Your privacy is important to us. It is Red Bourbon LLC’s policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across:
Our websites, including https://plot.app and any other domains we own and operate; and
Our cloud-based productivity software and related services (collectively, the “Service”), marketed under the Plot brand (“Plot”).
“Personal information” means any information about an identified or identifiable natural person. This includes information about you as a person (such as your name, address, and contact details), your devices, payment details, and information about how you use a website or online service.
In the event our site or Service contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy to understand how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site or Service.
This policy is effective as of Nov 13th, 2025.
Last updated: Nov 13th, 2025
This Privacy Policy applies to:
Visitors to our websites (including https://plot.app).
Users and customers of our SaaS productivity platform and related services.
Individuals who contact us, subscribe to our communications, or interact with us in other ways described in this policy.
In addition to “personal information”, our Service involves:
Workspace Content:
Any data, documents, files, text, images, media, tasks, projects, comments, attachments, and other materials that you or your authorized users upload, store, or create in your Plot workspace or account in the Service.
You (or your organization) retain ownership of Workspace Content. We process it solely for the purposes of providing and maintaining the Service, as described in this policy and in our Terms of Service. Workspace Content is treated as confidential information.
Where Workspace Content includes personal information (for example, information about your team members or your own customers), we generally act as a data processor on your behalf under data protection laws, and you (or your organization) are the data controller.
Information we collect falls into two broad categories: voluntarily provided and automatically collected.
This refers to any information you knowingly and actively provide when using our websites or the Service, including when you:
Create an account or user profile.
Set up an organization, workspace, or team.
Purchase a subscription or other services.
Contact us via email, support forms, or other channels.
Subscribe to newsletters or marketing communications.
Provide feedback, respond to surveys, or participate in promotions.
Use interactive features of the Service.
This may include:
Account and contact details
Name
Email address
Role / job title
Organization name
Billing contact details
Billing and payment details
Billing address
Tax/VAT information
Payment details (processed via third-party payment providers such as Stripe; we do not store full payment card numbers on our own servers).
Support and communication content
Messages you send to support
Feedback and feature requests
Other communications you send us.
Workspace Content
We may automatically collect certain information when you use our websites or the Service.
Log Data
When you visit our website or use the Service, our servers may automatically log standard data provided by your web browser or client. This may include:
IP address
Browser type and version
Device type and operating system
Pages, screens, or features accessed
Time and date of access
Referring URL
Time spent on pages or in the app
Error messages or crash logs.
This information is used primarily for security, performance monitoring, debugging, and improving the Service.
Device Data
We may collect data about the device you use to access the Service, such as:
Device type
Operating system and version
Unique device identifiers
Approximate geo-location (based on IP address or similar).
Data collected may depend on your device and software settings. You should check your device and browser documentation to learn what information is shared.
Cookies and Similar Technologies
We use cookies and similar technologies to:
Operate and secure the Service.
Remember your preferences and session.
Analyze usage to improve our websites and the Service.
Support marketing and measurement activities (for example, via Meta, Reddit, and TikTok ad platforms).
For more information, please see our Cookie Policy.
We only collect and use your personal information when we have a legal basis to do so. Depending on your jurisdiction, this may include:
Your consent.
The performance of a contract with you (e.g. providing the Service).
Our legitimate interests (e.g. improving the Service, securing our systems, communicating with you about changes).
Compliance with legal obligations.
We only collect personal information that is reasonably necessary for the purposes described in this policy.
We may collect, hold, use, and disclose information for the following purposes:
Create and manage user accounts and workspaces.
Provide Plot’s core productivity features (e.g. tasks, projects, collaboration, comments).
Store and process Workspace Content on your behalf and at your direction.
Operate and maintain the underlying infrastructure (servers, databases, backups, monitoring).
Manage subscriptions, invoices, and payments.
Handle billing questions and billing-related correspondence.
Payment processing itself is carried out by third-party payment providers such as Stripe, who may process your personal information in accordance with their own privacy policies.
Respond to support requests and technical issues.
Notify you of Service updates, changes to terms, and important security or operational notices.
Communicate with you about your account, billing, or changes to the Service.
Analyze usage and performance (in aggregate or de-identified form).
Debug and monitor the stability and security of the platform.
Research and develop new features and improvements.
Run A/B tests and experiments to improve UX and performance.
We may use tools such as PostHog (hosted in the EU), Fathom Analytics, and UserJot to better understand how the Service is used and to improve it. The exact configuration and data collected by these tools can vary; we aim to minimize personal data wherever possible and use privacy-focused configurations where available.
Send you emails about new features, announcements, and offers.
Run advertising and retargeting campaigns on platforms such as Meta (Facebook/Instagram), Reddit, and TikTok, which may use cookies and similar technologies.
Conduct surveys or collect feedback.
