Microsoft Project Online retires September 30, 2026, migrate to a modern platform before it's too late.Start migration

Legal

Privacy Policy

Last updated: April 16, 2026

This Privacy Policy describes how Devsoft Solutions ("we," "us," or "our"), the company behind Onplana, collects, uses, discloses, and protects your personal information when you use the Onplana platform, website (onplana.com), and related services (collectively, the "Service").

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, and password when you create an account.
  • Organization data: Organization name, team members, and billing information.
  • Project data: Projects, tasks, comments, documents, and other content you create within the Service.
  • Payment information: Credit card and billing details processed securely by our payment processor (Stripe). We do not store full card numbers on our servers.
  • Communications: Information you provide when contacting support, submitting feedback, or responding to surveys.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, and actions taken within the Service.
  • Device information: Browser type, operating system, device type, and screen resolution.
  • Log data: IP address, access times, referring URLs, and error logs.
  • Cookies and similar technologies: See our Cookie Policy for details.

1.3 Information from Third Parties

  • SSO providers: If you sign in via SAML or OIDC (e.g., Azure AD, Okta), we receive your name, email, and identity provider metadata.
  • Imported data: When you upload native .mpp files, import Microsoft Project XML exports (MSPDI), or connect to Microsoft Project Online via OData, we process the project data you choose to import.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send billing-related communications
  • Send product updates, security alerts, and support messages
  • Respond to your requests and provide customer support
  • Analyze usage patterns to improve features and user experience
  • Detect, prevent, and address security incidents and fraud
  • Comply with legal obligations

3. AI Data Processing

Onplana's AI features are powered by Anthropic's Claude and/or Azure OpenAI, selected per-organization by your admin. The chosen provider processes your project data to generate risk detection, plan generation, and other AI-powered recommendations. Important details:

  • Your data is not used to train AI models. Project data sent to AI providers is used solely to generate responses for your specific request.
  • AI processing occurs in real-time and data is not retained by AI providers beyond the duration of the request.
  • Bring your own AI (Enterprise): You can point Onplana at your own Azure OpenAI deployment, inference then stays entirely within your Azure tenant under your Microsoft data processing agreement.
  • You can disable AI features at any time without affecting core platform functionality.

4. Third-Party Integrations

When you connect a third-party service (Google, Microsoft, and other providers listed on our Integrations page) to your Onplana workspace, Onplana receives access tokens that allow us to access specific data from that service on your behalf. We request the narrowest scope necessary for each feature and store all tokens encrypted at rest using AES-256-GCM.

4.1 Google User Data

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access:

  • Google Calendar (calendar.events.readonly): to display upcoming events alongside your Onplana tasks and project timelines.
  • Google Drive (drive.file): to attach files you explicitly select through the Drive file picker to Onplana tasks and projects. We do not scan, list, or access any file you have not explicitly chosen.
  • Google profile (openid, profile, email): to identify you when you sign in with Google.

How we use this data:

  • Calendar events and Drive file metadata are displayed only to members of the specific Onplana organization you authorized the connection for.
  • We do not sell, rent, or share Google user data with third parties for advertising.
  • We do not use Google user data to train artificial intelligence or machine-learning models.
  • We do not transfer Google user data except to comply with applicable law or as part of a merger, acquisition, or sale of assets, with user notice.

Where we store it:

  • Access tokens and refresh tokens: encrypted with AES-256-GCM and stored in our managed PostgreSQL database hosted on Microsoft Azure (West US region).
  • Cached calendar and file metadata: stored within your organization's tenant database and not shared across Onplana organizations.
  • All data in transit uses TLS 1.2 or higher.

How to disconnect and delete:

  • Click "Disconnect" on any integration from your Onplana Integrations page. Access tokens are revoked at Google within seconds; cached data is deleted within 24 hours.
  • You can also revoke Onplana's access directly at myaccount.google.com/permissions.
  • For complete account deletion, including all associated Google-derived data, contact privacy@onplana.com.

4.2 Microsoft User Data (via Microsoft Graph)

We access the following scopes when you connect a Microsoft account:

  • Outlook Calendar (Calendars.Read): to display meetings in your Onplana dashboard.
  • OneDrive (Files.ReadWrite.All or narrower, depending on feature): to attach files you select to Onplana tasks.
  • Microsoft profile (User.Read): to identify you when signing in with Microsoft.

Use, storage, and deletion practices for Microsoft data are identical to those described for Google user data above.

You can revoke Onplana's access to your Microsoft account at myaccount.microsoft.com or via your organization's Microsoft 365 admin center.

