Privacy Policy

This Privacy Policy (this “Policy”) describes how YAMBO LTD, an Israeli private company (registration no. 515488054, registered office Hashizaf 221, Yanuv, Israel) (“Plnty”, “we”, “our”, or “us”), collects, uses, discloses, and protects personal data in connection with the Plnty creative platform (the “Service”). This Policy takes effect on June 1, 2026 and applies to all visitors of the Plnty website and registered users of the Service. Capitalized terms not defined in this Policy have the meanings given to them in the Terms of Service.

1. Data Controller

YAMBO LTD is the controller of personal data processed in connection with the Service for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the United Kingdom GDPR, and Israel’s Privacy Protection Law, 5741-1981 (the “PPL”), except where Plnty acts as a processor on behalf of a business customer under Section 13.

For all privacy inquiries and data-subject requests, contact Plnty at support@plnty.app. Postal address: Hashizaf 221, Yanuv, Israel.

2. Scope

This Policy applies to (a) visitors of the Plnty website at plnty.app and related properties; (b) registered users of the Service, whether on a free or paid tier; and (c) persons who contact Plnty by email or through support channels.

This Policy does not apply to (a) third-party websites linked from the Service, which are governed by their own privacy policies; or (b) personal data processed by Third-Party Model providers acting as independent controllers.

3. Categories of Personal Data

3.1. Information You Provide. Account information (name, email address, profile picture), collected through the identity provider you use to register or through email-and-password registration. Profile and survey responses you provide, such as your profession, industry or creative sector, company, and how you heard about Plnty. Billing information (name, billing address, payment method) collected by Polar, our payment processor. User Content, including prompts, references, files, project data, comments, and other materials. Communications you send to Plnty by email, support ticket, or feedback channel.

3.2. Information Collected Automatically. Device and connection data, including IP address, browser type, operating system, device identifiers, and timestamps. Usage data, including pages visited, features used, time spent in the Service, session activity, content you download or export, errors encountered, and performance metrics. Cookies and similar technologies, as described in Section 9.

3.3. Information from Third Parties. Authentication data from Google or GitHub when you sign in through those providers, including your email address and basic profile information. Subscription and payment-status information from Polar.

3.4. Data Not Collected. Plnty does not intentionally collect special categories of personal data (including health, biometric, or religious data). If you upload such data as part of User Content, Plnty treats it under your Account’s general privacy controls and does not use it for any other purpose. Plnty does not purchase personal data from data brokers and does not apply facial-recognition or biometric identification to User Content.

4. Purposes and Legal Bases

Pursuant to GDPR Article 6, Plnty processes personal data for the following purposes on the following legal bases:

4.1. Provision of the Service — Account creation, authentication, hosting of User Content, generation of Output, and billing. Processed on the basis of performance of contract using account information, User Content, and billing information.

4.2. Maintenance and security — uptime monitoring, abuse prevention, fraud detection, and content moderation. Processed on the basis of legitimate interest using device data, usage data, and moderation signals.

4.3. Legal compliance — tax records, sanctions screening, and responding to lawful requests from competent authorities. Processed on the basis of legal obligation using account, billing, and communications data.

4.4. Service improvement and business analytics — feature analytics, bug reports, error monitoring, and understanding usage patterns and our user base to operate and develop the business. Processed on the basis of legitimate interest using usage data, survey responses, and error reports.

4.5. Communications — transactional messages, service notices, and responses to support inquiries. Processed on the basis of performance of contract and legitimate interest using account information and communications.

4.6. Marketing communications — newsletters and product announcements. Processed on the basis of consent using your email address; you may withdraw consent at any time.

4.7. Public showcase of User Content — featured only with your express, separate opt-in consent.

4.8. Support and service operations — authorized Plnty personnel may access and view your User Content, including your boards, where reasonably necessary to provide support, to operate, secure, and debug the Service, to investigate suspected violations or unlawful activity, and to comply with law, as described in Section 6.7 of the Terms of Service. Such access follows the principle of least privilege (Section 10) and is limited to personnel with a need to access the relevant content. Processed on the basis of performance of contract and legitimate interest using account information and User Content.

Plnty does not use User Content to train any artificial intelligence or machine learning model, whether operated by Plnty or by any third party.

