This Privacy Notice describes how Plexur ("we", "us", "our") collects, uses, retains, and discloses personal data in the course of providing the Plexur Platform. It applies to all customer-administrator users of the Plexur Portal and to end-users provisioned into customer tenants via SSO or SCIM.
If you are in the EU/EEA, our Data Processing Addendum (DPA) applies in addition to this notice; it is available on request from legal@plexur.ai. If you are a California resident, the CCPA/CPRA disclosures in §7 also apply to you.
1. Who we are
Plexur Inc. operates the Plexur Platform, a multi-tenant SaaS for Salesforce change intelligence and governance. We act as a data processor on behalf of customer organizations (the data controllers); our processing of end-user personal data is governed by our customer contracts and this notice.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account identity | email, display name, role (OWNER/ADMIN/MEMBER) | Customer admin during onboarding, or SCIM provisioning, or federated SSO |
| Authentication artifacts | password hash (only for non-SSO users), JWT subject claim, identity-provider alias (for SSO users) | Keycloak — our sole identity provider |
| Salesforce metadata + OAuth | encrypted OAuth tokens, instance URLs, Salesforce user IDs | Customer-initiated OAuth flow |
| Audit trail | IP address, user-agent, request paths, action timestamps, outcome | Generated by the Plexur gateway for authenticated requests |
| Operational metadata | sync run timestamps, error counts, file-change counts | Generated by the metadata-sync pipeline |
| Consent records | per-user opt-in/opt-out for telemetry, model improvement, marketing | Customer end-users via Portal Settings → Privacy |
We do not collect: payment card data (Stripe handles this), end-customer-of-customer PII (we process customer org metadata, not their downstream customers' data), biometric data, location data beyond IP, or device identifiers beyond user-agent.
3. Why we collect it (lawful basis)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the platform service per contract | Contract (Art. 6(1)(b)) |
| Audit logging for security + SOC2 compliance | Legitimate interest (Art. 6(1)(f)) |
| Service emails (system notices, billing) | Contract |
| Marketing emails (release notes, tips) | Consent (Art. 6(1)(a)) — opt-out per user |
| Aggregated analytics for product improvement | Consent — tenant or user opt-out |
| Model training (for AI features) | Consent — explicit opt-in required |
4. Who we share data with
We share personal data only with subprocessors bound by data-processing agreements at least as protective as this notice. Current third-party subprocessors are AWS (infrastructure), Anthropic and OpenAI (LLM APIs, zero-retention tier), and Stripe (payments). Keycloak (identity) and Grafana/Prometheus (observability) are self-hosted within our AWS environment rather than operated by a third party, so no personal data is transferred out of our environment through them. We do not sell personal data under any definition.
We may disclose personal data when legally required (subpoena, court order, law-enforcement request). Such requests trigger an internal legal-hold workflow that pauses any pending erasure.
5. How long we keep it
We use a declarative retention model — every PII column in our database has a documented retention policy. High-level categories:
| Category | Retention |
|---|---|
| Active customer account data | Lifetime of the customer relationship + 18 months in INACTIVE state after churn |
| Trial account data | 30 days after trial expiry, unless converted |
| Audit log records (full detail) | 7 years (SOC2 requirement) |
| Audit log records (aggregated, no PII) | Indefinite (anonymous statistics) |
| Invoice + payment records | 7 years (US tax retention requirement) |
| Verification + password-reset tokens | 24 hours |
| OAuth tokens | Lifetime of customer connection; revocation-triggered |
| DSAR export downloads | 30 days from generation |
| Consent records | Lifetime of user account + retention window above |
After the retention window, each column is disposed of according to its class: identity-class columns are hard-deleted; behavior-class columns are pseudonymized, which preserves the shape of analytics without identifying the subject; operational-class columns (encrypted secrets) are secure-erased with an audit trail, meaning a hash of the encrypted value is written to the audit log before the column is NULLed, so the erasure can later be verified without retaining the secret itself.
Tenant offboarding follows a lifecycle state machine. A paying tenant moves ACTIVE → INACTIVE (soft-deleted; 18-month timer) and a trial tenant moves TRIAL → TRIAL_EXPIRED (30-day timer); when the timer expires, either moves → PURGED (hard-delete, leaving only a tombstone). Compliance-urgent erasure requests bypass the timer.
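As an added illustration, not part of this notice and not Plexur's own code, the following shows how the retention classes and lifecycle timers described above can be enforced in one pass. Column names, the 548-day approximation of 18 months, the tenant-keyed pseudonym scheme, and the `demo()` walk-through data are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ACTIVE = "ACTIVE"
    INACTIVE = "INACTIVE"            # soft-deleted after churn; 18-month timer
    TRIAL = "TRIAL"
    TRIAL_EXPIRED = "TRIAL_EXPIRED"  # 30-day timer
    PURGED = "PURGED"                # hard-deleted; only a tombstone remains


# Declarative retention: every PII column names the class that decides its fate.
# Column names are constructed for this example.
RETENTION_CLASS = {
    "email": "identity",           # hard-delete
    "display_name": "identity",
    "ip_address": "behavior",      # pseudonymize, keeps analytics shape
    "user_agent": "behavior",
    "oauth_token": "operational",  # secure-erase; hash of the ciphertext logged first
}

# Assumption: 18 months is approximated as 548 days.
PURGE_TIMER = {State.INACTIVE: timedelta(days=548), State.TRIAL_EXPIRED: timedelta(days=30)}


@dataclass
class Tenant:
    tenant_id: str
    state: State
    state_since: datetime
    columns: dict                              # column -> value (None once disposed)
    audit: list = field(default_factory=list)  # erasure audit trail; never holds a secret


def churn(t: Tenant, now: datetime) -> None:
    """ACTIVE -> INACTIVE or TRIAL -> TRIAL_EXPIRED; any other transition is rejected."""
    nxt = {State.ACTIVE: State.INACTIVE, State.TRIAL: State.TRIAL_EXPIRED}.get(t.state)
    if nxt is None:
        raise ValueError(f"cannot churn a tenant in state {t.state.value}")
    t.state, t.state_since = nxt, now


def pseudonymize(value: str, tenant_id: str) -> str:
    # Stable per value, so counts and groupings survive; keyed by tenant so the
    # same IP seen in two tenants does not link them (assumed scheme).
    return "pseud_" + hashlib.sha256(f"{tenant_id}:{value}".encode()).hexdigest()[:16]


def purge(t: Tenant, now: datetime, urgent: bool = False) -> Tenant:
    """Move a churned/expired tenant to PURGED, disposing of each column by class.
    urgent=True is the compliance-urgent path that bypasses the timer."""
    timer = PURGE_TIMER.get(t.state)
    if timer is None:
        raise ValueError(f"{t.state.value} is not a pre-purge state")
    if not urgent and now - t.state_since < timer:
        raise ValueError("retention timer has not expired")
    for col, cls in RETENTION_CLASS.items():
        val = t.columns.get(col)
        if val is None:
            continue
        if cls == "identity":
            t.columns[col] = None
        elif cls == "behavior":
            t.columns[col] = pseudonymize(val, t.tenant_id)
        else:  # operational: record a digest of the encrypted secret, then NULL it
            digest = hashlib.sha256(val.encode()).hexdigest()
            t.audit.append({"column": col, "sha256": digest, "at": now.isoformat()})
            t.columns[col] = None
    t.state, t.state_since = State.PURGED, now
    t.audit.append({"event": "PURGED", "urgent": urgent, "at": now.isoformat()})
    return t


def demo() -> dict:
    """Constructed walk-through: churn, a premature purge that is refused, then a purge."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    t = Tenant("tenant-a", State.ACTIVE, t0, {
        "email": "jane@example.com", "display_name": "Jane", "ip_address": "10.0.0.1",
        "user_agent": "Mozilla/5.0", "oauth_token": "enc:c2VjcmV0"})
    churn(t, t0)
    try:
        purge(t, t0 + timedelta(days=10))
        refused_early = False
    except ValueError:
        refused_early = True
    purge(t, t0 + timedelta(days=549))
    return {"refused_early": refused_early, "state": t.state.value,
            "columns": dict(t.columns), "audit": list(t.audit)}
```

The point of recording a digest before NULLing the operational column is that an auditor can later confirm a specific ciphertext was erased without the log itself becoming a copy of the secret.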
6. Your rights
Regardless of jurisdiction, you may exercise the following rights by submitting a request via Portal Settings → Privacy, by emailing privacy@plexur.ai, or (for customer-administrator-initiated requests) through the in-Portal Privacy admin UI:
- Access (GDPR Art. 15 / CCPA "right to know") — receive a machine-readable export of all data we hold about you
- Erasure (GDPR Art. 17 / CCPA "right to delete") — delete your data across all our systems
- Portability (GDPR Art. 20) — receive data in a structured, commonly-used format (JSON, signed)
- Rectification (GDPR Art. 16) — correct inaccurate data
- Restriction (GDPR Art. 18) — limit processing while a dispute is resolved
- Objection (GDPR Art. 21) — opt out of legitimate-interest processing
- Withdraw consent (GDPR Art. 7) — revoke any consent you've given
We respond within 30 days (GDPR Art. 12(3)). DSAR exports are typically generated within 60 seconds and delivered via a one-time secure download link.
If you ask us to delete your data, we will:
- Pause the deletion for 7 days (the "grace period") to catch accidental requests — you may cancel.
- After grace, execute the deletion across all our systems (saga pattern across 8 services).
- Email you a deletion certificate — a signed JSON manifest listing what was deleted, what was legally retained (invoices, audit shells), and the cryptographic signature of the manifest.
- Mark your tenant/account as PURGED (tombstoned).
Compliance-urgent requests can skip the grace period via the --no-grace flag, which requires verifier sign-off and is fully audit-logged.
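The erasure procedure above, as an added example that is not part of this notice or of Plexur's deletion pipeline: a request with a 7-day grace period that can be cancelled, the `--no-grace` path gated on verifier sign-off, a saga across several services that compensates completed steps when a later one fails, and a signed manifest separating what was deleted from what was legally retained. The HMAC key, the in-memory `FakeService`, the legal-hold record kinds and all sample data are constructed for the example; the notice says only that the certificate is signed, so HMAC-SHA256 stands in for whatever scheme the real certificate uses.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)
# Assumption: an HMAC key stands in for the signing key; the notice does not
# say which signature scheme the certificate uses, only that it is signed.
SIGNING_KEY = b"example-only-signing-key"
# Record kinds that survive erasure, with the reason written into the certificate.
LEGAL_HOLD = {"invoice": "US tax retention (7 years)", "audit_shell": "SOC2 audit trail (7 years)"}


def canonical(obj) -> bytes:
    """Deterministic JSON so the signature covers one unambiguous byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body: dict) -> dict:
    mac = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"alg": "HMAC-SHA256", "value": mac}}


def verify_certificate(cert: dict) -> bool:
    body = {k: v for k, v in cert.items() if k != "signature"}
    expected = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("signature", {}).get("value", ""))


class FakeService:
    """In-memory stand-in for one service in the deletion saga (constructed)."""
    def __init__(self, name: str, rows: dict, fail: bool = False):
        self.name, self.rows, self.fail, self.trash = name, dict(rows), fail, {}

    def delete(self, kinds: list) -> None:
        if self.fail:
            raise RuntimeError(f"{self.name} unavailable")
        for k in kinds:
            self.trash[k] = self.rows.pop(k)

    def compensate(self) -> None:
        """Undo this service's step when a later step of the saga fails."""
        self.rows.update(self.trash)
        self.trash.clear()


class DeletionRequest:
    def __init__(self, subject: str, now: datetime, no_grace: bool = False, verifier: str = ""):
        if no_grace and not verifier:
            raise PermissionError("--no-grace requires verifier sign-off")
        self.subject, self.cancelled = subject, False
        self.executable_at = now if no_grace else now + GRACE
        self.audit = [{"event": "requested", "at": now.isoformat(), "no_grace": no_grace, "verifier": verifier}]

    def cancel(self, now: datetime) -> None:
        if now >= self.executable_at:
            raise ValueError("grace period has ended")
        self.cancelled = True
        self.audit.append({"event": "cancelled", "at": now.isoformat()})

    def execute(self, now: datetime, services: list) -> dict:
        if self.cancelled:
            raise ValueError("request was cancelled")
        if now < self.executable_at:
            raise ValueError("still inside the grace period")
        deleted, retained, done = [], [], []
        try:
            for svc in services:
                hold = [k for k in svc.rows if k in LEGAL_HOLD]
                drop = [k for k in svc.rows if k not in LEGAL_HOLD]
                svc.delete(drop)
                done.append(svc)
                deleted += [{"service": svc.name, "record": k} for k in drop]
                retained += [{"service": svc.name, "record": k, "reason": LEGAL_HOLD[k]} for k in hold]
        except Exception:
            for svc in reversed(done):  # saga rollback: compensate every completed step
                svc.compensate()
            self.audit.append({"event": "saga_rolled_back", "at": now.isoformat()})
            raise
        self.audit.append({"event": "PURGED", "at": now.isoformat()})
        return sign_manifest({"subject": self.subject, "executed_at": now.isoformat(),
                              "deleted": deleted, "retained": retained, "state": "PURGED"})


def demo() -> dict:
    """Constructed walk-through: a normal erasure, a cancelled one, and a failed saga."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)

    def services(fail_billing=False):
        return [FakeService("identity", {"profile": "jane@example.com"}),
                FakeService("billing", {"invoice": "INV-1", "card_ref": "cus_x"}, fail=fail_billing),
                FakeService("audit", {"audit_shell": "shell", "ip_history": "10.0.0.1"})]

    ok = services()
    cert = DeletionRequest("user-42", t0).execute(t0 + GRACE, ok)
    cancelled = DeletionRequest("user-7", t0)
    cancelled.cancel(t0 + timedelta(days=3))
    try:
        cancelled.execute(t0 + GRACE, services())
        cancel_honoured = False
    except ValueError:
        cancel_honoured = True
    broken = services(fail_billing=True)
    try:
        DeletionRequest("user-42", t0, no_grace=True, verifier="verifier-on-duty").execute(t0, broken)
        rolled_back = False
    except RuntimeError:
        rolled_back = "profile" in broken[0].rows  # identity step was compensated
    return {"cert": cert, "invoice_kept": "invoice" in ok[1].rows, "cancel_honoured": cancel_honoured,
            "rolled_back": rolled_back, "tamper_detected": not verify_certificate({**cert, "deleted": []})}
```

Two details matter for anyone verifying such a certificate: the signature must be computed over a canonical encoding (sorted keys, fixed separators), otherwise a re-serialized but semantically identical manifest fails verification; and a saga that deletes the identity record before a downstream service fails must put that record back, or the subject ends up half-erased with no certificate at all.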
7. California (CCPA / CPRA) specifics
California residents have the rights enumerated in §6 above. Additionally:
- No sale of personal data — we do not "sell" personal information as defined in §1798.140(ad) (as amended by the CPRA).
- No "sharing" for cross-context behavioral advertising under CPRA §1798.140(ah).
- Right to limit use of sensitive personal information — the only feature that uses such data is model training, which stays off until the user gives explicit opt-in consent.
- Authorized agent requests — accepted via privacy@plexur.ai with a signed power-of-attorney.
The CCPA's privacy-policy disclosure requirements (§1798.130(a)(5)) apply only to businesses that meet the statutory revenue threshold, which we do not yet exceed; we nevertheless provide DSAR exports to any California resident on request.
8. Security measures
- Encryption at rest — OAuth tokens, secrets, and user-credential artifacts are encrypted with AES-256, with encryption keys derived via PBKDF2 (100,000 iterations).
- Encryption in transit — TLS 1.2+ for all customer-facing endpoints.
- Audit logging — authenticated requests emit SOC2-aligned audit events (action, actor, target, outcome, IP, user-agent). Full-detail records are retained for 7 years; after that only monthly aggregates with PII removed are kept.
- Access controls — JWT-bearer + per-tenant scope guards on every backend; OWNER/ADMIN role required for any privacy operation.
- Cross-tenant isolation — verified at every entry-point (gateway, controller, adapter). Cross-tenant requests return 404 (not 403) to avoid existence-disclosure.
- Penetration testing — third-party assessment planned ahead of GA, on a documented cadence thereafter.
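The tenant-isolation and role-gating rules listed above, as an added example that is not Plexur's gateway code. The resource table, action names, claim shape and sample requests are constructed; the audit record carries the fields named under Audit logging. The check order is the security-relevant part: the tenant check runs before the role check, so a cross-tenant resource answers 404 whether or not it exists and whatever the caller's role, while the audit event still records the true outcome for the operations team.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

PRIVACY_ROLES = {"OWNER", "ADMIN"}                                 # may run privacy operations
PRIVACY_ACTIONS = {"dsar.export", "dsar.erase", "consent.update"}  # constructed action names


@dataclass
class Claims:
    """JWT claims the gateway has already verified (field names are an assumption)."""
    sub: str
    tenant_id: str
    role: str


# Constructed resource table: resource id -> owning tenant.
RESOURCES = {"conn-1": "tenant-a", "conn-2": "tenant-b"}


def audit_event(claims: Claims, action: str, target: str, outcome: str, ip: str, user_agent: str) -> dict:
    """SOC2-aligned audit record with the fields listed under Audit logging."""
    return {"action": action, "actor": claims.sub, "tenant": claims.tenant_id, "target": target,
            "outcome": outcome, "ip": ip, "user_agent": user_agent,
            "at": datetime.now(timezone.utc).isoformat()}


def handle(claims: Claims, action: str, resource_id: str, ip: str, user_agent: str) -> tuple:
    """Return (http_status, audit_event) for one authenticated request.

    Tenant scope is checked first and a foreign resource is indistinguishable
    from a missing one on the wire (both 404). Only the audit log separates the
    two, so an ADMIN in another tenant cannot learn that conn-2 exists by getting
    a 403 instead of a 404.
    """
    owner = RESOURCES.get(resource_id)
    if owner is None:
        return 404, audit_event(claims, action, resource_id, "not_found", ip, user_agent)
    if owner != claims.tenant_id:
        return 404, audit_event(claims, action, resource_id, "cross_tenant", ip, user_agent)
    if action in PRIVACY_ACTIONS and claims.role not in PRIVACY_ROLES:
        return 403, audit_event(claims, action, resource_id, "forbidden", ip, user_agent)
    return 200, audit_event(claims, action, resource_id, "ok", ip, user_agent)
```

Logging `cross_tenant` separately from `not_found` is what makes the 404 useful to detection engineering: a burst of `cross_tenant` outcomes from one actor is an enumeration attempt even though every response looked identical to the caller.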
9. Children
Plexur is a B2B platform; we do not knowingly collect data from anyone under 16. Customer organizations are responsible for ensuring their end-users meet our minimum-age requirement.
10. International transfers
Plexur is hosted in the United States. Transfers of EU customer data rely on the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914, as incorporated in our DPA. We do not currently offer EU-region data residency; an EU-region deployment is on the roadmap.
11. Changes to this notice
We will email customer-administrator users at least 30 days before any material change to this notice.
12. Contact
- General privacy inquiries: privacy@plexur.ai
- Data Protection Officer: dpo@plexur.ai (if appointed; otherwise the privacy@ address)
- Legal / DPA negotiations: legal@plexur.ai