Privacy Policy

PRODUCTPLAN
GLOBAL PRIVACY NOTICE

ProductPlan, LLC and its affiliates respect your privacy and are committed to protecting your personal information. ProductPlan offers a roadmapping platform that includes integrated customer and product research capabilities (the “ProductPlan Platform”), and ProductPlan.ai, (“ProductPlan.ai”) an AI-powered product development tool (collectively, "ProductPlan," "we," "us," or "our").

This Global Privacy Notice ("Privacy Notice") describes the types of personal information we collect, how we use and share it, and the rights and choices you have with respect to your information. Our privacy practices may vary among the jurisdictions in which we operate to reflect local requirements. Jurisdiction-specific notices are provided in Section 10 below.

This Privacy Notice applies to

• Visitors to our websites, including www.productplan.com and productplan.ai
• Registered users and administrators of the ProductPlan platforms ("Platform Users"); and
• Individuals recruited to participate in research sessions conducted through the ProductPlan platform ("Research Participants").

If you are a current or former job applicant, employee, or contractor of ProductPlan, please contact us using the information in Section 11 for the applicable privacy notice governing your information.

NOTICE AT COLLECTION AND SUMMARY OF OUR PRIVACY PRACTICES

We recommend reviewing the full Privacy Notice below before using our products or services. This summary provides a brief overview only.

ProductPlan collects personal information including contact details, account credentials, platform usage data, and technical information from your device or browser. Through the ProductPlan platforms, we additionally collect professional profile data from LinkedIn (with your authorization), screener responses, voice recordings of AI-moderated research sessions, and AI-generated research summaries.

We process personal information to provide and improve our services, communicate with you, prevent fraud, conduct analytics, and comply with legal obligations. We do not use Research Participant session data to train or fine-tune AI models.

We share personal information with service providers, integration partners, and, where applicable, advertising and analytics vendors. Some of this sharing may constitute a “sale” or use for “targeted advertising” under applicable US privacy laws. You may opt out as described in Section 8 below.

We use Standard Contractual Clauses and other approved mechanisms for cross-border transfers of personal information from the European Economic Area, the United Kingdom, and other jurisdictions with data transfer restrictions.

TABLE OF CONTENTS

1. Types of Personal Information We Collect and Why
2. How We Collect Your Personal Information
3. How We Use Your Personal Information
4. How We Disclose Your Personal Information
5. International Transfer of Personal Information
6. How We Secure Your Personal Information
7. How We Retain Your Personal Information
8. Your Choices and Rights
9. Other Important Information
10. Jurisdiction-Specific Notices
11. Contact Us

1. TYPES OF PERSONAL INFORMATION WE COLLECT AND WHY

The table below describes the categories of personal information we collect across our products, who it relates to, examples of the specific data involved, and the purposes and legal bases for our collection and use. References to “legitimate interests” reflect our assessment that the processing benefits our business or users without overriding your privacy rights. Where a data type or use is specific to one of our products, we note that in the "Applies To" column.

Category

Applies To

Examples

Purpose and Legal Basis

Contact Information

All users and visitors

Full name, job title, company name, email address, phone number, mailing address

For example: information provided when creating an account, submitting a contact form, or signing up for marketing communications.

Legitimate interests: account management, responding to inquiries, service communications, marketing analytics.

Contract performance: delivery of services you have requested.

Account Credentials

Platform Users

Username, password (hashed and salted), SSO/OAuth tokens for third-party login.

For example: credentials created when registering for a ProductPlan account, or tokens issued by your identity provider (e.g., Google, Microsoft Azure AD).

Legitimate interests: securing access to platform accounts, preventing unauthorized use, maintaining platform integrity.

Business and Employment Information

Platform Users; Research Participants

Employer, department, job function, seniority level, professional background, industry, broker or professional license number where applicable.

For Research Participants: professional criteria used to qualify participants for research sessions.

Legitimate interests: service delivery, research participant qualification, platform personalization.

Contract performance: matching Research Participants to study criteria on behalf of platform subscribers.

Platform Content Data

Platform Users

Product roadmaps, strategic initiatives, OKRs, feature ideas, custom fields, notes, comments, prioritization scores, and other content entered into the ProductPlan platform.

This data belongs to the subscriber organization and is processed by ProductPlan as a data processor on behalf of the subscriber.

