Privacy policy

Last updated: March 2026

1. Who we are

Planvex is operated by Spatial Connect Limited, a company registered in England and Wales (Company No: 16709989).

Contact: hello@spatialconnect.app Website: https://planvex.vercel.app

Spatial Connect Limited is the sole data controller for personal data processed through Planvex. Directors, employees, shareholders, consultants, and agents of Spatial Connect Limited are not data controllers in their personal capacity. Any data protection rights, requests, or complaints must be directed to the company as a legal entity, not to any individual.

2. What this policy covers

This policy explains what personal data we collect when you use Planvex, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also discloses specific data handling practices around our AI chat assistant, deep research feature, and MCP (Model Context Protocol) server, which are material to how your project data may be processed.

By using Planvex you confirm you have read this policy.

3. Data we collect

3.1 Account data

When you create an account we collect:

Your name, email address, GitHub username, and profile avatar, provided via GitHub authentication
A GitHub access token, used to access repositories you authorise for import or planning features (scope: repo)
Authentication tokens and session identifiers used to keep you signed in
Account preferences and settings

3.2 Project and content data

All content you create inside Planvex is stored in our database. This includes:

Project and workspace names
Personal names of account holders and team members referenced in tasks or assignments
Tasks: titles, descriptions, priorities, labels, assignments, status, effort estimates, comments
Specs: titles, descriptions, linked tasks
Notes: rich text content you write in the notes editor
Labels, folders, and any other organisational structure you create
File attachments or links you add to tasks or notes

3.3 AI conversation data

When you use the AI chat assistant:

Every message you send to the assistant is stored in our database
Every response the assistant generates is stored in our database
Conversation history is retained while your account is active and may be summarised ("compacted") or deleted for performance reasons
Messages are transmitted to Anthropic's API to generate AI responses, or to OpenRouter's API when the deep research feature is invoked (see section 5.1)

You are responsible for not including sensitive, confidential, or regulated information (such as financial data, health data, passwords, or third-party confidential information) in AI chat messages.

3.4 MCP access data

Planvex provides an MCP (Model Context Protocol) server that allows authenticated third-party AI tools to access your project data programmatically. When an MCP-connected tool accesses your data we log:

The tool or client identifier
The type of action performed (read, create, update, delete)
The timestamp of access
The resource type accessed (e.g. tasks, notes, epics)

These logs are retained for 90 days.

3.5 Technical and usage data

We and our infrastructure providers automatically collect:

IP address and approximate location derived from IP
Device type, operating system, and browser
Pages visited, features used, and interaction patterns within the app
Error and crash reports
API request logs

4. How we use your data

4.1 Legal bases

We process your data under the following legal bases:

Purpose	Legal basis
Creating and managing your account	Contract performance
Providing the Planvex service (task management, notes, specs)	Contract performance
Transmitting messages to the AI chat assistant	Contract performance
Fraud prevention and abuse detection	Legitimate interests
Service security and integrity monitoring	Legitimate interests
Improving and developing the service	Legitimate interests
Usage analytics (pages visited, features used)	Legitimate interests
PostHog/Intercom data for AI planning recommendations	Consent
Compliance with legal obligations	Legal obligation

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests (see section 10).

4.2 Specific uses

We use your data to:

Authenticate you and maintain your session
Store and retrieve your project data on demand
Generate AI responses to your chat messages via the Anthropic API, or via OpenRouter's API for deep research queries
Enable third-party AI tools to access your data via MCP when you have authenticated them
Detect and prevent unauthorised access, abuse, and fraud
Debug errors and maintain service stability
Communicate service updates, security notices, and (where you have not opted out) product announcements

We do not use your data for advertising. We do not sell personal data.

5. AI features and data processing

5.1 AI features (Anthropic / Claude and deep research)

The Planvex AI chat assistant is powered by Anthropic's Claude API. When you send a message in the chat:

Your message, along with relevant conversation history and project context, is transmitted to Anthropic's servers in the United States
Anthropic processes this data to generate a response, which is then returned to Planvex and stored in your conversation history
Anthropic does not use data submitted via its API to train its models. We recommend reviewing Anthropic's privacy policy for their full retention practices
We have no control over Anthropic's internal data handling once data is transmitted to their API

Planvex also includes a deep research feature, available in both the AI chat assistant and via MCP. When deep research is triggered, your query and relevant context are transmitted to OpenRouter's API, which routes the request to one or more third-party AI model providers. The specific models used may vary as we update the composition to reflect the latest available models. You should assume that any data included in a deep research query may be processed by multiple AI providers.

You are solely responsible for what you include in AI chat messages. Do not include passwords, payment card data, medical records, legal privileged information, or any other sensitive or regulated data in AI conversations. Spatial Connect Limited accepts no liability for any consequences arising from such disclosures.

5.2 MCP server and third-party AI tool access

Planvex operates an MCP server that enables authenticated third-party AI tools - including Claude Code, Cursor, Gemini CLI, and ChatGPT - to read and modify your Planvex project data programmatically.

