Plume and the GDPR

We take privacy very seriously and we are committed to protecting individuals’ Personal Data.


We believe Personal Data should stay personal.

To achieve that goal, we have been working on building a GDPR compliance program designed to strengthen the protection of EU Personal Data we process. This page explains how the GDPR impacts Plume and what steps we’ve taken to comply with applicable legal requirements.



As of May 25, 2018, the General Data Protection Regulation (“GDPR”) has replaced the Data Protection Directive 95/46/EC and applies directly in all countries of the European Union (“EU”). The GDPR is the most important EU data protection legislation to be enacted in decades and Plume has made its GDPR compliance efforts a priority.

The GDPR applies to companies processing Personal Data in the context of the activities of an EU entity or to companies offering of goods or services to individuals located in the EU.

Our parent company, Plume Design, Inc. is established in Palo Alto, California, U.S., but it may collect Personal Data of EU individuals when offering goods and services to individuals located in the EU. We also have subsidiaries in Slovenia, Poland and Switzerland, in the context of which we may process EU Personal Data.  In addition, the GDPR may apply to Plume when processing personal data on behalf of our customers established in the EU. 

To learn more about the steps we’ve taken to comply with the GDPR, please see below under “How does Plume comply with the GDPR?”.

Under the GDPR, “Personal Data” means any information that relates to an identified or identifiable individual. This includes not only name and contact details, but also any data that can be linked back to an individual, such as online identifiers (e.g., IP address, device unique IDs, cookie identifiers) and location data. To learn more about the Personal Data we process, please visit our Privacy Policy.

A “Data Controller” is the entity that determines the purposes (i.e., why) and means (i.e., how) of the data processing, whereas a “Data Processor” is the entity that acts on behalf and under the instructions of the Data Controller.  Plume can act both as a Data Controller or a Data Processor depending on the case:

  • Plume as a Data Controller: When we offer products and services directly to individuals, we act as a Data Controller. This is the case, for example, when an individual orders the Plume Pods on our website after seeing an ad about Plume. This is also the case, for example, when the individual has been redirected to Plume’s website by another company, such as an Internet Service Provider (“ISP”) with whom we may have a contract. The processing of Personal Data we perform as a Data Controller is described in our Privacy Policy.
  • Plume as a Data Processor: When we process Personal Data on behalf of our customers, such as ISPs, we act as a Data Processor. In these instances, the individual contracts with our customer (the Data Controller) and we process the Personal Data on their behalf. Depending on the case, the software and hardware may either be Plume-branded or customer-branded.  When we process EU Personal Data on behalf of a customer, we ask customers to sign our GDPR-compliant Customer Data Processing Addendum to comply with Article 28 of the GDPR.

Plume is committed to privacy and has implemented a GDPR compliance program. Here is an overview of the key steps Plume has taken to comply with the GDPR:

  • Data processing agreements: When we act as a Data Processor, we ask our customers to sign our GDPR-compliant Customer Data Processing Addendum which contains provisions required by Article 28 of the GDPR. In addition, we ask vendors processing Personal Data on our behalf or on behalf of our customers to sign our GDPR-compliant Vendor Data Processing Addendum.
  • Cross-border data transfers: We have certified our adherence to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to provide a legal ground for the transfer of Personal Data from the EU and Switzerland to the U.S. You can see our Privacy Shield certification here. To learn more about our commitment to comply with the Privacy Shield principles, please visit our Privacy Shield Privacy Policy.
  • Privacy policy: We have updated our Privacy Policy to comply with the GDPR and provide enhanced transparency to our consumers, including their new GDPR rights.  If you have any questions about our privacy practices, please write us an email at
  • Legal ground for the processing and consent: When we act as a Data Controller, we only process EU Personal Data based on a valid legal ground. For that purpose, we have updated our consent flow and offer EU individuals the opportunity to withdraw their consent. To learn more about the legal grounds on the basis of which we process EU Personal Data, please visit our Privacy Policy.
  • Cookies and similar technologies: We have implemented banners on our websites to obtain consent for the use of cookies and similar technologies.
  • Data security: We have implemented appropriate technical and organizational measures to protect the security of EU Personal Data.


This page is not intended to describe Plume’s processing of non-EU Personal Data. It is also not intended to provide legal advice. Please seek appropriate legal advice to ensure that your company complies with the requirements of the GDPR.