Legal

GDPR Compliance

Plato Tribune is a SaaS platform that generates AI-powered SEO content clusters and auto-publishes them to our customers’ WordPress sites. This page explains how we comply with the EU General Data Protection Regulation (GDPR).

Last updated: June 2026

Our commitment

We treat data protection as a core feature, not an afterthought. Privacy-by-design and privacy-by-default principles guide how we build and operate Plato Tribune.

We process personal data lawfully, fairly and transparently, and only for the purposes described in our Privacy Policy and this page.

Our roles: controller vs processor

For account, billing and marketing data relating to our direct customers, Plato Tribune acts as the data controller and decides why and how that data is processed.

For the content we generate and the data we publish to your WordPress sites on your behalf, we act as a data processor, processing data only on your documented instructions.

Lawful bases for processing

We rely on contract performance to provide the service you signed up for, including account management and publishing to your sites.

We rely on legitimate interests for product analytics, fraud prevention and service security, and on consent for optional marketing communications, which you can withdraw at any time.

Where the law requires it, for example for tax and accounting records, we rely on legal obligation.

Your data subject rights

Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing.

You may also object to automated decision-making and withdraw any consent you have given at any time, without affecting prior lawful processing.

To exercise any of these rights, contact us through our contact page. We respond within one month and may ask you to verify your identity first.

Sub-processors

We rely on a small number of vetted sub-processors to deliver the service: Stripe (billing), Vercel (hosting), MongoDB (database), Keycloak (authentication) and our AI model providers (content generation).

Each sub-processor is bound by a data processing agreement with confidentiality and security obligations consistent with the GDPR.

International transfers

Where personal data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and apply supplementary technical measures such as encryption.

We assess each transfer to ensure your data continues to receive an essentially equivalent level of protection.

Data retention and deletion

We keep personal data only for as long as necessary for the purposes it was collected, or as required by law.

When you close your account we delete or anonymise your personal data within a defined period, except where retention is legally required. WordPress credentials are deleted when you disconnect a site.

Breach notification

We maintain an incident response process to detect, contain and assess personal data breaches.

Where a breach is likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours and inform affected individuals without undue delay.

Data protection contact

For any privacy question, request or complaint, contact our data protection team through our contact page.

You also have the right to lodge a complaint with your local data protection supervisory authority.