What MCP access means:

When you authenticate a third-party AI tool via the Planvex MCP server, that tool gains the ability to read your tasks, epics, notes, and comments, and to create and update that data on your behalf
The data accessed by the tool is transmitted to and processed by the third-party AI provider operating that tool (e.g. Anthropic for Claude Code, Google for Gemini CLI, OpenAI for ChatGPT)
Each third-party provider's own privacy policy governs how they handle data accessed via their AI tools

Your responsibilities:

You are responsible for deciding which AI tools to authenticate via MCP
You are responsible for revoking MCP access from tools you no longer use or trust
Once you grant a tool MCP access, Spatial Connect Limited cannot prevent that tool from reading or acting on your data until you revoke access

Our liability:

Spatial Connect Limited is not responsible for:

How third-party AI tools use, retain, or disclose data they access via MCP
Any data modifications (including accidental deletions or overwrites) made by third-party AI tools acting with your granted permission
Breaches, leaks, or misuse of data by third-party AI tool providers
Any actions taken by AI tools during autonomous AI agent operation, including downstream actions outside Planvex (such as code commits, command execution, or infrastructure deployment) based on data obtained from the Service

If you believe an MCP-connected tool has acted improperly, revoke its access immediately and contact hello@spatialconnect.app.

5.3 PostHog and Intercom integrations (optional)

You may optionally connect your PostHog analytics account and Intercom support account to enhance AI planning recommendations. When connected:

Your PostHog API key and Intercom access token are stored in your browser's local storage only and are not retained on Planvex's servers
When you use the AI planning assistant, Planvex queries your PostHog and Intercom accounts to retrieve analytics data and support conversation summaries
This data is transmitted to Anthropic's API or, where deep research is invoked, to OpenRouter's API, as context for generating recommendations (see section 5.1)
You are solely responsible for ensuring you have the right to share data from these platforms, including any personal data of your own users or customers that may be contained within them
You can disconnect at any time by removing your API keys from the integration settings in the planning assistant

5.4 Autonomous AI agent operation

AI tools connected via the MCP server may operate autonomously or without active human supervision. When AI tools operate in this mode:

Actions taken by AI tools during autonomous operation (including creating, modifying, or deleting project data) are treated as actions taken by the user who authenticated the tool
Spatial Connect Limited has no ability to monitor, interrupt, or reverse actions taken by autonomous AI tools during operation
Any downstream actions taken outside the Service by AI tools (such as code commits, command execution, or infrastructure deployment) based on data obtained from Planvex are the sole responsibility of the user who authenticated the tool
Users are solely responsible for the accuracy, completeness, and legality of all project data accessed by MCP-connected AI tools during autonomous operation

Spatial Connect Limited is not responsible for any loss, damage, or unintended outcome arising from autonomous AI agent operation, regardless of the duration or scope of the autonomous session.

5.5 Regulated industries and compliance

Planvex is a general-purpose project management tool and is not designed, intended, or certified for use in regulated environments (including healthcare, financial services, defence, or critical infrastructure) where AI-driven decisions have legal or compliance implications. If you use Planvex in such environments, you are solely responsible for ensuring all AI-generated outputs are independently verified by qualified personnel and for complying with all applicable regulatory obligations. Spatial Connect Limited is not liable for regulatory violations, compliance failures, or fines arising from use of Planvex in regulated contexts.

6. Data sharing and third-party processors

We share your data with the following third-party service providers who act as data processors on our behalf:

Processor	Purpose	Location
Supabase	PostgreSQL database, authentication, row-level security	United States
Cloudflare Workers	Backend API hosting and execution	United States / global
Vercel	Frontend hosting and content delivery	United States / global
Anthropic	AI chat response generation	United States
OpenRouter	Deep research AI model routing	United States
Stytch	OAuth authentication for Claude.ai and Gemini CLI MCP connections	United States
GitHub	GitHub Sign-In authentication	United States

We also share data with:

Third-party AI tools: only the project data you have explicitly authorised via MCP. The scope is determined by the permissions you grant.
Legal and regulatory authorities: where required by applicable law, court order, or to protect the rights, property, or safety of Spatial Connect Limited or others.

We do not share your data with advertisers, data brokers, or any other parties not listed above.

7. International data transfers

Some third-party processors operate infrastructure in the United States. International transfers of personal data are made under appropriate safeguards in accordance with UK data protection law.

8. Data retention

Data type	Retention period
Account data (name, email, settings)	While your account is active; accounts inactive for 12 consecutive months may be deleted
Project data (tasks, epics, notes, comments)	Until deleted by you, or until account deletion or 12 months of inactivity
AI conversation history	While your account is active; older messages may be compacted (summarised and replaced) or deleted
MCP access logs	90 days from creation
Technical and usage logs	Up to 12 months

Account deletion: You can delete your account directly from your account settings, or by emailing hello@spatialconnect.app. Once deleted, all personal data associated with your account - including tasks, epics, notes, AI conversations, and MCP access logs - will be permanently deleted within 30 days. Some residual data may persist briefly in backups, which are purged on their normal rotation schedule.