Contract performance: this is the core data necessary to deliver the ProductPlan service.

Legitimate interests: platform maintenance, security, backup, and aggregated/anonymized analytics to improve the platform.

Usage and Interaction Data

All users and visitors

Log-on activity, features accessed, search history within the platform, session duration, page views, click patterns, cursor movements, scrolling activity, and downloads.

For example: how users navigate the roadmap builder, which features are most frequently used, and performance metrics for individual sessions.

Legitimate interests: platform improvement, UX optimization, security monitoring, fraud detection, and aggregated analytics.

Where required by law: consent (for non-essential tracking technologies on our websites).

Integration Data

Platform Users

Data exchanged through third-party integrations you enable, including Jira, Slack, GitHub, Confluence, Microsoft Azure, Trello, and Zapier. This may include project metadata, ticket data, issue identifiers, and user identity tokens for authentication.

ProductPlan accesses only the data necessary to perform the integration you have configured.

Contract performance: integration delivery and workflow synchronization.

Legitimate interests: maintaining accurate, connected product data across your toolchain.

Research Participant Profile Data

Research Participants (ProductPlan Platform)

LinkedIn profile data (name, employer, job title, professional history, profile photo) obtained when you authenticate via LinkedIn prior to a research session.

Responses to screener questions used to verify you meet the study’s participant criteria.

Additional professional profile data from third-party enrichment sources.

Consent: your LinkedIn authentication constitutes consent to share the data transmitted via that login.

Legitimate interests: verifying participant qualifications on behalf of the research subscriber; maintaining a qualified participant database.

Contract performance: matching participants to study requirements.

Research Session Voice Recordings and Transcripts

Research Participants (ProductPlan Platform)

Audio recordings of AI-moderated research sessions, including your spoken responses.

Automated transcripts generated from those recordings.

Where enabled in the future, video recordings of research sessions.

Consent: we obtain your consent prior to recording any research session.

Contract performance: delivery of recorded and transcribed research sessions to the subscribing organization.

Legitimate interests: enabling AI moderation, quality assurance, and research output generation.

AI-Generated Research Outputs

Research Participants (ProductPlan Platform)

AI-synthesized summaries of session responses, highlight clips, behavioral observations, sentiment analysis, and actionable recommendations produced from your session data.

These outputs are delivered to the platform subscriber who commissioned the research study.

Session data and AI outputs are not used to train or fine-tune AI models.

Legitimate interests: service delivery; generation of research insights on behalf of the subscribing organization.

Contract performance: fulfillment of the research deliverable commissioned by the subscriber.

Payment and Financial Information

Platform Users (subscribers)

Billing contact name, address, and payment card information.

Note: ProductPlan uses a PCI-compliant third-party payment processor. We do not store raw payment card numbers on our systems.

Contract performance: processing subscription payments and managing billing.

Legal obligation: financial recordkeeping and tax compliance.

System and Device Information

All users and visitors

IP address, browser type and version, operating system, device model and identifiers, session logs, language settings, time zone.

For example: technical metadata collected automatically each time you visit our websites or use our platform.

Legitimate interests: security, fraud prevention, platform reliability, performance optimization, and aggregate usage analytics.

Inferences Drawn from Other Data

Website visitors; Platform Users

Behavioral profiles, usage preferences, and propensity scores inferred from your activity on our websites and platform.

For example: inferences about product feature interest based on usage patterns, used to personalize in-product recommendations.

Legitimate interests: service personalization, product improvement, marketing analytics.

Where required by law: consent for targeted advertising.

‍

2. HOW WE COLLECT YOUR PERSONAL INFORMATION

Directly from You. We collect personal information you provide to us directly, including when you:

• Create a ProductPlan account or register for ProductPlan.ai;
• Fill out web forms, contact forms, or chatbot interactions on our websites;
• Subscribe to our newsletter or marketing communications;
• Contact our customer support team by email, phone, or live chat;
• Register for a webinar, event, or certification program; or
• Authenticate via LinkedIn to participate in a ProductPlan research session.

‍

Through Your Use of Our Services. We automatically collect certain information as you interact with our websites and platforms, including:

• Technical data about your browser, device, IP address, and session activity;
• Platform usage data, including features accessed, content created or edited, and search activity within the platform;
• Integration activity when you connect third-party tools to your ProductPlan account; and
• Information collected through cookies and similar tracking technologies. For details, see our Cookie Policy.

