Legal

Privacy Policy

Last updated: April 21, 2026

This Privacy Policy describes how Noble Nest sp. z o.o. (“we,” “us,” or “our”), operating the PlutoPro platform at plutopro.ai (the “Service”), collects, uses, shares, and protects your information when you use the Service.

Noble Nest sp. z o.o. is the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and Polish data protection law.

By using PlutoPro, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Data Controller

The data controller responsible for your personal data is:

Noble Nest sp. z o.o.
ul. Złota 75A, lok. 7
00-819 Warszawa, Polska
KRS: 0001108163
NIP: 5214071603
REGON: 528746191

For any privacy-related question or request, contact us at support@plutopro.ai with “Privacy Request” in the subject line. We respond within 30 days.

We have assessed whether a Data Protection Officer is required under Article 37 GDPR and concluded it is not — we do not carry out large-scale processing of special category data, nor large-scale systematic monitoring of data subjects. The controller remains directly responsible for all privacy matters.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials managed through our auth provider (Supabase Auth). If you sign up via a third-party provider (e.g., Google), we receive the profile information you authorise that provider to share.

2.2 Store and Product Data

When you connect an ecommerce store (Amazon, Shopify, or Etsy), PlutoPro imports product data including titles, descriptions, bullet points, prices, images, and related metadata. This data is used solely to generate social media content on your behalf. Store connection credentials (OAuth access and refresh tokens) are encrypted at the application layer using AES-256-GCM before storage and are additionally encrypted at rest by our database provider.

2.3 Amazon Selling Partner API Data

When you connect an Amazon Seller account, PlutoPro uses the Amazon Selling Partner API (SP-API) under roles you authorise. Specifically:

What we retrieve: active listings via the Reports API (GET_MERCHANT_LISTINGS_ALL_DATA) to discover the ASINs on your account, then per-ASIN catalog data via the Catalog Items API (titles, descriptions, bullet points, images, pricing, and brand metadata). We do not retrieve buyer personal information, order data, financial data, or any Personally Identifiable Information (PII) from Amazon.
Why we retrieve it: solely to generate social media content about your own products and to build the brand and product knowledge models that power your drafts.
How it is stored: your SP-API refresh token is encrypted using AES-256-GCM before insertion into our database. Catalog data is stored in your account's tenant-isolated records and is not shared across accounts.
How long we keep it: for as long as your Amazon connection is active. On disconnection or account deletion, SP-API refresh tokens and associated catalog data are purged in accordance with Section 6 (Data Retention).
Onward sharing: Amazon SP-API data is processed by Anthropic (Claude) and fal.ai solely as part of generating content on your behalf, under written sub-processor terms. It is never sold, shared for advertising, or used to train any AI model.

Our use of Amazon SP-API data complies with Amazon's Data Protection Policy and Acceptable Use Policy. If Amazon notifies us that a seller's authorisation has been revoked, we will stop processing that seller's data and purge SP-API tokens and data within the timeframes required by Amazon's policy.

2.4 Google Drive Data

If you connect Google Drive, we access only the specific folders you authorise. We import image metadata (filenames, dimensions) and image content for the purpose of mapping assets to your products. We do not access other files in your Google Drive.

2.5 Content Interaction Data

We collect your interactions with generated content — approvals, rejections, edits, and regeneration instructions — to improve content quality over time through our learning system. These signals are stored per-brand and are never shared across accounts.

2.6 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive financial information on our servers. We receive only a confirmation of your subscription status and billing metadata from Stripe.

2.7 Usage and Log Data

We automatically collect standard log data including IP addresses, browser type, pages visited, and timestamps. We use PostHog for product analytics and Sentry for error monitoring and crash reporting.

3. Legal Bases for Processing (GDPR)

Under Article 6 GDPR, we rely on the following legal bases for each category of processing:

Performance of a contract (Art. 6(1)(b)) — account creation, store connections, product ingestion, content generation, subscription billing. Processing is necessary to deliver the Service you requested.
Legitimate interests (Art. 6(1)(f)) — product analytics, error monitoring, fraud prevention, security logging, and improving content quality through aggregated feedback patterns within your account. We balance these interests against your rights and freedoms.
Consent (Art. 6(1)(a)) — non-essential cookies (PostHog analytics) and optional marketing communications. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)) — tax record retention, accounting records, and responses to lawful requests from competent authorities.

