1. Overview & Scope
1.1 Who We Are
Plathera is a product and brand of HaiBuilt Inc ("Plathera," "we," "us," or "our"), a software company that provides AI-powered project management solutions. Plathera is an AI-powered project management platform specifically designed for Engineering, Procurement, and Construction (EPC) projects. We revolutionize how teams manage complex infrastructure and construction projects through intelligent automation, predictive analytics, and seamless collaboration tools.
1.2 What This Policy Covers
This Privacy Policy describes how HaiBuilt Inc (DBA Plathera) collects, uses, stores, shares, and protects personal information and data when you:
- Visit our public website at https://www.plathera.com (the "Website")
- Request a product demo or contact us for information
- Use the Plathera platform and services through your organization's tenant-specific subdomain (e.g., https://[your-organization].plathera.com)
- Interact with our AI-powered features and intelligent agents
- Communicate with us via email, support channels, or other means
This policy applies to all data processing activities conducted by Plathera in connection with our services.
1.3 Who This Policy Applies To
This Privacy Policy applies to the following categories of individuals:
- Website Visitors: Anyone who visits plathera.com or views our marketing materials
- Demo Requesters: Individuals who request product demonstrations or information about our services
- Enterprise Client Administrators: Organization representatives who manage Plathera accounts and configurations
- End Users: Individuals within client organizations who access and use the Plathera platform with various permission levels (System Administrators, Project Managers, Team Members)
- Business Contacts: Individuals we communicate with in the course of business operations
1.4 Key Definitions
For purposes of this Privacy Policy:
- "Personal Information" or "Personal Data" means any information relating to an identified or identifiable individual.
- "Customer" or "Enterprise Client" refers to the organization that has contracted with Plathera to use our platform.
- "End User" refers to individuals within a Customer organization who access the Plathera platform.
- "Customer Data" means any data, content, or materials that Customers or End Users submit, upload, or input into the Plathera platform, including project data, documents, and files.
- "Services" means the Plathera platform, including all features, AI agents, integrations, and related support services.
- "Tenant" refers to an isolated instance of the Plathera platform dedicated to a specific Customer organization, accessible via a unique subdomain.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
1.5 Acceptance of This Policy
By accessing our Website, requesting a demo, or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you are an End User accessing Plathera through your employer or organization, you should also review your organization's privacy policies, as they may have additional rights and responsibilities regarding your data.
If you do not agree with this Privacy Policy, please do not use our Website or Services.
2. Information We Collect
Plathera collects different types of information depending on how you interact with our Website and Services. We are committed to collecting only the information necessary to provide, improve, and secure our Services.
2.1 From Website Visitors
When you visit our public website at plathera.com, we may automatically collect technical information including pages you view and links you click, time spent on pages, referring website or source, navigation paths, browser type and version, operating system, device type, screen resolution, language preferences, time zone settings, and IP addresses for security and geographic insights (country/region level).
We may use analytics services (such as Google Analytics) to understand how visitors use our Website. These services may use cookies and similar technologies to collect aggregated usage statistics.
2.2 From Demo Requesters and Account Holders
When you request a product demonstration or contact us for information about Plathera, we collect: full name, work email address, company name, company size, job title or role, and any additional information you choose to provide. This information is used solely to respond to your inquiry, schedule demonstrations, and provide you with relevant information about our Services.
If your organization contracts with Plathera and you are provisioned as an End User, your organization's administrators may provide us with your name, email address, job title or role, department or team assignment, and user permission level.
Once you access the Plathera platform, we collect data about your activities to provide Services, improve functionality, and ensure security: login/logout times and session duration, features and tools accessed, actions performed, search queries within the platform, AI agent interactions and prompts submitted, collaboration activities, and user preferences and settings.
We do not collect or store payment card information directly. Payment terms and billing are handled through our service agreements and contracts with Enterprise Clients.
2.3 From Enterprise Clients
When an organization signs a contract with Plathera, we collect organization name and legal entity information, billing contact information, primary administrator contact details, contract terms and service agreement details, and tenant subdomain configuration.
Customer Data is the most sensitive category of data and is fully controlled by our Enterprise Clients. Customers and End Users may upload engineering documents, project data, construction documentation, procurement records, business data, proprietary information, and communication records. Plathera acts as a Data Processor for Customer Data. Our Customers are the Data Controllers who determine what data is uploaded and how it is used.
