Privacy Policy
This policy explains what personal data PLEXUS collects, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Who We Are
PLEXUS Engineering Ltd. is the data controller for personal data processed through the PLEXUS platform (www.plexus-plc.com).
For data protection enquiries, contact our Privacy Officer at privacy@plexus-plc.com.
2. What Personal Data We Collect
| Category | Examples | Lawful Basis |
|---|---|---|
| Account data | Name, email address, job title | Contract (Art. 6(1)(b)) |
| Usage data | IP address, browser type, pages visited, timestamps | Legitimate interest (Art. 6(1)(f)) |
| Engineering content | PLC program files, tag names, plant hierarchy names you create | Contract (Art. 6(1)(b)) |
| Audit log | Actions performed (logins, file uploads, PLC writes) with timestamp and IP | Legal obligation / Legitimate interest (Art. 6(1)(c) and (f)) |
| Communications | Support emails, feedback submissions | Legitimate interest (Art. 6(1)(f)) |
| Payment data | Billing name, country, last 4 digits (Stripe processes full card data) | Contract (Art. 6(1)(b)) |
We do not collect special category data (health, biometric, racial/ethnic origin, etc.) and the platform is not intended for processing such data.
3. How We Use Your Data
- Providing, maintaining, and improving the PLEXUS platform.
- Authenticating your identity and enforcing role-based access controls.
- Generating an immutable audit trail of PLC write operations as required by ISO 9001 and IEC 61508 compliance obligations.
- Processing subscription payments and sending receipts.
- Responding to support requests.
- Sending product update emails where you have subscribed — you may unsubscribe at any time.
- Detecting and preventing fraud, abuse, and security incidents.
4. Sub-Processors
We share data with the following trusted sub-processors, each bound by appropriate Data Processing Agreements:
| Processor | Service | Location | Link |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) | supabase.com/privacy |
| Vercel Inc. | Web hosting and edge functions | US / Global CDN | vercel.com/legal/privacy-policy |
| Anthropic PBC | AI-powered linter and tag suggestions | US | anthropic.com/privacy |
| Stripe Inc. | Payment processing | US / EU | stripe.com/privacy |
| Upstash Inc. | Rate-limiting (Redis) | EU | upstash.com/privacy |
| Sentry (Functional Software) | Error monitoring | US | sentry.io/privacy |
We do not sell, rent, or trade your personal data to any third party.
5. Cookies and Tracking
We use the following cookies:
| Cookie | Purpose | Duration | Essential? |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication session | Session / 7 days (refresh) | Yes |
| plexus-cookie-consent | Records that you accepted this cookie notice | 1 year | Yes |
| _vercel_* | Vercel performance and security (edge) | Session | Yes |
We do not use advertising trackers, third-party analytics pixels, or fingerprinting scripts.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account & profile data | Duration of account + 30 days after deletion |
| Audit logs | 90 days from creation (rolling) |
| PLC program files (Code Vault) | Until deleted by the user or company admin |
| Support communications | 2 years from last contact |
| Payment records | 7 years (statutory accounting requirement) |
| Anonymised usage analytics | Indefinitely (no personal identifiers) |
7. Your Rights Under GDPR
You have the following rights. To exercise any of them, email privacy@plexus-plc.com:
- Access (Art. 15) — Request a copy of all personal data we hold about you. Available instantly via Settings → Account → Download My Data.
- Rectification (Art. 16) — Correct inaccurate data via your profile settings or by contacting us.
- Erasure (Art. 17) — Request deletion of your account and personal data. Available instantly via Settings → Account → Delete Account.
- Portability (Art. 20) — Export your data in machine-readable JSON format.
- Restriction (Art. 18) — Request that we restrict processing while a dispute is resolved.
- Objection (Art. 21) — Object to processing based on legitimate interest.
- Withdraw consent — Where processing is based on consent, you may withdraw at any time.
You also have the right to lodge a complaint with your national supervisory authority. In the UK: the Information Commissioner's Office (ICO). In the EU: your local DPA.
8. Security Measures
- PLC program files are encrypted client-side with AES-256-GCM before upload. Decryption keys never leave the browser.
- All data in transit is protected by TLS 1.3.
- Supabase stores data at rest with AES-256 (managed encryption).
- All API endpoints are protected by JWT authentication and enforce row-level security (RLS) at the database layer.
- Rate limiting prevents brute-force and abuse on all endpoints.
- An immutable audit log records all PLC write operations in compliance with ISO 9001 and IEC 61508.
9. Changes to This Policy
We may update this policy. When we do, we will update the "Last updated" date at the top and, for material changes, notify registered users by email. Continued use of the platform after the effective date constitutes acceptance.
10. Contact Us
Privacy Officer: privacy@plexus-plc.com
General support: support@plexus-plc.com
We aim to respond to all data-subject requests within 30 days.