Privacy Policy
Last updated: January 2025
Overview
Plaxt ("we", "our", or "us") is a media scrobbling service that syncs watch activity from media servers to tracking services. This policy explains how we collect, use, and safeguard your personal data.
"Personal data" means any information that identifies or can be used to identify you, such as your email address, authentication tokens, or watch history.
Data Controller
The data controller for personal data collected through Plaxt is the operator of Plaxt, based in the European Union. For data protection inquiries, contact us at [email protected].
Information We Collect
Account Information
When you create an account, we collect your email address and password (stored securely using industry-standard hashing).
Connected Services
When you connect media servers (Plex, Emby, Jellyfin) or tracking services (Trakt, Simkl), we store authentication tokens required to sync your watch history. These credentials are encrypted at rest. For certain integrations, you may provide session cookies or other credentials to enable history sync.
Watch Activity
We process your watch events (play, pause, stop) to sync them to your chosen tracking services. We store minimal metadata about sync events for debugging and to show your sync history.
Payment Information
Payments are processed by Stripe. We do not store credit card numbers or full payment details. Stripe may collect information as described in Stripe's Privacy Policy.
Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of contract |
| Syncing watch history between services | Performance of contract |
| Processing payments | Performance of contract / legal obligation |
| Service updates and security notifications | Legitimate interest |
| Security logging and abuse prevention | Legitimate interest |
| Responding to support requests | Legitimate interest |
Data Security
We implement industry-standard measures to protect your data:
- All data is encrypted in transit using TLS
- Sensitive credentials are encrypted at rest using AES-256-GCM
- Passwords are hashed using Argon2
- JWT-based authentication with secure token handling
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Data Sharing
We do not sell or share your personal information for advertising purposes. We share data only with:
- Connected services — Your watch data is sent to tracking services you explicitly connect (Trakt, Simkl)
- Payment processor — Stripe processes payments on our behalf
- Infrastructure providers — Our hosting providers process data on our behalf under data processing agreements
International Data Transfers
Our servers and primary infrastructure are located in the European Union. When you connect third-party services (such as Plex, Trakt, or Simkl), your watch data may be transmitted to those services' servers, which may be located outside the EU/EEA. These transfers are necessary to perform the service you requested (GDPR Article 49(1)(b)). We do not control the data practices of those third-party services; please review their respective privacy policies.
Data Retention
We retain your data according to the following schedule:
- Account data — Retained while your account is active
- Authentication tokens — Retained until you disconnect the service
- Sync event logs — Retained for up to 1 year
- Application logs — Retained for up to 90 days
- Backups — Retained for up to 30 days
When you delete your account, we remove your personal data without undue delay, except where retention is required for legal obligations, dispute resolution, or enforcement of our agreements.
Your Rights
European Economic Area (GDPR)
If you are in the EEA/UK, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate or incomplete data
- Erasure — Request deletion of your personal data
- Data portability — Receive your data in a structured, machine-readable format
- Restriction — Request limited processing of your data
- Object — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw it at any time
You also have the right to lodge a complaint with your local data protection authority. We will respond to requests within one month as required by GDPR.
California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell or share personal information as defined by the CCPA/CPRA. To exercise your rights, contact us at the email below.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.
Children's Privacy
Plaxt is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
Cookies
We use essential cookies only for authentication and session management. We do not use third-party tracking cookies or advertising cookies.
Third-Party Services
Plaxt integrates with third-party media servers and tracking services. You are responsible for ensuring you have the right to connect third-party services and share data with them. Plaxt is not affiliated with or endorsed by any third-party service provider. We recommend reviewing the privacy policies and terms of service of any third-party service you connect.
Third-Party Links
Our service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policy of any website you visit.
Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or through the service. Continued use after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy, want to exercise your data rights, or have a data protection concern, contact us at: [email protected]