5. Sub-Processors

Plnty engages the following third-party processors (“Sub-Processors”) to operate the Service. Each Sub-Processor processes personal data only on Plnty’s instructions and is bound by a Data Processing Agreement aligned with GDPR Article 28.

• Cloudflare — edge compute (Workers) and object storage (R2). Processes User Content, request metadata, and IP addresses. Hosted on the global edge.
• Vercel — application hosting. Processes HTTP request metadata and IP addresses. Hosted in the United States.
• Supabase — database, authentication, and real-time sync. Processes account information, project data, and asset metadata. Hosted on AWS; region details available on request via support@plnty.app.
• Polar — payment processing as Merchant of Record. Processes name, email address, billing address, and payment status. Multi-region.
• Resend — transactional email delivery. Processes recipient email address and message body. Hosted in the United States.
• Sentry — client-side error reporting. Processes exception traces, IP address, user identifier, and browser metadata. Hosted in the United States or European Union (configurable).
• fal.ai — AI inference (multi-model aggregator). Processes prompts, uploaded images, and mesh files. Hosted in the United States.
• Replicate — AI inference (multi-model aggregator). Processes prompts, uploaded images, mesh files, and model parameters. Hosted in the United States.
• Tripo3D — AI inference (text-to-3D and image-to-3D). Processes prompts and images. Hosted in the United States and Asia.
• Meshy — AI inference (3D generation and retexturing). Processes prompts, images, and mesh files. Hosted in the United States.
• OpenRouter — large-language-model routing for text and vision. Processes prompts and conversation context. Hosted in the United States, routes globally.
• RunPod — GPU compute for real-time inference. Processes canvas frames (JPEG), prompts, and generation parameters. Hosted in the European Union (Romania).
• Google — sign-in identity provider (OAuth). Processes email address, name, and profile picture. Global.
• GitHub — sign-in identity provider (OAuth). Processes username and email address. Hosted in the United States.
• Are.na — reference image search proxy. Processes search queries without user identifiers. Hosted in the United States.

Plnty will provide reasonable advance notice of any material change to its Sub-Processors that affects how personal data is processed.

6. International Data Transfers

Plnty is established in Israel, which the European Commission has determined to provide an adequate level of data protection under Article 45 of the GDPR. Personal data may therefore be transferred from the European Economic Area to Israel on the basis of that adequacy decision.

Where personal data is transferred to a Sub-Processor located outside the European Economic Area or the United Kingdom, Plnty relies on Standard Contractual Clauses approved by the European Commission, the EU–US Data Privacy Framework where applicable, or another lawful transfer mechanism. For further information on Plnty’s cross-border transfer safeguards, contact support@plnty.app.

7. Retention

Plnty retains personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following periods:

• Active Account data — retained for the duration of your Account.
• Account data following deletion — retained for 30 days, then permanently purged. Within this 30-day window, you may request Account restoration by contacting support@plnty.app.
• Generated assets following project deletion — retained for 30 days, then permanently purged from active storage and backups.
• Audit and security logs — retained for 12 months.
• Billing records — retained for the period required by applicable tax law (typically 7 years under Israeli law).
• Backup snapshots — retained for up to 30 days following deletion of the underlying data.
• Marketing subscriber records — retained until you unsubscribe.
• Anonymized aggregate analytics — retained indefinitely; once irreversibly anonymized, such data no longer constitutes personal data.

At the end of the applicable retention period, Plnty deletes or irreversibly anonymizes the data.

8. Your Rights

Under the GDPR, UK GDPR, Israeli PPL, and other applicable privacy laws, you have the following rights in respect of your personal data:

8.1. Access — the right to obtain confirmation as to whether personal data concerning you is being processed and to receive a copy of that data.

8.2. Rectification — the right to have inaccurate or incomplete personal data corrected.

8.3. Erasure — the right to have personal data deleted, subject to legal exceptions (including Plnty’s tax-record retention obligations).

8.4. Portability — the right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.

8.5. Restriction — the right to restrict processing in certain circumstances.

8.6. Objection — the right to object to processing based on legitimate interest, including for direct-marketing purposes.

8.7. Withdrawal of Consent — where Plnty relies on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

8.8. Complaint — the right to lodge a complaint with a supervisory authority (in Israel, the Privacy Protection Authority; in the European Union, the supervisory authority of your member state; in the United Kingdom, the Information Commissioner’s Office).