From Third-Party Sources. We may receive personal information about you from third parties, including:

• LinkedIn Corporation, when you authenticate via LinkedIn to participate in ProductPlan research sessions, including your public profile data transmitted at the time of authentication;
• Third-party data enrichment providers, which supplement our participant database with additional professional profile information;
• Your employer or the organization that holds a ProductPlan subscription, when they provision you as an authorized user on the platform;
• Integration partners (such as Jira, Slack, or GitHub) when you connect those tools to your ProductPlan account; and
• Analytics and advertising partners, consistent with our Cookie Policy.
• Third-party research panel providers, who may refer or introduce qualified research participants to studies conducted through our platform. These providers do not receive participant data back from us and have no access to our platform or systems.

When we receive personal information about you from third parties and combine it with information we already hold, this Privacy Notice governs the combined information.

3. HOW WE USE YOUR PERSONAL INFORMATION

We use personal information for the following purposes, consistent with the legal bases described in Section 1:

• Provision of Services. To create and manage your account, deliver platform features, process payments, fulfill integration requests, conduct research sessions on behalf of subscribing organizations, and respond to your requests and inquiries.

• Security and Fraud Prevention. To authenticate users, maintain secure sessions, detect and prevent fraudulent or unauthorized activity, and protect the integrity of our systems and data.

• Communication and Customer Support. To communicate with you about your account, respond to support requests, send transactional and service-related notifications, and, where you have consented or we otherwise have a lawful basis, send promotional communications.

• AI Moderation and Research Analysis (ProductPlan). To conduct AI-moderated research sessions on behalf of subscribing organizations, generate transcripts and AI-synthesized summaries, and deliver research outputs and insights. Session recordings, transcripts, and AI-generated outputs are delivered exclusively to the subscribing organization that commissioned the study. This data is not used to train or fine-tune AI models, whether proprietary to ProductPlan or provided by third-party AI vendors.

• Platform Improvement and Development. To analyze aggregated and anonymized usage data, conduct product research, test new features, and improve platform functionality and user experience. We do not use identifiable Platform Content Data (such as your roadmaps or strategic initiatives) for these purposes without your consent.

• Advertising and Marketing. To market our services, conduct targeted advertising and retargeting, measure campaign effectiveness, and send promotional updates where permitted. See our Cookie Policy for details on how tracking technologies are used for advertising purposes.

• Research and Benchmarking. To conduct surveys, user experience studies, and aggregate benchmarking analysis. Results are used in anonymized or aggregated form only.

• Compliance with Legal Obligations. To comply with applicable laws, respond to lawful requests from government authorities, enforce our agreements, and protect our legal rights.

• Anonymization and Aggregation. To de-identify or aggregate personal information for internal analytics, trend reporting, and product development. Once information is de-identified, we maintain it in that form and do not attempt to re-identify it. We pass these obligations to vendors that process de-identified data on our behalf.

4. HOW WE DISCLOSE YOUR PERSONAL INFORMATION

Affiliates and Subsidiaries. We share personal information among ProductPlan’s affiliated entities and subsidiaries to support business operations, compliance, customer support, and service delivery.

Service Providers and Vendors. We disclose personal information to vendors who perform services on our behalf, such as cloud hosting, IT support, data analytics, payment processing, email marketing, and customer relationship management. These vendors are contractually required to use personal information only as necessary to perform services for us and to maintain appropriate security measures. 
Subscribing Organizations (Research Results). AI-generated research outputs, session summaries, highlight clips, and associated participant-attributed data are delivered to the organization that commissioned the research study. Subscribers are subject to contractual obligations limiting their use of this data.

Integration Partners. When you connect third-party tools (such as Jira, Slack, GitHub, Confluence, Azure, Trello, or Zapier) to your ProductPlan account, we exchange data with those partners as necessary to perform the integration you have configured.

Advertising and Analytics Partners. We share certain technical data, such as device identifiers, IP addresses, and usage activity, with advertising networks and analytics providers for purposes of targeted advertising, retargeting, and performance measurement. Some of this activity may constitute a “sale” or use for “targeted advertising” under applicable US privacy laws. See Section 8 for your opt-out rights.

