Security & Trust

How we protect your data

A full account of our sub-processors, data retention practices, encryption standards, and breach notification obligations. Questions? Email hello@teamplot.com.

Sub-processors

TeamPlot uses the following third-party services to deliver the product. Each sub-processor is bound by data processing agreements and subject to appropriate safeguards.

Provider | Purpose
Anthropic | AI briefing generation
Stripe | Payment processing
Google LLC | OAuth & Calendar API
Microsoft Corporation | OAuth, Teams & Outlook APIs
Slack Technologies | Messaging API
Atlassian | Jira Cloud API (optional)
GitHub / GitLab / Azure DevOps | Code & review APIs

Data retention

We retain only what is needed to deliver the service. Retention periods are summarised below.

Signal, activity & work-item metadata

Includes messaging, code, and Jira / GitLab Issues metadata when those integrations are connected. Retained for the duration of your active subscription. Deleted within 30 days of account closure or when the relevant integration is disconnected.

Calendar events

Retained for 30 days on a rolling basis. Only event titles, times, and attendee names are stored — never descriptions, notes, or links.

Message content

Never stored. An anonymous hash is retained solely for deduplication. Message text is discarded immediately after counting.

AI-generated briefings

Retained for your account lifetime to support your 1:1 history. Activity metadata passed to AI is never persisted by Anthropic under our agreement.

Account & billing data

Retained for 7 years after account closure for legal and tax compliance, in accordance with UK Companies Act obligations.

On account deletion

All personal data and activity records are removed within 30 days. You can request deletion at any time by emailing hello@teamplot.com.

Encryption & infrastructure

All data is protected in transit and at rest.

At rest

All stored data and OAuth tokens are encrypted using AES-256.

In transit

All connections are enforced over TLS 1.2 or higher. No unencrypted channels.

Access control

SAML 2.0 SSO is supported. Role-based access applies within each workspace.

Breach notification

In the event of a personal data breach, we follow the obligations set out under UK GDPR and EU GDPR.

1. Supervisory authority — within 72 hours

We notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms.

2. Affected customers — without undue delay

Where a breach is likely to result in high risk to individuals, we notify affected customers directly and without undue delay, including the nature of the breach, data involved, and steps taken.

3. Security contact

To report a suspected vulnerability or security concern, email hello@teamplot.com. We aim to acknowledge all reports within one business day.

Data Processing Agreement

A Data Processing Agreement (DPA) is available to all customers and required for organisations subject to GDPR or UK GDPR. The DPA covers our obligations as a data processor, standard contractual clauses for international transfers, and sub-processor commitments.

Request a DPA

Email us and we'll return a signed DPA within two business days.
