Legal
Privacy Notice
Last updated: 21 April 2026
1. Who we are
Plott (“we”, “us”) operates the Plott SaaS platform at plott.uk. We are the “controller” for the personal data we process about our customers and their colleagues. Customers (typically construction, architecture, planning or property firms) are the controller for any personal data they upload and for their own outreach communications.
2. What personal data we process
- Account data: name, work email, role, company name, and authentication identifiers (issued by Neon Auth).
- Billing data: Stripe customer IDs, subscription status, VAT / tax IDs, billing address. We do not store card numbers; Stripe handles all payment card data as a PCI-DSS Level 1 processor.
- Product usage: map searches, saved searches, generated letters, reminders, audit logs. Used to operate the service and detect abuse.
- Uploaded assets: company logos, drawn/uploaded signatures, generated PDFs. Stored on Vercel Blob under tenant-scoped paths.
- Third-party data about property owners and applicants: retrieved on-demand from public sources (HM Land Registry, PlanWire, Companies House, LPA portals). We cache minimally and expire data within 30 days.
3. Lawful bases (UK GDPR Art. 6)
- Contract — for operating your account and providing the service you subscribe to.
- Legitimate interests — for security, anti-abuse, analytics, and product improvement.
- Legal obligation — for statutory accounting, anti-money-laundering and tax records.
- Consent — for optional analytics cookies and marketing emails, where applicable.
4. Sub-processors
We rely on the following sub-processors:
- Vercel (hosting, Blob storage, Edge, EU regions)
- Neon (Postgres database, EU region)
- Neon Auth (authentication)
- Stripe (payments & billing)
- Resend (transactional email)
- Upstash (Redis rate-limiting, EU region)
- Google (Maps JavaScript API, Places, Street View)
- Sentry and PostHog (error + product analytics, EU regions)
- PropertyData (HM Land Registry title/proprietor lookups)
- PlanWire (planning application enrichment)
The current sub-processor list is maintained at /legal/subprocessors. We notify customers of material changes at least 30 days in advance.
5. Data retention
- Account + product data: retained while your subscription is active, and up to 90 days after cancellation to handle reactivation and statutory obligations.
- Enrichment cache (applicant names, agent contacts from public sources): auto-expires after 30 days.
- Billing records: retained for 7 years as required by UK tax law.
- Audit logs: retained for 12 months.
6. International transfers
Primary data storage is in the EEA / UK. Where sub-processors transfer data outside the UK (e.g. Sentry US, Google global), we rely on the UK International Data Transfer Addendum and EU SCCs (2021/914) with appropriate safeguards.
7. Your rights
Under UK GDPR you have the right to access, rectify and erase your personal data, to restrict processing, to data portability, and to object to processing. Email us at privacy@plott.uk. We respond within 30 days. You can also complain to the UK Information Commissioner's Office at ico.org.uk.
8. Security
We encrypt data in transit (TLS 1.2+) and at rest, isolate tenants via our data model, rate-limit our APIs, and require MFA for staff access. See our Trust Centre for the full security posture.
9. Contact
Plott Ltd, registered in England & Wales. Privacy enquiries: privacy@plott.uk.
