PPlarma
Showcase Integrations How it works Security
Join Plarma

⚠️ Current application is under development.

This page is the draft of future Privacy Policy.

Placeholders that will be filled:

  • [LEGAL ENTITY NAME] — operator's legal name (no entity registered as of 2026-07-16)
  • [ADDRESS] — operator's registered/contact address
  • [EU REPRESENTATIVE] — legally required under GDPR Art. 27, because the operator is established outside the EU/EEA and the processing is not "occasional". Name, address and contact of an appointed representative in an EU member state. Must be appointed in writing before the service is offered to EU users. This is a blocker, not a formatting detail.
  • [EFFECTIVE DATE] / [LAST UPDATED]

Privacy Policy

Effective date: [EFFECTIVE DATE]

Last updated: [LAST UPDATED]

Contents

  1. 1. In short
  2. 2. Who is responsible for your data
  3. 3. What we collect
  4. 4. Where the data comes from
  5. 5. Data about people other than you
  6. 6. Why we use your data, and our legal basis
  7. 7. Google user data
  8. 8. Who else touches your data
  9. 9. Where your data is stored, and transfers outside the EU
  10. 10. How long we keep things
  11. 11. How we protect your data
  12. 12. Your rights
  13. 13. Cookies
  14. 14. Notice for California residents
  15. 15. Children
  16. 16. Changes to this policy
  17. 17. Contact

1. In short

Plarma collects notifications from tools you already use — Jira, Trello, Figma, Asana, Slack, ClickUp and Google Calendar — and shows them in one list. To do that, we need access to those tools on your behalf, and we store a small amount of what we find.

The essentials:

  • We only ever read. Every integration is connected with read-only permissions. Plarma does not post, comment, edit or delete anything in your tools.
  • Notifications are deleted after 7 days. Automatically, every night. We are not building an archive of your work.
  • We never sell or share your personal information, and we do not run advertising. There are no analytics or tracking scripts in Plarma or on our website — not a single one.
  • We do not send you email. No newsletters, no "product updates", nothing.
  • You can delete everything yourself, from Settings, at any time. Deletion is permanent.

This summary is here for orientation. It is not a substitute for the sections below.

2. Who is responsible for your data

[LEGAL ENTITY NAME], [ADDRESS] ("Plarma", "we", "us") is the data controller for the personal data described in this policy.

Contact: support@plarma.com

We have not appointed a Data Protection Officer. We are not required to: we do not carry out large-scale monitoring of individuals or process special categories of data as a core activity.

Our representative in the European Union

Plarma is operated from outside the EU/EEA. Under Article 27 GDPR we have appointed the following representative in the Union, who can be contacted by data subjects and supervisory authorities on all matters relating to our processing of personal data:

[EU REPRESENTATIVE — name, address, contact]

Contacting our representative does not replace your right to contact us directly at support@plarma.com, or your right to complain to a supervisory authority (see section 12).

3. What we collect

3.1 Your account

You sign in to Plarma with Google. There is no other way to create an account, and Plarma has no passwords — we never receive, store or process one.

From your Google profile we store exactly three things:

Data Notes
Email address Used to identify your account.
Name Shown in the interface.
Google account ID Stored only as an irreversible HMAC-SHA256 hash. We keep it to recognise you on your next sign-in; we cannot recover the original ID from it.

We do not store your Google profile picture, even though Google offers it to us.

3.2 Your integrations

When you connect a tool, we store:

  • Access and refresh tokens issued by that provider. These are encrypted (see section 10).
  • Technical identifiers needed to talk to the right account — for example your Jira Cloud ID and site URL, your Slack team ID and team name, your Asana user ID, your Figma handle, your Trello username and full name, your ClickUp user ID, calendar sync tokens.

Here is exactly what each integration is allowed to do. These are the permissions we request, verbatim:

Integration Permissions requested
Jira read:jira-work, read:jira-user, offline_access
Trello read (token set to never expire)
Figma current_user:read, file_comments:read, file_metadata:read
Asana tasks:read, stories:read, projects:read, users:read, workspaces:read, plus webhooks:read, webhooks:write, webhooks:delete
Slack users:read, channels:read, groups:read, channels:history, groups:history, im:history, mpim:history
ClickUp ClickUp does not use granular permission scopes.
Google Calendar https://www.googleapis.com/auth/calendar.events.readonly
Google (sign-in only) Basic profile and email address

The Asana write permissions are the one exception to "read-only", and they are narrow: they exist solely so Plarma can register and remove its own webhooks — the subscriptions that let Asana tell us when something happened. They do not allow us to change anything in your Asana content.

3.3 Your notifications

This is the part worth reading carefully, because it is the heart of the service.

