1. Introduction
LowerPlane, Inc. (“LowerPlane,” “we,” “our,” or “us”) operates a compliance automation platform that helps organizations achieve and maintain compliance with ISO 27001, SOC 2, HIPAA, GDPR, PCI-DSS, and other regulatory frameworks. We understand that the trust our customers place in us begins with how we handle their data.
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal data when you visit our website at lowerplane.com (the “Website”), use our compliance automation platform (the “Platform”), or otherwise interact with us (collectively, the “Services”). It applies to all individuals who access or use our Services, including account administrators, team members, and website visitors.
As a compliance automation company, we hold ourselves to the highest standards of data protection. We process personal data in accordance with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the United Kingdom Data Protection Act 2018, and other applicable data protection laws.
By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use our Services.
This Privacy Policy is a template provided for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.
2. Definitions
The following terms, when capitalized in this Privacy Policy, have the meanings set forth below:
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. With respect to Personal Data we collect directly from you, LowerPlane acts as the Data Controller.
- “Data Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller. When our customers upload data to the Platform or connect integrations, LowerPlane acts as a Data Processor on their behalf.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Sub-processor” means any third-party Data Processor engaged by LowerPlane to assist in fulfilling its obligations with respect to providing the Services pursuant to the applicable agreement or this Privacy Policy.
3. Information We Collect
We collect information through various means depending on how you interact with our Services. The categories of Personal Data we collect are described below.
3.1 Account and Registration Data
When you create an account or register for our Services, we collect the following information:
- Full name and professional title or role
- Business email address
- Company or organization name, size, and industry
- Phone number (optional)
- Password (stored in hashed form only)
- Profile preferences and notification settings
- Authentication data, including multi-factor authentication (MFA) enrollment
3.2 Billing and Transaction Data
When you purchase a subscription or make a payment, we collect:
- Billing name and billing address
- Invoice history and transaction records
- Subscription plan details and usage tiers
- Tax identification numbers where required by law
Payment card numbers and sensitive financial information are processed directly by our third-party payment processor (Stripe) and are never stored on our servers. We receive only a truncated card identifier (last four digits) and transaction confirmation details. Please refer to Stripe's Privacy Policy for information on how they handle your payment data.
3.3 Compliance and Business Data
In the course of using our Platform for compliance management, you or your organization may upload or generate the following data:
- Evidence documents, including screenshots, configuration exports, log files, and other compliance artifacts
- Policies, procedures, and other governance documentation created or managed through the Platform
- Audit preparation materials, including readiness assessments and gap analysis results
- Security questionnaire responses and vendor assessment data
- Risk assessment records, including risk registers and treatment plans
- Compliance status data across ISO 27001, SOC 2, HIPAA, GDPR, and PCI-DSS frameworks
- Control implementation details and remediation tracking information
With respect to Compliance and Business Data, LowerPlane acts as a Data Processor on behalf of our customers (who are the Data Controllers). Our processing of such data is governed by the Data Processing Agreement (DPA) executed between LowerPlane and the customer.
3.4 Integration Data
When you connect third-party services to our Platform for automated evidence collection and continuous monitoring, we may receive the following data from those services:
- Cloud Infrastructure Providers (AWS, Microsoft Azure, Google Cloud Platform): Security configuration data, resource inventories, access policies, CloudTrail logs, Security Hub findings, and compliance posture assessments
- Identity and Access Management (Okta, Azure AD, Google Workspace): User directories, authentication logs, MFA enrollment status, and access review data
- Code Repositories and DevOps (GitHub, GitLab, Bitbucket): Repository access controls, branch protection rules, code review configurations, and CI/CD pipeline security settings
- Security Tools (Snyk, Wiz, CrowdStrike, Splunk): Vulnerability scan results, security posture scores, threat detection alerts, and endpoint protection status
- HR and People Platforms (BambooHR, Gusto, Workday): Employee onboarding/offboarding status, security training completion records, and background check attestations
- Communication and Productivity (Slack, Microsoft 365): Security configuration settings, data loss prevention policy status, and retention settings
We only collect data from integrations that you explicitly authorize and configure. The scope of data collected from each integration is limited to what is necessary for compliance evidence collection and monitoring. You can review and revoke integration permissions at any time through the Platform's integration settings.
