Privacy Policy
Last updated: April 2026
Plume ("we", "us", or "our") operates the Plume platform at plumeseo.com. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service, in compliance with the EU General Data Protection Regulation (GDPR).
Data Controller
The data controller responsible for your personal data is Plume, operated from Paris, France. For any questions regarding data processing, contact us at privacy@plumeseo.com.
Information We Collect
We collect the following categories of personal data:
- Account information: your name, email address, and hashed password when you sign up.
- Content data: the keywords, sub-keywords, client profiles (audience, industry, tone, reading level), questionnaire answers, and articles you generate through the platform.
- Payment information: billing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID, but never your card details.
- Technical data: IP addresses and request logs for security and rate-limiting purposes.
- Analytics data: page views, feature usage, and conversion events via Google Analytics 4 (only with your consent).
- Attribution data: UTM parameters (source, medium, campaign) captured at signup to understand how you found us.
- Google Search Console data: if you connect your Google Search Console account, we store encrypted OAuth tokens and fetch search performance data (clicks, impressions, position) for your articles.
- Preferences: your chosen interface language and saved form defaults.
How We Use Your Information
- To provide and operate the Plume platform, including AI content generation.
- To process payments and manage your subscription via Stripe.
- To enforce usage limits and detect abuse.
- To improve the service and fix issues.
- To analyze site usage and conversion patterns (with your consent, via Google Analytics 4).
Lawful Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b)): account creation, content generation, billing, and subscription management are necessary to deliver the service you subscribed to.
- Consent (Art. 6(1)(a)): analytics cookies (Google Analytics 4) are only activated after you explicitly accept cookies via our consent banner. You may withdraw consent at any time by clearing your cookies.
- Legitimate interest (Art. 6(1)(f)): security logging, rate limiting, and abuse detection to protect the platform and its users.
Data Storage
Your account and content data is stored in an encrypted database hosted on Render (US-based infrastructure). Generated files are stored temporarily in server memory and are not retained long-term. We use industry-standard security practices including bcrypt password hashing, encrypted OAuth tokens, and secure session cookies.
Third-Party Services
We share personal data with the following third-party processors, each of which processes data under its own privacy policy:
- Stripe (payment processing): handles all billing. We never store your card details. Stripe Privacy Policy
- Anthropic (Claude API) (AI content generation): your keywords, article context, and questionnaire answers are sent to Anthropic's API for content generation and quality auditing. Anthropic Privacy Policy
- Perplexity (Sonar API) (fact verification): your keywords and article context are sent to Perplexity for automated web-based fact-finding. Perplexity Privacy Policy
- Firecrawl (SERP analysis): your target keywords are sent to Firecrawl for search engine results analysis. Firecrawl Privacy Policy
- Google Analytics 4 (site analytics, consent-gated): page views, user properties, and conversion events are collected only after you accept analytics cookies. Google Privacy Policy
- Google Search Console (search performance, user-initiated): if you connect your account, we access search performance data via Google's API. Google Privacy Policy
International Data Transfers
Some of our third-party processors (Anthropic, Perplexity, Firecrawl, Stripe, Google) are based in the United States. Data transfers to the US rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. By using Plume, you acknowledge that your data may be processed in the United States under these safeguards.
Data Retention
Your account and content data is retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law (e.g., billing records for tax compliance, retained for up to 10 years as required by French law). Security logs (IP addresses) are retained for a maximum of 12 months.
Cookies & Analytics
We use the following cookies:
- Session cookie (essential): keeps you logged in. HTTP-only, Secure, SameSite=Lax. This cookie is strictly necessary for the service to function and does not require consent.
- Cookie consent cookie (essential): remembers your cookie preference. Expires after 1 year.
- Google Analytics cookies (analytics, consent-required): set only after you click "Accept" on our cookie banner. Used to understand site usage patterns. Not used for advertising. You may reject these cookies or withdraw consent at any time by clearing your browser cookies.
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate personal data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): request that we limit how we use your data.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent (analytics cookies), you may withdraw at any time by clearing your cookies.
To exercise any of these rights, contact us at privacy@plumeseo.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the French data protection authority: CNIL (Commission Nationale de l'Informatique et des Libertés), www.cnil.fr.
Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority (CNIL) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay (GDPR Article 34).
Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date. Material changes will be communicated by email to registered users.
Contact
For privacy questions or data requests: privacy@plumeseo.com