Privacy Policy (GDPR)

Last updated: June 2026

Version: June 2026
Provider: Kevin Kraushofer, operating under the name Plan2Fund
Address: Margaretenstraße 138/1/14, 1050 Vienna, Austria
Email: hello@plan2fund.io
Commercial Register: not registered in the commercial register
VAT ID: not available


1. Controller

The controller responsible for the processing of personal data is:

Kevin Kraushofer
operating under the name Plan2Fund
Margaretenstraße 138/1/14
1050 Vienna
Austria

Email: hello@plan2fund.io
Website: https://plan2fund.io

Commercial Register: not registered in the commercial register
VAT ID: not available

If you have any questions about data protection or wish to exercise your rights, please contact us at: hello@plan2fund.io.

2. General Information on Data Processing

We process personal data exclusively in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and other applicable regulations.

Personal data means any information relating to an identified or identifiable natural person, for example name, email address, IP address, user account, payment data, or content you enter into the app.

3. Purposes of Processing

We process personal data in particular for the following purposes:

  • Provision of the website and web app
  • Registration and management of user accounts
  • Authentication and session management
  • Creation, editing, and storage of projects, business plans, financial plans, and documents
  • Provision of AI-supported features
  • Export of documents as PDF, DOCX, or PPTX
  • Payment processing and invoice management
  • Communication, support, and answering inquiries
  • Security, abuse prevention, and error analysis
  • Compliance with statutory retention and documentation obligations
  • Creation of aggregated usage statistics

4. Which Data We Process

4.1 Account and Profile Data

When you create an account, we process in particular:

  • Name
  • Email address
  • First name and last name, if provided
  • Password hash
  • User role, for example user or advisor
  • Language setting
  • Email verification status
  • Creation date and last activity

Processing is carried out to provide and manage your account and to enable the use of our services.

Legal basis: Art. 6(1)(b) GDPR, insofar as the processing is necessary for the performance of a contract. For security-related data, Art. 6(1)(f) GDPR may also apply.

4.2 Session and Security Data

When you use our services, we process technical data, in particular:

  • Session tokens
  • IP address
  • User agent / browser information
  • Time of login and use
  • Security-relevant events

This data is necessary to log you in, protect your session, and prevent abuse.

Legal basis: Art. 6(1)(b) GDPR for the provision of the services and Art. 6(1)(f) GDPR for security and abuse prevention.

4.3 Project, Plan, and Document Data

When you use Plan2Fund, we process the content you create or edit in the app. This may include in particular:

  • Project name and project description
  • Business idea, market information, and strategy content
  • Business plan and financial plan content
  • Document structure, chapters, tables, and charts
  • Exported documents
  • Editing status and payment status

This data is necessary to provide the core service of Plan2Fund.

Legal basis: Art. 6(1)(b) GDPR.

Please do not enter sensitive personal data into Plan2Fund unless this is necessary for the creation of your documents.

4.4 Advisor and Customer Data

If you use Plan2Fund as an advisor, you may manage customers or clients. In this context, the following data may be processed in particular:

  • Name and email address of customers
  • Company name
  • Assignment between advisor and customers
  • Project and document data of customers
  • Status information
  • Notes, if entered

If users use the platform as advisors, agencies, or companies for their own customers and enter personal data of these customers into the platform, Plan2Fund may act as a processor within the meaning of Art. 28 GDPR with regard to this customer data. In this case, the respective user or advisor remains the controller responsible for the lawfulness of the processing of this customer data.

For advisors, agencies, or companies that use Plan2Fund to process personal data of their own customers, we provide a data processing agreement pursuant to Art. 28 GDPR in the Advisor account.

Advisors are themselves responsible for ensuring that they are entitled to enter, process, and share personal data of their customers and that they inform these customers accordingly.

4.5 AI Features and AI Processing

Plan2Fund offers AI-supported features for the creation, improvement, and review of documents. When you use these features, content from your project, document sections, chat messages, setup inputs, and technical metadata may be transmitted to our AI service provider.

We currently use:

  • Google Gemini API
  • Provider: Google
  • Processing: Global (no guaranteed EU processing)

The following data in particular may be transmitted to the AI service:

  • Your inputs into the AI assistant
  • Content from the editor
  • Project description and project context
  • Document structure
  • Sections that are to be created, improved, or reviewed
  • System and processing context required for generation

Processing is carried out to provide the AI features requested by you.

Legal basis: Art. 6(1)(b) GDPR, as the AI feature is an integral part of the service used by you.

We only transmit to the AI service the content that is necessary for the requested function. This reflects the principle of data minimisation pursuant to Art. 5(1)(c) GDPR.

We locally store usage data relating to AI features, in particular:

  • User ID
  • Project ID
  • Type of AI action
  • Token count
  • Credit usage
  • Time of use

We use this data for billing, limitation, abuse prevention, error analysis, and improvement of the services.

Legal basis: Art. 6(1)(b) GDPR for billing purposes and Art. 6(1)(f) GDPR for abuse prevention.

No storage of AI prompts or chat messages: We do not intentionally store complete AI prompts, chat messages, or AI responses in our database. Conversations exist only temporarily in memory during your session and are deleted when you switch or close the project. Only usage metadata (token count, credit usage, timestamp) is stored for billing purposes. Our technical infrastructure (server logs, error tracking) may temporarily process fragments of transmitted data for security, debugging, and abuse prevention. These logs are automatically overwritten according to our retention periods.

Please do not enter special categories of personal data within the meaning of Art. 9 GDPR into AI inputs unless this is strictly necessary.

Important notice: AI outputs may be erroneous or incomplete and do not constitute legal, tax, financial, or professional advice. Users are solely responsible for reviewing generated content before use, submission, or sharing.

Google Gemini API – Paid Services: We use the Gemini API through a paid Google Cloud project. According to current Google terms, prompts and responses for Paid Services are not used to improve Google products. However, Google may process prompts and responses for a limited time for security, abuse detection, and compliance with legal obligations.

4.6 Payment and Invoice Data

We use Stripe for payments and subscriptions.

Stripe Payments Europe, Ltd. / Stripe Group

In connection with payments, the following data in particular is processed:

  • Name and email address
  • Payment status
  • Booked product or plan
  • Stripe customer number
  • Payment and invoice references
  • Invoice data
  • Technical payment metadata

Payment information such as credit card data is generally processed directly by Stripe and is not fully stored by us.

Legal basis: Art. 6(1)(b) GDPR for payment processing and Art. 6(1)(c) GDPR for statutory retention obligations.

4.7 Communication and Support

If you contact us, we process the data you provide, in particular:

  • Name
  • Email address
  • Content of your message
  • Time of the inquiry
  • Any project- or account-related information

We use this data to process your inquiry and communicate with you.

Legal basis: Art. 6(1)(b) GDPR if your inquiry is related to a contract or pre-contractual measures, and Art. 6(1)(f) GDPR for general support and communication purposes.

We use Resend as an email service provider for emails.

4.8 Transactional Emails

We send transactional emails, for example:

  • Email verification
  • Password reset
  • Account and security notifications
  • Payment and invoice information
  • Product-related notifications
  • Support communication

We currently do not send newsletters or marketing emails. If this is introduced in the future, such emails will only be sent on the basis of separate consent where legally required.

5. Cookies and Local Storage

Plan2Fund uses only technically necessary cookies and local storage mechanisms that are required for the operation of the app and user authentication.

5.1 Necessary Cookies

We use the following necessary cookies:

  • Session cookie (pf_session) - For login and authentication (HttpOnly, Secure, SameSite=Strict)
  • Consent cookie (cookie_consent) - To store your cookie banner acknowledgment

These cookies are technically necessary for the operation of the website and app and are set without consent.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

5.2 Local Storage and Session Storage

We use local storage or session storage to store certain technical states, for example:

  • Cookie consent acknowledgment
  • Onboarding or tour status
  • Temporary setup states
  • Language settings
  • Local UI settings

This storage serves user-friendliness and app functionality.

5.3 Vercel Web Analytics

We use Vercel Web Analytics to create aggregated usage statistics. Vercel Web Analytics is used without cookies and does not use any marketing cookies.

In this process, technical access data such as IP address, user agent, referrer, URL path, timestamp, and device information may be processed and combined into aggregated statistics. We do not use this data to track individual users across websites.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in improving the stability, performance, and functionality of our website and app.

Please do not enter personal data into URL paths or URL parameters.

5.4 No Marketing or Tracking Cookies

We currently do not use marketing cookies, tracking pixels, or Google Analytics. If we introduce non-essential cookies or similar technologies in the future, we will obtain your consent beforehand.

Specifically, we do not use:

  • Google Analytics or Google Ads
  • Facebook/Meta Pixel
  • Hotjar, PostHog, or similar tracking tools
  • Any third-party advertising or retargeting cookies

6. Hosting, Database, and Technical Infrastructure

We use technical service providers to provide our services. Where possible, we configure our services for processing within the EU.

6.1 Hosting

Our website and web app are provided via Vercel. Where possible, processing takes place via EU infrastructure, in particular Frankfurt, Germany.

6.2 Database

We use PostgreSQL via Neon.tech. According to the current configuration, the database is hosted in AWS Europe Central 1, Frankfurt, Germany.

6.3 File and Export Processing

Exported PDF, DOCX, and PPTX files are technically stored for as long as necessary for download, re-export, or account management. They can be overwritten by re-export or deleted as part of account/project deletion. An automatic deletion after a fixed period is currently not implemented. Users can delete projects and associated exports from their account. Upon account deletion, project-related usage data is deleted unless statutory retention obligations or legitimate interests, such as legal defense, prevent deletion. Payment and invoice data may be retained where legally required (e.g., tax retention periods).