When something happens in a connected tool, we store a notification record:

Field Encrypted? What it actually contains
Title No A short headline. This can include a person's name — for example, a Slack direct message is titled "<name> sent you a message".
Context No Labels such as a Jira issue key or a Slack workspace name.
Link No A URL pointing back to the item in the original tool.
Body Yes Up to 500 characters of the actual content — the text of a Jira comment (with its author's name), a preview of a Slack message, details of a calendar event. Anything longer is cut off and never stored.
Internal identifiers, timestamps, read/hidden state No Housekeeping.

To be precise about what this means, rather than reassuring:

  • Yes, we store content from your tools — comment text and message previews — not just links to it.
  • Names of other people are stored. Some are inside the encrypted body; some, such as the sender of a Slack direct message, are in the unencrypted title. We are not going to tell you that all third-party content is encrypted, because it isn't.
  • We do not store other people's email addresses or profile pictures. For Slack we do briefly cache a sender's display name and avatar URL to render the list, but only in a short-lived cache that expires after 24 hours, kept separate from our database.

3.4 Things you create in Plarma

Tags, favourites, per-tag settings, display preferences, and a daily count of how many notifications you received.

3.5 Technical data

  • Server logs. Warnings and errors from our backend. They are not designed to contain personal data, though an error message from a provider's API could incidentally include some.
  • Error reports. When something breaks, a report goes to Sentry, our error-monitoring provider. We do not enable Sentry's option to attach user identity, IP addresses or cookies to reports. However, an error report includes recent log lines and technical details of the failed request, so we cannot honestly promise that no personal data ever reaches it. We can promise it is never used for anything except fixing the failure.

3.6 What we do not collect

No advertising identifiers. No behavioural or analytics tracking. No location data. No payment data (the service is free and contains no payment functionality whatsoever). No special categories of data — we do not ask for anything about your health, beliefs, ethnicity, politics or sex life, and we do not infer them.

4. Where the data comes from

Two sources only:

  1. You — when you sign in and when you connect an integration.
  2. The providers you connect — Jira, Trello, Figma, Asana, Slack, ClickUp, Google Calendar. We receive data from their APIs, either by asking periodically or by receiving webhooks.

That's the whole list. We do not buy data, we do not receive data from data brokers, we do not scrape anything, and we do not enrich your profile from other sources.

5. Data about people other than you

Notifications inevitably describe other people: whoever commented on your Jira issue, whoever sent you a Slack message, whoever invited you to a meeting.

We want to be straight about this rather than hide it in a definition.

Legally, we act as a controller for that data. GDPR Article 14 would normally require us to inform each of those people that we hold data about them. We cannot: we have no contact details for them — we deliberately do not store their email addresses — and we have no relationship with them. Locating and notifying every colleague whose comment passed through Plarma would involve disproportionate effort within the meaning of Article 14(5)(b), so we rely on that exemption.

Article 14(5)(b) is conditional on taking appropriate measures to protect those people's rights. Ours are concrete, and are the reason this section exists:

  • The content of what they wrote is encrypted and truncated to 500 characters.
  • It is deleted after 7 days.
  • Their email addresses and profile pictures are never stored.
  • The data is used for exactly one purpose — showing your own notifications to you — and for nothing else. It is never profiled, analysed, sold or shared.

If you are one of those people and you want to know what we hold or want it deleted, write to support@plarma.com and we will help.

When you connect a workspace to Plarma, you confirm that you are entitled to do so under the rules of your organisation and of that tool.

6. Why we use your data, and our legal basis

What we do Why Legal basis (GDPR Art. 6)
Create and run your account You asked for an account Performance of a contract — Art. 6(1)(b)
Fetch and display your notifications This is the service Performance of a contract — Art. 6(1)(b)
Connect a specific tool and store its tokens You chose to connect it Performance of a contract — Art. 6(1)(b); the connection itself is authorised by your explicit action in the provider's own consent screen
Keep the service secure, investigate abuse To stop the service being misused Legitimate interests — Art. 6(1)(f)
Diagnose crashes and errors To keep the service working Legitimate interests — Art. 6(1)(f)

Where we rely on legitimate interests, the interest is specifically: keeping Plarma available, functioning and not abused. We have weighed this against your rights and consider it proportionate because the data involved is technical, is not used to build any profile of you, and is not shared for anyone else's purposes. You can object to this processing — see section 12.

Providing your data is not a statutory requirement, but it is necessary to use Plarma. Without a Google account you cannot sign in; without connecting a tool there are no notifications to show. The consequence of not providing it is simply that the service does not work.

We do not make automated decisions with legal or similarly significant effects, and we do not profile you. Plarma sorts and displays your notifications; it does not evaluate you.

7. Google user data

This section is specific to data obtained through Google APIs — Google Calendar and Google Sign-In.