To exercise any of these rights, contact Plnty at support@plnty.app. Plnty will respond within 30 days as required by the GDPR; in complex cases, this period may be extended by an additional 60 days with notice. Plnty may verify your identity before fulfilling a request.

8.9. Account Deletion. You may delete your Account at any time through your Account settings. Deletion takes effect immediately; you may request restoration within 30 days by contacting Plnty. After the 30-day period, deletion is permanent.

8.10. Data Export. To request a copy of your personal data, contact Plnty at support@plnty.app. A self-service export may be added to Account settings in a future release.

9. Cookies and Tracking Technologies

The Service uses a limited number of cookies and similar technologies, falling into three categories:

9.1. Essential. Required for the Service to function (authentication, security, and core preferences). Essential cookies cannot be disabled.

9.2. Analytics. Plnty does not use third-party analytics cookies at launch. This Policy will be updated and a consent flow surfaced before any analytics cookies are introduced.

9.3. Marketing. None at launch. This Policy will be updated if marketing cookies are introduced.

Where applicable law requires consent for non-essential cookies (including in the European Economic Area and the United Kingdom), Plnty will surface a consent banner on first visit at the time such cookies are introduced.

10. Security

Plnty maintains administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, and destruction, including:

• encryption in transit (TLS) for all connections to the Service;
• encryption at rest for sensitive data in databases and object storage;
• access controls based on the principle of least privilege;
• row-level security in the database to prevent cross-tenant data access;
• audit logging of administrative actions;
• periodic review of code, dependencies, and configuration; and
• security assessments of Sub-Processors.

No security measure is infallible. In the event of a personal-data breach, Plnty will notify the affected data subjects and the competent supervisory authorities within the timeframes required by applicable law (typically 72 hours under GDPR Article 33).

11. Children’s Privacy

The Service is not directed at children below the age of digital consent in their jurisdiction (typically 13 to 16 years). Plnty does not knowingly collect personal data from children below this age. If you believe that a child has provided personal data to Plnty, contact support@plnty.app and Plnty will delete such data promptly.

12. Modifications

Plnty may modify this Policy from time to time. Where modifications are material, Plnty will provide notice by email or in-app at least 30 days before the modifications take effect, unless an immediate change is required by applicable law. The current version of this Policy is always available at plnty.app/legal/privacy; the “Last updated” date reflects the most recent revision.

13. Business Customers

If you access the Service as part of a team or enterprise subscription (when such offerings are available), the entity providing your access (the “Customer”) may be the controller of your personal data and Plnty acts as the processor. In that case, the Customer’s privacy policy may apply in addition to or in place of this Policy, and you should contact the Customer’s administrator for further information. This Section 13 does not apply at launch; the Service is offered on a business-to-consumer basis at launch.

14. Jurisdictional Provisions

14.1. European Economic Area and United Kingdom. The legal bases for processing are set out in Section 4 and the rights of data subjects are set out in Section 8. Israel benefits from the EU adequacy decision referred to in Section 6. Plnty will appoint a representative under GDPR Article 27 and UK GDPR Article 27 if and when EU or UK user volume requires it; until then, contact Plnty at support@plnty.app for any GDPR-related matter.

14.2. California (CCPA / CPRA). The categories of personal information collected and the purposes for which they are collected are set out in Sections 3 and 4. Plnty does not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA and CPRA. California residents may exercise the rights described in Section 8 by contacting support@plnty.app.

14.3. Brazil (LGPD). The legal bases for processing and the rights of data subjects map to the GDPR equivalents set out in Sections 4 and 8. Plnty’s privacy contact for LGPD purposes is support@plnty.app.

14.4. Israel (PPL Amendment 13). YAMBO LTD is the database controller for the purposes of the PPL. Plnty’s privacy contact is support@plnty.app. Plnty has not appointed a Data Protection Officer and will assess whether one is required as the user base and processing volume grow. Israeli residents may lodge complaints with the Privacy Protection Authority at the Ministry of Justice.

15. Contact Information

For all privacy inquiries, data-subject requests, security disclosures, abuse reports, and other privacy-related matters, contact Plnty at support@plnty.app.

YAMBO LTD (operating Plnty) Hashizaf 221, Yanuv Israel Company registration number: 515488054