Plathera offers optional integrations with third-party platforms including Autodesk Construction Cloud (ACC), Procore, Microsoft SharePoint/Graph API, Single Sign-On (SSO) Providers, and Supabase. AI and machine learning services may include OpenAI, Anthropic (Claude), and Google Gemini, based on your organization's configuration and contract.
3. How We Use Information
We use information to provide, operate, and maintain the Plathera platform; to power AI agent operations, document processing, natural language processing, predictive analytics, workflow automation, and collaboration features; to communicate with you for service notifications, support, and onboarding; to analyze usage patterns and improve the platform; to protect our platform and users from threats and fraud; and to meet legal obligations.
Important: Analytics are performed on aggregated, de-identified data whenever possible. We do not sell or share individual usage data with third parties for their marketing purposes. We do not use Customer Data for training third-party AI models without explicit consent.
With appropriate consent, we may use contact information to share product updates, educational content, and event invitations. All marketing communications include clear unsubscribe options. Transactional and security-related communications cannot be opted out of.
4. How We Share Information
Plathera does not sell your personal information or Customer Data to third parties. We only share information in the limited circumstances described below, and we require our service providers to protect your data with the same level of care that we do.
4.1 With Service Providers and Subprocessors
Current subprocessors include Google Cloud Platform (GCP) for cloud infrastructure hosting; Supabase for database management, authentication services, and backend infrastructure (each Customer receives an isolated Supabase instance); OpenAI, Anthropic (Claude), and Google Gemini for AI capabilities based on your organization's configuration; and Autodesk Construction Cloud, Procore, Microsoft SharePoint/Graph API, and SSO Providers when enabled by the Customer.
A current list of all subprocessors is maintained and available upon request. We will notify Enterprise Clients of any changes to our subprocessor list in accordance with our service agreements.
4.2 With Enterprise Administrators and Authorized Users
Within your organization's Plathera tenant, data is shared according to access permissions configured by your administrators. System Administrators have full access to all data, users, and configurations. Project Managers have access to data for projects they manage. Team Members have access to projects and data they are assigned to. Your organization controls these permissions and data access.
4.3 For Legal Compliance and Law Enforcement
We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable laws, respond to valid legal processes, protect the rights, property, or safety of Plathera or our customers, enforce our Terms of Service, or detect and prevent fraud or security issues. For Enterprise Clients, whenever legally permissible, we will notify your organization before disclosing Customer Data in response to legal process. To date, we have not received any legal requests for Customer Data.
4.4 In Connection with Business Transfers or Mergers
If Plathera or HaiBuilt Inc is involved in a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar business transaction, personal information and Customer Data may be transferred to the acquiring or successor entity. You will be notified via email and/or prominent notice on our Website. The acquiring entity will be required to honor this Privacy Policy.
4.5 Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you or your organization, for industry research, product development, and marketing purposes. This data does not contain any personally identifiable information or proprietary business data.
5. Cookies & Tracking Technologies
Plathera uses cookies and similar technologies to provide, secure, and improve our Services. We use essential/strictly necessary cookies required for authentication, security, load balancing, and session management. We use performance and analytics cookies, including Google Analytics (planned for plathera.com), to understand how visitors use our Website. We use functionality cookies to enable enhanced functionality and personalization. We may use targeting/marketing cookies on our public website to measure campaign effectiveness.
You can manage cookies through browser settings in all modern browsers. You can opt out of marketing cookies through LinkedIn and Google Ads settings. Disabling essential cookies will prevent you from logging into and using the Plathera platform.
Third-party services have their own privacy policies: Google Analytics: https://policies.google.com/privacy; Microsoft/Azure: https://privacy.microsoft.com/; LinkedIn: https://www.linkedin.com/legal/privacy-policy; Supabase: https://supabase.com/privacy.
6. Data Retention
Plathera retains personal information and Customer Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
For active Enterprise Clients, we retain all data indefinitely to support ongoing operations. System logs are typically retained for 12–24 months on a rolling basis. Enterprise Clients and authorized users can delete specific files, projects, or content at any time through the platform.
