Plotline

Privacy notice

Last updated: 1 May 2026

1. Data controller

The data controller within the meaning of the GDPR is the operator of Plotline. Full contact details are listed in the Imprint.

2. Data we process

Plotline processes personal data only to the extent required to operate the service. The data falls into the following categories:

2.1 Account and sign-in

When you create an account or sign in via magic link or Google OAuth, we process:

  • Email address (required for authentication)
  • Display name and avatar URL (when provided via OAuth)
  • Profile ID (internal, anonymous)
  • Language preference

2.2 Waitlist

When you join the waitlist via the sign-up form, we process:

  • Email address
  • Language preference
  • Browser user-agent (for spam mitigation)
  • Source of the request (e.g. “homepage”)
  • Timestamp of the sign-up
  • Timestamp and verbatim wording of the consent given

2.3 Profile and organisation data

While using the application you may optionally provide a display name, company name, and language preference. None of these are required to use the core service.

2.4 Server access logs

Our hosting provider Vercel automatically collects:

  • IP address (truncated after a short period)
  • Date and time of the request
  • Referrer URL
  • HTTP status and bytes transferred

2.5 Error reports

We use Sentry for diagnostics. The data sent comprises stack traces and anonymised browser metadata. Personal content is stripped before transmission (see lib/sentry/scrub.ts).

3. Legal basis (Art. 6 GDPR)

  • Performance of contract (Art. 6(1)(b)) — to provide the account and the service.
  • Consent (Art. 6(1)(a)) — for waitlist sign-up and beta-update emails.
  • Legitimate interest (Art. 6(1)(f)) — for server access logs (abuse prevention) and anonymised error reports (service stability).

4. Recipients and processors

We engage the following processors within the meaning of Art. 28 GDPR. A data processing agreement is in place with each.

  • Supabase (database and authentication; EU region)
  • Vercel (hosting and server logs; EU region)
  • Sentry (error tracking; EU region)
  • Google (OAuth sign-in and web fonts; only if used)

5. Retention periods

  • Account data: until you delete the account.
  • Waitlist: until you withdraw consent or the waitlist closes.
  • Server logs: up to 30 days.
  • Error reports: up to 90 days.

6. Your rights

You have the right to:

  • Access the data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase data (“right to be forgotten”, Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time, with effect for the future (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77)

Please direct any request to the contact address listed in the Imprint.

7. Cookies

We use only strictly necessary or preference cookies:

  • EP_THEME — stores your light/dark mode preference.
  • NEXT_LOCALE — stores your language preference.
  • Supabase session cookies — required to keep you signed in.

We do not use third-party tracking or advertising cookies.

8. Updates

We update this notice when the underlying processing changes. The date of the latest change appears at the top of this page.