Trust & Security

Built to be trusted with your data

Plain-English detail on how we secure your account, your API keys and the data — and how to report a vulnerability. No jargon, no hand-waving.

Encrypted in transit

Every request is served over HTTPS with HSTS enforced (TLS 1.2+). A strict Content-Security-Policy, X-Content-Type-Options, frame and referrer policies are set on every response.

API keys you control

Keys are hashed (SHA-256) at rest and shown once — we can't see them after creation. They're scoped to your own tier (never admin), revocable anytime, and rate-limited so a leaked key can't hammer the service.

Signed webhooks

Every webhook is signed with HMAC-SHA256 (X-PL-Signature) so you can verify it came from us. Webhooks are delivered only over HTTPS to public hosts, with retries and auto-disable on repeated failure.
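A receiver-side check for the signature described above, as an added example that is not PlanningLeads' own code. It assumes the X-PL-Signature value is the hex-encoded HMAC-SHA256 of the raw request body under your webhook secret; the secret, payload and function names are constructed for illustration, so confirm the exact format against the webhook documentation.

```python
import hashlib
import hmac
from typing import Mapping, Optional

SIGNATURE_HEADER = "X-PL-Signature"  # header name as given on this page


def _decode_signature(value: str) -> Optional[bytes]:
    """Decode the header value (assumed hex); None if it is not a 32-byte digest."""
    try:
        raw = bytes.fromhex(value.strip())
    except ValueError:
        return None
    return raw if len(raw) == hashlib.sha256().digest_size else None


def verify_webhook(secret: bytes, raw_body: bytes, headers: Mapping[str, str]) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 of raw_body."""
    # HTTP header names are case-insensitive, so match on the lowered name.
    supplied = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if supplied is None:
        return False  # unsigned request: reject, never fall through to processing
    claimed = _decode_signature(supplied)
    if claimed is None:
        return False  # malformed signature
    # Sign the bytes exactly as received; re-serialising parsed JSON changes them.
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, claimed)


# Constructed sample data (not real secrets or real payloads).
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"constructed.example","id":"sample-123"}'
GOOD_HEADERS = {"x-pl-signature": hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    print("valid:", verify_webhook(SECRET, BODY, GOOD_HEADERS))
    print("tampered body:", verify_webhook(SECRET, BODY + b" ", GOOD_HEADERS))
    print("missing header:", verify_webhook(SECRET, BODY, {}))
```

Run the check before parsing the payload, and pass it the body bytes your framework received rather than a re-encoded copy.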

Payments handled by Stripe

Card payments are processed entirely by Stripe (PCI-DSS Level 1). Your card details never touch — and are never stored on — our servers. Manage or cancel your subscription anytime from the Stripe billing portal.

Privacy by design

We serve organisation- and area-level construction intelligence only — never homeowner or individual personal data. PII passes through a single server-side gate (default-deny), and a GDPR erasure/objection request suppresses a subject across every read path.

EU-hosted, official sources

Infrastructure is hosted in the EU. The data is re-used from official public sources under Ireland's PSI / Open Data licence — assembled and enriched, never fabricated, with source links provided.

Responsible disclosure

Found a security issue? We want to hear about it. Email security@planningleads.ie with details and steps to reproduce, and please give us reasonable time to fix it before disclosing publicly. Our machine-readable policy is published at /.well-known/security.txt (RFC 9116).

Standards & references

  • GDPR — lawful re-use of public-sector information; organisation/area-level only; erasure & objection honoured. See our Privacy Notice.
  • Ireland PSI / Open Data licence — the planning data is official public-sector information, re-used with attribution.
  • Stripe (PCI-DSS Level 1) — all card processing; we never see or store card data.
  • RFC 9116 — published security.txt for coordinated disclosure.

We don't claim certifications we don't hold. This page describes measures actually in place; for a data-processing agreement (DPA) or security questionnaire, contact hello@planningleads.ie.

Questions about security or data?

We're happy to walk you (or your IT team) through it.