When an Enterprise Client's service agreement expires or is terminated, we notify the primary account contact and administrators. You have 90 days from the termination date to export and retrieve all Customer Data. Following this grace period, all Customer Data is permanently deleted from our active systems. We may retain certain data beyond the 90-day period when required by law, including financial records required for tax or accounting purposes (typically 7 years).
When data is scheduled for deletion, it is first soft-deleted and removed from active systems and user access, then hard-deleted after a brief retention period (typically 30 days), then purged from backups as those backup snapshots expire, using secure disposal methods including overwriting or cryptographic erasure.
7. Security Measures
Protecting your data is one of our highest priorities. All data transmitted between your device and Plathera servers is encrypted using TLS 1.2 or higher. All stored data is encrypted at rest using AES-256 or equivalent encryption standards. All backups are encrypted both during transfer and while stored.
Our infrastructure is protected by network-level firewalls, DDoS protection through Google Cloud Platform, network segmentation for customer tenant isolation, intrusion detection, and regular patching. We enforce granular role-based access controls with System Administrator, Project Manager, and Team Member permission levels.
Plathera employees have extremely limited access to Customer Data. No default access is granted — support access requires a specific support ticket, explicit written authorization from the Customer's Account Administrator, access limited to the minimum data necessary to resolve the specific support issue, and full audit logging of all access. All internal access to Customer Data is logged and auditable.
In the event of a data breach, we will notify Enterprise Clients within 72 hours of becoming aware of the breach (GDPR compliance), notify Individual End Users as required by applicable laws, and notify regulatory authorities as required by law.
We are working toward obtaining SOC 2 Type II and ISO 27001 certifications. If you discover a security vulnerability, please report it to security@plathera.com.
8. International Data Transfers
By default, Plathera infrastructure is hosted on Google Cloud Platform (GCP) in the Western United States. Enterprise Clients can choose to have data stored in specific geographic regions including the United States, European Union (for GDPR compliance), United Kingdom, Canada, Asia-Pacific, and other regions as requested and technically feasible.
When personal data is transferred internationally, particularly from the European Economic Area (EEA), the United Kingdom, or Switzerland, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and supplementary security measures including encryption in transit (TLS 1.2+), encryption at rest (AES-256), and access controls limiting who can access transferred data.
We incorporate the 2021 EU Standard Contractual Clauses into our Data Processing Agreements. Plathera (HaiBuilt Inc) is working toward certification under the EU-US Data Privacy Framework (DPF) and UK Extension to the EU-US DPF. Until DPF certification is complete, we rely on Standard Contractual Clauses for EU-US and UK-US data transfers.
For questions about data regions, contact legal@plathera.com or your account representative.
9. Enterprise Data Responsibilities
When your organization uses the Plathera platform, you (the Enterprise Client) are the Data Controller for personal data of your End Users and all Customer Data in your Plathera tenant. As the Data Controller, your organization is responsible for ensuring a lawful basis to collect and process personal data, informing your End Users about how their data will be processed, obtaining necessary consents, minimizing data collection, managing data subject rights requests, and providing privacy notices to employees and team members about Plathera's processing.
Plathera acts as a Data Processor when processing Customer Data on behalf of Enterprise Clients. We process data solely to provide the Plathera platform and Services as described in our service agreement, and commit to following your processing instructions, maintaining confidentiality, implementing appropriate security measures, managing subprocessors with your authorization, assisting with data subject rights requests, notifying you of any data breach, and deleting or returning Customer Data upon termination.
We will provide 30 days' advance notice before engaging any new subprocessor that will process Customer Data. If you object to a new subprocessor on reasonable data protection grounds, you may notify us in writing within the 30-day notice period.
10. Data Processing Addendum (DPA)
A Data Processing Addendum (DPA) is a legal agreement that supplements our main service agreement and governs how Plathera processes personal data on behalf of Enterprise Clients, designed to ensure compliance with GDPR, CCPA/CPRA, and other applicable privacy laws. A DPA is particularly important for EU/EEA/UK organizations, organizations processing EU residents' data, and US organizations subject to CCPA.
Enterprise Clients can request a DPA by contacting their account representative or emailing legal@plathera.com with their organization name, primary contact information, and any specific compliance requirements. We aim to provide DPA templates within 5 business days of request.
