Privacy Policy

Last updated: 2026-04-27

This Privacy Policy explains how Pluralize ("we", "us", "the platform") collects, uses, shares, and protects personal data. It is written for two audiences: developers who sign up at pluralize.app to build apps on top of the platform, and tenants — the end-users of those apps whose accounts live in our infrastructure on behalf of the developer who built them.

The platform is operated by Pablo Llorens, a sole proprietor established in Spain. You can reach us at hello@pluralize.app.

Our two roles under the GDPR

Pluralize wears two GDPR hats depending on whose data is involved:

| Whose data | Our role | Lawful basis |
| --- | --- | --- |
| Developer accounts on pluralize.app | Data controller | Contract (Art. 6(1)(b)) and legitimate interest in operating the platform (Art. 6(1)(f)) |
| Tenants signing into apps you build with Pluralize | Data processor acting on the developer's documented instructions | The developer is the controller and chooses their own lawful basis |

When we are a processor, the relationship is governed by our Data Processing Agreement, which is incorporated by reference into the Terms of Service and binds us as soon as you create an app.

What data we collect

From developers (we are controller)

  • Account identity — name, email address, hashed password, optional GitHub OAuth claims (login, primary email, avatar URL) when you sign in with GitHub.
  • Email verification timestamps — to satisfy the gate set by ADR 0005.
  • Billing data — your Stripe Connect account ID and the public metadata Stripe returns. Card numbers and bank details never touch our infrastructure; Stripe holds them as an independent controller.
  • App metadata — names, slugs, plan definitions, feature flags, allowed CORS origins, and any configuration you set in the dashboard.
  • Operational logs — IP address, user agent, and timestamps for sign-in, sign-up, password reset, and other security-relevant events. Retained for 90 days for fraud and abuse investigation.
  • Support correspondence — anything you send to hello@pluralize.app.

From tenants (we are processor)

  • Authentication identity — email address and a bcrypt hash of the password the tenant chose when signing up to your app.
  • Session metadata — IP address and user agent at sign-in, used for rate limiting and to populate the device list the tenant sees.
  • Custom records and files — anything your app stores via app.db.collection or uploads to Vercel Blob through our SDK. We do not inspect, index, or use this content for any purpose other than delivering it back to your app.

Why we use it

| Purpose | Categories used | Lawful basis |
| --- | --- | --- |
| Provide and operate the platform | All categories above | Contract (Art. 6(1)(b)) |
| Bill you for paid plans | Account identity, billing data | Contract |
| Detect and prevent abuse, fraud, and security incidents | Operational logs, session metadata | Legitimate interest (Art. 6(1)(f)) |
| Send transactional email (verification, password reset, billing receipts) | Account identity, email | Contract |
| Comply with tax, accounting, and legal obligations | Billing data, account identity | Legal obligation (Art. 6(1)(c)) |

We do not profile users for advertising, sell data to brokers, or share data with anyone outside the sub-processors listed below.

Retention

| Data | Retention |
| --- | --- |
| Active developer account | For as long as the account exists |
| Closed developer account | 30 days then permanently deleted, except invoices kept for 6 years (Spanish tax law) |
| Tenant accounts | Controlled by the developer; deleted on developer instruction or app deletion |
| Session JWTs | 30 days from issue, or until revoked |
| Operational logs | 90 days |
| Email logs (Resend) | 30 days |

Sharing — sub-processors

We rely on a small number of carefully selected sub-processors to deliver the service. The current list is published at /legal/subprocessors and includes Vercel (hosting), Neon (Postgres database), Stripe (payments) and Resend (transactional email). Each is bound by its own DPA and a compatible transfer mechanism.

International transfers

Some sub-processors are established in the United States. Where personal data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (Decision 2021/914) plus supplementary measures such as encryption in transit and at rest. Where the receiving party is certified, we additionally rely on the EU–US Data Privacy Framework.

Security

Production data is encrypted in transit (TLS 1.2+) and at rest (AES-256 at the storage layer). Passwords are hashed with bcrypt. Session tokens are signed JWTs delivered as httpOnly, Secure, SameSite=Lax cookies. Access to production systems is limited to the operator and protected by hardware-backed multi-factor authentication. We log administrative actions and review them on a rolling basis.

Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten"), subject to lawful retention obligations.
  • Restrict or object to certain processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent where processing was based on consent.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD, aepd.es) or your local supervisory authority.

To exercise any of these, email hello@pluralize.app from the address on file. We respond within 30 days as required by Art. 12(3) GDPR. If your request relates to data we process on behalf of a developer (i.e. tenant data in an app built with Pluralize), please contact that developer first — they are the controller and we will forward your request to them on receipt.

Children

Pluralize is a B2B developer tool and is not directed at children under 16. We do not knowingly collect data from children. Developers building consumer apps on the platform are responsible for any age-related compliance their app requires.

Changes to this policy

Material changes will be announced in-dashboard and by email at least 30 days before they take effect. The change history will be visible in the public Git history of pluralize.app.

Questions? Email hello@pluralize.app — we'll route to the right person.