Data Protection Policy
Version: 1.0 · Status: Active · Effective: 2026-05-05
1. Purpose
This policy describes the technical and organisational measures Projan AI Ltd (company number 17196385) applies to protect personal data processed through the Projan service. It is consistent with the Privacy Policy published at projan.ai/privacy and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope
This policy covers all personal data processed across the Projan platform, including the web and mobile applications, API services, messaging integrations, and supporting cloud infrastructure.
3. Data Categories
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address | User registration |
| Authentication identifiers | Externally managed user ID | Identity provider |
| Content data | Conversations, messages, documents, plans | User interaction with AI agents |
| Billing metadata | Subscription status, billing address, plan tier, seat count | Payment processor (card details are never stored by Projan) |
| Integration credentials | OAuth access tokens, refresh tokens | Third-party service connections |
| Team membership | Role, invitation status | Team features |
| Usage metadata | Token consumption, feature usage counts | Service operation |
| Messaging metadata | Workspace and channel identifiers, thread references | Slack integration |
Not collected: Projan does not store passwords (managed by our identity provider), payment card numbers (managed by our payment processor), advertising profiles, or social media data.
4. Data Minimisation
Projan collects only the data necessary to deliver the service:
- No password storage. Authentication is delegated to a dedicated identity provider. Projan holds only an opaque reference identifier.
- No payment card details. All payment instruments are managed by our PCI-compliant payment processor. Only a customer reference and subscription metadata are stored locally.
- Anonymised analytics. Product analytics collect anonymised usage data that is not linked to individual user identity.
- No advertising cookies. Only functional session cookies and anonymised analytics cookies are used.
- Minimal integration data. Only the OAuth tokens required for an integration to function are stored; user content from those platforms is not.
- Content size limits. Both project context and individual messages are subject to reasonable size caps to prevent excessive data ingestion.
5. Encryption Controls
At Rest
All sensitive credentials, including OAuth tokens for every supported integration, are encrypted using AES-256-GCM before storage. API keys are stored as irreversible cryptographic hashes.
For full details on key derivation, rotation procedures, and storage format, refer to the Encryption Key Management Policy.
In Transit
- All external traffic is served over HTTPS/TLS, enforced at the load balancer and CDN level.
- Real-time connections use secure WebSocket (WSS) transport.
- Internal service communication occurs within a private network boundary.
Additional Controls
- Timing-safe comparison is used for all security-critical token verification to prevent timing attacks.
- Cryptographically random parameters are generated for all OAuth authorisation flows.
- Infrastructure secrets are managed through a dedicated secrets management service with access controls.
6. Data Retention
Projan applies the following retention schedule, also published at /security/data-retention:
| Data Type | Retention Period |
|---|---|
| Account data | Active account + 30 days post-deletion |
| Conversations and documents | Until deleted by user or account closure |
| Integration credentials | Immediately purged on disconnect |
| Payment records | 7 years (UK tax law / HMRC requirement) |
| Audit logs | 90 days (365 days for production environments) |
| Email delivery logs | 30 days |
| Backups | 7 days with automated rotation |
| Beta registration data | Until account activation or 12 months |
Deleted accounts undergo a soft-deletion process with a defined retention window, after which data is permanently removed. Users may request immediate permanent deletion by contacting the data protection contact below.
7. Data Subject Rights
Right to Erasure
- Self-service deletion. Authenticated users can delete their own account directly through the application without requiring administrator intervention.
- Administrator deletion. Account administrators can permanently remove user records upon request.
- Integration disconnect. Encrypted credentials are immediately purged when a user disconnects an integration.
Right of Access
Data subject access requests are handled manually. Contact privacy@projan.ai to request a copy of your personal data. Requests are fulfilled within 30 days in accordance with UK GDPR Article 15.
Right to Rectification
Users can update their profile information, including name, preferences, and settings, directly through the application.
Right to Data Portability
Data export is available on request. Contact privacy@projan.ai prior to account deletion if you wish to receive a portable copy of your data.