3.5 Usage and Analytics Data
We automatically collect certain information when you access and use our Services:
- Device information, including device type, operating system, and browser type and version
- IP address and approximate geographic location derived from IP address
- Usage patterns, including pages visited, features used, time spent on the Platform, click paths, and search queries within the Services
- Referring URL and exit pages
- Date and time stamps of access and actions performed
- Performance data, including page load times, errors encountered, and service availability metrics
- Feature adoption and engagement metrics used to improve our Services
3.6 Communication Data
When you communicate with us, we collect:
- Support tickets, including subject matter, content, and attachments
- Live chat transcripts and chatbot interactions
- Emails and other correspondence sent to or received from us
- Feedback, survey responses, and product feature requests
- Records of your communication preferences and consent to receive communications
- Webinar and event registration details and attendance records
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a lawful basis for processing Personal Data, we rely on the following legal bases:
4.1 Performance of a Contract
We process your Personal Data as necessary to perform our contractual obligations to you, including providing and maintaining the Platform, processing transactions, managing your account, and delivering customer support. This applies to Account and Registration Data, Billing and Transaction Data, and Communication Data.
4.2 Legitimate Interests
We process Personal Data where necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your data protection rights. Our legitimate interests include:
- Improving, optimizing, and personalizing our Services and user experience
- Detecting, preventing, and investigating security incidents, fraud, and abuse
- Conducting analytics and research to develop new features and improve existing ones
- Marketing our Services to prospective customers and sending relevant product information to existing customers
- Ensuring network and information security across our infrastructure
- Enforcing our terms of service and protecting our legal rights
4.3 Consent
In certain cases, we process your Personal Data based on your freely given, specific, informed, and unambiguous consent. This includes processing for marketing communications (where consent is required by applicable law), the use of non-essential cookies and tracking technologies, and participation in optional surveys or beta programs. You may withdraw your consent at any time by contacting us at privacy@lowerplane.com or by using the applicable opt-out mechanism. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
4.4 Legal Obligation
We process Personal Data where necessary to comply with a legal obligation to which we are subject. This includes retaining records for tax and accounting purposes, responding to lawful requests from regulatory authorities and law enforcement, and fulfilling data breach notification requirements.
5. How We Use Your Information
We use the Personal Data we collect for the following purposes:
5.1 Service Delivery and Operations
- Provide, operate, and maintain the compliance automation Platform and all associated features
- Process automated evidence collection from connected integrations and map evidence to compliance controls across ISO 27001, SOC 2, HIPAA, GDPR, and PCI-DSS frameworks
- Generate compliance policies, risk assessments, readiness reports, and audit preparation materials
- Manage your account, authenticate your identity, and process subscription payments
- Deliver continuous compliance monitoring and send alerts for compliance status changes
5.2 Security and Fraud Prevention
- Detect, investigate, and prevent unauthorized access, security incidents, and fraudulent activity
- Monitor for suspicious behavior and enforce rate limits and access controls
- Maintain audit logs of administrative actions and data access events
- Protect the integrity, availability, and confidentiality of our Services and infrastructure
5.3 Analytics and Product Improvement
- Analyze usage patterns and feature adoption to improve the Platform experience
- Conduct research and development to build new features and enhance existing capabilities
- Generate aggregated, anonymized benchmarking data and industry compliance insights
- Perform A/B testing and measure the effectiveness of product changes
5.4 Communications
- Send transactional communications, including account confirmations, invoices, security alerts, and compliance status notifications
- Respond to your support inquiries, feedback, and feature requests
- Deliver marketing communications about our products, services, events, and industry updates (where you have opted in or where permitted by applicable law)
- Notify you of material changes to our Services, policies, or terms
5.5 Legal and Compliance Purposes
- Comply with applicable laws, regulations, legal processes, and governmental requests
- Enforce our Terms of Service, Data Processing Agreements, and other contractual obligations
- Establish, exercise, or defend legal claims
- Facilitate audits, including internal audits and audits conducted by our customers or their auditors
6. Data Sharing and Disclosure
We do not sell, rent, or trade your Personal Data. We share Personal Data only in the following circumstances:
6.1 Service Providers and Sub-processors
We share Personal Data with trusted third-party service providers who assist us in operating, maintaining, and improving our Services. These providers are contractually obligated to process Personal Data only on our behalf, in accordance with our instructions, and subject to appropriate confidentiality and security obligations. See Section 7 (Sub-processors) for further details.
6.2 Legal Requirements
We may disclose Personal Data if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or legal process served on LowerPlane; (b) protect and defend the rights or property of LowerPlane; (c) prevent or investigate possible wrongdoing in connection with our Services; or (d) protect the personal safety of users of our Services or the public. Where legally permitted, we will make reasonable efforts to notify affected Data Subjects before disclosing their Personal Data in response to a legal request.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or other change of control, Personal Data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Website before your Personal Data is transferred and becomes subject to a different privacy policy. Any successor entity will be bound by the terms of this Privacy Policy with respect to Personal Data collected prior to the transfer.