Legal, Regulatory, and Compliance Disclosures. We will disclose personal information to law enforcement, regulatory authorities, or courts as required by applicable law, to enforce our agreements, or to protect the rights, property, or safety of ProductPlan, our users, or others.

Corporate Transactions. In the event of a merger, acquisition, sale of assets, restructuring, or other corporate transaction, personal information may be disclosed to relevant parties during the evaluation or execution of that transaction. In such cases, any acquiring entity will be required to honor the commitments made in this Privacy Notice.

With Your Consent or at Your Direction. We will share your personal information in other ways when you direct us to do so or have given your consent.

5. INTERNATIONAL TRANSFER OF PERSONAL INFORMATION

ProductPlan is headquartered in the United States. When we transfer personal information from the European Economic Area (EEA), the United Kingdom (UK), Canada, or other jurisdictions that impose restrictions on cross-border data transfers, we rely on one or more of the following mechanisms to ensure your information receives an adequate level of protection:

• Standard Contractual Clauses (SCCs). We rely on the European Commission’s approved Standard Contractual Clauses as our primary mechanism for transfers of personal information from the EEA and UK to the United States and other third countries.
• Binding Corporate Rules (BCRs). Where applicable, we may rely on approved Binding Corporate Rules for intra-group transfers of personal information.
• Adequacy Decisions. Where the European Commission or UK Information Commissioner’s Office has issued an adequacy decision for the recipient country, we may rely on that decision.
• Other Recognized Mechanisms. We may rely on other lawful transfer mechanisms recognized under applicable data protection law, including derogations for specific situations as permitted by GDPR Article 49 where no other mechanism is available.

For more information about the safeguards we use for international data transfers, or to request a copy of applicable transfer agreements, please contact us using the information in Section 11.

6. HOW WE SECURE YOUR PERSONAL INFORMATION

ProductPlan implements industry-standard administrative, technical, and physical safeguards to protect personal information from accidental or unlawful loss, alteration, unauthorized access, disclosure, or destruction.

Our security measures include, but are not limited to: SOC 2 Type II attestation, with annual audits; encryption of data at rest using AES-256 block-level storage; encryption of data in transit using TLS 1.2 or higher; hosting within Amazon Web Services (AWS) secure data centers (us-east-1 region) via the Heroku cloud platform; access controls limiting employee access to personal information on a need-to-know basis; and monitoring and logging of system access and activity.

No transmission of information over the Internet can be guaranteed to be completely secure. Accordingly, while we take reasonable steps to protect your personal information, we cannot guarantee the security of data transmitted to or from our Services. Any transmission is at your own risk. If you believe your credentials have been compromised, please notify us immediately at security@productplan.com.

7. HOW WE RETAIN YOUR PERSONAL INFORMATION

ProductPlan retains personal information for as long as is reasonably necessary to fulfill the purposes described in this Privacy Notice, for as long as your account remains active, or as required by applicable law. We will retain and use any personal information to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and as otherwise described in this Privacy Notice. In some circumstances we may anonymize or aggregate personal information so that it can no longer be associated with you. We may retain and use anonymized or aggregated data indefinitely for research, analytics, and service improvement purposes, without further notice.

8. YOUR CHOICES AND RIGHTS

Depending on where you are located and the nature of our relationship with you, you may have the rights described below regarding your personal information. We will not discriminate against you for exercising any privacy right available to you under applicable law.

• Access. You have the right to request confirmation of whether we process your personal information and to receive a copy of that information.

• Correction. You may request that we correct inaccurate or incomplete personal information we hold about you. Platform Users may also update certain information directly within their account settings.

• Deletion. You may request that we delete your personal information. We will honor your request unless we have a lawful basis to retain the information, such as compliance with a legal obligation or defense of a legal claim.

• Objection and Restriction. You may object to certain processing of your personal information, including processing based on legitimate interests or for direct marketing purposes. You may also request that we restrict our processing while we investigate your concerns.

• Data Portability. Where processing is based on your consent or a contract with you, and is carried out by automated means, you may request a copy of your personal information in a structured, machine-readable format.

• Withdrawal of Consent. Where our processing is based on your consent (for example, consent to receive marketing communications or consent to voice recording during a research session), you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

• Marketing Opt-Out. You may opt out of promotional communications at any time by using the unsubscribe link in any marketing email or by contacting us at compliance@productplan.com. We may continue to send you service-related and transactional communications.

