Planopti/Privacy / NDA

Privacy Policy

Last updated: 1 March 2026

Commitment of Planopti SA

Client data (staff data, schedules, qualifications, absences, constraints, wishes, holidays) is never collected, transmitted, or accessible by Planopti SA, except for support interventions expressly requested and authorised by the client.

This commitment covers the entirety of the contractual relationship, from the pre-sales phase through to the end of the contract, and applies to all data entered, imported, generated, or stored by the Software.

This policy applies in addition to the software licence conditions and the GDPR policy. In case of contradiction, the terms most protective of the client prevail.

Technical architecture

The Software is fully installed on the client's infrastructure. The architecture guarantees complete isolation:

  • No outbound connection: the Software does not contact any external server. No "phone home", no online licence verification, no cloud synchronisation, no callback
  • Local database: all data is stored in a SQLite database, a single file on the client's server. No remote database, no replication
  • Isolated application: the software runs on-premise on the client's server. The client fully controls the network environment and firewall rules
  • Offline operation: the Software operates without internet access. The CP-SAT solver (Google OR-Tools) is embedded in the application. Updates are delivered as new versions, applied manually by the client's IT team

This architecture means that Planopti SA has, by design, no technical access to client data. Isolation is not an organisational promise: it is a technical impossibility.

Data processed by the Software

The Software processes the following categories of data, all stored locally on the client's server:

  • Staff: employee number, last name, first name, email, phone, contract type (permanent, temporary, part-time, seasonal, etc.), contractual hours, active/inactive status, functional group
  • Qualifications: certified functions per agent (multiple qualifications possible)
  • Slots: working time slots (start time, end time, duration in minutes)
  • Daily requirements: number of agents required per slot and per day
  • Constraints: fixed days, weekend exclusions, caps per qualification, minimum rest, restrictions per agent or group
  • Holidays: public holidays integrated into the calendar by country and region
  • Wishes: individual agent preferences (day preferences, slot preferences)
  • Absences: leave, sick leave, training, with approval workflow (pending, approved, refused)
  • Generated schedules: agent/slot/day assignments produced by the CP-SAT solver
  • Audit log: history of all operations with old and new state
  • Snapshots: complete database captures

The Software does not process any health data, biometric data, banking data, geolocation data, or data relating to ethnic origin, political opinions, or religious beliefs.

No telemetry

The Software contains no telemetry, analytics, or automatic reporting mechanism to Planopti SA or any third party:

  • No collection of usage statistics
  • No automatic error report submission
  • No tracking cookies in the Dashboard
  • No outbound network requests, verifiable by traffic inspection
  • No machine identifier or fingerprint transmitted

The client can verify this absence of telemetry by a network analysis of their infrastructure. The software requires no outbound firewall rules. This verification can be carried out by the client or by an independent third-party auditor.

Transparent technology

The optimisation engine integrated in the Software is CP-SAT from Google OR-Tools, distributed under the open-source Apache 2.0 licence. The source code is publicly available on the official Google repository.

CP-SAT is a deterministic constraint optimisation solver:

  • It contains no learning model (no generative AI, no machine learning)
  • It collects no data and produces no statistical inference about individuals
  • The same input data consistently produces the same result
  • It requires no internet connection to operate

Planopti's proprietary code (Dashboard, constraint modelling, business logic) is not open-source. Its confidentiality is protected by the licence conditions (Article 6 - Restrictions).

Support interventions

In case of a remote support intervention, the following protocol applies:

  • Access is granted only on explicit written request from the client
  • The connection is made via a secure channel (VPN or remote access tool approved by the client)
  • Access is limited to the duration of the intervention and revoked immediately afterwards
  • No personal data is extracted, copied, or transmitted during the intervention
  • An intervention report is provided to the client within 48 hours, detailing the actions taken and the data consulted
  • Planopti SA personnel carrying out the intervention are subject to a contractual confidentiality obligation

Alternatively, the client can generate an anonymised diagnostic report from the Dashboard and send it by email. This report contains only technical information (Software version, solver status, configuration parameters, technical logs) with no personal staff data.

The client may refuse any remote connection. In this case, support is provided exclusively through the exchange of diagnostic reports and patches.