Plarma's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely:

  • What we access. Calendar events, read-only (calendar.events.readonly), and your basic profile and email address for sign-in.
  • How we use it. Only to show you notifications about your own calendar events, inside Plarma's interface. That is a feature you can see on screen; there is no secondary use.
  • How we store it. OAuth tokens are encrypted. An event's details live in a notification body that is encrypted at rest; the event's title is stored unencrypted, like every notification title (see section 3.3). Both are deleted after 7 days.
  • How we share it. We don't, except with the infrastructure providers in section 8 who host the service on our behalf.
  • What we never do. We do not transfer or sell Google user data to advertising platforms, data brokers or information resellers. We do not use it for advertising of any kind, including retargeting and personalised or interest-based advertising. We do not use it to determine creditworthiness or for lending purposes.
  • Human access. Plarma contains no administrator interface, no support console and no privileged role — there is literally no feature through which any person could read another user's data. The unavoidable exception is that whoever administers our servers and database could technically do so; that access is used only to operate and repair the service, to investigate abuse or security incidents, or where the law requires it — and otherwise not at all.

You can revoke Plarma's access to your Google account at any time at myaccount.google.com/permissions, or by removing the integration in Plarma.

8. Who else touches your data

We do not sell your personal information, we do not share it for advertising, and we do not disclose it to anyone for their own purposes. The only third parties involved are the providers who run our infrastructure:

Provider What they do Where
Amazon Web Services Servers, database, configuration storage Frankfurt, Germany (eu-central-1)
CloudAMQP Message queue — background jobs pass through it, including notification content eu-central-1
Cloudflare Hosts our website and app, and terminates HTTPS for our API — which means our traffic passes through their network in readable form Cloudflare, Inc. (USA); traffic served from EU edge locations
Sentry Error monitoring (backend only) EU region (Germany)

Each of these processes data only on our instructions, under a data processing agreement.

The tools you connect — Atlassian, Trello, Figma, Asana, Slack, ClickUp, Google — are not our processors. They are your tools. We read from them under the permissions you granted; we send them nothing about you beyond what is needed to authenticate and make those requests. Your relationship with them is governed by their own privacy policies.

We may disclose data if we are legally required to, or to establish or defend legal claims. If that ever happens and we are permitted to tell you, we will.

9. Where your data is stored, and transfers outside the EU

Your data is hosted in the European Union — in Frankfurt, Germany (AWS region eu-central-1).

Two qualifications, both of which we would rather state plainly than bury:

Cloudflare. Cloudflare, Inc. is a United States company. It sits in front of our API and terminates HTTPS, so our traffic passes through its network — served from EU edge locations, but operated by a US provider. This transfer is covered by the European Commission's Standard Contractual Clauses, incorporated into Cloudflare's data processing agreement.

Our own access. Plarma is operated from Ukraine. Ukraine is not covered by a European Commission adequacy decision. Operating and maintaining the service requires administrative access to systems in Frankfurt from Ukraine. We are telling you this because it is true and material, not because we have a tidy answer for it: we are not going to claim a safeguard that does not exist. What we can tell you is what limits it in practice — the access exists to run and repair the service, there is no interface built for reading your data, provider tokens and notification bodies are encrypted, and notifications are gone within 7 days.

If you are in the EU/EEA and this arrangement is not acceptable to you, please do not connect accounts to Plarma, and contact us at support@plarma.com with any questions.

10. How long we keep things

Nothing here is aspirational — each of these is enforced by code, not by policy.

Data Retention
Notifications (including all content from your tools) 7 days. A cleanup job runs every night at 02:00 UTC and deletes everything older.
Cached Slack display names and avatars 24 hours, in a short-lived cache separate from our database
Sign-in session tokens 30 days
Provider access tokens Until you disconnect that integration, or delete your account
Account data, tags, favourites, settings, daily counts Until you delete your account
Server logs Rotated automatically; capped at roughly 30 MB per service — days, not months

We do not keep database backups. This has two consequences, and you should know both. In your favour: when you delete something, it is genuinely gone — there is no copy quietly living in a backup for months, and we do not need the usual "your data may persist in backups" caveat. Against you: we cannot restore your data if something goes wrong. Given that Plarma holds nothing you cannot find in the original tool, we consider this an acceptable trade — but it is a trade, and it is your right to know about it.

11. How we protect your data

  • Encrypted in transit. All traffic between your browser and Plarma uses TLS. Traffic between our edge provider and our servers is also encrypted. To be accurate: this is not end-to-end encryption — HTTPS terminates at our edge provider, so data is readable there and by us.
  • Encrypted at rest, in part. Provider tokens, webhook secrets and notification bodies are encrypted with AES-256-GCM. As noted in section 3.3, some fields — including notification titles, which can contain a person's name — are not.
  • Pseudonymised identifiers. Your Google account ID is stored as an irreversible hash.
  • Session cookies are HttpOnly, Secure and SameSite=Lax, so they cannot be read by scripts.
  • No privileged access paths. Plarma has no admin role and no administrative endpoints.