Our DPA commits Plathera to: processing Customer Data only according to your documented instructions; implementing and maintaining appropriate security measures; notifying you of security incidents or data breaches within 72 hours; engaging subprocessors only with your prior authorization; assisting with data subject rights requests; executing Standard Contractual Clauses for transfers outside the EEA; allowing for audits and inspections; and returning or deleting Customer Data upon termination with a 90-day grace period for data export.
In the event of any conflict, the DPA takes precedence over the Privacy Policy for data protection matters. Material changes to the DPA require mutual written agreement.
11. Your Privacy Rights
Important Note for Enterprise End Users: If you are an employee or contractor accessing Plathera through your organization's account, your organization (the Data Controller) is primarily responsible for handling your privacy rights requests. Contact your organization's privacy officer, HR department, or designated contact. We will assist your organization in fulfilling such requests as outlined in Section 9.
11.1 Rights Under GDPR (EEA/UK Residents)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the GDPR or UK GDPR provides you with: the right to access a copy of your personal data; the right to rectification of inaccurate or incomplete data; the right to erasure ("right to be forgotten") in certain circumstances; the right to restrict processing; the right to data portability; the right to object to processing (including for direct marketing); rights related to automated decision-making; and the right to lodge a complaint with a supervisory authority.
EU/EEA Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en. UK Supervisory Authority: Information Commissioner's Office (ICO) — https://ico.org.uk/.
11.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the CCPA and CPRA provide you with: the right to know what personal information we collect; the right to delete personal information we have collected; the right to correct inaccurate personal information; and the right to opt-out of sale or sharing.
We Do Not Sell Your Personal Information. Plathera does not sell personal information to third parties for monetary consideration. We will not provide discriminatory treatment for exercising your CCPA/CPRA rights.
11.3 Other Regional Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut, Utah, Montana, and other states with comprehensive privacy laws have rights including access, correction, deletion, portability, and opt-out from targeted advertising and profiling. We commit to honoring privacy rights requests from residents of all states with applicable privacy laws.
11.4 How to Exercise Your Rights
For website visitors and demo requesters, submit privacy rights requests to privacy@plathera.com with subject line "Privacy Rights Request," your full name and email address, the specific right you wish to exercise, and sufficient detail to allow us to locate your information.
For Enterprise End Users, contact your organization's HR, legal, or privacy team first as they are the Data Controller. Your organization's Account Administrator will submit authorized requests to us on your behalf. We cannot process privacy rights requests from individual End Users without authorization from their organization's Account Administrator.
We will acknowledge your request within 5 business days and provide a substantive response within 30 days (with possible extension to 60 days for complex requests). If we cannot fulfill your request, we will explain why and advise on your right to appeal.
You may designate an authorized agent to submit privacy rights requests on your behalf. Authorized agents should email privacy@plathera.com with proof of authorization, the specific request being made, and contact information for both agent and consumer.
12. Changes and Updates to This Policy
Plathera may update this Privacy Policy from time to time to reflect changes to our business practices, new features, changes in applicable privacy laws, or new technologies or security measures. For material changes, we will provide 30 days' advance notice via email notification to primary contacts and Account Administrators, in-platform notification for active users, and a prominent notice on our website.
By continuing to use our Website or Services after the effective date of an updated Privacy Policy, you acknowledge and accept the updated terms. Material changes will apply prospectively from the effective date. We will not retroactively change how we handled data collected under previous versions of the Privacy Policy without obtaining your consent or as required by law.
We maintain an archive of previous versions of this Privacy Policy. You can request access to previous versions by contacting privacy@plathera.com.
13. Contact Information
HaiBuilt Inc (DBA Plathera) is in the process of designating a Privacy Officer or Data Protection Officer (DPO). Until designated, privacy matters should be directed to privacy@plathera.com, monitored by our legal and compliance team.
Physical Address:
HaiBuilt Inc, DBA Plathera
2108 N St., Ste N
Sacramento, CA 95816
United States of America
Email Contacts:
- General Information: info@plathera.com
- Privacy Matters: privacy@plathera.com — for privacy questions, data subject rights requests, and privacy-related concerns
- Legal and Compliance: legal@plathera.com — for Data Processing Agreements, Standard Contractual Clauses, and legal compliance matters
- Security Issues: security@plathera.com — for reporting security vulnerabilities, suspected data breaches, or security concerns
- Data Retention: data-retention@plathera.com — for data retention policy questions or custom retention schedule requests