Audit and traceability

The Software includes an audit log that automatically records all operations performed in the Dashboard:

  • Creation, modification, and deletion of staff, slots, requirements, constraints, holidays, wishes
  • Approval and refusal of absences
  • Solver runs with parameters and resolution status (OPTIMAL, FEASIBLE, INFEASIBLE)
  • Manual schedule modifications (old shift, new shift, agent, day)
  • Data exports and snapshot creation
  • Dashboard logins (authentication)

This log is stored locally in the SQLite database and can be consulted from the Dashboard with filtering and pagination. It allows the client to trace any action and meet their own compliance obligations (GDPR, nFADP, internal audit, labour inspection).

Snapshots allow the complete state of the database to be captured at a given moment and restored if necessary.

Sub-processors

Planopti SA does not use any sub-processor for the processing of client data within the Software. The on-premise deployment means that no data passes through a third-party service.

The only third-party services used by Planopti SA concern:

  • Website hosting (planopti.io): data collected via the contact form is hosted with a provider located in Switzerland or the European Economic Area
  • Email: email exchanges with clients and prospects pass through servers located in Switzerland or the EEA

No sub-processor has access to the data stored in the Software deployed at the client's premises.

Data collected via the website

The planopti.io website may collect:

  • Contact form: last name, first name, email address, company, role, message. This data is used exclusively to respond to the request and manage the commercial follow-up
  • Navigation data: pages viewed, visit duration, browser type. This data is anonymised and used solely to improve the website

No third-party tracking cookies are used. No third-party analytics tool (Google Analytics, Meta Pixel, etc.) is integrated. The website contains no advertising tracking pixel.

Visitors may request the deletion of their contact data at any time by writing to [email protected].

Retention

Contact data (website): retained for twenty-four (24) months after the last exchange, then permanently deleted. The client or prospect may request early deletion at any time.

Software data: stored locally on the client's server, under their exclusive responsibility. Planopti SA holds no copy of this data. The retention period is determined by the client according to their own retention policy and applicable regulations.

Support data: intervention reports are retained by Planopti SA for the duration of the maintenance contract plus twelve (12) months. They contain no personal staff data of the client.

Upon end of contract, the client retains all their data (SQLite database, Excel exports, snapshots). Planopti SA deletes the client's contact data within three (3) months, unless legally required to retain it.

Security incident

On-premise deployment means that the security of the infrastructure and data is the client's responsibility (firewall, access control, backups, password policy).

In case of discovery of a vulnerability in the Software:

  • Planopti SA notifies all affected clients within 72 hours
  • A patch is delivered as an update as soon as possible
  • A security bulletin details the vulnerability, its potential impact, and corrective measures

If a support intervention reveals a security incident on the client's infrastructure, Planopti SA immediately informs the client. Planopti SA has no obligation to notify authorities regarding the client's data, this responsibility resting with the client as data controller.

Non-disclosure commitment

Planopti SA formally undertakes to:

  • Never resell, transfer, or share the data of its clients or prospects with third parties, in any form, whether free of charge or for payment
  • Never carry out commercial profiling, statistical analysis, or benchmarking on client data
  • Never use data accessible during support interventions for purposes other than the intervention itself
  • Never communicate the name, logo, or data of its clients without their prior written consent, including for commercial reference purposes
  • Never integrate into the Software any mechanism allowing access to, copying, or transmission of data without the client's knowledge

This commitment applies to all Planopti SA personnel, including directors, employees, interns, and any contractors. Any collaborator having access to confidential information is subject to a contractual confidentiality clause.

This commitment survives the end of the contractual relationship for a period of five (5) years, in accordance with Article 8 of the licence conditions.

International clients

On-premise deployment simplifies regulatory compliance for clients operating in different jurisdictions:

  • No cross-border transfer: data remains on the client's server, in the country of operation. No standard contractual clauses (SCC), no adequacy decision required
  • GDPR (European Union): the client is the data controller. Planopti SA acts as processor only in the context of occasional support interventions, covered by a DPA. See the GDPR policy
  • nFADP (Switzerland): same logic. The DPA covers both regulatory frameworks
  • Other jurisdictions: the on-premise model is compatible with most data protection regulations (LGPD Brazil, POPIA South Africa, PDPA Singapore, etc.) as data never leaves the client's perimeter

The Software contains no cryptographic components subject to export restrictions. The CP-SAT solver is a publicly available open-source component.

Contact

For any questions regarding privacy, data protection, or to exercise your rights:

Planopti SA
Geneva, Switzerland
[email protected]

Response time: maximum 15 business days.