cookies needed to operate the platform. We do not use third-party advertising cookies, behavioural retargeting cookies, or tracking pixels embedded by ad networks. Essential cookies: a single HTTP-only, Secure, SameSite=Lax session cookie keeps you logged in. Without it the platform cannot function and consent is not required under Rule 9(1) of the DPDP Rules (where finalised) or Recital 30 of the GDPR. Functional cookies: when you set a theme preference (light or dark) or a locale preference, that choice is stored in a small client-side cookie or localStorage entry. It contains no personal identifier. Analytics: we use first-party server-side analytics only — no Google Analytics tag, no Hotjar, no Mixpanel client SDK. Pageview counts are derived from server access logs with IP truncated. Third-party content: when our blog or guide pages embed an image from a third-party CDN, that CDN may set its own cookies on its domain. This is not under our control. You can configure your browser to block third-party cookies if this concerns you.
10. Security Measures
We follow the practices required by Rule 8 of the IT (Reasonable Security Practices) Rules 2011, the Reasonable Security Safeguards required by Section 8(5) of the DPDP Act, and the technical and organisational measures required by Article 32 of the GDPR. In transit: all traffic to www.planmysaas.com is forced over HTTPS via HSTS with a preload header (max-age 63072000). Modern TLS suites only — TLS 1.0 and 1.1 are disabled at the edge. At rest: database encryption is performed by Neon at the volume level. Object storage on Cloudflare R2 is encrypted with provider-managed keys. Backups are encrypted with the same key class. Access controls: the production database is reachable only from the application's serverless runtime — no direct human access in normal operations. Administrative database access is gated behind named individual credentials, IP allowlisting, and 2FA. We log every administrative database session. Secrets management: every API key (Razorpay, Anthropic, OpenAI, Google, Resend) lives only in Vercel encrypted environment variables. None are committed to source control. The pre-commit hook scans staged diffs for accidental secret patterns and blocks the commit when one is detected. Audit logs: every administrative action against user data is logged with actor identity, timestamp, IP, before/after diff, and a written reason. Logs are retained 12 months. Vulnerability management: we run a Tier-1 watchdog suite four times a day that checks SSL, security headers, broken links, and known secret leaks. Findings are triaged within one business day. No system is unbreakable. If we suffer a personal data breach, we will notify the Data Protection Board of India under Section 8(6) DPDP and the affected users without undue delay, with the information required by Rule 7 of the DPDP Rules and, where applicable, Article 34 GDPR.
11. Your Rights as a Data Principal
Under the DPDP Act 2023 (where you are a Data Principal in India) and under the GDPR (where you are a Data Subject in the EU/EEA), you have the rights listed here. Where the two laws give similar but not identical rights we have adopted the more user-favourable position. Right to access (DPDP Section 11, GDPR Article 15): you can ask for a copy of the personal data we hold about you and for a list of the third parties with whom we have shared it. Right to correction and erasure (DPDP Section 12, GDPR Articles 16 and 17): you can correct inaccurate data and you can ask for erasure subject to the legal obligations described in Section 8 of this policy. Right to data portability (GDPR Article 20): we provide your blueprint exports in machine-readable Markdown and JSON. The DPDP Act does not yet codify portability separately, but our practice meets the standard. Right to restriction (GDPR Article 18): you can request that we limit processing while we investigate a correction or objection. Right to object (GDPR Article 21): you can object to processing based on legitimate interest. Right to nominate (DPDP Section 14): you may nominate another individual to exercise your rights in case of death or incapacity. Right to withdraw consent (DPDP Section 6(4), GDPR Article 7(3)): you can withdraw consent at any time. We will stop the corresponding processing as soon as we receive the request. To exercise any of these rights, email support@planmysaas.com from the address registered on your account, or contact our Grievance Officer (Section 13). We respond within 30 days as required by Rule 13 of the DPDP Rules and Article 12(3) GDPR. There is no fee for the first request in any 12-month period. If you are not satisfied with our response, you may complain to the Data Protection Board of India under Section 27 DPDP, or to your local supervisory authority under Article 77 GDPR. We support that escalation; it is your right.
12. Children's Personal Data
Section 9 of the DPDP Act sets a high bar for processing the personal data of any individual under 18 years of age. We follow it strictly. We do not knowingly create accounts for users under 18 without verifiable parental consent. Where the platform serves products that are commonly used by minors (for example, a JEE tutoring product piloted on the Voice-First Vernacular pattern), we collect a verifiable parent or guardian email or phone, send an opt-in confirmation requiring an explicit "yes" reply, and only then proceed with the minor's account creation. We do not target advertising to children, profile children for behavioural advertising, or share children's data with any third party for any purpose other than service delivery and the legal obligations in Section 3. If you believe a child has provided personal data to us without parental consent, please email support@planmysaas.com and we will delete the account and associated data within 7 days.
13. Grievance Officer (DPDP Act + IT Rules)
As required by Section 10(2) of the DPDP Act 2023 and Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, the contact details of the Grievance Officer responsible for receiving complaints regarding personal data and intermediary obligations are below. Name: Abhi Verma (Director, ZTXO ARTLFY PVT LTD) Designation: Grievance Officer Entity: ZTXO ARTLFY PVT LTD (operating PlanMySaaS) Address: 1st Floor, Kunj Bihar, Old Argora, Ranchi 834002, Jharkhand, India Email: grievance@planmysaas.com Response window: we acknowledge within 24 hours and resolve within 15 days as required by Rule 5(9) of the IT Rules. When you write to the Grievance Officer, please include enough detail for us to investigate — the email registered to your account, a description of the issue, and the date and time it occurred. If your complaint concerns content posted by another user, please include the URL.
14. Data Protection Officer for EU/EEA Users
For users in the European Union or the European Economic Area, the same Grievance Officer named in Section 13 also acts as our point of contact for GDPR matters. We are not currently required to appoint a separate Data Protection Officer under Article 37 GDPR because we do not engage in large-scale systematic monitoring or process special-category data on a large scale. If our processing activities change in a way that triggers the appointment requirement, we will publish the DPO contact in this section.
15. Updates to This Policy
We update this policy when our processing activities change, when our service providers change, when the underlying laws change (the DPDP Rules are still being phased in by MeitY), or when we discover a way to make a section clearer. For non-material edits (typos, clarifications), we update silently and bump the "Last reviewed" date at the top. For material edits (a new third-party processor, a new lawful basis, a longer retention period, or a substantive change to your rights), we email all account holders at least 14 days before the change takes effect and we keep a copy of the previous version available on request. Your continued use of the platform after the effective date of a material change indicates acceptance. If you disagree with a material change, you can export your data and close your account before the effective date.
16. How to Reach Us
For privacy and personal-data matters: grievance@planmysaas.com (Grievance Officer) or support@planmysaas.com (general). For billing or product questions unrelated to privacy: support@planmysaas.com. Postal: ZTXO ARTLFY PVT LTD, 1st Floor, Kunj Bihar, Old Argora, Ranchi 834002, Jharkhand, India. We do not have a phone hotline. We answer email faster.
Questions about this policy?
Email us and we will respond within 1 business day.