Privacy Policy

Last updated: May 2026

This Privacy Policy explains how 7Lakes LLC, operating as Plutton, collects, uses, and protects your personal data. We are committed to compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

1. Data Controller

The data controller responsible for your personal data is: 7Lakes LLC — [email protected] — 16192 Coastal Hwy, Lewes, DE 19958, USA. As a US-based company, we transfer personal data to and from the European Union under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data is protected to GDPR-equivalent standards.

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account data: your name, email address, and hashed password. Collected at registration. Purpose: authentication and account management.
  • Billing data: your subscription plan and payment history processed by LemonSqueezy. We never store your full payment card details.
  • Client and invoice data: names, emails, addresses, service descriptions, and payment records you enter for your own clients. Purpose: providing the billing management service to you.
  • Usage data: pages visited, features used, and session duration, collected via Google Analytics with IP anonymization enabled. Purpose: improving the platform.
  • Technical data: browser type, operating system, and approximate location derived from anonymized IP. Purpose: security, fraud prevention, and performance optimization.

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

  • Performance of contract (Art. 6(1)(b)): Account creation, authentication, delivering the billing management service, and processing your subscription.
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and improving the service using anonymized technical data.
  • Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by applicable US federal and state law.
  • Consent (Art. 6(1)(a)): Placing Google Analytics cookies. You may withdraw this consent at any time via the cookie banner.

4. Third-Party Data Processors

We use the following sub-processors who handle data on our behalf. Each is bound by data processing agreements ensuring GDPR-compliant handling:

  • Railway.app (USA) — Application hosting. EU data transfers governed by Standard Contractual Clauses (SCCs).
  • Neon / PostgreSQL (USA) — Encrypted relational database. EU data transfers governed by SCCs.
  • LemonSqueezy (USA) — Subscription management and payment processing. Payment card data is processed by LemonSqueezy directly and never stored by Plutton. SCCs in place.
  • Google LLC (USA) — Analytics via Google Analytics 4 with IP anonymization. Analytics data is not linked to your personal account. SCCs in place.
  • Cloudflare Inc. (USA) — Bot protection (Turnstile CAPTCHA) and CDN. SCCs in place.
  • Resend (USA) — Transactional email delivery (invoices, notifications). SCCs in place.

5. International Data Transfers

Your data may be transferred to and processed in the United States by 7Lakes LLC and the sub-processors listed above. All such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), ensuring an adequate level of protection for your personal data.

6. Data Retention

We retain your personal data only as long as necessary:

  • Account and billing data: for the duration of your active subscription plus 5 years to meet applicable legal record-keeping obligations.
  • Client and invoice data you create: retained while your account is active. You may delete individual records or your entire account at any time.
  • Analytics data: 26 months (Google Analytics minimum retention setting).
  • Session cookies: 30 days from last login.
  • After account deletion: all personal data is permanently deleted within 30 days, except records required by applicable law.

7. Your Rights

Regardless of your location, you have the following rights. To exercise any of them, contact us at [email protected]. We will respond within 30 calendar days.

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data where no legal obligation requires us to retain it.
  • Right to restriction: Request that we limit processing of your data while a dispute is pending.
  • Right to data portability: Receive your data in a structured, machine-readable format (JSON/CSV export available from your dashboard).
  • Right to object: Object to processing based on legitimate interest, including direct marketing.
  • Automated decision-making: We do not make automated decisions that produce legal or similarly significant effects on you.

8. Data Security

We implement the following technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt and never stored or transmitted in plain text.
  • Database access is restricted to authenticated application servers via private networking.
  • We conduct regular security reviews of our codebase and infrastructure.
  • In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR Article 33.

9. Contact

For privacy questions, to exercise your rights, or to report a concern: [email protected] — 7Lakes LLC — 16192 Coastal Hwy, Lewes, DE 19958, USA. We respond to all inquiries within 30 calendar days.