4. How We Use Your Information

We use the information we collect to:

Provide the Service — import your products, generate social media content, and deliver drafts for your review
Improve content quality — use your feedback signals (approvals, edits, rejections) to learn your brand preferences and generate better content over time within your own account only
Process payments and manage your subscription through Stripe
Send transactional emails (account confirmations, billing receipts, sync notifications)
Monitor and improve the reliability, security, and performance of the Service
Respond to your support requests and communicate with you about the Service

We do not use your product data, store data, Amazon SP-API data, or generated content to train AI models. Your data is processed solely to deliver the Service to you.

5. Sub-Processors and International Transfers

PlutoPro uses the sub-processors listed on our Sub-Processors page to deliver the platform. We share only the minimum data each sub-processor needs to perform its function.

Some of these sub-processors are located in the United States. Where data is transferred outside the European Economic Area, we rely on the EU Standard Contractual Clauses (SCCs) published by the European Commission (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework. We assess each transfer for supplementary technical and organisational measures in line with the Schrems II ruling.

We do not sell your personal data, share it with advertisers, or use it for any purpose other than delivering the Service.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

Account data — retained while your account is active
Product, content, and store-connection data — retained while your account is active; deleted immediately via database cascade on account deletion
Encrypted credentials (OAuth tokens, SP-API refresh tokens) — deleted immediately on disconnection of the source or account deletion
Audit logs — automatically deleted after 90 days by a scheduled process
Analytics and error-monitoring data — retained per PostHog and Sentry default retention policies (see their privacy policies)
Financial and tax records — retained for the period required by Polish accounting and tax law (currently 5 years)

When you delete your account, we delete or anonymise your personal data within 30 days. Residual copies may persist in encrypted backups for up to 30 additional days before rolling off, after which they are permanently unavailable.

7. Your Rights

7.1 Rights under the GDPR (EU / EEA / UK users)

You have the following rights regarding your personal data:

Access (Art. 15) — request a copy of the personal data we hold about you
Rectification (Art. 16) — request correction of inaccurate personal data
Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”)
Restriction (Art. 18) — request we stop processing while a concern is resolved
Portability (Art. 20) — request a machine- readable copy of data you provided
Objection (Art. 21) — object to processing based on legitimate interests
Withdraw consent (Art. 7) — for processing based on consent, without affecting the lawfulness of processing before withdrawal
Lodge a complaint with a supervisory authority — in Poland, the Urząd Ochrony Danych Osobowych (UODO, uodo.gov.pl); you may also contact the supervisory authority of your EU member state of residence

7.2 Rights under the CCPA/CPRA (California users)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of any sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

7.3 How to exercise your rights

You can delete your account directly from the account settings page; this triggers immediate deletion of your personal data in accordance with Section 6. For access requests, data exports, and all other rights, email support@plutopro.ai with “Privacy Request” in the subject line. We respond within 30 days. We may ask you to verify your identity before fulfilling a request.

8. Data Security

We implement technical and organisational measures appropriate to the risk, including:

Store connection credentials (OAuth tokens, SP-API refresh tokens) are encrypted at the application layer using AES-256-GCM before storage, and are additionally encrypted at rest by our database provider
All data in transit is encrypted via TLS/HTTPS
Database access is controlled through Row-Level Security (RLS) policies that enforce account-level data isolation — your data is never accessible to other tenants
We maintain structured audit logs of significant actions for security monitoring, retained for 90 days
Application infrastructure is hosted on Vercel and Supabase, both of which operate ISO 27001 / SOC 2-aligned controls
Encryption keys are stored in the hosting provider's secret manager and are not accessible to the application database

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously improve our controls.

9. Cookies

PlutoPro uses cookies to operate the Service. We categorise them as follows:

9.1 Essential Cookies

These cookies are required for authentication and session management. They cannot be disabled.

sb-* (Supabase) — authentication session tokens. Expire when the session ends or after the configured session lifetime.
pluto-cookie-consent — records your cookie preference (accepted or declined). Expires after 1 year.

9.2 Analytics Cookies

These cookies are only set if you accept cookies via our consent banner. They help us understand how the Service is used so we can improve it.

ph_* (PostHog) — product analytics including page views, feature usage, and session recording. PostHog cookies expire after 1 year.

We do not use advertising cookies, tracking pixels, or third-party ad networks. We do not sell your data to advertisers. You can change your cookie preference at any time by clearing your browser cookies and revisiting the site.

10. Children's Privacy

PlutoPro is a business tool not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes that affect your rights, we will notify you via email.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Noble Nest sp. z o.o.
ul. Złota 75A, lok. 7, 00-819 Warszawa, Polska
support@plutopro.ai