9. Cookies

We use the following categories of cookies:

Essential cookies (no consent required):

Authentication session tokens - required to keep you signed in
Security cookies - CSRF protection and fraud prevention
Preference cookies - storing your display settings

Usage analytics (opt-out available):

We collect anonymised data on pages visited and features used to understand how the app is used and improve it. This is server-side logging tied to your authenticated session, not a cookie. We rely on legitimate interests as the legal basis. You can opt out at any time in your account settings.

We do not use advertising or tracking cookies.

10. Your rights under UK GDPR

Under UK GDPR you have the right to access, correct, delete, restrict, or port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time.

To delete your account or export your data, use the tools in your account settings. For all other rights requests, email hello@spatialconnect.app. We will respond within one month. If you are unsatisfied, you can complain to the ICO at ico.org.uk.

11. Data breach notification

In the event of a personal data breach:

We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where required under UK GDPR Article 33
We will notify affected users by email where the breach is likely to result in a high risk to their rights and freedoms
We will maintain an internal record of all data breaches, including those not required to be reported

12. Automated decision-making

The Planvex AI assistant may generate suggestions for task prioritisation, effort estimation, project planning, and other project management decisions. All such suggestions are advisory only. No automated processing within Planvex produces decisions that have legal effects on you or similarly significant effects. All decisions about your project data and workflows remain entirely under your control. Spatial Connect Limited is not liable for any loss, damage, or business impact arising from decisions or actions you take based on AI-generated suggestions or analysis, whether from the Planvex AI assistant or from a third-party AI tool accessing Planvex via MCP. This includes decisions or actions taken during autonomous AI agent operation, and any downstream consequences of actions taken outside the Service (such as code commits, command execution, or infrastructure deployment) based on data or recommendations obtained from the Service.

13. Children

Planvex is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their data without notice. If you believe a child under 16 has created an account, please contact hello@spatialconnect.app.

14. California residents (CCPA)

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA). We do not share personal information for cross-context behavioural advertising.

15. Third-party service disclaimer

Spatial Connect Limited is not responsible for:

Data breaches, outages, or security incidents at Supabase, Anthropic, OpenRouter, Cloudflare, Vercel, Stytch, or any other third-party processor
Changes to third-party service terms, pricing, or availability that affect the Planvex service
Discontinuation of any third-party service that Planvex depends upon

Where a third-party processor suffers a breach that affects your data, we will notify you as required by UK GDPR Article 34, but our liability is limited as set out in section 17.

16. Service changes

Planvex is currently offered as a free early-access product. We may at any time:

Change, restrict, or remove features
Introduce paid subscription tiers or change pricing
Discontinue the service, in whole or in part

We will endeavour to give reasonable notice of significant changes where practicable, but we are not obligated to do so. Continued use of the service following any change constitutes acceptance of that change.

17. Limitation of liability

To the fullest extent permitted by applicable law:

No indirect damages. Spatial Connect Limited shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or in connection with your use of Planvex, including but not limited to loss of data, loss of profits, loss of business, or loss of goodwill, even if we have been advised of the possibility of such damages.
Direct damages cap - free tier. For users who have not paid for Planvex during the 12 months preceding the claim, our total aggregate liability to you for direct damages shall not exceed £50 (fifty pounds sterling).
Direct damages cap - paid tier. For users who have paid for Planvex, our total aggregate liability to you for direct damages shall not exceed the total amount you have paid to us in the 12 months preceding the event giving rise to the claim.
Third-party processor failures. We are not liable for any loss, damage, or liability arising from failures, outages, data breaches, or misconduct by any third-party processor including Supabase, Anthropic, OpenRouter, Cloudflare, Vercel, or Stytch.
AI recommendations and tool actions. We are not liable for any loss, damage, or liability arising from: (a) decisions or actions you take based on AI-generated suggestions, recommendations, or analysis produced by the Planvex AI assistant or planning tools; or (b) actions taken by third-party AI tools that have been granted MCP access with your authorisation.

Nothing in this policy excludes or limits liability for:

Death or personal injury caused by Spatial Connect Limited's negligence
Fraud or fraudulent misrepresentation by Spatial Connect Limited
Any liability that cannot be excluded under applicable law, including statutory rights under the Consumer Rights Act 2015

18. Changes to this policy

We may update this privacy policy at any time. Where we make material changes we will update the "Last updated" date at the top of this document. We may also notify you by email or display a notice within the Service for material changes. Continued use of Planvex after any change constitutes acceptance of the updated policy.

We recommend checking this page periodically.

19. Contact and complaints

Data controller: Spatial Connect Limited Flat 38 Trinity Tower, 28 Quadrant Walk, London, E14 9JW Email: hello@spatialconnect.app

Right to complain to the ICO: If you are not satisfied with how we handle your data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would ask that you contact us first at hello@spatialconnect.app before escalating to the ICO, so we have the opportunity to address your concern directly.