PRIVACY

How OpenPlan handles your data

OpenPlan is designed to be local-first and private by default. All project data — routes, phases, costs — lives in a SQLite database on your machine. Nothing is sent anywhere unless you explicitly enable Mesh sync.

The data OpenPlan collects (action, tokenized label, cost, anonymous UUID) is anonymized by design. Under LGPD Art. 12 and GDPR Recital 26, irreversibly anonymized data is not considered personal data. OpenPlan is designed to be outside the scope of both regulations.

Data controller

OpenPlan is developed and operated by Vinicius Leal. For privacy-related inquiries:

Data Protection Officer: Vinicius Leal — dpo@openplan.cc
Data Processing Location: Fly.io (US) / Turso (US)
Legal Basis: Legitimate interest (product analytics) — no consent required. Data is irreversibly anonymized before processing.

What the Mesh collects

When Mesh sync is enabled, the following data is sent to api.openplan.cc every 5 minutes. All fields are anonymized or non-identifying.

{
  "action": "implement",
  "expected_cost": 5000,
  "actual_cost": 4800,
  "outcome": "success",
  "project_type": "software"
}

Field	Example	Why
`action`	"implement"	Type of work done (implement, design, test, research, etc.)
`expected_cost`	5000	Estimated cost in seconds from the baseline pool
`actual_cost`	4800	Actual time spent, reported by the agent via `checkpoint()`
`outcome`	"success"	Whether the phase completed as expected
`project_type`	"software"	High-level category for baseline grouping
`session_id`	(random UUID)	Deduplication — random, not linked to your identity
`timestamp`	1781813523	When the event was created

Phase labels are tokenized before reaching the Mesh: lowercased, punctuation stripped, stop words removed, trimmed to 50 tokens. Raw labels never leave your machine.

What the Mesh does NOT collect

No source code. Not a single line. The server never reads your files.
No project names. Project names are local-only. The Mesh only sees project_type ("software").
No file paths. No directory structures, no file names.
No agent prompts or responses. The agent's conversation is never transmitted.
No raw phase labels. Labels are tokenized before sync.
No API keys or secrets. Your OPENPLAN_API_KEY is used only for API auth, never logged or stored in the calibration pool.

Identity

OpenPlan generates a random UUID on first run, stored locally. This UUID is used for personal bias tracking and Mesh attribution. It is not linked to your GitHub account, email, or any personal identifier. When you authenticate via GitHub OAuth, a separate API key is created. The Mesh associates calibration events with your identity UUID for bias tracking, but GitHub identity is only used for subscription management.

Your rights (LGPD / GDPR)

As an OpenPlan user, you have the following rights under LGPD and GDPR:

Access: Run openplan export to download all your calibration data in JSON or CSV format. Response within 15 days.
Correction: Since all data is anonymized cost events, correction is handled automatically by the server. Inaccurate checkpoints can be corrected via checkpoint(phase, correct=value).
Erasure: Run openplan account delete to delete all your calibration data from the Mesh and revoke your API key. Mesh data deletion completes within 30 days.
Portability: Use openplan export --format json to get your data in a machine-readable format.
Withdraw consent: Run openplan mesh off to disable Mesh sync. No further data is sent.

Data retention

Raw calibration events: Kept indefinitely in the Mesh pool. Events are irreversibly anonymized (tokenized labels, anonymous identity). More events improve baseline matching across projects.
Baselines (aggregates): Computed on a rolling 30-day window — industry standard per Datadog, Prometheus, and Sentry patterns. This balances responsiveness with statistical significance.
Local data: Retained indefinitely in your SQLite database. You control it completely — delete the openplan.db file to erase everything.
Mesh deletion: Run openplan account delete to remove all your data. Deletion completes within 30 days.

Data processing and international transfers

OpenPlan uses the following infrastructure:

Mesh API hosting: Fly.io (US) — processes calibration events. Standard Contractual Clauses (SCCs) in place with Fly.io for international data transfers.
Database: Turso (US) — stores calibration events, API keys, and subscription data.
MCP Server: Runs locally on your machine. No data leaves your environment unless Mesh sync is enabled.

Data Protection Officer

For any privacy-related inquiries, data subject access requests, or data deletion requests:

DPO: Vinicius Leal
Email: dpo@openplan.cc
Response time: Within 15 days (LGPD) or 30 days (GDPR)

Open source

Both the MCP server and the Mesh API are open source (MIT license). You can verify exactly what data is collected by reading the source:

MCP server source — TypeScript, runs locally
Mesh API source — Python FastAPI, runs on Fly.io
Database schema — routes, route_phases, calibration_events, correction_events, cost_baselines, completed_sequences, schema_version