PlanProve
Version 1.0 — Last updated: 14 April 2026
Make My Plan Ltd (company number 16887298) is the data controller for personal data collected through PlanProve ("we", "us", "our"). PlanProve is an online marketplace connecting homeowners seeking planning permission with qualified planning professionals.
This Privacy Notice explains what personal data we collect, why we collect it, the legal basis we rely on, how long we keep it, who we share it with, and your rights under UK GDPR and the Data Protection Act 2018.
This notice applies to:
When you create an account and use PlanProve as a homeowner, we collect:
When you register as a planning professional, we collect:
When you visit planprove.com, we automatically collect certain technical data including your IP address, browser and device type, referring URL, and pages visited. We use PostHog for analytics. Analytics cookies are only set with your prior consent - see Section 8.
UK GDPR requires us to have a lawful basis for each type of processing. We rely on the following:
| Purpose | Data used | Lawful basis | Applies to |
|---|---|---|---|
| Creating and managing your account | Name, email, password hash | Contract (Art. 6(1)(b)) | Applicants & Professionals |
| Connecting you with planning professionals / homeowners | Project details, profile, messages | Contract (Art. 6(1)(b)) | Both |
| Processing subscription payments | Billing email, Stripe payment token | Contract (Art. 6(1)(b)) | Professionals |
| AI Planning Assistant | Queries submitted, project context | Legitimate interests - improving planning outcomes (Art. 6(1)(f)) | Both |
| Platform analytics and improvement | Usage data, search logs, interaction data | Legitimate interests - product improvement (Art. 6(1)(f)) | Both |
| Sending service emails (account, project updates) | Email address | Contract (Art. 6(1)(b)) | Both |
| Marketing emails (newsletters, product news) | Email address | Consent (Art. 6(1)(a)) | Both |
| Security and fraud prevention | IP, device, activity logs | Legitimate interests - platform security (Art. 6(1)(f)) | Both |
| Legal obligations (accounting, tax records) | Billing records | Legal obligation (Art. 6(1)(c)) | Professionals |
We do not sell your personal data. We share data only with trusted third-party processors who act under our instruction, each subject to a Data Processing Agreement:
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase Inc. | Database hosting - all platform data | USA (SCCs in place) | All user and project data |
| Anthropic PBC | AI Planning Assistant processing | USA (SCCs in place) | Queries and project context submitted to the assistant |
| Stripe Inc. | Payment processing | USA (SCCs in place) | Billing email, payment token |
| Resend Inc. | Transactional and service email delivery | USA (SCCs in place) | Email address, message content |
| Vercel Inc. | Website hosting and deployment | USA / EU (SCCs in place) | Technical access logs, IP addresses |
| PostHog Inc. | Product analytics (with your consent) | EU (Ireland / Germany) | Usage data, session data, anonymised event data |
All transfers to processors in the USA are protected by Standard Contractual Clauses (SCCs) under UK GDPR Article 46.
We may also share data with: law enforcement or regulatory authorities where legally required; professional advisers (lawyers, accountants) under confidentiality obligations.
We do not keep personal data longer than necessary for the purpose for which it was collected:
| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account, plus 30 days after deletion | Contract performance; time for account recovery |
| Project data and documents | Duration of account, plus 30 days after deletion | Contract performance |
| Billing and payment records | 7 years from transaction date | Legal obligation - HMRC / Companies Act |
| AI assistant conversation history | 90 days from last interaction | Legitimate interests - service quality |
| Analytics / usage data | Up to 7 years (in line with our analytics processor's retention policy) | Legitimate interests - product improvement |
| Search logs (identifying period) | 90 days | Legitimate interests, security and audit |
| Search logs (anonymised) | A further 9 months (12 months total from creation) | Legitimate interests, product analytics with personal identifiers removed |
| Security and access logs | 90 days | Legitimate interests - fraud prevention |
| Marketing consent records | Until consent withdrawn, plus 3 years | Legal obligation - demonstrating consent |
Search logs are personal data while they include your user identifier. After 90 days we remove your identifier from each search log row, keeping only the anonymised search content for aggregate product analytics. The fully anonymised rows are then deleted entirely after 12 months.
Under UK GDPR you have the following rights. To exercise any of them, contact us at info@planprove.com. We will respond within one month.
Right of access: You can request a copy of all personal data we hold about you (a Subject Access Request).
Right to rectification: You can ask us to correct inaccurate or incomplete data.
Right to erasure: You can request deletion of your data where we no longer have a legal basis to hold it. Note: billing records must be kept for 7 years.
Right to data portability: You can request your data in a machine-readable format via your account settings.
Right to restrict processing: You can ask us to pause processing your data while a complaint is investigated.
Right to object: You can object to processing based on legitimate interests (e.g. analytics). We will stop unless we have compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent (e.g. marketing emails, analytics cookies), you can withdraw it at any time.
Right to complain: You have the right to lodge a complaint with the ICO: ico.org.uk or 0303 123 1113.
PlanProve uses an AI Planning Assistant powered by Anthropic's Claude API. This assistant provides information and guidance about the UK planning system. It does not make automated decisions that have legal or similarly significant effects on you - it is an information tool only.
Queries you submit to the AI Planning Assistant are processed by Anthropic as a data processor acting under our instruction. We do not use this data to profile users or make automated decisions about eligibility for services.
We use the following categories of cookies:
| Category | Examples | Consent required? | Purpose |
|---|---|---|---|
| Strictly necessary | Supabase session cookie, Stripe session | No - essential for the site to function | Authentication, security, payment processing |
| Analytics | PostHog analytics cookies | Yes - opt-in consent required | Understanding how users use the platform to improve it |
You can manage your cookie preferences at any time via the cookie banner on our website.
We implement appropriate technical and organisational measures including:
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay.
We may update this Privacy Notice from time to time. We will notify you of material changes by email or via a notice on the platform. The date at the top of this document reflects the most recent version.
For any questions about this notice or to exercise your rights:
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO):