Skip to main content
Planpath
Get Started

Privacy Policy

Last updated: 22 May 2026

1. Who we are

Planpath (“we”, “us”, “our”) is a business-to-business telecoms marketplace operated by Planpath. We are the data controller for the personal data described in this policy.

If you have questions about how we handle your data, contact us at support@planpath.co.uk.

2. Data we collect

We collect personal data in the following ways:

2.1 Data you provide directly

  • Early access registration: name, business email address, and optionally your company name.
  • Account creation: name, email address, job title, and organisation details (company name, size, industry, address).
  • Requirements and proposals: telecoms requirement specifications, proposal details, and negotiation messages you submit through the platform.
  • Payment information: processed securely by Stripe. We do not store card numbers or payment credentials on our servers.

2.2 Data collected automatically

  • Authentication data: encrypted session tokens stored in secure, HTTP-only cookies to keep you signed in.
  • Analytics data (anonymous, before consent): page views and basic interaction events are recorded by PostHog in memory only, without setting cookies or writing to your browser’s local storage. These events use a temporary in-session identifier that is discarded when you close the tab.
  • Analytics data (identified, after consent): if you accept analytics cookies or sign in, PostHog upgrades to persistent storage and may associate events with your account or a returning-visitor identifier. Google Analytics events (via Google Tag Manager) are only collected after consent.
  • Approximate location: your IP address is used to derive country-level location for fraud prevention and to confirm you are visiting from within our UK service area. The IP address itself is not retained after derivation. We rely on legitimate interests for this minimal pre-consent processing (see section 3).
  • Session replay data: anonymised recordings of platform usage collected via PostHog to identify friction and improve the product. All on-screen text and input values are masked, and no personally identifiable information is captured — the replay shows page structure, mouse movements, clicks, scrolls, and navigation only. Recordings are retained for 30 days. See the Cookie Policy for the legitimate-interests basis.
  • Error data: application errors and performance traces collected via Sentry. All user text is masked by default and no personally identifiable information is sent automatically. Sentry additionally captures a session replay only when an error occurs, with the same text masking applied.
  • Device and browser information: browser type, operating system, and screen resolution.

3. Lawful basis for processing

Under UK GDPR, we process your data on the following bases:

  • Contract: to provide the marketplace service you have registered for, including matching requirements with providers, processing proposals, and managing your account.
  • Legitimate interests: to improve our platform, detect errors, prevent fraud, and communicate service updates. We balance our interests against your rights and only process data where the impact on you is minimal. We rely on this basis for three specific cases that operate without consent: (a) measuring how visitors arrive at and move through our marketing pages using anonymous, in-memory analytics that set no cookies and write nothing to your device; (b) deriving country-level location from your IP address so we can serve our UK-only marketplace and prevent fraud; and (c) recording anonymised session replays with all text and input values masked so we can identify friction and improve the product. We have completed a Legitimate Interests Assessment for each. You can object to any at any time by contacting us.
  • Consent: for marketing communications, non-essential cookies, and persistent analytics that identify you across visits. You can withdraw consent at any time.
  • Legal obligation: to comply with applicable laws, including tax and financial record-keeping requirements.

4. How we use your data

  • Operating and improving the marketplace platform.
  • Matching customer requirements with suitable providers.
  • Processing lead purchases and payments via Stripe.
  • Sending transactional emails (account confirmations, requirement updates, proposal notifications) via Resend.
  • Analysing platform usage to improve features and performance.
  • Detecting and resolving technical errors.
  • Preventing fraud and ensuring platform security.

5. Who we share your data with

We share personal data only where necessary:

  • Service providers (marketplace): when a provider purchases a lead, they receive the requirement details you submitted. Providers cannot see your personal details until a lead is purchased.
  • Infrastructure partners: Supabase (database and authentication, EU-hosted), Vercel (hosting), Stripe (payments), Resend (email), Sentry (error monitoring), and PostHog (analytics, EU-hosted).
  • Google: anonymised analytics data via Google Tag Manager and Google Analytics 4.

We do not sell your personal data. We do not share it with third parties for their own marketing purposes.

6. International data transfers

Some of our infrastructure partners are based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), and we only transfer data to countries with adequate levels of protection or to organisations with appropriate contractual protections.

7. How long we keep your data

  • Account data: retained while your account is active, then deleted within 90 days of account closure.
  • Early access registrations: retained until the platform launches and you either create an account or request deletion.
  • Requirement and proposal data: retained for the duration of the contract lifecycle plus 6 years for legal and financial record-keeping.
  • Anonymous analytics events (pre-consent, in-memory): the in-session identifier is discarded as soon as you close the tab. Country-level location derived from your IP is retained alongside the event; the IP address itself is not stored.
  • Identified analytics events (post-consent): aggregated and anonymised after 26 months.
  • Session replays (PostHog): automatically deleted after 30 days.
  • Error logs and error-triggered replays (Sentry): automatically deleted after 90 days.

8. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (subject to legal retention requirements).
  • Restrict processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where consent is the lawful basis.

To exercise any of these rights, email support@planpath.co.uk. We will respond within one month.

9. Security

We take appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), row-level security on our database, secure HTTP-only authentication cookies, and role-based access controls. Payment processing is handled by Stripe, which is PCI-DSS Level 1 certified.

10. Cookies

We use cookies and similar technologies to operate the platform and analyse usage. For full details, see our Cookie Policy.

11. Children

Our platform is designed for business use and is not directed at individuals under 18. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The “last updated” date at the top reflects the most recent revision.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO — please reach out to support@planpath.co.uk first.