8. Third-Party Processors
Core Processors
| Processor | Data Shared | Purpose | Retention by Processor |
|---|---|---|---|
| OpenRouter | Conversation content (messages, system prompts) | AI inference for document and plan generation | Not retained (processed and returned) |
| Stripe | Email, name, billing address, payment method tokens | Payment processing and subscription management | Per Stripe’s data processing agreement |
| Resend | Email addresses, email content | Transactional email delivery | 30 days (delivery logs) |
| AWS Cognito | Email, user identifiers | Authentication and password management | Per AWS data processing terms |
| MongoDB Atlas | All application data | Database hosting (EU region) | Controlled by Projan retention settings |
| Google Analytics | Anonymised usage data (no PII) | Product analytics | 26 months |
Integration Processors
The following processors are activated only when a user explicitly connects the integration:
| Processor | Data Shared | Purpose |
|---|---|---|
| Slack | Messages, channel metadata | Conversational document creation |
| Atlassian / Jira | Plan tasks | Ticket export from plan breakdowns |
| Notion | Document content | Document export |
| Linear, ClickUp, Monday.com | Plan tasks | Task export |
| Google Tasks, Todoist, Microsoft To Do | Task titles and descriptions | Task export |
| GitHub | Issue data | Issue export |
The full sub-processor list is published at /security/sub-processors.
9. AI Data Handling
What Is Sent to AI Providers
When a user sends a message, the following is transmitted for AI inference:
- The conversation history within the active thread
- An agent-specific system prompt selected by conversation type
- Project context, if the user has linked a project to the conversation
- Document template structure relevant to the agent type
- Thread summaries (where context summarisation has been applied)
What Is NOT Sent
- User email addresses or account identifiers
- Payment or billing information
- Integration credentials or OAuth tokens
- Data from other users’ conversations
Training Commitment
Projan does not use customer content to train AI models. Conversations and documents are processed solely for the purpose of delivering the service. Our AI provider processes content for inference and returns structured responses without retaining content for training or other purposes.
Usage Tracking
Token usage is tracked internally for context window management and cost monitoring. This operational metadata does not leave Projan infrastructure.
10. Integration Data Flows
OAuth Token Lifecycle
Integration connections follow a secure OAuth lifecycle:
- The user initiates the connection, and a cryptographically random authorisation state is generated.
- On successful authorisation callback, the state is verified using timing-safe comparison.
- Access tokens (and refresh tokens, where applicable) are encrypted with AES-256-GCM before storage.
- Tokens are decrypted only at the point of use when making API calls to the integration.
- If decryption fails (for example, following key rotation), the integration is gracefully marked as requiring reconnection.
- On disconnect, all stored credentials are immediately and permanently purged.
For integrations that support token refresh, expired access tokens are automatically refreshed and re-encrypted before storage.
Data Flow Summary
| Integration | Direction | What Syncs |
|---|---|---|
| Slack | Bidirectional | Inbound: user messages, mentions. Outbound: AI responses, canvas updates |
| Jira | Outbound | Plan breakdown tasks exported as Jira issues |
| Notion | Outbound | Documents exported as Notion pages |
| Linear | Outbound | Plan tasks exported as Linear issues |
| ClickUp | Outbound | Plan tasks exported as ClickUp tasks |
| Monday.com | Outbound | Plan tasks exported as Monday items |
| Google Tasks | Outbound | Plan tasks exported as Google Tasks |
| Todoist | Outbound | Plan tasks exported as Todoist tasks |
| Microsoft To Do | Outbound | Plan tasks exported as To Do tasks |
| GitHub | Outbound | Plan tasks exported as GitHub issues |
11. Review Schedule
| Activity | Frequency | Responsible |
|---|---|---|
| Policy review | Annually, or after significant system changes | Director |
| Sub-processor list review | Quarterly | Director |
| Encryption controls audit | Annually | Director |
| Data retention compliance check | Quarterly | Director |
Next scheduled review: May 2027
12. Contact
For data subject requests (access, erasure, rectification, portability): privacy@projan.ai
For security concerns, vulnerability reports, or questions about our data protection controls: security@projan.ai
All data subject requests are acknowledged within 5 working days and fulfilled within 30 days in accordance with UK GDPR requirements.
Projan AI Ltd, registered in England and Wales (company number 17196385). This policy is reviewed annually and updated when data handling practices change.