PlanoryPlanory

Data Processing Agreement

Last updated: March 1, 2026

1. Parties

This Data Processing Agreement ("Agreement") is entered into between:

  • Controller: The customer entering into a service agreement with Planory ("Customer").
  • Processor: CrossNetApps ApS, Solbrinken 46, 2750 Ballerup, Denmark, CVR number 35680896 ("Planory").

This Agreement governs the processing of personal data by Planory on behalf of the Customer.

2. Subject Matter and Duration

This Agreement applies to Planory's processing of personal data for the purpose of providing its travel planning SaaS solution. It remains effective for as long as Planory processes personal data on behalf of the Customer.

3. Nature and Purpose of Processing

Planory processes personal data solely for the purpose of delivering its travel planning service, including account management, support, and operational functionality.

4. Types of Personal Data and Data Subjects

  • Types of Data: Email addresses, names, trip information, travel preferences, and other customer-provided content.
  • Data Subjects: The Customer's own users and contacts.

5. Processing Instructions

Planory will process personal data only according to the Customer's documented instructions as outlined in this Agreement.

6. Technical and Organizational Measures

Planory has implemented appropriate technical and organizational security measures, including:

  • Encryption of data in transit using HTTPS/SSL.
  • Strict access controls with authorization and MFA for database access.
  • Regular backups of critical data.
  • Monitoring and logging of system activities.
  • Hosting on Supabase with physical security and compliance certifications.

7. Sub-processors

Planory uses the following sub-processors:

  • Supabase (Hosting and database; data centers in EU)
  • Resend (Email services; hosted in EU)
  • Stripe (Subscription management; with appropriate EU data transfer mechanisms)
  • Vercel (Analytics; anonymized usage data for service improvement; hosted in EU)

Planory ensures that sub-processors are bound by data protection obligations equivalent to those set out in this Agreement.

8. International Data Transfers

All processing takes place within the EU/EEA. Where transfers outside the EU/EEA are necessary, Planory will rely on legally valid mechanisms such as Standard Contractual Clauses.

9. Assistance to the Controller

Planory shall assist the Customer, where reasonably possible, in ensuring compliance with GDPR obligations related to data subjects' rights, data breach notifications, data protection impact assessments, and consultations with supervisory authorities.

10. Data Breach Notification

Planory will notify the Customer without undue delay after becoming aware of any personal data breach.

11. Data Deletion and Return

Upon termination of the service, Customers can delete all their personal data directly via the platform. Planory does not retain any personal data after customer-initiated deletion.

12. Audits

Planory does not permit Customer-conducted audits. Instead, Customers may request relevant information to verify Planory's compliance with this Agreement.

13. Updates to this Agreement

Planory may update this Agreement to reflect changes in legislation or best practices. Notice of updates will be provided, and continued use of the services constitutes acceptance of the updated terms.

14. Liability

Planory shall not be held responsible for damages or liability arising from data breaches unless such breach is due to Planory's proven gross negligence or willful misconduct.

15. Contact Information

For any data protection inquiries, please contact: privacy@crossnetapps.dk

Effective Date: March 1, 2026

Data Processing Agreement | Planory