Privacy Policy

Last updated: April 12, 2026

1. Introduction

Planim ("we", "us", "our") operates the website time.planim.app and the Planim Time desktop applications (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data.

2. Information We Collect

Account Information

When you create an account, we collect your email address. We use a passwordless authentication system based on one-time codes (OTP), so we do not store passwords.

Session Data

We use a single strictly necessary session cookie to keep you signed in. It contains an opaque session identifier with a 30-day time-to-live (TTL) and is the only cookie we set. This cookie is essential for authentication and cannot be disabled while you are using the Service. We do not use tracking cookies, advertising pixels, or third-party analytics.

Payment Information

Subscription payments are processed entirely by Lemon Squeezy, our merchant of record. We do not collect or store credit card numbers, billing addresses, or other payment details on our servers. We receive and store subscription status, plan type, and transaction identifiers from Lemon Squeezy via webhooks.

Workspace Information (Team Plans Only)

If you subscribe to a Team plan, we store your workspace identifier (e.g., your Jira site URL) and the list of team members bound to that workspace for seat management. This data is not collected for Free or Pro accounts.

Theme Preference

Your light/dark theme preference is stored in your browser's localStorage and never sent to our servers.

3. How We Use Your Information

  • Authentication: send one-time login codes to your email and maintain your session.
  • Subscription management: activate, renew, or cancel your subscription and manage license seats.
  • License verification: confirm that your account has a valid subscription when the desktop app checks in.
  • Service communication: send transactional and marketing emails related to your account and the Service.

4. Third-Party Services

We share data with the following third-party services only as necessary to operate the Service:

  • Lemon Squeezy (lemonsqueezy.com) — payment processing and subscription management. Lemon Squeezy acts as the merchant of record and handles all payment data under their own privacy policy.
  • Resend (resend.com) — transactional email delivery. We send your email address to Resend solely for the purpose of delivering one-time login codes.

We do not sell, rent, or share your personal data with any other third parties.

5. Desktop Application

Planim Time desktop apps are local-first. Your time tracking data, worklogs, and application settings are stored on your device. The desktop app communicates with our server only for:

  • User authentication (one-time login via device authorization flow).
  • Subscription status checks (periodic, lightweight API calls using your account credentials).

API credentials for third-party trackers (Jira, Asana, and similar) that you connect to the desktop app are stored exclusively in your operating system's secure credential store — macOS Keychain, Windows Credential Manager, or the Linux Secret Service (libsecret/GNOME Keyring/KWallet). These credentials are never transmitted to our servers and never written to plaintext configuration files.

When the desktop app contacts our servers for license validation and seat enforcement, it sends: your workspace identifier (e.g., your Jira instance URL) and the tracker type (e.g., jira). When you have a Jira connection configured in the app, it additionally sends your Jira account identifier and display name. These identifiers are used on Team plans to count occupied seats and to display team membership in the dashboard; on personal plans they identify your account against your subscription.

We do not collect or transmit your time tracking data, worklog entries, or any content from your connected project management tools (Jira, Asana, etc.).

6. Data Retention

We retain your account data for as long as your account is active. If you request deletion of your account, we will remove your personal data within 30 days, except where we are required to retain it by law or to resolve disputes.

7. Data Security

We protect your data using industry-standard measures:

  • All connections are encrypted via HTTPS/TLS.
  • Desktop app third-party API tokens are stored in the operating system's native keychain, never in plaintext.
  • Session tokens are hashed before storage.
  • Lemon Squeezy webhook payloads are verified using HMAC signatures.
  • We use passwordless authentication (OTP), eliminating risks associated with password storage and reuse.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and personal data.
  • Export your data in a portable format.

To exercise any of these rights, contact us at [email protected].

If you believe your rights have been violated, you may lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti, poverenik.rs). Users in the EU/EEA may also contact their local data protection authority.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy, contact us at [email protected].