No service can promise perfect security, and we won't. If we ever suffer a breach affecting your data, we will notify the relevant supervisory authority and, where required, you.

12. Your rights

If you are in the EU/EEA, you have the right to:

  • Access the data we hold about you
  • Rectify it if it is wrong
  • Erase it
  • Restrict how we use it
  • Object to processing based on our legitimate interests
  • Data portability — receive your data in a machine-readable format
  • Complain to a supervisory authority in your country of residence, work, or where the issue occurred. You can do this without contacting us first, though we would like the chance to help.

How to exercise them:

  • Deleting your account is self-service — Settings → delete account. You are signed out at once, and the clean-up then runs to completion in the background: we delete the stored tokens, remove the webhooks we created, revoke Plarma's authorisation at providers whose API supports that (Trello, Slack), and erase your data. If a step fails — a provider's API being down, say — we retry it until it succeeds rather than leave anything behind.
  • Disconnecting a single tool is self-service — Integrations → remove. This deletes that tool's tokens from our systems, which ends Plarma's access; for Trello and Slack we also revoke Plarma's authorisation on their side. For the other tools, the authorisation entry remains visible in that provider's own security settings until you remove it there — for Google, at myaccount.google.com/permissions.
  • Everything else — access, correction, a copy of your data — goes through support@plarma.com. We have not built a self-service export, so we are not going to pretend the button exists. Write to us and we will assemble it by hand.

We respond within one month. If a request is genuinely complex we may extend that by two further months, and we will tell you if so. There is no charge.

13. Cookies

Plarma uses four cookies. Every one of them is strictly necessary to sign you in and keep you signed in. There are no analytics, advertising or tracking cookies — which is why you have not seen a cookie banner. There is nothing to consent to.

Cookie Purpose Lifetime
plarma_at Keeps you signed in 30 minutes
plarma_rt Renews your session so you don't have to sign in constantly 30 days
mercureAuthorization Authorises the live connection that pushes new notifications to your browser 30 minutes
OAuth state cookie Protects the connect-a-tool flow against cross-site request forgery 5 minutes

Cloudflare, which serves our site, may set its own cookies for security and network purposes. See Cloudflare's privacy documentation for details.

14. Notice for California residents

We are almost certainly not a "business" as the CCPA/CPRA defines it — we are well below every threshold. We are giving you this notice anyway, because we would rather over-disclose than argue about who counts.

Categories of personal information we collect:

CCPA category What, in our case
Identifiers Email, name, hashed Google ID, account IDs at connected providers
Professional or employment-related information Notification content from workplace tools
Internet or electronic network activity Technical data about your use of the service
Sensitive personal information Account credentials (OAuth tokens); the contents of messages where we are not the intended recipient (e.g. Slack message previews)

Sources: you, and the providers you connect. Purposes: providing the service, security, error diagnosis — as described in section 6. Disclosure: to the infrastructure providers in section 8, for those business purposes only. Retention: the periods set out in section 10 apply to every category above.

We have not sold or shared personal information in the preceding 12 months, and we never have. "Sharing" here has its CCPA meaning of disclosure for cross-context behavioural advertising. We do no advertising at all. There is therefore no "Do Not Sell or Share My Personal Information" link, because there is nothing to opt out of.

We collect sensitive personal information only to provide the service you asked for — never to infer characteristics about you. Because we do not use it beyond that, the right to limit its use has nothing to bite on. We do not discriminate against anyone for exercising any right.

Your rights to know, delete, correct and opt out are honoured through the same routes as in section 12: Settings for deletion, support@plarma.com for everything else. As an online-only service, email is our single designated method. We will verify a request by matching it to your signed-in account.

15. Children

Plarma is not for children. You must be at least 16 to use it, or older if your country requires it. We do not knowingly collect data from anyone under that age. If you believe a child has an account, write to support@plarma.com and we will delete it.

16. Changes to this policy

If we change this policy materially, we will notify you in the app before the change takes effect. The "last updated" date at the top always reflects the current version. This policy is information about what we do, not a contract we ask you to re-accept — but if you are not comfortable with a change, you can delete your account at any moment.

17. Contact

Questions, requests, or complaints: support@plarma.com

[LEGAL ENTITY NAME], [ADDRESS]

EU representative (Art. 27 GDPR): [EU REPRESENTATIVE]

PPlarma
Join Plarma
© 2026 Plarma. All rights reserved. support@plarma.com Privacy Terms