← Back to Plume
Privacy Policy
Last updated: March 16, 2026
In short: Plume collects only what it needs to personalise your news feed. We don't sell your data, we don't track you across websites, and we don't use third-party analytics. You can delete your account and all associated data at any time.
1. Data controller
The controller responsible for processing your personal data is:
Devly B.V.
KVK (Chamber of Commerce): 89687175
Email: privacy@plumenews.com
Plume News ("Plume", "we", "us") is a personalised news reader available on iOS, Android, and the web at app.plumenews.com. This policy explains what data we collect, why, and how you can control it.
2. What data we collect
| Category | Data | Purpose | Lawful basis |
|---|
| Account |
Name, email address, profile photo URL |
Identify you and display your profile |
Contract performance (Art. 6(1)(b) GDPR) |
| Authentication |
Sign-in provider type (Apple, Google, email), provider identifier |
Let you sign in securely |
Contract performance (Art. 6(1)(b) GDPR) |
| Reading activity |
Articles you open, skip, save, or read; time spent; scroll depth |
Personalise your "For You" feed |
Legitimate interest (Art. 6(1)(f) GDPR) |
| Feed impressions |
Which articles appeared in your feed and how long they were visible |
Measure engagement to improve recommendations |
Legitimate interest (Art. 6(1)(f) GDPR) |
| Interest profile |
Topic tags with weights, interest embedding vector |
Power the recommendation algorithm |
Legitimate interest (Art. 6(1)(f) GDPR) |
| Subscriptions |
Which RSS sources you follow |
Deliver articles from your chosen sources |
Contract performance (Art. 6(1)(b) GDPR) |
| Saved articles |
Articles you bookmark |
Let you access saved articles later |
Contract performance (Art. 6(1)(b) GDPR) |
3. What we do NOT collect
- IP addresses — may be temporarily logged by our web server for security and operational purposes, but are not stored in our application database or used for tracking
- Device identifiers — no IDFA, device UUID, or fingerprinting
- Location data — no GPS or geolocation
- Cookies — we do not use cookies
- Cross-site tracking — we do not track you outside of Plume
- Third-party analytics — no Google Analytics, no Segment, no Mixpanel, no tracking pixels
4. How we use your data
Your data is used exclusively to provide and improve the Plume service. The lawful basis for each type of processing is listed in the table above.
- Personalisation: Your reading activity and interest profile are used to rank articles in your "For You" feed. Every article you read, skip, or save adjusts the algorithm. This processing is based on our legitimate interest in providing a useful personalised service. You can object to this at any time by resetting your interest profile or deleting your account.
- Authentication: Your email and sign-in provider details are used to let you sign in and link multiple sign-in methods. This is necessary to perform our contract with you.
- Emails: We send transactional emails only — sign-in magic links and account-linking confirmations. We do not send marketing emails or newsletters.
5. How personalisation works
Plume uses an embedding-based recommendation system. When you interact with articles, we compute a mathematical representation (a vector) of your interests. This vector is compared against article vectors to find content you're likely to enjoy. We also maintain topic tags (like "technology" or "sports") with positive or negative weights based on your reading patterns.
You can view all your learned interests in the Interests tab. You can remove any interest at any time. You can also reset your entire interest profile from your Profile page.
6. Data sharing
We do not sell your data. We do not share your personal data with third parties for advertising or marketing purposes.
We use the following third-party services strictly for core functionality:
- Apple / Google — for authentication only, when you choose to sign in with these providers. Apple and Google are US-based companies; any transfer of personal data to them occurs on the basis of the European Commission's Standard Contractual Clauses (SCCs).
- Resend (resend.com) — to deliver sign-in magic link emails. Resend is a US-based company; personal data (your email address) is transferred on the basis of the European Commission's Standard Contractual Clauses (SCCs).
7. Data storage and security
- All data is stored in a PostgreSQL database on servers located in Europe
- All connections use TLS/HTTPS encryption in transit
- Magic link tokens are hashed with SHA-256 before storage — plaintext tokens are never stored
- JWT authentication tokens expire after 30 days
- On iOS, your authentication token is stored in the device Keychain (encrypted, accessible only when the device is unlocked)
- On the web, your authentication token is stored in browser localStorage
8. Data retention
- Account data is retained as long as your account exists
- Magic link tokens expire after 15 minutes and are cleaned up
- Interaction history is retained to maintain your interest profile
- When you delete your account, all data is permanently removed (cascading deletion across all tables)
9. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — your interests, saved articles, and reading patterns are all visible within the app. You can also request a full export by contacting us.
- Right to rectification (Art. 16) — you can update your profile information at any time.
- Right to erasure (Art. 17) — delete your account and all associated data at any time from your Profile page.
- Right to restriction of processing (Art. 18) — you can request that we restrict processing of your data in certain circumstances (e.g. while we verify accuracy of data you contest).
- Right to data portability (Art. 20) — request a machine-readable copy of the data you provided to us.
- Right to object (Art. 21) — you can object to processing based on legitimate interest (e.g. personalisation). You can also remove individual interests from the Interests tab or reset your entire interest profile.
- Right to lodge a complaint — if you believe your rights have been violated, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any of these rights, contact us at privacy@plumenews.com. We will respond within 30 days.
10. Automated decision-making
Plume uses automated processing to personalise your "For You" feed based on your reading activity and interest profile. This processing does not produce legal effects or similarly significant effects — it only determines which news articles are shown to you and in what order. You can view, adjust, or fully reset your learned interests at any time from the Interests tab or your Profile page.
11. Children's privacy
Plume is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before they take effect. Non-material changes (such as typo corrections or formatting) will be reflected by updating the "Last updated" date at the top.
13. Contact
If you have questions about this privacy policy or your data, contact us at privacy@plumenews.com.