4.3 Data Retention Summary

Data typeRetentionDeletion trigger
OAuth access tokensUntil disconnectImmediate on disconnect
OAuth refresh tokensUntil disconnectImmediate on disconnect
Cached calendar eventsUp to 24 hoursAutomatic rolling + 24h after disconnect
Cached file metadataUp to 24 hoursAutomatic rolling + 24h after disconnect
Connection audit record30 days after disconnectAutomatic after 30 days
Account and all derived data (on request)-Within 30 days of privacy@onplana.com request

5. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

  • Service providers: We use third-party services for payment processing (Stripe), email delivery (Azure Communication Services), hosting (Microsoft Azure, West US), and analytics. For the full list with purposes, regions, and DPA references, see our Subprocessors page. These providers are contractually bound to protect your data.
  • Within your organization: Other members of your Onplana organization can see project data, team information, and activity within the organization scope.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
  • With your consent: We may share information with third parties when you explicitly authorize it (e.g., enabling integrations).

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account or organization:

  • Project data is moved to soft-delete (Recycle Bin) for 30 days, then permanently deleted.
  • Account information is deleted within 90 days of account closure.
  • Backup copies are purged within 180 days.
  • Anonymized, aggregated usage statistics may be retained indefinitely.
  • FREE-tier inactivity deletion: per our Terms of Service section 7.3, FREE-tier organizations that remain inactive for 90 days are automatically deleted. Self-service data export is available at any time at Settings, Privacy, Export My Data.

7. Email Communications

Onplana sends the following categories of email:

Transactional emails (always sent, regardless of preferences):

  • Account confirmation, password reset, 2FA codes
  • Project notifications you've subscribed to in-app
  • Service-critical alerts (suspension, billing failures, security events)

FREE-tier onboarding emails (sent to new FREE-tier users in their first 30 days):

  • A welcome email on Day 1 of your account
  • A product-feature email on Day 10 (only if you have opted into marketing communications)
  • A check-in email on Day 25

FREE-tier inactivity emails (sent to inactive FREE-tier organizations, see our Terms of Service section 7.3 and the Free-tier policy):

  • A warning email after 45 days of inactivity
  • A suspension notice after 60 days
  • A deletion confirmation after 90 days

Legal basis: legitimate interest (GDPR Article 6(1)(f)). These communications are an inherent part of providing the FREE tier service. The Day 10 product-feature email is gated on explicit marketing consent because EU ePrivacy guidance classifies feature-promotion email as marketing; the other five lifecycle emails are direct service communications.

You can unsubscribe from the onboarding + inactivity sequence at any time via the link in each email footer, or in Settings, Notifications, Lifecycle emails. Unsubscribing only stops the lifecycle channel; transactional emails (password reset, 2FA, project notifications you subscribed to) continue regardless.

Marketing communications (only sent with explicit opt-in):

  • Product newsletters, webinar invitations, customer-success stories
  • Requires opt-in at signup or in Settings; can be revoked at any time.

We honor unsubscribe requests within 10 business days (CAN-SPAM Act compliance). California, Virginia, Colorado, Connecticut, and Utah residents: see our Do Not Sell or Share My Personal Information notice below.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls with role-based permissions and audit logging
  • Infrastructure hosted on SOC 2 compliant cloud providers
  • Two-factor authentication (TOTP) available for all accounts
  • IP allowlisting and session management for Enterprise plans

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal data (right to erasure)
  • Export your data in a portable format
  • Object to or restrict certain processing activities
  • Withdraw consent where processing is based on consent

To exercise these rights, email privacy@onplana.com. We will respond within 30 days.

9.1 Do Not Sell or Share My Personal Information (CCPA / VCDPA / CPA / CTDPA / UCPA)

California, Virginia, Colorado, Connecticut, and Utah residents have the right to opt out of the sale or sharing of their personal information. Onplana does not sell personal information.

We do engage in one form of sharing that may qualify as "cross-context behavioral advertising" under CCPA: as described in section 9.2 below, when you have explicitly opted into marketing communications, we may share a one-way hashed form of your email address with LinkedIn and Google Ads so those platforms can show you Onplana ads and identify users with similar profiles. This activity is limited to users who have given marketing consent and uses irreversible SHA-256 hashing, not plaintext addresses.

To exercise the right to opt out of any sale or sharing, including the ad-platform export described in section 9.2, email privacy@onplana.com with the subject line "Do Not Sell or Share". You may also use the unsubscribe link in any marketing email; revoking marketing consent automatically removes you from future ad-platform exports as well.