6.4 With Your Consent
We may share your Personal Data with third parties when you have given us explicit consent to do so. For example, if you request that we share compliance reports or audit packages with your auditor or a prospective business partner, we will do so based on your express authorization.
6.5 Aggregated and De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you. This includes anonymized benchmarking data, industry compliance trends, and aggregated platform usage statistics. Such data is not considered Personal Data under applicable data protection laws.
7. Sub-processors
We engage the following categories of Sub-processors to assist in providing our Services. Each Sub-processor is bound by contractual obligations that require them to protect Personal Data in accordance with this Privacy Policy and applicable data protection laws.
- Cloud Infrastructure and Hosting: Amazon Web Services (AWS) for compute, storage (S3), and database hosting (RDS). Data is hosted in secure, SOC 2-certified data centers.
- Payment Processing: Stripe for processing subscription payments and managing billing. Stripe is PCI-DSS Level 1 certified.
- Email Communications: Resend and/or SendGrid for transactional and marketing email delivery.
- Error Tracking and Monitoring: Sentry for application error tracking and performance monitoring.
- Analytics: Analytics tools for measuring website and Platform usage patterns to improve the user experience.
- Customer Support: Support tools for managing customer inquiries, ticketing, and live chat.
- Caching and Job Queue: Redis Cloud or Upstash for application caching and background job processing.
A complete and up-to-date list of our Sub-processors, including their names, purposes, and locations, is available upon request by contacting privacy@lowerplane.com. Enterprise customers may subscribe to receive advance notifications of any changes to our Sub-processor list as part of their Data Processing Agreement.
8. International Data Transfers
LowerPlane is headquartered in the United States. Your Personal Data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction.
When we transfer Personal Data outside the EEA, the United Kingdom, or Switzerland, we implement appropriate safeguards to ensure that your Personal Data receives an adequate level of protection, including:
- Standard Contractual Clauses (SCCs): We execute the European Commission-approved Standard Contractual Clauses with our Sub-processors and data transfer partners, including the UK International Data Transfer Addendum where applicable.
- Adequacy Decisions: Where the European Commission or the UK Secretary of State has determined that a third country provides an adequate level of data protection, we may rely on such adequacy decisions.
- Supplementary Measures: We conduct transfer impact assessments and implement supplementary technical and organizational measures where necessary to ensure the effectiveness of the transfer mechanism, including encryption of data in transit and at rest.
- Data Localization (Enterprise): Enterprise customers may request data residency options to ensure their data is stored and processed within a specific geographic region (for example, EU-only hosting). Please contact our sales team for details on data localization capabilities.
You may obtain a copy of the Standard Contractual Clauses or other transfer safeguards we rely on by contacting us at dpo@lowerplane.com.
9. Data Security
Protecting your data is fundamental to our business. As a compliance automation platform, we implement comprehensive technical and organizational security measures that meet or exceed industry standards.
9.1 Encryption
- All data in transit is protected using TLS 1.3 with strong cipher suites
- All data at rest is encrypted using AES-256 encryption, including database storage, file storage (S3), and backups
- Encryption keys are managed using dedicated key management services with automatic key rotation
9.2 Infrastructure Security
- Our infrastructure is hosted on SOC 2 Type 2-certified cloud providers
- Network segmentation and firewall rules restrict access to internal services
- Automated vulnerability scanning and patch management across all infrastructure components
- Distributed denial-of-service (DDoS) protection and web application firewall (WAF) deployed at the edge
9.3 Access Controls
- Role-based access control (RBAC) enforced across all systems and services
- Multi-factor authentication (MFA) required for all employees accessing production systems
- Principle of least privilege applied to all internal access and service accounts
- Regular access reviews and prompt deprovisioning upon employee departure
9.4 Monitoring and Incident Response
- Comprehensive audit logging of all administrative actions, data access events, and authentication attempts
- Centralized log management with real-time alerting for anomalous activity
- Documented incident response plan with defined escalation procedures and communication protocols
- Regular penetration testing conducted by independent third-party security firms
9.5 Employee Security
- Background checks conducted for all employees with access to customer data
- Mandatory security awareness training upon hire and on an annual basis
- Confidentiality agreements executed by all employees and contractors
- Regular phishing simulations and security education programs
9.6 Business Continuity
- Automated daily backups with geographic redundancy and regular restoration testing
- Documented disaster recovery procedures with defined recovery time and recovery point objectives
- High-availability architecture with automatic failover capabilities
For more information about our security practices and certifications, please visit our Security page or contact security@lowerplane.com.
10. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods vary by data category:
- Account and Registration Data: Retained for the duration of your active account and for 90 days following account termination or deletion request, after which it is permanently deleted.
- Billing and Transaction Data: Retained for the duration of your active account and for a minimum of 7 years following the last transaction, as required for tax, accounting, and regulatory compliance purposes.
- Compliance and Business Data: Retained for the duration of your active account. Upon account termination, this data is retained for 90 days to allow for data export, after which it is permanently deleted unless a longer retention period is agreed upon in your service agreement.
- Integration Data: Retained for the duration of your active account and the active integration connection. Data is deleted within 30 days of disconnecting an integration, unless it has been incorporated into compliance evidence records.
- Usage and Analytics Data: Retained in identifiable form for up to 24 months, after which it is anonymized or aggregated for long-term analytics.
- Communication Data: Retained for the duration of your active account and for up to 3 years following account termination for support history and dispute resolution purposes.
Post-Termination Process: Upon account termination, we provide a 90-day grace period during which you may export your data using our built-in data export tools. After the grace period, data is scheduled for permanent deletion from all primary and backup systems. Deletion from backup systems may take up to an additional 30 days.
Legal Holds: Notwithstanding the above, we may retain Personal Data for longer periods where required by applicable law, regulation, or legal proceeding, or where retention is necessary to establish, exercise, or defend legal claims. Data subject to a legal hold will be isolated and protected from further processing until the hold is lifted.
11. Your Privacy Rights
Depending on your location and applicable law, you may have certain rights with respect to your Personal Data. We are committed to honoring these rights and facilitating their exercise.
11.1 Rights Under GDPR (EU/EEA/UK)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation and the UK Data Protection Act 2018:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your Personal Data and, if so, to access that data along with information about the purposes of processing, the categories of data concerned, and the recipients to whom the data has been or will be disclosed.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate Personal Data and, taking into account the purposes of processing, to have incomplete Personal Data completed.
- Right to Erasure (Article 17): You have the right to request deletion of your Personal Data where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent and there is no other legal basis for processing, or where the data has been unlawfully processed.
- Right to Restriction of Processing (Article 18): You have the right to request restriction of processing where you contest the accuracy of your Personal Data, where the processing is unlawful, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate interests.
- Right to Data Portability (Article 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
- Right to Object (Article 21): You have the right to object to processing of your Personal Data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing without exception.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. LowerPlane does not currently engage in automated decision-making of this nature.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
11.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of Personal Data we have collected about you, the categories of sources from which the data was collected, the business or commercial purposes for collection, and the categories of third parties with whom we share your data.
- Right to Delete: You have the right to request that we delete Personal Data we have collected from you, subject to certain exceptions as provided by law.
- Right to Opt-Out of Sale or Sharing: LowerPlane does not sell your Personal Data and does not share your Personal Data for cross-context behavioral advertising. Accordingly, there is no need to opt out of such activities.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying goods or services, charging different prices, providing a different level or quality of services, or suggesting that you will receive a different level or quality of services.
- Right to Correction: You have the right to request that we correct inaccurate Personal Data that we maintain about you.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes necessary to provide the Services. LowerPlane collects sensitive personal information only as necessary to perform the Services and does not use it for any purpose beyond providing those Services.
11.3 How to Exercise Your Rights
You may exercise your privacy rights by any of the following methods:
- Email: Send a request to privacy@lowerplane.com with the subject line “Privacy Rights Request.”
- Platform Settings: Certain rights, such as data export and account deletion, can be exercised directly through your account settings in the Platform.
- Data Protection Officer: Contact our DPO at dpo@lowerplane.com for questions or concerns about how your data is handled.
Verification: To protect your privacy and security, we will verify your identity before processing your request. We may ask you to confirm your identity through your account credentials, email verification, or by providing additional information that matches our records. If you are submitting a request on behalf of another individual, we will require written authorization from the Data Subject.
Response Times: We will acknowledge receipt of your request within 3 business days and respond substantively within the following timeframes:
- GDPR requests: Within 30 days. This period may be extended by an additional 60 days for complex or voluminous requests, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period.
- CCPA/CPRA requests: Within 45 days. This period may be extended by an additional 45 days where reasonably necessary, in which case we will provide notice of the extension.
