What we collect, why, and how to get it back.
Plenfi processes dealership lead data and operator account data. This notice lays out what we touch, why we touch it, and how to exercise your rights under GDPR and CCPA. We will tighten the wording with counsel before general availability — flag anything that reads as vague.
Who this notice covers — and what counts as Plenfi.
Plenfi is an operator console for dealership business-development centres (BDCs). This notice covers the marketing website, the operator console at app.plenfi.com, and the AI-mediated communications layer that powers email, SMS, voice, and web-chat interactions on behalf of dealership customers (each a “dealership”).
It applies to three groups of people: (a) dealership operators who sign in and use the console; (b) consumer leads whose contact details and inquiries are processed on a dealership’s behalf; and (c) visitors to plenfi.com.
Plenfi acts as a data processor for the lead and message data inside a dealership’s tenant — the dealership is the controller and decides what to collect and why. Plenfi is the controller for its own marketing site, operator account data, and product telemetry.
What we actually collect — and what we don’t.
Operator account data. Name, work email, dealership affiliation, role, hashed password, session tokens, last-login metadata.
Lead and conversation data on behalf of dealerships. Lead contact details (name, email, phone), vehicle interest, inbound and outbound message content across email, SMS, voice, and web chat, transcripts of AI-mediated replies, lead status, appointment timestamps, and any notes a rep types in.
Marketing-site interactions. Form submissions on plenfi.com (access-request form), the IP and user-agent associated with that submission, and minimal analytics — no third-party advertising or cross-site tracking cookies.
System logs. Per-request logs (URL, status, duration, anonymised IP), AI safety-pipeline outcomes (whether a guardrail fired), webhook signature outcomes, and rate-limit events. Used for security and reliability — not for profiling individuals.
What we do not collect today. Payment card numbers, financial-account details, health data, government IDs, biometric identifiers. The product handles name / contact / vehicle interest only.
Why we hold each kind of data.
To deliver the service the dealership signed up for: route lead messages, generate brand-safe replies, schedule appointments, surface the inbox to the rep handling the lead.
To run the AI safety pipeline: prompt assembly per tenant, guardrails (no APR quotes, no trade-in dollar quotes, brand deflection, only-facts-provided), HTML sanitisation, suppression-list checks. The security page details which file enforces each control.
To meet regulatory and contractual obligations: SMS keyword compliance (STOP / START / HELP via TwiML), webhook-signature enforcement, audit-grade logging of consent and opt-out events.
To improve reliability and security: incident investigation, rate-limit tuning, abuse detection on widget origins.
Plenfi does not sell personal information, and does not “share” personal information for cross-context behavioural advertising (CCPA). Operator and lead data is not used to train third-party foundation models.
GDPR lawful bases at a glance.
Performance of a contract — the operator console, message routing, appointment scheduling, and other core features required to deliver the service the dealership signed up for.
Legitimate interests — security, fraud prevention, abuse detection, rate-limiting, audit logging, and minimal product analytics. Balanced against the rights and freedoms of the data subjects involved.
Consent — for any optional analytics or marketing communications beyond transactional emails. Where Plenfi relies on consent it is captured explicitly and may be withdrawn at any time without affecting prior processing.
Legal obligation — to retain certain compliance and consent records (e.g. SMS opt-in / opt-out) for the period required by applicable carrier and consumer-protection rules.
How long things stick around.
Operator accounts — for the life of the account plus a short wind-down window after closure to honour outstanding requests or disputes.
Lead and conversation data — held for as long as the dealership’s tenant keeps it. A dealership can request deletion of individual leads at any time via the operator console or via a verified DSAR (see “Your rights”).
Marketing-site form submissions — up to twenty-four months from submission, then deleted or aggregated.
Security and audit logs — typically up to twelve months; longer for compliance-critical events (e.g. SMS opt-in / opt-out records).
Backups — encrypted; recycled on a rolling schedule. Deletion requests propagate from primary stores on completion of the next backup-rotation cycle.
Controls in place today — without overclaiming.
Multi-tenant isolation is enforced by per-owner_id keying across every table touched by customer-facing flows, with Postgres row-level security on top.
Webhooks are signature-enforced in production (Twilio HMAC, SendGrid Inbound, BRIDGE_SECRET on the voice WebSocket). Production rejects unsigned or invalid signatures.
AI guardrails strip ungrounded claims, escape user-controlled lead fields, and route SMS keywords through TwiML so that recipients who send STOP always get an acknowledgement.
Two-tier rate limiting at the middleware and per-route layers. Strict security headers and a default-deny content-security policy.
What is not in scope today: SOC 2, HIPAA, PCI. The security page documents the gaps honestly; we revisit as the product matures.
GDPR and CCPA — the same toolbox, plain language.
Under GDPR (EU/UK), you may request access, correction, erasure, restriction, portability, and objection. You may also lodge a complaint with your supervisory authority.
Under the CCPA (California), you may request to know, delete, correct, and limit the use of sensitive personal information. Plenfi does not sell or “share” personal information for cross-context behavioural advertising; there is therefore no “Do Not Sell or Share” mechanism beyond the existing deletion right.
How to submit a request. Email [email protected] from the address tied to the data (or, for consumer leads, the address or phone number used with the dealership). Plenfi will verify the request, route it through the admin DSAR endpoint, and respond within thirty (30) days for GDPR and forty-five (45) days for CCPA. Complex requests may be extended once with written notice.
Free of charge for reasonable requests. We may decline or charge a fair fee for requests that are manifestly unfounded or excessive, with a written explanation.
Authorized agents. Agents acting on a consumer’s behalf must provide written, signed permission and verifiable proof of identity.
AI-generated replies and what stays human.
Plenfi composes drafts of replies to consumer leads using a constrained AI safety pipeline. Drafts are dealership-branded, fact-bounded, and stripped of ungrounded claims before they leave the system.
Automated decisions with legal or similarly significant effects are not made by Plenfi. AI does not approve credit, set pricing, deny service, or take binding action on behalf of a dealership. A dealership representative remains the decision-maker for any commercially material step (financing, trade-in valuation, contract signing).
Consumer leads can request human review of any AI-generated message they received by emailing [email protected] or replying to the message thread.
Where data sits and how it crosses borders.
Plenfi’s primary processing region today is the United States. Some subprocessors operate globally and may process data outside the EU/UK.
For transfers out of the EEA/UK, Plenfi relies on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK addenda with each subprocessor that handles personal data outside an adequacy region.
A list of current data-residency regions and subprocessors is available on request to [email protected].
Not for under-16s.
Plenfi is built for dealership operators, not minors. We do not knowingly collect personal information from anyone under sixteen (16). If you believe a minor has provided information through a dealership using Plenfi, email [email protected] and we will delete it.
If we change this notice.
Material updates to this notice will be flagged on the marketing site and emailed to active operators at least thirty (30) days before they take effect, unless a sooner change is required by law.
Past versions are kept on file. Ask [email protected] for a copy of an earlier version if you need one.
Reach a human. We respond.
Email [email protected] for data-rights requests (export, deletion, correction). For anything else use [email protected].
Security disclosures · [email protected]