Privacy Policy

Last updated: 16 May 2026

This policy explains, in plain language, what personal data Plumpio handles, why, and what choices you have. Plumpio is a safe family messenger — built for the whole family, including young children — so we collect as little as we can and we encrypt what families say to each other so that we cannot read it. Plumpio is currently in a closed friends beta.

The data controller is the operator of Plumpio. For any privacy question, or to exercise your rights, contact [email protected]. This is also our dedicated contact point for regulators and law-enforcement authorities.

Family Members

Plumpio is built around one adult — the family Owner — and the people that adult adds. The Owner is the parent or guardian and is the party we contract with. Everyone else in a family — the children, a co-parent, and contacts such as grandparents, relatives and family friends — is a family member added by the Owner, not a separate customer of ours.

Children's data. A child never signs up themselves. The parent creates the child's profile (a nickname and a cartoon avatar) and the child sets up a passkey on their device so they can sign in without a password. We do not collect a child's real name, phone number, email address, precise location, or any behavioural or advertising profile. We never use any child's data for advertising or profiling, and we never sell data. Children's personal data is processed only on the basis of the parent's consent under Article 8 GDPR, which the parent gives at sign-up. A parent can withdraw that consent at any time by deleting the family.

The parent as gatekeeper. Because the Owner chooses and approves every person a child can talk to, there is no public directory, no friend search, and no way for a child to be contacted by a stranger through Plumpio. Identity is a chosen nickname plus an opaque, single-purpose invitation link — there are no phone numbers anywhere in the product.

What we collect and why

  • Owner / co-parent account: email address (for sign-in recovery and important service notices), the chosen family name, and the public part of the passkey credential. Lawful basis: performance of our contract with the Owner (Article 6(1)(b) GDPR).
  • Children and contacts: a nickname, a chosen avatar, and the public part of a passkey credential. Lawful basis for children: parental consent (Article 8 GDPR). Lawful basis for adult contacts: our legitimate interest in operating a closed, parent-controlled circle (Article 6(1)(f) GDPR).
  • Parental-consent record: the timestamp of the Owner's consent and the IP address it was given from, kept as evidence that consent was given (Article 7(1) GDPR). Lawful basis: compliance with our legal obligation and our legitimate interest in being able to demonstrate lawful processing.
  • Connection metadata: which family members share a conversation, when conversations and accounts were created, message timestamps, and the size of media files. We see this because we route messages; we do not see their content. Lawful basis: performance of the contract and our legitimate interest in running the service reliably and safely.
  • Subscription data: plan, seat count, billing status and invoice references held by us; full payment-card data is handled by Stripe and never reaches our servers. Lawful basis: performance of the contract and our legal obligation to keep accounting records.
  • Push-notification subscription: if a parent enables notifications, the browser push endpoint, so we can alert them about messages. Lawful basis: performance of the contract.
  • Technical request data: IP address and user-agent at the moment of a request, used only for rate-limiting, abuse prevention and security. Lawful basis: our legitimate interest in keeping a children's service safe.
  • Moderation reports: if a parent formally reports a message their child flagged, the reported content the parent chose to send us, kept as a safety and legal record.

We do not run any analytics or tracking in the beta. If we ever add product analytics, it will be a privacy-respecting, cookie-free tool, and this policy will be updated first.

What we cannot see — end-to-end encryption

Every message, sticker, voice note and image is end-to-end encrypted. It is encrypted on the sending device and can only be decrypted on the receiving family members' devices. Our message server stores only the encrypted form (ciphertext), and media files are stored as encrypted blobs whose key never leaves the end devices. We, our hosting provider and our storage provider see only ciphertext.

Because the server does not hold message content in any readable form, end-to-end encrypted message content cannot be exported. A data export from Plumpio contains your account information and connection metadata, and an explicit notice that message content is end-to-end encrypted and therefore not held by us and not exportable. This is a privacy feature, not a gap. For parent and relative accounts we keep an encrypted backup of the keys that unlock message history, so history can be restored when you set up a new device; that backup is encrypted with a one-time recovery code shown to you at setup and never sent to us, so we still cannot read it. Children's accounts have no recoverable backup by design — if a child's device is lost, that child's history is gone and a re-enrolled child starts fresh.