7. Recipients and Processors

We use the following categories of service providers:

  • Hosting and infrastructure providers
  • Database providers
  • AI service providers
  • Payment service providers
  • Email service providers
  • Analytics and performance services

7.1 Service Provider Overview

Where these providers process personal data on our behalf, corresponding data processing agreements pursuant to Art. 28 GDPR are in place. In the event of possible transfers outside the EEA, appropriate safeguards are used, in particular standard contractual clauses pursuant to Art. 46 GDPR.

7.2 Data Processing for Advisors (Art. 28 GDPR)

For advisors, agencies, or companies that use Plan2Fund to process personal data of their own customers, we provide a data processing agreement (AVV) pursuant to Art. 28 GDPR.

The AVV is available directly in your Advisor account under Settings → Data Processing Agreement. You can review and accept it digitally within the platform. The AVV can also be provided upon request.

View DPA: plan2fund.io/legal/dpa

The AVV includes: (1) Main agreement with processing purpose and scope, (2) Annex 1: Description of processing activities, (3) Annex 2: Technical and organizational measures (TOMs), (4) Annex 3: List of sub-processors (Vercel, Neon, Google Gemini, Stripe, Resend).

8. Transfers to Third Countries

We make efforts to configure services so that personal data is processed within the EU or the European Economic Area wherever possible.

Some providers are based outside the EU or may process data outside the European Economic Area as part of support, maintenance, security, or group company structures. In such cases, we ensure that appropriate safeguards are in place, in particular:

  • Adequacy decisions of the European Commission
  • Standard contractual clauses pursuant to Art. 46 GDPR
  • Additional technical and organizational safeguards, where required

9. Retention Period

We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations exist.

The currently intended retention periods are:

  • Account data: until deletion of the account, unless statutory retention obligations prevent deletion
  • Project and plan data: until deletion by the user or until account deletion, plus up to 30 days backup or recovery period
  • Exported PDF, DOCX, and PPTX files: exported files are technically stored for as long as necessary for download, re-export, or account management. They can be overwritten by re-export or deleted as part of account/project deletion.
  • AI usage logs: until deletion of the user account. Usage data is deleted when you delete your account.
  • Session data: generally 7 to 30 days
  • Contact and support emails: up to 12 months after the last communication, unless longer retention is required for legal defense or contract fulfillment
  • Payment, invoice, and tax-relevant documents: 7 years or longer, where legally required
  • Advisor customer data: until deletion by the advisor or until termination of the respective account, unless statutory obligations prevent deletion

Backups may continue to exist for a limited period for technical reasons before they are overwritten or deleted.

Users may request deletion of their account or individual projects by emailing hello@plan2fund.io. Where corresponding functions are provided in the app, data may also be deleted or exported directly there.

10. Data Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration, or disclosure.

These include in particular:

  • Encrypted transmission via HTTPS
  • Secure password storage using hashing
  • Access restrictions
  • Role-based permissions
  • Session protection
  • Technical logging for abuse prevention
  • Regular review of security-relevant processes

Despite all measures, no transmission over the internet can be guaranteed to be completely secure.

11. Your Rights

Under the GDPR, you have in particular the following rights:

  • Right of access pursuant to Art. 15 GDPR
  • Right to rectification pursuant to Art. 16 GDPR
  • Right to erasure pursuant to Art. 17 GDPR
  • Right to restriction of processing pursuant to Art. 18 GDPR
  • Right to data portability pursuant to Art. 20 GDPR
  • Right to object pursuant to Art. 21 GDPR
  • Right to withdraw consent pursuant to Art. 7(3) GDPR
  • Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR

You can exercise your rights by contacting us at hello@plan2fund.io.

If you have a user account, you can edit, export, or delete certain data directly in the app.

12. Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

For Austria, the competent authority is in particular:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at

13. Minors

Plan2Fund is exclusively directed at persons aged 18 and older, as well as companies, founders, advisors, and organizations. Persons under the age of 18 may not use our services.

If we become aware that personal data of persons under the age of 18 has been processed, we will delete this data unless statutory obligations prevent deletion.

14. Automated Decision-Making

We do not make exclusively automated decisions within the meaning of Art. 22 GDPR that produce legal effects concerning you or similarly significantly affect you.

AI features support the creation and editing of content. The user is responsible for reviewing, using, and submitting the generated content.

15. Changes to this Privacy Policy

We may amend this Privacy Policy if our services, legal requirements, or technical processes change.

The current version is available on our website. In the event of material changes, we will inform you in an appropriate manner.

16. Contact

If you have any questions about data protection or wish to exercise your rights, please contact us at:

Kevin Kraushofer
operating under the name Plan2Fund
Margaretenstraße 138/1/14
1050 Vienna
Austria

Email: hello@plan2fund.io