PRIVACY
Privacy Policy
Last updated: May 2, 2026
In short
- We collect only what you give us — contact-form submissions, chat conversations, and discovery-call requests.
- We do not sell your information. We do not share it with third-party advertisers. We do not run analytics scripts that track you.
- The chat assistant runs on PluggedIn-managed infrastructure, not on third-party AI providers' consumer endpoints.
- You can ask us to delete or export your data at any time. See Your rights below.
Who we are
PluggedIn Advisory is a professional services firm headquartered in the United States, serving clients globally. References to “PluggedIn,” “we,” or “us” in this policy refer to PluggedIn Advisory.
If you have questions about this policy or our data practices, contact us at hello@plugedin.ai.
Information we collect
We collect information in three ways. We do not buy or rent personal information from third-party data brokers.
1. Information you give us directly
This is the bulk of what we hold:
- Contact form submissions: name, email, company, role, the audience you identify with, your message, and the urgency you indicate.
- Chat conversations: the messages you send to our assistant and the assistant's replies, plus any name, email, company, or context you share during the chat.
- Discovery-call requests: name, email, company, role, audience, situation summary, and proposed times.
- Lead captures: name, email, and a brief situation summary if you ask us to follow up later.
2. Information collected automatically
- IP address: hashed (SHA-256) before storage for rate-limiting purposes only. We do not retain raw IP addresses.
- User-agent string: the technical identifier sent by your browser (e.g., browser version, operating system). Stored with each chat conversation for diagnostic purposes.
- Referring URL (optional): the page on our site you came from when starting a chat.
We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other third-party analytics or advertising trackers.
3. Cookies and similar technologies
We use a minimal set of strictly necessary technologies:
- Session storage (browser-side, not a cookie): the chat assistant uses sessionStorage to persist your conversation across page reloads in the same browser tab. Cleared when you close the tab.
- Admin authentication cookie: a single HTTP-only, same-site, secure cookie used only on the /admin surface for authorized PluggedIn personnel. Not present on visitor-facing pages.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No consent banner is required because we do not set non-essential cookies.
How we use your information
- To respond to your inquiry, schedule discovery calls, and follow up on leads.
- To deliver advisory services if you become a client (per the engagement letter, not this notice).
- To prevent abuse — IP rate limiting on the contact form and chat endpoint.
- To improve the chat assistant — reviewing conversations to refine its responses, with PII anonymized when used for training-set examples.
- To meet legal obligations when we have them.
Lawful basis (GDPR): we process your information under legitimate interest (responding to website inquiries you initiated), contract (when you become a client), and legal obligation (when applicable).
AI and your data
We use AI tools in our delivery work and in the website chat assistant. Our AI posture is documented in detail on our AI Principles page. The short version that applies to website visitors:
- The website chat assistant runs on PluggedIn-managed infrastructure. Your conversation is processed under our approved enterprise data controls.
- Retention is disabled where the underlying tool allows it. Client data is not used for model training where contractually covered.
- Inference runs through approved enterprise AI infrastructure with retention and model-training disabled at the contract level — not through consumer AI endpoints. Engagement-specific provider configurations are documented in writing during scoping.
- We retain conversation transcripts to follow up on bookings and leads, refine the assistant, and for legitimate-interest review. See retention below.
How long we keep your information
- Active conversations and active leads: kept while the relationship is active and for a reasonable follow-up window.
- Abandoned conversations (no activity for 30 days): auto-archived after 90 days.
- Confirmed client engagements: subject to the retention terms in the engagement letter, typically 7 years for tax and audit records.
- Hashed IP addresses: rolled out of the rate-limit cache within 24 hours.
You can request earlier deletion at any time. See Your rights.
How we protect your information
- The site is served over HTTPS with HSTS preload and strict transport security.
- Database files containing visitor information have restrictive filesystem permissions and live on full-disk-encrypted hosts.
- Admin access is gated behind authentication with HTTP-only, same-site, secure cookies.
- API endpoints have per-IP rate limits and honeypot fields to deter abuse.
- We follow a documented incident-response procedure if information is exposed inadvertently.
No system is perfectly secure. If you believe your information has been compromised, contact us at hello@plugedin.ai.
Your rights
Under GDPR (EU/UK), CCPA/CPRA (California), and similar state laws, you have rights over your personal information. We honor these rights for all users regardless of where you reside:
- Access — ask what we hold about you and receive a copy.
- Correction — ask us to correct inaccurate information.
- Deletion — ask us to delete your information (subject to retention obligations for active engagements and tax records).
- Portability — receive your information in a structured, commonly used format.
- Objection — object to our processing of your information.
- Opt out of sale or sharing — not applicable because we do not sell or share for advertising.
- Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service for exercising these rights.
To exercise any of these rights, use the form below or email hello@plugedin.ai with the subject line “Data Request” and the action you want. We respond within 30 days. We may need to verify your identity before acting on the request.
Submit a data request
If you are in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.
International transfers
If you are located outside the United States, your information will be processed in the United States. We rely on standard contractual clauses (or successor mechanisms) where required for transfers from the EU/UK. For clients with data-residency requirements, we can scope engagements to operate within specific geographies — see AI Principles or contact us during scoping.
Children
Our services are not directed to children under 13, and we do not knowingly collect information from them. If you believe we have inadvertently received information from a child, contact us and we will delete it.
Changes to this policy
We update this policy when our practices change. The “Last updated” date at the top of the page reflects the most recent revision. Material changes will be surfaced in a banner on the site for 30 days after publication. Active clients are notified directly of changes that affect their engagement.
Contact us
Privacy questions, complaints, or data requests: hello@plugedin.ai.
Mailing address:
PluggedIn Advisory
30 N Gould St, Suite #58023
Sheridan, WY 82801
United States