Plext Privacy Policy

Account Information:

• Name and display name
• Email address
• Password (hashed and stored by our authentication provider, Supabase)
• Profile information from third-party sign-in providers (e.g., Google), when you use them

Workspace and Content:

• Workspaces you create or join, and your role within them
• Plexes (topic-scoped channels) and their configuration
• Notes and the metadata fields associated with them
• Invitations you send or accept
• MCP tokens and agent connections you authorize

Communications:

• Messages you send to us through support channels
• Feedback and feature requests
• Contact form submissions

Payment Information (paid plans only):

• Payment card information, processed and stored by our payment processor Stripe — we do not store full card details on our servers
• Billing address and transaction history

Device Information:

• Device type and operating system
• Browser type and version
• IP address
• Language preferences and time zone

Usage Information:

• Pages and features you access within the Service
• Workspaces, plexes, and notes you view or edit
• Search queries within Plext
• MCP calls and other API activity, including which agent made each call
• Frequency and duration of your sessions

Location Information:

• Approximate location derived from IP address

Authentication Providers:

• Basic profile information (name, email, avatar) from third-party sign-in providers when you use them

Payment Processor:

• Subscription status and payment confirmations from Stripe

Connected Agents:

• When you authorize an AI coding agent (via MCP or another integration), that agent may send content to Plext on your behalf — including notes, metadata, and queries it writes into your workspace

• Create and maintain your account and workspaces
• Store, index, and serve your notes and metadata to you and your authorized agents
• Authenticate MCP clients and route API requests
• Process subscriptions and send receipts
• Personalize your dashboard and in-product experience

• Monitor performance, reliability, and errors
• Detect and prevent fraud, abuse, and security incidents
• Debug issues and provide customer support
• Develop and test new features using aggregated, de-identified usage data

We do not train foundation models on Your Content.

• Send transactional messages (sign-in links, password resets, invites, subscription receipts, security alerts)
• Respond to your support requests
• Send product updates and announcements (you can opt out of non-essential marketing emails at any time)

• Comply with applicable laws and respond to lawful requests
• Enforce our Terms of Service and protect the rights, property, and safety of Plext, our users, and the public

We share information with vendors who perform services on our behalf, under contractual confidentiality and data protection obligations:

• Supabase — authentication and user management
• Neon — Postgres database hosting
• Stripe — payment processing for paid plans
• Resend — transactional and product email delivery
• Cloud hosting and infrastructure providers
• Analytics and error-monitoring providers (aggregated operational data only)

Content you create in a workspace — notes, plex configurations, your name and avatar — is visible to other members of that workspace according to the visibility settings you choose (default, public, or private plexes), and to any AI agents you or your workspace admins have authorized to connect.

When you connect a third-party AI agent (e.g., Claude Code, Cursor, Codex, Windsurf) to your workspace, that agent reads and writes content through our MCP endpoints. The operator of that agent — not Plext — governs how the agent processes and handles data on its side. Please review the privacy policy of any agent you authorize.

We may share information in connection with a merger, acquisition, financing, reorganization, or sale of assets. Your information would remain subject to this Privacy Policy unless you are notified and consent to a new one.

We may disclose information if we reasonably believe it is necessary to comply with law or legal process, to enforce our Terms, or to protect the rights, property, or safety of Plext, our users, or others.

We may share aggregated or de-identified information that cannot reasonably be used to identify you, such as platform usage statistics and trends.

We may share information with kGrid Inc. affiliates and subsidiaries for shared business operations.

We do not sell your personal information and we do not share it with advertisers for cross-context behavioral advertising.

We retain your information for as long as necessary to:

• Provide the Service to you and your workspace members
• Comply with legal obligations
• Resolve disputes and enforce agreements
• Prevent fraud and abuse

• Account and Workspace Content: Retained while your account and workspaces are active; deleted (or anonymized) after account deletion, subject to backup retention.
• Usage and MCP Logs: Retained for up to 18 months for security, debugging, and analytics, then aggregated or deleted.
• Support Communications: Retained for up to 3 years.
• Payment Records: Retained as required by applicable tax and financial regulations (typically up to 7 years).

After account or workspace deletion, your information may persist in encrypted backup systems for up to 90 days before being permanently removed. Aggregated, de-identified data may be retained indefinitely.

You can request a copy of your personal information, or export your notes and workspace data in a portable format.

Most profile and workspace information can be updated directly in your account settings. For other corrections, contact us.

You can delete individual notes, plexes, workspaces, or your entire account from within the Service, or request deletion by contacting us. We may retain certain information for legal compliance, fraud prevention, and backup recovery.

You can object to certain processing (e.g., direct marketing) or request that we restrict how we use your information.

You can withdraw consent for processing that requires it. Withdrawing consent for core features may mean you cannot use Plext.

You can control:

• Marketing emails — opt out using the unsubscribe link in any marketing email
• Notification preferences — manage in your account settings

Contact us at privacy@plext.ai. We will verify your identity before processing your request.

Cookies are small text files stored on your device that help us provide and improve the Service.

• Essential Cookies: Required for authentication, security, and session management
• Functionality Cookies: Remember your preferences and recent workspace
• Analytics Cookies: Help us understand usage patterns in aggregate

Most browsers let you block or delete cookies. Disabling essential cookies may prevent the Service from working.

We implement reasonable technical and organizational measures to protect your information:

• Encryption of data in transit (TLS)
• Encryption of data at rest
• Secure authentication via Supabase
• Scoped MCP tokens with per-workspace access
• Limited employee access on a need-to-know basis
• Payment processing by Stripe (PCI-DSS compliant)

Security is a shared responsibility. You should:

• Choose a strong, unique password
• Keep login credentials and MCP tokens confidential
• Only authorize agents you trust to access your workspace
• Revoke tokens and agent access when no longer needed
• Report suspicious activity immediately

No system is completely secure. If you believe your account has been compromised, contact us immediately.

In the event of a data breach affecting your personal information, we will notify you as required by applicable law, describe the nature of the breach and the steps we are taking, and provide guidance on how to protect yourself.

We may update this Privacy Policy to reflect changes in our practices, new features, changes in law, or user and regulator feedback.

For material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you through the Service or by email

Continued use after the changes become effective constitutes acceptance of the updated Privacy Policy.

• Right to Know the categories and specific pieces of personal information we collect, the sources, our purposes, and with whom we share it
• Right to Delete your personal information, subject to certain exceptions
• Right to Correct inaccurate personal information
• Right to Opt-Out — we do not sell your personal information or share it for cross-context behavioral advertising
• Right to Non-Discrimination for exercising your privacy rights

Submit a request by emailing privacy@plext.ai. We will verify your identity before processing your request and respond within 45 days (extendable by another 45 days if necessary).

We process your personal data based on:

• Contract: to provide the Service to you
• Consent: where you have given clear consent for specific processing
• Legitimate Interests: for our legitimate business purposes, where not overridden by your rights
• Legal Obligation: to comply with applicable laws

You have the right to:

• Access your personal data
• Rectify inaccurate personal data
• Erase your personal data ("right to be forgotten")
• Restrict processing of your personal data
• Object to processing
• Data portability
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority

For GDPR-related requests, contact:

• Email: legal@plext.ai
• Address: 455 Market St Ste 1940, PMB 381476, San Francisco, California 94105-2448 US

Contact us using the information in Section 13. We will respond within one month (extendable by up to two additional months for complex requests).