All rights requests are processed free of charge, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request in accordance with applicable law.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to collect Usage and Analytics Data, remember your preferences, and enhance your experience with our Services.
The types of cookies we use include:
- Strictly Necessary Cookies: Essential for the operation of our Services, including authentication, session management, and security features. These cookies cannot be disabled.
- Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.
- Analytics Cookies: Help us understand how visitors interact with our Website and Platform so we can measure and improve performance.
- Marketing Cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.
You can manage your cookie preferences through our cookie consent banner displayed upon your first visit to our Website, or at any time through your browser settings. For detailed information about the specific cookies we use, their purposes, and your choices, please refer to our Cookie Policy.
13. Third-Party Services and Links
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by LowerPlane. This includes the 375+ third-party integrations that customers may connect to the Platform for automated evidence collection and monitoring.
We are not responsible for the privacy practices, content, or security of any third-party services. The inclusion of a link or integration with a third-party service does not imply our endorsement of that service's privacy practices. We strongly encourage you to review the privacy policies and terms of service of any third-party service before connecting it to the Platform or providing your Personal Data to that service.
When you connect a third-party integration, you authorize LowerPlane to access and retrieve data from that service in accordance with the permissions you grant. The third-party service's own privacy policy governs how that service handles your data outside of our Platform.
14. Children's Privacy
Our Services are designed for business use and are not directed to individuals under the age of 16. We do not knowingly collect, solicit, or maintain Personal Data from anyone under the age of 16 (or under the age of 13 in jurisdictions where the Children's Online Privacy Protection Act (COPPA) applies).
If we learn that we have collected Personal Data from a child under the applicable age threshold, we will take prompt steps to delete such data from our records. If you believe that we may have inadvertently collected Personal Data from a child under the applicable age threshold, please contact us immediately at privacy@lowerplane.com.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will take the following actions:
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. If notification is not made within 72 hours, it will be accompanied by reasons for the delay.
- Affected Individuals: Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, as required by Article 34 of the GDPR.
- Customer Notification: For data we process on behalf of our customers (as a Data Processor), we will notify the affected customer without undue delay and within the timeframe specified in the applicable Data Processing Agreement, enabling the customer to fulfill its own notification obligations.
- Breach Documentation: We will document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, regardless of whether notification is required.
- Cooperation with Authorities: We will fully cooperate with supervisory authorities and law enforcement agencies in their investigation of any data breach.
- CCPA Compliance: For California residents, we will provide breach notifications as required by California Civil Code Section 1798.82.
Our incident response procedures are regularly tested and updated. Customers may request information about our incident response capabilities by contacting security@lowerplane.com.
16. Data Protection Officer
LowerPlane has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with applicable data protection laws. The DPO is responsible for:
- Monitoring compliance with the GDPR, national data protection laws, and our internal data protection policies
- Advising on data protection impact assessments (DPIAs) and managing data protection risks
- Serving as the point of contact for Data Subjects exercising their rights and for supervisory authorities
- Overseeing the handling of data subject access requests and other privacy rights inquiries
You may contact the DPO directly with any questions or concerns regarding the processing of your Personal Data or the exercise of your rights under applicable data protection laws.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or our business operations. When we make changes, we will update the “Last updated” date at the top of this page.
Material Changes: For material changes that significantly affect how we collect, use, or share your Personal Data, we will provide at least 30 days' advance notice before the changes take effect. Notice will be provided through one or more of the following methods: (a) an email notification to the address associated with your account; (b) a prominent notice on our Website; or (c) an in-Platform notification.
Non-Material Changes: For non-material changes (such as clarifications, formatting updates, or corrections that do not alter the substance of the policy), we will update this page without providing individual notice.
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must discontinue your use of our Services and contact us to request deletion of your account and Personal Data.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Previous versions of this Privacy Policy are available upon request.
18. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data protection practices, please contact us using the information below:
Grievance Process
If you are not satisfied with our response to your privacy inquiry or complaint, you have the following recourse options:
- Internal Escalation: You may escalate your complaint to our Data Protection Officer at dpo@lowerplane.com, who will conduct an independent review of your complaint and respond within 30 days.
- Supervisory Authority (EU/EEA/UK): You have the right to lodge a complaint with the data protection supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
- California Attorney General (CCPA): California residents may file a complaint with the California Attorney General's Office at oag.ca.gov/privacy.
- Alternative Dispute Resolution: In certain circumstances, you may have the right to invoke binding arbitration as set forth in our Terms of Service.
We are committed to working with you to resolve any privacy concerns promptly and fairly. We value your trust and take every inquiry seriously.