• Opt-Out of Sales and Targeted Advertising. Some of our data sharing activities may constitute a “sale” of personal information or use for “targeted advertising” under applicable US privacy laws. You may opt out of this processing by contacting us as described below.

• Global Privacy Control (GPC). We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid request to opt out of the sale or sharing of personal information.

• Appeals. If you reside in Virginia, Colorado, Connecticut, Texas, Oregon, or another jurisdiction that provides a right to appeal a privacy rights decision, you may appeal our response by replying to the communication you received from us and providing additional supporting information. We will respond within the timeframe required by applicable law.

How to Exercise Your Rights. To submit a privacy rights request, you may email us at compliance@productplan.com or by writing us at the address below.

We may ask you to verify your identity before fulfilling a request. You may also authorize an agent to submit a request on your behalf, subject to our verification requirements. We will respond within the timeframe required by applicable law. If we are unable to fulfill a request in whole or in part, we will explain why.

9. OTHER IMPORTANT INFORMATION

Privacy Notice Changes. We may update this Privacy Notice periodically to reflect changes in our practices, services, or applicable law. We will post any revised notice on this page and update the “Last Updated” date at the top. If we make material changes, we will notify you by email (if we have your email address) or by a prominent notice on our website. We encourage you to review this Privacy Notice periodically.

Children Under 16. Our Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at compliance@productplan.com and we will promptly delete that information.

Automated Decision Making and Artificial Intelligence. ProductPlan uses artificial intelligence and machine learning in the following ways:

• AI-Moderated Research Sessions (ProductPlan). ProductPlan’s AI moderator conducts and facilitates research sessions with participants, asking dynamic follow-up questions and analyzing responses in real time to generate insights and summaries. This AI moderation operates on behalf of the subscribing organization and does not produce decisions that have legal or similarly significant effects on Research Participants.
• Platform Recommendations and Analytics. ProductPlan may use automated systems to generate in-platform recommendations, prioritization suggestions, and usage-based insights for Platform Users. These systems support, but do not replace, human decision-making by your product team.
• No AI Model Training on Session Data. Research session recordings, transcripts, and AI-generated outputs are not used to train or fine-tune AI models. Session data remains confidential to the subscribing client organization.

Where required by applicable law, including the EU General Data Protection Regulation (GDPR) and the EU AI Act, we ensure that our automated systems are documented, explainable, and subject to human oversight. If you have questions about automated processing that affects you, or wish to request human review, please contact us using the information in Section 11.

Cookie Policy. We use cookies and similar tracking technologies on our websites. For detailed information about the types of cookies we use, your consent choices, and how to manage your preferences, please refer to our Cookie Policy.

Conflict Between This Privacy Notice and Our Terms of Service. Where there is a conflict between this Privacy Notice and an explicit provision of our Terms of Service or a separate data processing agreement, this Privacy Notice will govern with respect to the processing of personal information.

10. JURISDICTION-SPECIFIC NOTICES

This section supplements the Privacy Notice above with jurisdiction-specific information. Please review both this section and the rest of the Privacy Notice together. If you have questions about which rights apply to you, please contact us.

European Economic Area (EEA) and United Kingdom (UK). If you are located in the EEA or the UK, the following additional information applies.

• Data Controller. ProductPlan, LLC acts as the data controller for personal information collected from EEA and UK residents through our websites and, with respect to Research Participants, through the ProductPlan platform. Where Platform Content Data is processed on behalf of a subscribing organization, ProductPlan acts as a data processor and the subscriber is the data controller.

• Legal Bases for Processing. We process personal information on the following legal bases under GDPR Article 6: (a) performance of a contract (Article 6(1)(b)); (b) compliance with a legal obligation (Article 6(1)(c)); (c) our legitimate interests, where not overridden by your rights (Article 6(1)(f)); and (d) your consent, where required (Article 6(1)(a)). We process special category data, including voice recordings, on the basis of explicit consent (Article 9(2)(a)) or as otherwise permitted by applicable law.

• Your Rights. EEA and UK residents have the rights described in Section 8 above, as well as the right to lodge a complaint with a supervisory authority. Contact details for EU supervisory authorities are available at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. The UK Information Commissioner’s Office (ICO) can be reached at https://ico.org.uk/.