You can opt out of marketing communications at any time (see “Your Rights and Choices” below). This does not affect important service-related or transactional emails.
Detect and prevent malicious, fraudulent, or illegal activity.
Protect the security and integrity of our systems and users.
Monitor for suspicious patterns and abuse.
Comply with applicable laws, regulations, and legal processes.
Enforce our Terms of Service and other agreements.
Resolve disputes or defend our legal rights.
We may combine voluntarily provided and automatically collected information with publicly available or third-party data (for example, to infer your locale for language or currency), to provide a better experience and keep the Service secure and relevant.
You (or your organization) retain all rights to Workspace Content. We do not claim ownership of Workspace Content.
We access and process Workspace Content solely for the following purposes:
To provide, maintain, and operate the Service at your direction.
To troubleshoot, support, and improve the Service (for example, to investigate a support ticket you explicitly authorize us to look into).
To ensure security, prevent abuse, and detect technical issues.
To comply with applicable law or a valid legal request.
We do not:
Use your Workspace Content for our own marketing.
Publish Workspace Content publicly.
Sell Workspace Content to third parties.
Use Workspace Content to train generalized machine-learning or AI models for our own benefit or for third parties, unless we have your explicit, separate consent.
We treat Workspace Content as confidential and apply appropriate technical and organizational measures to protect it from unauthorized access, disclosure, alteration, or destruction.
Access to Workspace Content within our organization is limited to personnel who need it to perform their job functions (for example, support or operations staff responding to a ticket), and such access is logged where technically feasible.
We may provide optional features that use artificial intelligence (AI), including large language models (LLMs), to help you with tasks such as:
Drafting, summarizing, or transforming content.
Generating suggestions or explanations.
Providing in-product help or assistance.
These features may be powered by:
OpenAI
Anthropic
OpenRouter (which can route to different third-party model providers)
or other similar providers acting on our behalf.
When you use AI/LLM features, the inputs and context you provide (which may include personal information or Workspace Content) may be sent to:
Our own systems; and/or
Third-party AI or LLM service providers.
This may include:
Text you enter as a prompt.
Relevant context needed to complete the request (for example, a task description, project metadata, or related content you explicitly or implicitly include).
Minimal account metadata needed to operate the feature (for example, language or workspace ID).
We aim to minimize the amount of data shared with AI/LLM providers and only send what is reasonably necessary to fulfill your request.
Third-party AI providers may temporarily store data to:
Provide the response you requested.
Operate, secure, and monitor their services.
Detect abuse and misuse.
Where feasible, we configure these providers so that data you send through AI features is not used to train or improve their generalized models. However, each provider’s policies and technical configurations may differ; please review the privacy policies and terms of OpenAI, Anthropic, OpenRouter, and any other listed providers for details of their practices.
We do not use your personal information or Workspace Content to train or fine-tune general-purpose AI/ML models for our own benefit or for third parties, unless:
You have given explicit, informed consent; or
The data is fully anonymized and aggregated such that it cannot reasonably be used to identify you or your organization.
We may use aggregated or de-identified usage data (for example, feature usage statistics) to improve the Service and the effectiveness of AI-assisted features.
If we ever introduce a feature that would use non-anonymized Workspace Content for model training, we will present a clear, separate consent mechanism and make participation optional.
When we collect and process personal information, and while we retain this information, we apply commercially reasonable technical and organizational measures to protect it from loss, theft, unauthorized access, disclosure, copying, use, or modification.
Our Service and primary infrastructure are hosted in the United States. We use reputable hosting and infrastructure providers and take steps to secure communications (for example, using TLS/HTTPS) and restrict access to our systems.
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we strive to protect your information as much as reasonably possible.
You are responsible for:
Selecting a strong password and keeping it confidential.
Managing user access and permissions within your organization’s account.
Ensuring that you do not make sensitive information publicly available via the Service unless you intend to.
We keep personal information only for as long as is reasonably necessary for the purposes described in this policy, including:
While your account or subscription is active.
For the duration of any ongoing relationship or enquiry.
As required by legal, accounting, or reporting obligations.
When personal information is no longer required, we will delete it or anonymize it, unless we are legally required or permitted to retain it longer (for example, for tax or audit purposes).
For Workspace Content, retention is primarily controlled by you (or your organization) via the Service. When you delete Workspace Content or close your account, we will delete or anonymize associated data within a reasonable period, subject to backups and legal obligations.
We do not direct our Service to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us so we can delete it.
We may disclose personal information to:
A parent, subsidiary, or affiliate of Red Bourbon LLC.
Third-party service providers that help us operate the Service, including:
Hosting, storage, and infrastructure providers
Analytics and product analytics providers (e.g. PostHog, Fathom Analytics, UserJot)
Email and marketing platforms (e.g. Bento)
Payment processors (e.g. Stripe)
Customer support tools
AI/LLM providers (e.g. OpenAI, Anthropic, OpenRouter)
Advertising and measurement partners (e.g. Meta, Reddit, TikTok) where we use their pixels or similar technologies for campaigns and retargeting, in accordance with their own policies.
