1. Information We Collect

We collect information you provide directly to us, including:

• Account Information: Name, email address, organization name
• Authentication Data: Auth0 user ID, authentication tokens
• Usage Data: Prompts, experiments, data items, experiment results
• API Keys: Third-party LLM provider API keys (encrypted)
• Technical Data: IP address, browser type, device information
• Communication Data: Messages you send to us

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process your experiments and analyze results
• Authenticate your access to the service
• Send you technical notices, updates, and security alerts
• Respond to your comments, questions, and support requests
• Monitor and analyze usage patterns and trends
• Detect, prevent, and address technical issues
• Comply with legal obligations

3. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption: All data is encrypted in transit using TLS/SSL
• API Key Protection: API keys are encrypted using Google Cloud KMS envelope encryption
• Access Controls: Role-based access control and authentication via Auth0
• Data Isolation: Organization-level data segregation
• Audit Logs: All encryption/decryption operations are logged via Cloud Audit Logs
• Infrastructure: Hosted on secure cloud infrastructure with regular security updates

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• Service Providers: Third-party vendors who assist in operating our service (Auth0, Google Cloud Platform)
• LLM Providers: Your prompts and data are sent to LLM providers (OpenAI, Anthropic, Google) based on your selections
• Legal Requirements: When required by law, subpoena, or other legal process
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: Other parties when you explicitly consent

Within your organization, data is shared with team members according to their assigned roles and permissions.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide services. When you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.

Some data may be retained in backup systems for up to 90 days after deletion. Anonymized or aggregated data may be retained indefinitely for analytics purposes.

6. Your Rights

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your data (subject to legal requirements)
• Portability: Export your data in a portable format
• Objection: Object to processing of your data
• Restriction: Request restriction of processing
• Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, please contact us through your account settings. We will respond to your request within 30 days.

7. Cookies, Analytics and Tracking

We use essential cookies and local storage to maintain your session and provide authentication. Auth0 may use cookies for authentication and security purposes.

Google Analytics 4 (GA4): We use GA4 to understand how visitors discover and use PromptProof. GA4 collects aggregated information such as country, language, device, browser, referrer, and interest categories. The identifier we send to GA4 is a pseudonymous numeric user ID — we never send your email address, name, or other personally identifying fields to Google.

Consent Mode v2: Until you press “Accept analytics” in the cookie banner, analytics and advertising storage are denied by default and GA only sends anonymous cookieless pings. You can opt back out at any time by clearing your site data for this domain, or by installing the official Google Analytics Opt-out Browser Add-on.

GDPR right to erasure: When you delete your account (or your organization is deleted), we automatically queue a GA4 user-deletion request for your pseudonymous user ID. Google completes the erasure within approximately 63 days.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those in your country. By using our service, you consent to such transfers.

9. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

10. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

Your continued use of the service after changes become effective constitutes acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us through your account settings.