What we can see — metadata we do not try to hide

We are honest about the limits of encryption. As the operator we can see, and a lawful order could compel us to produce, connection metadata: who is a member of which conversation, when accounts and conversations were created, message timestamps, and the size of media files. We cannot see the content of any message, voice note or image. Children's home IP addresses are not exposed to contacts during calls, because calls are always relayed through our own server rather than connecting devices directly.

Where data is stored

Our application database, the message server and the call relay run on single-tenant servers we operate in Germany (Hetzner, EU). Encrypted media blobs and our content-delivery and DNS are provided by Cloudflare, using EU-jurisdiction storage. We do not transfer personal data outside the EU/EEA except to our payment processor where strictly necessary to take payment.

Third-party data processors

We keep third parties to a minimum. We use the following processors, each of which publishes its own data processing addendum:

  • Stripe — payment processing and billing. Stripe receives the data needed to take payment and issue invoices (for example billing name, card details entered directly with Stripe, country for VAT). Stripe retains transaction and invoice records under its own legal retention obligations; when a family is deleted we cancel the subscription, but we cannot delete the records Stripe is legally required to keep.
  • Cloudflare — content delivery, DNS, and EU-jurisdiction object storage (Cloudflare R2) for the encrypted media blobs. Cloudflare sees only encrypted traffic and encrypted blobs, never message content in readable form.
  • Brevo (Sendinblue SAS, France) — sending of system email: the address-verification message a parent receives at sign-up and the account-recovery message for adult accounts. Brevo receives the recipient's email address and the contents of those messages; it never receives message content, and because children have no email address no child's data reaches it. Email is processed within the EU.

We do not use advertising networks, social-media plugins, or third-party analytics trackers anywhere in Plumpio.

No cookie or consent banner

We do not show a cookie banner or a consent pop-up, because Plumpio only uses strictly necessary local storage. We store a sign-in session token and, on the device, the encryption keys needed for end-to-end encryption. Both are essential for the service to work at all; nothing is stored on your device for tracking or advertising. Storage that is strictly necessary to deliver a service the user has asked for is exempt from the consent requirement under the ePrivacy rules, so no banner is shown and the app is usable immediately. See our Cookie/Storage Notice for the exact list.

How long we keep data

  • Account and family data: for as long as the family account exists.
  • Encrypted media blobs (voice notes, images): automatically deleted after 30 days.
  • Encrypted text messages and connection metadata: kept while the account is active, deleted when the family is deleted.
  • Parental-consent record (timestamp and IP): kept while the Owner's account exists, as evidence of lawful processing.
  • Billing records held by Stripe: retained by Stripe under its own legal obligations; we cannot delete those.
  • Moderation reports: retained as a safety and legal record.

Your rights

Under the GDPR you can ask for access to your personal data, correction, erasure, restriction, and you can object to processing based on legitimate interests. The Owner can exercise the family's right to erasure by deleting the whole family. Children and contacts have no email address on file with us; their rights are exercised through the parent who manages the family.

During the closed beta these rights are fulfilled by a manual operator process. To request deletion of your family, or an export of the personal data we hold about your account, email [email protected] from the Owner's registered address. We will fulfil deletion and export requests within 30 days. An export is provided as a structured file containing account details, the parental-consent record (for the Owner), and a list of conversations with the other party's nickname and creation time. It deliberately does not include message content, voice notes, images or stickers, because those are end-to-end encrypted and not held by us in readable form; the export file states this in plain text.

You also have the right to lodge a complaint with your national data-protection supervisory authority.

Changes

We will post any change to this policy on this page and update the date at the top. The beta may bring changes; material changes affecting children's data will be made clear to the Owner.