Microsoft Project Online retires September 30, 2026 — migrate to a modern platform before it's too late.Start migration

Legal

Privacy Policy

Last updated: April 16, 2026

This Privacy Policy describes how Devsoft Solutions ("we," "us," or "our"), the company behind Onplana, collects, uses, discloses, and protects your personal information when you use the Onplana platform, website (onplana.com), and related services (collectively, the "Service").

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, and password when you create an account.
  • Organization data: Organization name, team members, and billing information.
  • Project data: Projects, tasks, comments, documents, and other content you create within the Service.
  • Payment information: Credit card and billing details processed securely by our payment processor (Stripe). We do not store full card numbers on our servers.
  • Communications: Information you provide when contacting support, submitting feedback, or responding to surveys.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, and actions taken within the Service.
  • Device information: Browser type, operating system, device type, and screen resolution.
  • Log data: IP address, access times, referring URLs, and error logs.
  • Cookies and similar technologies: See our Cookie Policy for details.

1.3 Information from Third Parties

  • SSO providers: If you sign in via SAML or OIDC (e.g., Azure AD, Okta), we receive your name, email, and identity provider metadata.
  • Imported data: When you import Microsoft Project XML exports (MSPDI) or connect to Microsoft Project Online via OData, we process the project data you choose to import.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send billing-related communications
  • Send product updates, security alerts, and support messages
  • Respond to your requests and provide customer support
  • Analyze usage patterns to improve features and user experience
  • Detect, prevent, and address security incidents and fraud
  • Comply with legal obligations

3. AI Data Processing

Onplana's AI features are powered by Anthropic's Claude and/or Azure OpenAI, selected per-organization by your admin. The chosen provider processes your project data to generate risk detection, plan generation, and other AI-powered recommendations. Important details:

  • Your data is not used to train AI models. Project data sent to AI providers is used solely to generate responses for your specific request.
  • AI processing occurs in real-time and data is not retained by AI providers beyond the duration of the request.
  • Bring your own AI (Enterprise): You can point Onplana at your own Azure OpenAI deployment — inference then stays entirely within your Azure tenant under your Microsoft data processing agreement.
  • You can disable AI features at any time without affecting core platform functionality.

4. Third-Party Integrations

When you connect a third-party service (Google, Microsoft, and other providers listed on our Integrations page) to your Onplana workspace, Onplana receives access tokens that allow us to access specific data from that service on your behalf. We request the narrowest scope necessary for each feature and store all tokens encrypted at rest using AES-256-GCM.

4.1 Google User Data

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access:

  • Google Calendar (calendar.events.readonly): to display upcoming events alongside your Onplana tasks and project timelines.
  • Google Drive (drive.file): to attach files you explicitly select through the Drive file picker to Onplana tasks and projects. We do not scan, list, or access any file you have not explicitly chosen.
  • Google profile (openid, profile, email): to identify you when you sign in with Google.

How we use this data:

  • Calendar events and Drive file metadata are displayed only to members of the specific Onplana organization you authorized the connection for.
  • We do not sell, rent, or share Google user data with third parties for advertising.
  • We do not use Google user data to train artificial intelligence or machine-learning models.
  • We do not transfer Google user data except to comply with applicable law or as part of a merger, acquisition, or sale of assets, with user notice.

Where we store it:

  • Access tokens and refresh tokens: encrypted with AES-256-GCM and stored in our managed PostgreSQL database hosted on Microsoft Azure (US region).
  • Cached calendar and file metadata: stored within your organization's tenant database and not shared across Onplana organizations.
  • All data in transit uses TLS 1.2 or higher.

How to disconnect and delete:

  • Click "Disconnect" on any integration from your Onplana Integrations page. Access tokens are revoked at Google within seconds; cached data is deleted within 24 hours.
  • You can also revoke Onplana's access directly at myaccount.google.com/permissions.
  • For complete account deletion, including all associated Google-derived data, contact privacy@onplana.com.

4.2 Microsoft User Data (via Microsoft Graph)

We access the following scopes when you connect a Microsoft account:

  • Outlook Calendar (Calendars.Read): to display meetings in your Onplana dashboard.
  • OneDrive (Files.ReadWrite.All or narrower, depending on feature): to attach files you select to Onplana tasks.
  • Microsoft profile (User.Read): to identify you when signing in with Microsoft.

Use, storage, and deletion practices for Microsoft data are identical to those described for Google user data above.

You can revoke Onplana's access to your Microsoft account at myaccount.microsoft.com or via your organization's Microsoft 365 admin center.

4.3 Data Retention Summary

Data typeRetentionDeletion trigger
OAuth access tokensUntil disconnectImmediate on disconnect
OAuth refresh tokensUntil disconnectImmediate on disconnect
Cached calendar eventsUp to 24 hoursAutomatic rolling + 24h after disconnect
Cached file metadataUp to 24 hoursAutomatic rolling + 24h after disconnect
Connection audit record30 days after disconnectAutomatic after 30 days
Account and all derived data (on request)Within 30 days of privacy@onplana.com request

5. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

  • Service providers: We use third-party services for payment processing (Stripe), email delivery, hosting (AWS/Azure/GCP), and analytics. These providers are contractually bound to protect your data.
  • Within your organization: Other members of your Onplana organization can see project data, team information, and activity within the organization scope.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
  • With your consent: We may share information with third parties when you explicitly authorize it (e.g., enabling integrations).

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account or organization:

  • Project data is moved to soft-delete (Recycle Bin) for 30 days, then permanently deleted.
  • Account information is deleted within 90 days of account closure.
  • Backup copies are purged within 180 days.
  • Anonymized, aggregated usage statistics may be retained indefinitely.

7. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls with role-based permissions and audit logging
  • Infrastructure hosted on SOC 2 compliant cloud providers
  • Two-factor authentication (TOTP) available for all accounts
  • IP allowlisting and session management for Enterprise plans

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal data (right to erasure)
  • Export your data in a portable format
  • Object to or restrict certain processing activities
  • Withdraw consent where processing is based on consent

To exercise these rights, email privacy@onplana.com. We will respond within 30 days.

9. International Data Transfers

Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers outside the European Economic Area.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at privacy@onplana.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for significant changes, by sending an email to the address associated with your account.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email: privacy@onplana.com
  • Company: Devsoft Solutions
  • Postal address: Registered office — address on request
  • EU representative (GDPR Art. 27): TBD
  • Website: devsoft.com