← Back to home

Privacy Policy

Last updated: April 2026

Data We Collect

We collect the minimum data necessary to deliver the service:

  • Account information — name, username, email address
  • Workforce data — agent names, employee IDs, program data, contact volumes, average handling time (AHT)
  • Usage data — login timestamps, audit trail of actions performed within the application

How We Use Your Data

  • Service delivery — to provide and maintain the capacity planning tools you use
  • Capacity planning calculations — to compute FTE requirements, forecasts, and workforce metrics
  • Audit and security monitoring — to detect unauthorised access and maintain data integrity

Data Storage

All data is stored in a PostgreSQL database hosted on Render (US/EU regions). Data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2 or higher.

Multi-Tenant Isolation

Each organisation’s data is strictly isolated via a unique tenant identifier. No cross-tenant data access is possible. Your workforce data is never visible to other organisations.

Data Retention

  • Active account data — retained while your subscription is active
  • Audit logs — retained for 12 months
  • Deleted accounts — all associated data is purged within 30 days of account deletion

Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — download a copy of all personal data we hold about you
  • Erasure — request deletion of your account and all associated data
  • Rectification — update or correct your profile information at any time
  • Data portability — export your data in JSON format

How to Exercise Your Rights

Contact your organisation administrator, or email us directly at privacy@capacity-planner.com. We will respond to all requests within 30 days.

Cookies

We use a single session cookie that is strictly necessary for authentication. We do not use tracking cookies, analytics cookies, or any third-party cookies.

Third-Party Sub-processors

  • Render.com — application and database hosting
  • GoDaddy — domain registration

No other third parties have access to your data. We do not sell, share, or transfer your data to any advertising or analytics providers.

Security

We implement industry-standard security measures including:

  • Bcrypt password hashing
  • JWT session encryption
  • Rate limiting on authentication endpoints
  • HTTPS everywhere (TLS 1.2+)
  • Content Security Policy (CSP) headers
  • Full audit trail of user actions

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via the application or email. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

For any privacy-related questions or concerns, contact us at privacy@capacity-planner.com.