Our privacy policy
1. Who We Are
This policy covers two related companies:
- Plain Technologies ApS (CVR: 44257963) — operates the platform, manages user accounts, and acts as data controller for platform and account data
- Plain Insurance ApS (CVR: 44929546) — a wholly owned subsidiary of Plain Technologies ApS, acting as data controller for insurance product and policy data
Both companies are registered in Denmark and are jointly responsible for certain processing activities where their purposes overlap. In accordance with GDPR Article 26, the essence of our arrangement is: Plain Technologies ApS is responsible for platform access and account management; Plain Insurance ApS is responsible for insurance intermediation and policy administration. Both companies apply the same data protection standards and you may exercise your rights against either entity.
We are certified to ISO 27001, the international standard for information security management.
Contact us: Plain Technologies ApS, Algade 31, 9000 Aalborg C, Denmark, [email protected]
2. What Data We Collect
Information you provide
- Name, address, email address, and phone number
- Company information (CVR number, industry, company size)
- Employee information including roles, job functions, and work types — collected to determine the correct insurance coverage and retained for the duration of the policy
- Payroll and headcount information
- Account credentials
- Payment information (processed by Stripe — see Stripe's privacy policy)
Information collected automatically
- IP address, browser type, and device information
- Usage and log data (pages visited, timestamps, error reports)
- Cookies and similar tracking technologies
See our Cookie Policy for further details.
3. Why We Process Your Data
We only process your personal data where we have a valid legal basis under GDPR.
- Creating and managing your account. Legal basis: Contract (Article 6(1)(b))
- Determining appropriate insurance coverage. Legal basis: Contract (Article 6(1)(b))
- Policy administration for the duration of coverage. Legal basis: Contract (Article 6(1)(b))
- Processing payments. Legal basis: Contract (Article 6(1)(b))
- Customer support. Legal basis: Contract / Legitimate interest (Article 6(1)(f))
- Fraud prevention and security. Legal basis: Legitimate interest (Article 6(1)(f))
- Regulatory compliance and record keeping. Legal basis: Legal obligation (Article 6(1)(c))
- Marketing communications. Legal basis: Consent (Article 6(1)(a))
A note on employee and occupational data
When you purchase workers' compensation insurance or similar products, we collect information about your employees' roles and job functions. This information is used to determine the correct product and pricing from our insurance carriers, and is retained for the lifetime of the policy. While this does not constitute special category data under GDPR Article 9, it is occupationally sensitive and is treated with the same level of care. It is never used for any purpose beyond insurance intermediation and policy administration.
No automated decision-making
We do not use automated decision-making or profiling to make decisions about you or your employees. Pricing is determined by our insurance carriers based on the information you provide. We do not perform independent risk scoring.
No claims processing
We do not process insurance claims. Claims are handled directly by the relevant insurance carrier. We do not receive or store claims data, including any health or disability information that may arise in that process.
We do not sell your personal data.
4. How Long We Keep Your Data
- Insurance policy and transaction records: retained for 5 years after policy expiry.
- Account and platform data: retained for 5 years after account closure.
- Payment records: retained for 5 years under the Danish Bookkeeping Act.
- Marketing consent records: retained until consent is withdrawn, plus 2 years.
- Security and access logs: retained for 12 months.
When data is no longer required, it is securely deleted or anonymised in accordance with our ISO 27001-certified data disposal procedures.
5. How We Store and Protect Your Data
Your data is stored on Microsoft Azure infrastructure located in EU data centres. We do not transfer your personal data outside the European Economic Area.
As an ISO 27001 certified organisation, we maintain a formal Information Security Management System (ISMS) covering:
- Encryption of data in transit and at rest
- Access controls and role-based permissions
- Regular security audits and risk assessments
- Incident response and breach notification procedures
Data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.
7. Cookies and Tracking
We use cookies for security, functionality, and analytics. You can manage your preferences at any time via our cookie settings.
We do not use cookies for targeted advertising or cross-site tracking.
See our full Cookie Policy for further details.
8. Your Rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data, subject to legal retention obligations
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time for any processing based on consent, without affecting the lawfulness of prior processing
To exercise any of these rights, please visit plain.insurance/personal-data or email [email protected]. We will respond within 30 days.
Complaints
If you believe we are handling your data unlawfully, you have the right to lodge a complaint with:
Datatilsynet (Danish Data Protection Authority), datatilsynet.dk, +45 33 19 32 00
9. Children
Our services are intended for business customers only. We do not knowingly collect data from individuals under the age of 18.
10. Changes to This Policy
We will update this policy as necessary to reflect changes in our practices or applicable law. Material changes will be communicated by email or a prominent notice on the platform. The date at the top of this page reflects the most recent update.
11. Contact and Data Protection Officer
Data Protection Officer, Plain Technologies ApS, Algade 31, 9000 Aalborg C, Denmark, [email protected]