9.2 Retargeting & Lookalike Audiences (LinkedIn, Google Ads)

If you have given explicit marketing consent (typically via the marketing-email opt-in during signup or the Day 10 in-app prompt), Onplana may include your email address in audience lists shared with our paid advertising platforms, currently LinkedIn Matched Audiences and Google Ads Customer Match. Two important properties:

  • We share a SHA-256 hash, not your plaintext address. Each platform receives a 64-char hexadecimal hash of your normalized email. The hash is one-way: the platform cannot derive your plaintext address from it. If your address matches a hash they already have on file, you become eligible to be shown Onplana ads; otherwise the hash is discarded by the platform after the retention window.
  • The lookalike step happens platform-side. Once the platform has matched your hash, it may use its own internal signals to find users with similar profiles and serve them Onplana ads. Onplana never sees the lookalike audience members or their personal data.

Opting out: revoke marketing consent (unsubscribe from any marketing email, or emailprivacy@onplana.com) and you will be excluded from all future audience exports. We cannot retroactively remove your hash from a list a platform already received, but the platforms' own retention windows (typically 540 days for LinkedIn, periodic refresh for Google) mean the hash drops out of active matching automatically once we stop including you in subsequent exports.

Users who have NOT given marketing consent are never included in these exports. Freebie tool users who only submitted an email to unlock a report, without converting to a signed-up account that opted into marketing, are never exported. Signed-up users who unsubscribed from marketing are never exported.

9.3 Follow-up emails after using a free tool

When you submit your email to unlock a report from any of Onplana's free tools (Schedule Health Check, Migration Preview, PMO Maturity Assessment, Resource Heatmap, Resource Leveler, Migration Cost Calculator, Status Report Writer, AI Gantt, Project Online Inventory Checklist), you'll receive:

  • One email with your report — sent immediately after you complete the unlock form. This is the report you asked for; it's the whole point of submitting your address.
  • A short follow-up series — typically 3 to 5 emails over the following 2 to 4 weeks, containing tips and patterns related to the same topic (resource overallocation, MS Project migration, schedule health, etc.). The exact number depends on which tool you used: 3 emails for AI Gantt / Resource Leveler / Resource Heatmap / Migration Cost Calculator / Status Report Writer, 4 emails for PMO Maturity Assessment / Project Online Inventory Checklist, 5 emails for Schedule Health Check and Migration Preview.

Why we send them: the follow-up series is the most efficient way for us to share related tactics, gotchas, and edge cases that didn't fit in the report itself. Under EU GDPR Article 6(1)(f) we rely on legitimate interest as the lawful basis — you explicitly requested the report and reasonably expect related follow-up communications about the same subject for a short window. Under US CAN-SPAM the series complies via per-email unsubscribe headers and the unsubscribe link in every footer.

How to stop them: click "Unsubscribe" in the footer of any follow-up email, or click the one-click unsubscribe affordance your mail client surfaces (Gmail and Apple Mail render this natively because we ship RFC 8058 List-Unsubscribe headers). Either way, you'll be removed from the series immediately. Unsubscribing from a follow-up series is independent of any account-level marketing consent you may set separately if you later sign up for an Onplana account.

What we do NOT do with these submissions:

  • We do not share your address with third parties (see section 9.2 — only signed-up users with explicit marketing consent are eligible for hashed-email export to ad platforms).
  • We do not retain your uploaded files past the documented retention window (24 hours for Schedule Health Check uploads, 90 days for analysis snapshots — see section 7).
  • We do not enroll you in unrelated marketing campaigns (newsletters, webinars, surveys) without separate consent. The follow-up series is scoped to the topic of the tool you used.

10. International Data Transfers & Subprocessors

Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers outside the European Economic Area. For the full list of subprocessors Onplana engages, their purpose, data category, and region, see our Subprocessors page, updated whenever the list materially changes, per GDPR Art. 28(2).

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at privacy@onplana.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for significant changes, by sending an email to the address associated with your account.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email: privacy@onplana.com
  • Company: Devsoft Solutions
  • Postal address: 141 Traction St, Unit 2011, Greenville, SC 29611, USA
  • EU representative (GDPR Art. 27): TBD
  • Website: devsoft.com

We use strictly-necessary cookies to operate this site (sign-in, anti-spam). With your consent, we also use Google Analytics 4 (anonymized IP) to understand which pages are useful. No ad tracking. See our Cookie Policy and Privacy Policy.