How we protect your data — and honestly: what we do and don't do as a startup. For customers, partners and testers.
Last updated: 5 May 2026
Hosting, functions and database run in Europe (Belgium + EU multi-region). No US transfer outside sub-processors under SCC.
OAuth tokens for Google, Microsoft, Zoom and Mollie are encrypted before they hit the database — with a key the browser never sees.
All traffic over HTTPS, automatic certificate rotation, HSTS enforced.
Owner / admin / member / viewer. Validated server-side via Firestore Security Rules and API middleware — not just hidden in the UI.
Access, portability and deletion are self-service — no queue, no ticket.
Every admin action is kept for 2 years with IP, user-agent and purpose — for us and for you in a breach investigation.
TLS 1.3 for all browser-server traffic. HSTS enforced. Certificates rotated automatically by Google.
Firestore encrypts everything by default. We add AES-256-GCM on top of OAuth refresh tokens (Google, Microsoft, Zoom, Mollie) — a database dump yields no working calendar access.
Firebase Auth with JWT ID tokens. Every protected API route verifies the token server-side before any data is returned.
API middleware checks your role; Firestore Security Rules enforce it again at SDK level. Cross-tenant data leakage is structurally impossible.
Sliding-window rate limiting per IP/key on the contact form, public booking, promo validation, account export and delete. Promo-code brute force is blocked after 20 attempts per minute.
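An added example of the sliding-window limiter described above (not Pleney's code): an in-memory sliding log keyed by API key or IP, with the 20-per-minute promo-code figure from the text as its policy. The Express-style middleware and the injectable clock are assumptions of this example; Cloud Functions instances do not share memory, so a production version would keep the per-key log in Firestore or Redis with the same algorithm.

```javascript
// Added example, not Pleney's code. Sliding-window (sliding log) limiter:
// at most `limit` accepted attempts in any `windowMs` interval per key.
class SlidingWindowLimiter {
  constructor({ limit = 20, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;        // injectable clock so tests are deterministic
    this.hits = new Map(); // key -> timestamps (ms) of accepted attempts
  }

  // Only accepted attempts are recorded, so the guarantee is exact:
  // a key never gets more than `limit` accepted calls in any window.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const log = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (log.length >= this.limit) {
      this.hits.set(key, log);
      return { allowed: false, remaining: 0, retryAfterMs: log[0] + this.windowMs - t };
    }
    log.push(t);
    this.hits.set(key, log);
    return { allowed: true, remaining: this.limit - log.length, retryAfterMs: 0 };
  }

  // Drop keys with no attempts inside the window (run periodically to bound memory).
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, log] of this.hits) {
      if (!log.some((ts) => ts > cutoff)) this.hits.delete(key);
    }
  }
}

// Express-style middleware (assumed framework): key on an API key header when
// present, otherwise on the client IP, and answer 429 with Retry-After.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const apiKey = typeof req.get === 'function' ? req.get('x-api-key') : undefined;
    const key = apiKey ? `key:${apiKey}` : `ip:${req.ip}`;
    const verdict = limiter.check(key);
    res.set('RateLimit-Remaining', String(verdict.remaining));
    if (!verdict.allowed) {
      res.set('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      return res.status(429).send('Too many attempts');
    }
    return next();
  };
}

// Simulated brute force from one constructed IP, one attempt per second:
// 20 accepted, the 21st blocked, and accepted again once the oldest attempt
// slides out of the 60-second window.
function simulatePromoBruteForce() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 20, windowMs: 60_000, now: () => clock });
  const results = [];
  for (let i = 0; i < 21; i++) {
    clock = i * 1000;
    results.push(limiter.check('ip:203.0.113.7').allowed);
  }
  clock = 60_001; // attempt at t=0 is now outside the window
  results.push(limiter.check('ip:203.0.113.7').allowed);
  return results;
}
```

The sliding log is the strictest of the common window algorithms (no burst at a fixed-window boundary) at the cost of storing one timestamp per accepted attempt; for a 20-per-minute limit that is cheap.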
Stripe webhooks are cryptographically verified with a runtime-rotatable signing secret. Mollie is validated via a callback fetch to their API — we never trust the body.
Sentry only captures technical stack traces. Email addresses are stripped via a beforeSend hook prior to send. Authorization headers, cookies and request bodies are dropped.
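An added example of the scrubbing hook described above (not Pleney's code): a `beforeSend` function of the kind the Sentry SDK accepts, which drops request headers, cookies and body and redacts email addresses from every string in the event. The event field names used here (`request.headers`, `request.cookies`, `request.data`, `user`) follow the Sentry event shape as I know it and are an assumption of this example; the event itself is constructed.

```javascript
// Added example, not Pleney's code. A beforeSend hook that strips secrets and
// PII from an error event before it leaves the server.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Walks any JSON-like value and replaces email addresses in every string,
// including messages, breadcrumbs, extra context and stack frame text.
function redactEmails(value) {
  if (typeof value === 'string') return value.replace(EMAIL_RE, '[email redacted]');
  if (Array.isArray(value)) return value.map(redactEmails);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactEmails(v);
    return out;
  }
  return value;
}

// Shape of the hook: receives the event, returns the event to send or null to drop it.
function beforeSend(event) {
  const scrubbed = { ...event };
  if (scrubbed.request) {
    // Authorization headers, cookies and request bodies are never forwarded.
    const req = { ...scrubbed.request };
    delete req.headers;
    delete req.cookies;
    delete req.data;
    scrubbed.request = req;
  }
  if (scrubbed.user) {
    // Keep only an opaque id so an error can still be tied to an account.
    scrubbed.user = scrubbed.user.id ? { id: scrubbed.user.id } : undefined;
  }
  return redactEmails(scrubbed);
}

// A constructed event resembling what an SDK would build for a failed request.
function demoEvent() {
  return beforeSend({
    message: 'Booking failed for alice@example.com',
    request: {
      url: 'https://app.example.test/api/bookings',
      method: 'POST',
      headers: { authorization: 'Bearer constructed-token', 'user-agent': 'demo' },
      cookies: { session: 'constructed-cookie' },
      data: { email: 'alice@example.com', slot: '2026-05-05T10:00' },
    },
    user: { id: 'u_123', email: 'alice@example.com' },
    breadcrumbs: [{ message: 'reminder queued for bob@example.org' }],
  });
}
```

Whitelisting what survives (URL, method, an opaque user id) rather than blacklisting known-bad keys is what keeps the hook safe when a new field appears upstream.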
Pleney runs entirely on Google Cloud / Firebase, with the main components in the EU.
| Component | Location | Notes |
|---|---|---|
| Static + SSR (Firebase Hosting) | EU multi-region CDN | TLS 1.3, HSTS, auto cert |
| Cloud Functions (Node 20) | europe-west1 (Belgium) | Container-isolated |
| Cloud Firestore | eur3 (EU multi-region) | Encrypted at rest, TLS in transit |
| Firebase Authentication | Google identity infra | JWT tokens, server-side verified |
| Firebase Storage | europe-west1 | Logos, uploads — content-type filter |
For components we don't build ourselves we use these third parties. All GDPR-compliant; sub-processor changes are announced in advance.
| Partner | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, authentication, Firestore, Storage, Functions | EU (Frankfurt + multi-region) |
| Stripe | Subscription payments | EU / US (under SCC) |
| Mollie | Booking payments (iDEAL, credit card) | Netherlands (EU) |
| Resend | Transactional email (confirmation, reminder) | EU |
| Sentry | Error monitoring (technical traces only, no PII) | EU (Frankfurt) |
| Google Analytics 4 | Anonymised usage stats (consent only) | EU / US (under SCC) |
| Google Calendar / Microsoft 365 / Zoom | Optional calendar integrations (only after explicit user connect) | EU / US (under SCC) |
Most rights are self-service in the dashboard. For the rest we respond within 24 business hours.
Request a full copy of your data anytime via Dashboard → Account → Export data. JSON format; OAuth tokens are redacted.
Update your profile, business data and contact info yourself via Settings.
Click 'Delete account' in Dashboard → Account. We immediately revoke your OAuth connections, anonymise your name in bookings, and the actual purge follows within 30 days.
The export described under Access is directly reusable: JSON with a machine-readable structure.
Email info@sharpcreations.nl — we respond within 24 hours on business days.
Not satisfied? You can lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or your local DPA.
Honest about what a beta-stage micro-SaaS does and doesn't offer. For enterprise customers the don't-list is a topic of conversation.
Using Pleney for your own customers? Then you're the controller and we're the processor. For that relationship we offer a standard data processing agreement based on the EU model clauses.
On a breach with risk to your rights and freedoms we notify the Dutch Data Protection Authority within 72 hours and, if applicable, you via email and a dashboard banner. Detection via Sentry / audit log → scope assessment → notification.
Suspect or confirmed? security@pleney.net
Found a vulnerability? Thank you — report it and we'll fix it.
Acknowledgement within 48 hours, weekly status updates until resolved. No bug bounty (yet), but a hall-of-fame mention on request.
Or check /.well-known/security.txt
Pleney is in public beta. Our technical security is solid; formal certifications follow customer demand.
What data we collect, how we process it and which cookies we use.