Privacy Policy

1. Introduction

Plumsense (“we”, “our”, “us”) offers IoT-based monitoring and analytics services to supply chain, healthcare, and industrial customers (“Services”). We value your privacy and are committed to protecting personal information collected in connection with our Services. This Privacy Policy describes what information we gather, why we collect it, how we use it, who we share it with, and the data subjects’ choices and rights.
Scope: This policy applies to Plumsense’s processing of personal data relating to users of our goods and services.

2. Key Definitions

Personal data: Any information about an identified or identifiable individual.
Processing: Any operation on personal data (collection, storage, use, transfer, and destruction).
Controller / Processor: As the controller, we establish the purposes and methods of processing. Plumsense serves as a processor when a customer specifies the purposes and means of processing and Plumsense processes the data on the customer's behalf.
Special category data / Sensitive data: Data such as health data, to which extra safeguards apply. Relevant law: GDPR, UK guidelines, India DPDP Act, and, for US healthcare situations, HIPAA.

3. Data We Collect

We only collect the information needed to provide and improve Services. Typical categories:
Account and contact information includes name, business email, phone number, organisation, and billing address.
Device and telemetry data include sensor readings (temperature, humidity, shock), device IDs, timestamps, GPS or position coordinates if enabled by the customer, device health metrics, and firmware version.
Usage and logs include service usage logs, IP addresses, software logs, and problem reports.
Help and communications include help enquiries, chat transcripts, and customer feedback.
Payment and billing information includes payment method details (which are retained by our payment processor), invoices, and VAT/tax information.
HR and recruitment: CVs and interview notes for job seekers (where relevant).
Health data: When a client uses our Services to monitor health-sensitive products (for example, vaccines or biological samples), the data may be considered health-related. We process such data only with greater protections and as requested by the customer (who is normally the controller).

4. How we gather data

Directly from you (forms, support, and account creation).
Our platform receives data from linked devices and sensors.
From customers (when they upload data or set up monitoring).
From third parties, if legally permissible (e.g., payment processors, public sources).

5. Lawful basis and processing purposes

We process personal data for a variety of objectives, including service provision and maintenance, customer assistance, billing, security and fraud protection, product improvement, research and development, regulatory compliance, and marketing (when consented). Our lawful basis varies depending on the context and may include contract performance, legitimate interests, compliance with legal duties, and consent when required. When we process health or other special category data, we do so only when there is a clear legal basis or when the client has given us permission, and suitable protections are in place.

6. When Plumsense is a processor

Where our customer directs the processing of personal data, the customer is the controller, and Plumsense serves as the processor. In such cases:
We process personal data only on the customer's written instructions.
To protect data, we use technical and organisational measures such as encryption and access controls.
We will enter into a Data Processing Agreement (DPA) with the customer, outlining security, sub-processing, audit, and breach requirements.

7. Security Measures

We use appropriate technical and organisational safeguards to protect personal data, such as network security, encryption in transit and at rest for sensitive fields, role-based access controls, logging and monitoring, frequent vulnerability testing, and a written incident response strategy. For healthcare deployments, we provide configuration choices that address industry-specific security requirements. Customers must ensure the secure configuration of edge devices and networks.

8. International Transfers

When personal data is transferred outside of its country of origin (for example, telemetry routed to cloud servers in other jurisdictions), we use appropriate safeguards such as standard contractual clauses or data transfer agreements, or rely on applicable adequacy decisions, depending on the jurisdiction and law. We will advise customers about specific transfer mechanisms in our DPA.

9. Changes to This Policy

We may modify our Privacy Policy to reflect changes in the law, technology, or our services. Material changes will be posted along with an updated effective date.