PRIVACY & COMPLIANCE
Customers own their data.
Movement data is encrypted in transit and at rest, logically isolated per organization, and used only as the customer permits.
Some assurances are inherited from our infrastructure providers; others are in progress. This page states which is which.
Last updated: June 2026
Four principles that shape how we handle data.
Security by design
Built in from the first sensor reading, not bolted on after.
Least privilege
People and systems access only what they need, nothing more.
Defense in depth
Multiple independent layers of protection rather than a single line of defense.
Transparency
We tell you what we do, how we do it, and where we are not there yet.
Data Ownership
Customers own the Movement Data Plantiga collects — biomechanics, anthropometrics, and anything generated through the platform. Plantiga's right to use that data is limited to providing and improving the service.
Aggregated use only
Any use of data for improving our platform is in aggregated, de-identified form. Individual athletes are not identifiable in the aggregated outputs we derive from your data.
Deleted on termination
When your agreement ends, Plantiga deletes the personally identifiable Movement Data it holds for your organization within 30 days.
Opt out of model training
You can opt your organization out of contributing data to model training entirely. Contact security@plantiga.com before onboarding to request this.
Data Protection Controls
Data moves from the Arc5Pro sensor through the app, into the platform, and into the Norman.ai engine. The following controls apply at each stage.
Encryption in transit
Network traffic between the Connect app, the platform, and the cloud is encrypted with TLS (HTTPS); plaintext HTTP connections are rejected. The sensor-to-dock transfer is a direct physical connection rather than a network link.
Encryption at rest
All stored biomechanics and account data is encrypted at rest using AES-256, including databases, file storage, and backups.
Organization isolation
Each team, club, and organization is logically isolated at the application and data layer, so one organization cannot see another's athletes or data. This is logical isolation enforced by the platform's access controls, not physically separate infrastructure per customer.
AI summaries & sub-processors
Plantiga's own movement models (Norman.ai) run within the platform. The optional AI summarization features send the content of each request, including any athlete identifiers entered such as names, to our AI sub-processor, Anthropic. To keep identifiers out of those requests, enter participant codes instead of names; Anthropic's API inputs are not used to train its models (see the sub-processor table below).
De-identification for research
Datasets are de-identified before any aggregate or research use, so insights can scale across a population without exposing individual athletes.
Data flow — from insole to cloud
Compliance
What is confirmed, what is inherited from our infrastructure providers, and what we do not currently support.
PIPEDA (Canada)
Plantiga is a Canadian company subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. PIPEDA governs how we collect, use, and disclose personal information.
GDPR (Europe)
For users in the European Economic Area, the Services are designed to comply with GDPR. Canada holds an adequacy decision from the European Commission under Article 45 of the GDPR, which covers transfers of personal data from the EEA to Canada. Where personal data is processed outside Canada — for example in the United States — Plantiga relies on appropriate transfer safeguards.
EEA residents have the following rights: access, rectification, erasure, objection to processing, restriction of processing, data portability, and the right to file a complaint with a supervisory authority. To exercise any of these rights, contact security@plantiga.com.
CCPA (California) & U.S. State Privacy Laws
Plantiga's practices are designed to comply with the California Consumer Privacy Act for California residents, including rights to know, delete, and opt out of sale of personal information. We do not sell personal data. As U.S. state privacy laws continue to expand, we monitor and adapt our practices to keep pace with applicable requirements.
COPPA (Children's Privacy)
Plantiga does not collect personal information from individuals under the age of 13, or under the applicable jurisdiction's age of consent, whichever is higher. Our practices are designed to comply with the U.S. Children's Online Privacy Protection Act and applicable laws concerning children and the internet, including those applicable in the EEA.
Customers collecting data from minors are responsible for ensuring the appropriate consent requirements in their jurisdiction are met prior to any data collection.
HIPAA
There is no official HIPAA certification, and Plantiga does not represent the platform as HIPAA compliant. Whether HIPAA applies at all depends on how each customer uses the platform.
Plantiga supports data minimization: individuals can be created and tracked using a participant code, athlete ID, or other non-identifying key rather than a name. Used together with the customer's own practices to limit the identifiers they enter, this reduces the personal information Plantiga holds and can help keep movement data outside the scope of Protected Health Information (PHI).
Whether a given dataset is de-identified under HIPAA — for example under the Safe Harbor or Expert Determination standards — is a determination each customer should make with their own compliance team, because identifiers other than a name (such as dates linked to an individual, device identifiers, or a re-identification key the customer holds) can also bring data into scope.
Plantiga does not currently offer a Business Associate Agreement (BAA), and the platform is not intended for storing PHI; customers with PHI obligations should use the de-identified, code-based approach described above. This code-based, data-minimization approach is standard practice among the research institutions and clinical customers we work with. Customers with questions about HIPAA or PHI handling should contact security@plantiga.com before onboarding.
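The code-based approach above is the customer's responsibility to implement before data leaves their hands. As an added illustration (this is not Plantiga's code and not part of the original page), the script below shows one way a customer could do it: derive a stable participant code with HMAC-SHA256 under a key only the customer holds, keep the code-to-name table locally, and strip direct identifiers from each record before upload. The record fields, the key handling, and the list of identifier fields are assumptions chosen for the example; the real upload schema is not shown on this page. It also shows why a plain, unkeyed hash of a name is not a safe pseudonym: a short list of likely names reverses it, whereas the keyed version cannot be guessed without the key.

```python
"""Customer-side keyed pseudonymization for participant codes (example only)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Field names assumed for this example. Session dates and device IDs are
# deliberately left in place: whether those bring a dataset into HIPAA scope
# is the customer's determination, as the page notes.
DIRECT_IDENTIFIERS = {"name", "first_name", "last_name", "email",
                      "date_of_birth", "phone"}


def participant_code(customer_key: bytes, identity: str, length: int = 12) -> str:
    """Stable, non-reversible code: HMAC-SHA256 keyed by the customer's secret.

    Without the key, nobody (including the platform) can recompute codes from
    a list of candidate names, so the code alone does not identify the person.
    """
    mac = hmac.new(customer_key, identity.encode("utf-8"), hashlib.sha256)
    return "P-" + mac.hexdigest()[:length].upper()


def unkeyed_code(identity: str, length: int = 12) -> str:
    """Plain SHA-256 of the name. Shown only as the weak contrast case."""
    return "P-" + hashlib.sha256(identity.encode("utf-8")).hexdigest()[:length].upper()


def reverse_by_guessing(code: str, candidates: Iterable[str],
                        derive: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: try candidate identities until one reproduces the code."""
    for candidate in candidates:
        if derive(candidate) == code:
            return candidate
    return None


def minimize_record(record: dict, customer_key: bytes,
                    mapping: Dict[str, str]) -> dict:
    """Return an upload-safe copy of `record` with direct identifiers removed.

    The code-to-name mapping is written to `mapping`, which stays with the
    customer (their re-identification key); it is never part of the upload.
    """
    code = participant_code(customer_key, record["name"])
    mapping[code] = record["name"]
    safe = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    safe["participant_id"] = code
    return safe


def leaked_identifiers(record: dict) -> set:
    """Pre-upload check: which direct-identifier fields are still present?"""
    return DIRECT_IDENTIFIERS & set(record)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, stored by the customer
    local_mapping: Dict[str, str] = {}
    # Constructed sample record, not real athlete data.
    raw = {"name": "Jordan Example", "date_of_birth": "2001-04-09",
           "session_date": "2026-05-12", "left_peak_force_n": 1840.2}
    safe = minimize_record(raw, key, local_mapping)
    print("upload:", safe, "leaks:", leaked_identifiers(safe))
    guess_list = ["Alex Example", "Jordan Example", "Sam Example"]
    print("unkeyed reversed ->",
          reverse_by_guessing(unkeyed_code("Jordan Example"), guess_list, unkeyed_code))
    print("keyed reversed   ->",
          reverse_by_guessing(safe["participant_id"], guess_list, unkeyed_code))
```

The key is the whole point: losing it makes re-identification impossible for the customer too, and sharing it with the platform would turn the codes back into identifiers. Store it like any other secret, and generate the mapping table once rather than re-deriving codes from names on every upload.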
SOC 2
Plantiga is working toward a platform-level SOC 2 audit. In the meantime, significant security assurance is inherited from our infrastructure: Google Cloud Platform holds SOC 1, SOC 2, and SOC 3 attestation reports, and Stripe (payments) holds a SOC 2 report and PCI DSS Level 1 certification. We are transparent that these reports cover our sub-processors' environments, not a direct audit of Plantiga's application layer.
Security is an ongoing priority — we continuously improve our controls as we work toward formal certification. Our completed security questionnaire is available on request at security@plantiga.com.
League data agreements — NBA, NFL, FIFA
Plantiga has signed a data agreement with the NBA and holds approved wearable status. As an approved NBA wearable, Plantiga adheres to the NBA's cybersecurity and data infrastructure standards. Plantiga is also approved for use within the NFL and with FIFA, and adheres to their respective data handling and athlete privacy standards.
Have compliance documentation requirements? Contact support@plantiga.com.
Infrastructure & sub-processors
Plantiga relies on the third-party sub-processors below to deliver the service. Any certifications listed belong to those providers and describe the environments your data is processed in — not an audit of Plantiga's own application.
| Sub-processor | Purpose | Certifications & safeguards |
|---|---|---|
| Google Cloud Platform | Cloud hosting, databases, storage, and ML compute | SOC 1 / SOC 2 / SOC 3 · ISO 27001 · GDPR DPA · AES-256 at rest |
| Sentry | Application error & performance monitoring | SOC 2 Type II · GDPR DPA |
| Anthropic | AI-generated language summaries | SOC 2 Type II · API inputs not used to train models |
| Stripe | Payment processing | PCI DSS Level 1 · SOC 2 |
| Mailchimp | Email and customer communications | GDPR DPA in place |
| Mender | Over-the-air device firmware updates | Firmware and device data only — no athlete movement data |
Operational Security
Access controls
MFA is required for access to production systems, including cloud infrastructure, code repositories, and internal tooling. Production access follows least privilege, and access events are logged in internal audit records. No contractors have access to production data.
Backups & recovery
Data backups are managed within Google Cloud Platform, which provides automated, redundant storage. Backups are encrypted at rest with AES-256.
Vulnerability management
Automated dependency scanning runs on every deployment to detect known vulnerabilities in third-party libraries before they reach production. This covers published vulnerabilities in the packages we depend on; it is not a security test of Plantiga's own application code.
Incident response
Plantiga has a documented incident response plan. We notify affected customers without undue delay — and no later than 72 hours — after becoming aware of a data breach affecting their Movement Data, consistent with the commitments in our Terms of Service.
Team & Internal Security
Security at Plantiga is a team-wide practice, not just an infrastructure concern. The following standards apply to every employee.
Onboarding & offboarding
Every new employee completes security training at onboarding — covering phishing and social-engineering awareness, handling sensitive data, secure communication, and Plantiga's internal security policies. When someone leaves, their access and credentials are promptly revoked across all systems.
Password management
All employees are required to use a password manager. Credentials are unique and strong across every service. Passwords are never stored in browsers, spreadsheets, shared documents, or reused across accounts.
Multi-factor authentication
MFA is required for employees across critical systems — cloud infrastructure, code repositories, internal tooling, and communication platforms — so a compromised password alone is not enough to reach a production system.
Device security
All company devices are required to have full-disk encryption and screen-lock enabled. Sensitive data is never handled over personal accounts or unencrypted services.
Least-privilege access
Employees are granted access only to the systems and data required for their role. Access to production data is limited to a small number of technical and support staff, and all access is logged in internal audit records.
Separation of environments
Development and production environments are strictly separated. Development work never touches live customer data. Changes are tested in isolation before being promoted to production, reducing the risk of unintended exposure or data loss.
Vulnerability Disclosure
To report a security vulnerability, email support@plantiga.com. We acknowledge all reports within two business days. Please allow reasonable time to remediate before public disclosure. Researchers are credited publicly with their permission.
Frequently Asked Questions
Who owns the data collected through the platform?
Customers own the Movement Data collected — biomechanics, anthropometrics, and everything generated through the platform. Plantiga's right to use it is limited to providing and improving the service, and any such use is aggregated and de-identified. We don't sell personal data.
Where is data stored, and can you guarantee data residency?
Data is stored and processed on Google Cloud Platform. As stated in our Privacy Policy, data may be stored and processed in countries outside of Canada, including in the United States, depending on which GCP infrastructure is used. Plantiga does not currently guarantee data residency within a specific geographic region. EEA customers: Canada's EU adequacy decision under Article 45 of the GDPR covers EEA-to-Canada transfers. If specific data residency is a hard requirement for your organization, contact support@plantiga.com before onboarding.
Is Plantiga SOC 2 certified?
Plantiga is not yet SOC 2 certified at the application level, and we are working toward that audit. Substantial security assurance is inherited from our infrastructure providers — Google Cloud Platform (SOC 1/2/3) and Stripe (SOC 2, PCI DSS Level 1) — but we are transparent that those certifications apply to our sub-processors, not to Plantiga's platform directly. Our completed security questionnaire is available on request at support@plantiga.com.
Can we have our data deleted?
Yes. On termination of the agreement — or on request at any time — Plantiga deletes the personally identifiable Movement Data it holds for your organization within 30 days. Aggregated or de-identified data that can no longer be linked to an individual may be retained. To request deletion, contact support@plantiga.com.
Does Plantiga sell personal data?
No. Plantiga does not sell personal data to any third party. Any aggregated, de-identified use for research or model improvement is described in our Terms of Service, and organizations can opt out by contacting us before onboarding.
Can participants be tracked without names or other identifiers?
Yes. Participants can be created and tracked using only an assigned study or participant ID. No name, date of birth, or other personal identifier is required. This is a common approach for IRB-approved research studies and institutions with strict data minimization requirements.
Which privacy regulations does Plantiga comply with?
As a Canadian company, Plantiga is subject to PIPEDA and is designed to comply with GDPR for European users. Canada's EU adequacy decision means EEA-to-Canada data transfers are permitted without additional mechanisms; processing in the United States relies on the transfer safeguards described in the GDPR section above. Our practices are also designed to comply with CCPA for California residents and COPPA for data involving minors. A Data Processing Agreement (DPA) is available on request.
Questions about our security?
Contact us directly. We share our completed security questionnaire on request and can provide additional documentation for procurement and compliance reviews.
AES-256 encrypted at rest · TLS encrypted in transit · Per-organization isolation · Customers own their data