Privacy Policy

Effective date: 22 April 2026 (United Kingdom)

This Privacy Policy describes how 1414 Degrees Ltd, the data controller for Plasm (referred to as “we”, “us”, or “our”) collects, uses, stores, and shares personal data when you use Plasm’s websites, applications, and related services, including services that act as a hub for Model Context Protocol (MCP) tools, integrations, and (where offered) connections to third-party APIs and accounts.

Controller. The controller of your personal data is 1414 Degrees Ltd of [insert UK postal address]. For privacy enquiries, contact privacy@plasm.tools (or replace with your published contact if different).

This policy is provided for a UK-based audience and is intended to help you understand our practices in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It is not legal advice; you may wish to obtain professional advice for your own situation.

1. The service

Plasm provides or supports discovery, configuration, compilation, and/or connection of tool surfaces for use with AI agents, including over MCP, and may process data needed to operate accounts, authenticate users, run or proxy tool invocations, manage OAuth or other credentials for connected services, and keep the service secure and reliable. The exact feature set may change; where we introduce material new processing, we will update this policy or provide additional notice as appropriate.

2. Information we may collect

Depending on how you use Plasm, we may process:

• Account and identity data — e.g. name, email, organisation, and similar identifiers you provide when you register, subscribe, or contact us.
• Authentication and security data — e.g. session tokens, device or browser information, and security-related logs to protect accounts and detect abuse.
• Connection and authorisation data — when you connect third-party services, we may process metadata and tokens (e.g. OAuth) needed to maintain those connections in line with the permissions you grant. The third party’s own terms and privacy policy also apply to their services.
• Service, MCP, and technical usage data — e.g. timestamps, request and error information, tool or capability identifiers, and operational telemetry to run, secure, and improve the service, subject to the limits below.
• Content you provide — e.g. support messages, configuration you upload, or other voluntary submissions.
• Cookies and similar technologies — where we use them (including any analytics or preference cookies), we will describe categories and, where required, seek consent in line with the Privacy and Electronic Communications Regulations (PECR) and our cookie controls.

Tool and agent payloads. If your use of the service results in end-user, customer, or third-party personal data being transmitted through or processed by our systems (for example, arguments to tools or data returned from connected systems), you and your users remain responsible for ensuring you have a lawful basis and appropriate terms for that processing. We process such data only to provide the service in accordance with your instructions and this policy, and we do not use it for unrelated independent purposes unless we tell you otherwise and, where required, obtain consent.

3. Lawful bases (UK)

We rely on one or more of the following, depending on the processing:

• Contract — to provide the service and features you request.
• Legitimate interests — e.g. to secure the service, understand reliability and performance, prevent abuse, and improve features, balanced against your rights.
• Legal obligation — where the law requires us to retain or disclose data.
• Consent — where we ask for it (e.g. certain cookies or non-essential marketing communications). You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

4. How we use information

We use personal data to:

• create and administer accounts, subscriptions, and billing (where applicable);
• deliver, operate, and support MCP- and API-related tool functionality you enable;
• communicate with you (service messages, and, where consented, marketing);
• secure the service, prevent fraud, and meet legal and compliance requirements;
• analyse and improve the service in aggregate or pseudonymous form, where used.

Automated decision-making. We do not, as a default position, use solely automated decision-making that produces legal or similarly significant effects in relation to individuals, unless we say otherwise in a separate notice and, where required, offer a suitable human review process.

5. Sharing and sub-processors

We may share data with:

• hosting, infrastructure, and email providers that process data on our instructions;
• security and anti-abuse service providers as needed;
• connected third parties when you direct us to (e.g. to complete an API call you initiated);
• professional advisers and authorities where the law requires or allows.

A list of sub-processors may be published separately or made available on request. We use appropriate data processing terms with processors we appoint.

6. International transfers

We primarily store and process data in the UK and/or the European Economic Area. If we transfer personal data outside the UK, we will ensure appropriate safeguards (e.g. the UK International Data Transfer Addendum, UK IDTA, or other mechanisms approved under UK data protection law) and document them as required.

7. Retention

We retain personal data only as long as needed for the purposes in this policy, to meet legal, accounting, or reporting requirements, and to resolve disputes. Retention periods vary (e.g. account data for the life of the account; security logs for a limited period). We may delete or aggregate data sooner when no longer required.

8. Your rights

Under UK data protection law, you may have the right to:

• request access to your personal data;
• request rectification of inaccurate data;
• request erasure, restriction, or object to certain processing;
• request portability of data you provided, where applicable;
• lodge a complaint with the Information Commissioner’s Office (ICO).

To exercise these rights, contact privacy@plasm.tools. We may need to verify your request.

Representative. If we are required to appoint a UK or EU representative (for non-UK controllers), we will list those contact details here when applicable.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data, including in transit and at rest where we control those environments. No system is completely secure; you should also protect your credentials and devices.

10. Children

The service is not intended for use by children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us so we can take appropriate action.

11. Changes to this policy

We may update this policy from time to time. The effective date at the top will be revised and, where changes are material, we may also notify you by email or an in-service notice if we can reasonably do so. Continued use of the service after the effective date may be subject to the updated policy, as described in the notice we provide.

12. Contact

For privacy questions: privacy@plasm.tools
Postal: [insert UK address for the controller]