Privacy Policy

This policy applies to all users of the Plainsheet platform, including visitors who browse without an account and registered users who create an account to access additional features. It covers information collected through our website, backend services, and any features of the platform.

When you create an account, we collect:

• Email address — used to create and identify your account, and to communicate with you about the service
• Password — stored in hashed, non-recoverable form; we never store your password in plain text
• Display name — if you choose to provide one
• Account preferences — such as theme, notification settings, and similar configuration choices

Creating an account is required to save filings, maintain a watchlist, and use personalized features. Core research features may be accessible without an account, but results will not persist between sessions.

When you use Plainsheet to research companies and filings, we store on our servers:

• Filings you analyze — which companies and specific filings (10-K, 10-Q, 8-K) you have looked up
• Extracted metrics and results — the financial data and signals generated from your filing analyses
• Watchlist — companies you have saved for ongoing tracking
• Comparison history — peer or year-over-year comparisons you have run

This data is stored in your account on our secure backend infrastructure so it persists across sessions and devices.

If you use the optional AI filing assistant, we transmit your questions — along with the relevant filing context — to our third-party AI provider to generate an answer. This feature is entirely optional. If you do not use it, no questions are sent anywhere.

Our infrastructure automatically processes the following technical data to operate, secure, and improve the service:

• IP address — used for rate limiting, abuse prevention, and approximate location for legal compliance purposes
• Request logs — timestamps, HTTP methods, and endpoints accessed
• Device and browser information — browser type, operating system, and screen resolution, used to optimize the interface
• Error and performance logs — used to identify and fix bugs

This data is used solely for security, reliability, and service improvement. It is not used to build advertising profiles.

We do not collect:

• Payment card numbers or bank account details (any future payment processing will be handled entirely by a certified third-party payment processor)
• Government-issued identification numbers
• Biometric data
• Precise geolocation data
• Information from your contacts, calendar, or other apps

• Creating and maintaining your account
• Storing and retrieving your saved filings, watchlist, and preferences
• Processing your research requests and returning results
• Enabling the AI assistant when you choose to use it
• Displaying relevant financial data and metrics

• Detecting, preventing, and investigating fraud, abuse, or security incidents
• Enforcing our Terms of Service
• Monitoring performance and diagnosing technical issues
• Analyzing aggregate, anonymized usage patterns to improve features

• Sending transactional emails — account verification, password resets, security alerts
• Service announcements — material changes to the platform, new features, or policy updates
• Responding to your support requests or inquiries

We do not send marketing or promotional emails without your explicit opt-in. If a marketing tier is introduced in the future, you will be given a clear choice before being enrolled.

We may use or retain data where necessary to comply with applicable laws, respond to lawful requests from government authorities, or protect our legal rights in a dispute.

We use the following categories of third-party providers to operate the service. Each receives only the minimum data necessary for their specific function:

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with a valid legal obligation, court order, or government request;
• Protect the rights, property, or safety of Plainsheet, our users, or the public;
• Detect, prevent, or address fraud, security, or technical issues; or
• Enforce our Terms of Service.

Where legally permitted, we will attempt to notify you of such requests before complying.

If Plainsheet is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the service before your data becomes subject to a materially different privacy policy.

• Encryption of data in transit using TLS (HTTPS)
• Encryption of sensitive data at rest
• Hashed, salted password storage — your password is never stored in readable form
• Rate limiting and abuse detection to prevent unauthorized access
• Access controls limiting which personnel can access user data

We do not use Google Analytics, Meta Pixel, or any other cross-site behavioral tracking tools. We do not serve advertising of any kind.

Some browsers transmit "Do Not Track" (DNT) signals. Because Plainsheet does not conduct cross-site behavioral tracking or advertising, DNT signals do not materially change how we operate. Under California law (CalOPPA), we disclose that we do not currently respond to DNT signals in a technically differentiated way — because we do not engage in the tracking activities DNT is designed to prevent.

For users in the European Economic Area (EEA) or United Kingdom, international transfers of your data are made under appropriate legal safeguards, which may include:

• Adequacy decisions by the European Commission recognizing equivalent protection in the destination country;
• Standard Contractual Clauses (SCCs) approved by the European Commission; or
• Other lawful transfer mechanisms recognized under GDPR or UK GDPR.

Our infrastructure and AI providers operate under their own GDPR-compliant transfer mechanisms. You may request details of the specific mechanisms applicable to any transfer by contacting us.

• Update your account information — you can edit your email address, display name, and preferences at any time from within your account settings
• Delete individual data — you can remove individual saved filings, watchlist entries, or comparison history from within the app
• Delete your account — you can permanently delete your account and all associated data from your account settings or by contacting us; deletion is completed within 30 days
• Opt out of the AI assistant — simply do not use the feature; no AI data is transmitted if you do not initiate a query
• Control transactional emails — while we require the ability to send essential account emails (security alerts, password resets), you can manage other notification preferences in your account settings

To exercise your California rights, email support@plainsheet.app with the subject line California Privacy Request. We will respond within 45 days. We may ask you to verify your identity before fulfilling a request.

To exercise any GDPR right, email support@plainsheet.app with the subject line GDPR Request. We will respond within 30 days and may ask you to verify your identity.

If we become aware that a child under 13 has provided us with personal information, we will promptly delete that information from our systems. If you are a parent or guardian and believe your child under 13 has created an account or otherwise submitted personal information, please contact us at support@plainsheet.app with the subject line Child Privacy. We will respond promptly and take appropriate corrective action.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR;
• Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms;
• Follow applicable U.S. state breach notification laws, which typically require user notification within 30–72 days depending on the state; and
• Provide a clear description of the breach, the data involved, and the steps we are taking to address it.

Notifications will be delivered to the email address associated with your account and, where appropriate, posted prominently on the service.

We may update this Privacy Policy as the service evolves or as legal requirements change. We will indicate any change by updating the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify you — through the service interface, by email, or both — before the change takes effect.

Your continued use of the service after a change becomes effective constitutes acceptance of the revised policy. If you disagree with a material change, you may delete your account before it takes effect.

For any questions, concerns, or formal data requests, please use the appropriate subject line below so your message is routed correctly: support@plainsheet.app