Canada. If you are a Canadian resident, we process your personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Your personal information may be transferred to and processed in the United States and other countries, where it may be subject to the laws of those jurisdictions.

You have the right to access your personal information and to request correction of any inaccuracies. To make a request or to ask questions about our privacy practices, please contact us as described in Section 11. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

United States

• Sales and Targeted Advertising. ProductPlan engages in certain activities that may constitute a “sale” of personal information or use for “targeted advertising” (or “sharing” in California) under applicable US privacy laws, including the sharing of certain technical identifiers and usage data with advertising and analytics partners. In the past year, this has included contact details, online identifiers, IP addresses, non-precise geolocation data, and information derived from your use of our Services. You may opt out as described in Section 8.
• State Consumer Privacy Rights. Residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have the right to access, correct, and delete personal information, the right of personal information portability, the right to opt out of sales and targeted advertising (called a "share" in California), and, except in California, the right to opt out of profiling that results in legal or similarly significant effects on you.

Residents of California, Delaware, Minnesota, and Oregon may request additional information about our personal information processing, including about the other parties we disclose personal information to.

When we use profiling that results in legal or similarly significant effects on you, residents of Minnesota have the additional right to question the results of such profiling, be informed about the reasons the profiling resulted in a particular decision, ask what actions they could take to obtain a different result in the future, and request correction of information used for the profiling and a subsequent re-evaluation.

Maryland residents have additional rights under the Maryland Online Data Privacy Act (MODPA), which imposes stricter requirements than most other state laws. We collect and process sensitive personal information only with your consent where required under MODPA, and we limit our collection and use of personal information to what is reasonably necessary for the purposes described in this Privacy Notice. Maryland residents may also opt out of any processing of sensitive personal information, and may request that we limit our use of personal information to purposes compatible with the context in which it was collected.

Nevada residents who prefer not to receive marketing calls may be placed on our internal opt-out list by contacting us as set forth in Section 11, or by contacting the Nevada Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; telephone: (702) 486-3132; email: AGCinfo@ag.nv.gov.

To exercise any of these rights, please follow the instructions provided in Section 8 above.

California. California residents may also exercise their rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The following table cross-references California’s personal information categories to the categories described in Section 1 of this Privacy Notice.

California Personal Information Category

Corresponding Categories in This Notice

Identifiers

Contact Information; Account Credentials; System and Device Information

Personal Information (Cal. Civ. Code § 1798.80(e))

Contact Information; Business and Employment Information; Payment and Financial Information

Commercial Information

Payment and Financial Information

Internet or Network Activity

Usage and Interaction Data; System and Device Information

Audio / Electronic Data

Research Session Voice Recordings and Transcripts

Professional or Employment Information

Business and Employment Information; Research Participant Profile Data

Inferences

Inferences Drawn from Other Data

California residents may request certain information regarding our disclosure of personal information to third parties for their own direct marketing purposes (“Shine the Light” request) by contacting us as described in Section 11.

Illinois Biometric Information.  The Illinois Biometric Information Privacy Act (BIPA) governs the collection, use, and retention of biometric information, including voice data and facial geometry. When we collect voice recordings in Illinois in connection with ProductPlan research sessions, we comply with BIPA’s requirements, including providing prior written notice, obtaining written consent before collection, and adhering to a defined data retention and destruction schedule.

Video and facial capture features are not yet active. A BIPA-compliant written consent process will be implemented before these features are enabled in Illinois.

11. CONTACT US

If you have questions, comments, or complaints about this Privacy Notice or our privacy practices, or if you wish to exercise your privacy rights, please contact us using the following information:

Inquiry Type

Contact Information

General Privacy Inquiries

compliance@productplan.com

Security Issues

security@productplan.com

Privacy Rights Requests (DSAR)

compliance@productplan.com

EU/UK Data Protection Inquiries

compliance@productplan.com

You may also contact us by postal mail at:

ProductPlan, LLC

Attn: Legal / Privacy

555 17th Street

15^th Floor

Denver Colorado 80202

We will respond to your inquiry or request within the timeframe required by applicable law. For EEA and UK residents, if we are unable to resolve your concerns, you have the right to lodge a complaint with your local data protection authority.