Privacy Policy

1. Overview

This Privacy Policy explains how VanillaPM ("we", "us", or "our") collects, uses, stores, and shares personal information when you use the VanillaPM platform ("Service"). It applies to all users of the Service, including visitors to our website, registered account holders, and organisation members.

VanillaPM is the data controller for personal information processed under this Policy. Our contact details are set out in Section 13.

This Policy should be read alongside our Terms of Service. By using the Service, you agree to the collection and use of information in accordance with this Policy.

2. Data We Collect

2.1 Information you provide directly

Data	When collected	Purpose
Full name	Account registration	Identify you within the platform and to other project members
Email address	Account registration	Account authentication, email verification, notifications, and support communications
Password	Account registration	Account authentication — stored as a salted hash; we never store or transmit plaintext passwords
Project content	During Service use	Tasks, WBS nodes, risks, budget entries, stakeholders, and other data you create — stored to provide the Service
Contact form messages	When you contact us	Responding to your enquiry
Payment information	Paid plan subscription	Processed by our payment provider — we do not store card numbers

2.2 Information collected automatically

Data	Purpose
IP address	Security, fraud prevention, and approximate geolocation for legal compliance
Browser and device type	Diagnosing technical issues and optimising the interface
Pages visited and feature usage	Understanding how the Service is used to guide product improvements
Session tokens	Maintaining your authenticated session — stored as secure, HTTP-only cookies
Error logs	Identifying and fixing bugs and service issues

2.3 What we do not collect

We do not collect sensitive personal data (health, biometric, financial account details beyond billing, religious or political beliefs, etc.)
We do not use your project content for advertising, profiling, or machine learning training
We do not track you across third-party websites

3. How We Use Your Data

We use the information we collect to:

Provide the Service — create and manage your account, store your project data, and enable collaboration with your team
Authenticate and secure your account — verify your identity, detect suspicious activity, and enforce access controls
Send transactional communications — email verification, password resets, invitation notifications, and billing receipts
Provide customer support — respond to your enquiries and resolve technical issues
Improve the Service — analyse aggregated, anonymised usage patterns to understand which features are most valuable and guide product development
Comply with legal obligations — retain records required by law and respond to lawful requests from authorities

We do not use your personal information for advertising, and we do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4. Legal Basis for Processing

Where applicable privacy law requires a legal basis for processing personal information, we rely on the following:

Contract performance — processing necessary to provide the Service you have signed up for (account management, data storage, authentication)
Legitimate interests — processing for security, fraud prevention, product improvement, and service communications, where our interests are not overridden by your rights
Legal obligation — processing required to comply with applicable laws
Consent — where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time

5. Data Sharing

5.1 Within the Service

Your name and email address are visible to other members of organisations and projects you belong to. Project content (tasks, risks, etc.) is visible to other members of the same project, subject to their assigned role and access level.

5.2 With service providers

We share data with trusted third-party service providers who help us operate the Service. These providers are bound by data processing agreements and may only use your data as instructed by us:

Cloud hosting and infrastructure — to store and serve the application and your data
Email delivery — to send transactional emails (verification, notifications, password resets)
Payment processing — to handle subscription billing; your payment card details are held by the payment processor, not by us
Error monitoring — to identify and diagnose technical failures

5.3 Legal disclosures

We may disclose personal information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business transfers

If VanillaPM is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

5.5 We do not sell your data

We do not sell, rent, trade, or otherwise share your personal information with any third party for their own commercial purposes.

6. Data Storage and Security

Your data is stored on servers located in [data centre region]. We implement industry-standard technical and organisational security measures, including:

All data in transit is encrypted using TLS 1.2 or higher
Passwords are stored as salted hashes using a strong one-way hashing algorithm
Access to production systems is restricted to authorised personnel and protected by multi-factor authentication
Database backups are encrypted and retained for 30 days
Regular security reviews of application code and infrastructure

No method of transmission or storage is 100% secure. While we work hard to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at notify@vanillapm.com.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention periods:

Active account data — retained for the duration of your account
Project content — retained for the duration of your account and for 30 days after account closure
Authentication logs and security events — retained for 90 days
Billing records — retained for 7 years as required by applicable tax and accounting law
Support correspondence — retained for 3 years from the last interaction

After the applicable retention period, data is securely deleted or anonymised. Database backups are overwritten on a rolling 30-day cycle.

8. Cookies and Tracking

8.1 What we use

VanillaPM uses a minimal set of cookies strictly necessary to operate the Service:

Cookie	Type	Purpose	Duration
`sessionid`	Strictly necessary	Maintains your authenticated session	Session / configurable
`csrftoken`	Strictly necessary	Protects against cross-site request forgery	1 year

8.2 What we don't use

We do not use advertising cookies, tracking pixels, third-party analytics cookies, or any cookies that track you across other websites. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking tools.

8.3 Managing cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in and using the Service.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access — request a copy of the personal information we hold about you
Correction — request correction of inaccurate or incomplete information
Deletion — request deletion of your personal information (subject to legal retention obligations)
Portability — receive your data in a structured, machine-readable format
Restriction — request that we limit our processing of your personal information in certain circumstances
Objection — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at notify@vanillapm.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

If you are in the EU or UK and believe we have not handled your personal information in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.

10. Children's Privacy

The Service is not directed at children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us at notify@vanillapm.com and we will delete it promptly.

11. International Data Transfers

VanillaPM operates globally. Your personal information may be transferred to and processed in countries other than the one in which you reside. When we transfer personal information internationally, we take steps to ensure that appropriate safeguards are in place to protect your information and comply with applicable data protection law, including using standard contractual clauses where required.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to your registered address and/or by a prominent notice within the Service at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.

13. Contact and Data Controller

VanillaPM is the data controller for personal information collected through the Service. If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

VanillaPM

Email: notify@vanillapm.com

Contact form: vanillapm.com/contact

Contents