Our employees, contractors, and related entities who need access for operational purposes.
Our existing or potential agents, business partners, or investors (in aggregated or anonymized form where possible).
Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law or to establish, exercise, or defend legal rights.
An entity that acquires all or substantially all of our business or assets, as part of a merger, acquisition, or similar transaction.
We endeavor to ensure that third parties use personal information only as necessary to provide services to us and in a manner consistent with this Privacy Policy and applicable law.
The personal information we collect may be stored and processed in the United States and other countries where we or our partners, affiliates, and third-party providers maintain facilities. For example:
Our core infrastructure is in the US.
We use PostHog hosted in the EU for certain analytics.
Other providers may process data in the EU, US, or other regions, depending on their infrastructure.
These countries may have data protection laws that differ from those of your country. Where required by law (for example, for transfers from the European Economic Area), we implement appropriate safeguards (such as standard contractual clauses or equivalent measures) to protect personal information transferred internationally.
Your rights may vary depending on your jurisdiction, but generally include:
Access: You can request details of the personal information we hold about you.
Correction: You can request that we correct any inaccurate or incomplete information.
Deletion: You can request deletion of personal information, subject to legal exceptions.
Restriction: You can request that we limit how we process your information in certain cases.
Objection: You can object to certain processing (such as direct marketing) at any time.
Data portability: Where applicable, you can request a copy of your personal information in a machine-readable format.
You can also:
Withdraw consent where processing is based on consent (this will not affect past processing).
Manage your email preferences and unsubscribe from marketing communications via the link in our emails or by contacting us.
To exercise these rights, please contact us using the details in the Contact Us section.
If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
We use cookies and similar technologies to collect information about you and your activity across our websites. Cookies allow us to:
Keep you logged in.
Remember your preferences.
Understand usage patterns and improve our content and the Service.
Support advertising and measurement via platforms such as Meta, Reddit, and TikTok.
You can usually configure your browser to refuse some or all cookies, or to delete cookies that have already been set. Some features of the Service may not function properly if cookies are disabled.
Please refer to our Cookie Policy for more details.
If we (or our assets) are acquired, or in the unlikely event that we go out of business or enter bankruptcy, user data (including personal information and Workspace Content) may be transferred to a third party as part of the transaction. The acquiring entity will be required to respect this Privacy Policy or a successor policy that offers substantially similar protections, to the extent permitted by law.
Our websites and Service may contain links to external sites not operated by us. We have no control over the content and policies of those sites and cannot accept responsibility or liability for their privacy practices. You should review their privacy policies before providing any personal information.
For:
For:
Our legal bases for processing personal information under the GDPR may include:
Consent: Where you have given us consent (e.g. marketing communications, certain cookies).
Contract: Where processing is necessary for the performance of a contract (e.g. to provide the Service, handle billing).
Legitimate interests: For purposes such as improving the Service, maintaining security, and communicating with you about changes, where these interests are not overridden by your rights and freedoms.
Legal obligations: Where processing is necessary to comply with laws and regulations.
Your GDPR rights (access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint) are described in Section 12 above.
Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act or the Australian Privacy Principles. If they engage in acts that contravene those principles, they may not be directly accountable under that Act, and you may not be able to seek redress under that Act. We will nevertheless take reasonable steps to ensure such third parties protect your personal information in a manner consistent with this policy.
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA, including:
Right to know what categories of personal information we collect, use, and disclose.
Right to access specific pieces of personal information we hold about you.
Right to delete certain personal information, subject to exceptions.
Right to non-discrimination for exercising your rights.
We do not “sell” personal information as defined under the CCPA. If our practices change, we will update this policy and provide appropriate opt-out mechanisms.
To exercise your CCPA rights, please contact us using the details below.
Some browsers include a “Do Not Track” (DNT) setting. There is no widely adopted standard for DNT, and at this time, we do not respond to DNT signals. We continue to review developments and will update our approach if standards emerge.
We may update this Privacy Policy from time to time to reflect changes in our business, the Service, or applicable laws. When we make material changes, we will update the “Last updated” date at the top of this page and, where legally required, notify you through the Service or by email.
If required by law, we will seek your consent or provide you with an opportunity to opt in or out of new uses of your personal information.
For any questions, requests, or concerns regarding your privacy or this policy, you can contact:
Red Bourbon LLC
Attn: Privacy
Email: abraham@redbourbon.co
If you want, next step I can do a tiny separate “Data Processing Addendum” that plugs into this (and your ToS) specifically for EU customers and clarifies the controller/processor split and SCCs/transfer safeguards in more legalese.