Privacy Policy
Your privacy matters. Here's exactly what data we collect, why we need it, and how we protect it, explained in plain language.
What Data We Collect
We collect only what we need to provide PromptMaktaba's services. Here's the complete list:
| Data Category | Specific Information | Why We Collect It |
|---|---|---|
| Account Information | Email address, name | Create your account, send notifications, provide support |
| Payment Information | Credit card details (via Stripe, we never see them), billing address | Process subscription payments |
| Prompt Content | AI prompts you create, version history, tags | Store and organize your prompts, provide AI enhancement features |
| Usage Analytics | Pages visited, features used, time spent, device type | Improve our product, fix bugs, understand which features matter most |
| Technical Data | IP address, browser type, operating system | Security (detect fraud), troubleshooting, optimize performance |
How We Collect Data
Directly from You
- Account registration: Email and name (via Clerk authentication)
- Prompt creation: Content you write or paste into our editor
- Subscription signup: Billing information (via Stripe payment forms)
- Support requests: Email conversations with our support team
Automatically
- Cookies: Authentication (Clerk session), analytics (Google Analytics 4)
- Server logs: IP addresses, timestamps, HTTP requests (stored for 90 days)
- Error tracking: Anonymous crash reports (no personal data included)
From Third Parties
- Clerk (authentication): Verifies your identity, provides secure login
- Stripe (payments): Confirms successful payments, subscription status
- Azure OpenAI (AI features): Processes prompts for enhancement (opt-in only, we don't send your prompts unless you click "Enhance")
Analytics and Cookies (GDPR Consent)
We use Google Analytics 4 to analyze site usage and improve your experience. Here's exactly how it works:
Consent-Based Tracking
🍪 Consent Banner
On your first visit, a consent banner appears asking permission to use analytics cookies. Analytics tracking is completely blocked until you click "Accept". This complies with GDPR Article 6(1)(a) (consent as legal basis).
What We Track
- Page views: Which pages you visit, how long you stay
- Events: Sign-ups, prompt creations, feature usage (e.g., "AI enhance" clicks)
- Session data: Session duration, pages per session, bounce rate
- Device information: Browser type, operating system, screen resolution
- Approximate location: Country and city (derived from IP address, which we anonymize)
What We DON'T Track
- ❌ Prompt content: We never send your prompts to Google Analytics
- ❌ Email addresses: No personally identifiable information (PII)
- ❌ IP addresses: Automatically anonymized by Google Analytics
- ❌ Cross-site tracking: We don't use Google Ads or tracking pixels
Data Retention
Per GDPR data minimization requirements, we retain Google Analytics event-level data for 2 months. After this period, event-level data is automatically deleted. Aggregate metrics (e.g., total users, session counts) are retained indefinitely for business analytics.
Google Consent Mode v2
We implement Google Consent Mode v2, mandatory since March 2024 for EU/EEA traffic. This ensures:
- Default denied state: Analytics cookies blocked until you accept
- Granular control: Separate consent for analytics vs. advertising (we only use analytics)
- Persistent choice: Your consent decision is saved to localStorage
- Easy opt-out: Consent banner reappears if you clear cookies
Third-Party Data Sharing
Google Analytics is a third-party service operated by Google LLC. Data shared with Google:
- What's shared: Anonymized usage data (pages visited, events triggered, device type)
- Google's use: Process analytics data on our behalf (Data Processing Agreement in place)
- Google's privacy policy: policies.google.com/privacy
- No ad targeting: We don't use Google Ads, so your data isn't used for advertising
🔒 Your Control
You can manage analytics cookies at any time:
- Clear cookies: Delete site cookies in your browser settings (consent banner will reappear)
- Browser extensions: Use uBlock Origin, Privacy Badger, or similar ad blockers
- Google Analytics opt-out: Install the Google Analytics Opt-Out Browser Add-on
- Do Not Track: Enable Do Not Track in your browser (we respect this signal)
Why We Collect Data (Legal Basis)
Under GDPR, we must have a legal basis for processing your data. Here's ours:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account information | Contract (necessary to provide service) | Create and manage your account, send login emails |
| Payment information | Contract + Legal obligation (tax records) | Process payments, comply with tax laws (7-year retention) |
| Prompt content | Contract (necessary to provide service) | Store your prompts, enable version history and sharing |
| Usage analytics | Legitimate interest (improve our product) | Understand which features users love, fix bugs, optimize performance |
| AI enhancement requests | Consent (you click "Enhance" button) | Send your prompt to Azure OpenAI for improvement suggestions |
How We Use Your Data
Essential Operations
- Account management: Authenticate logins, send password resets, manage subscriptions
- Service delivery: Store prompts, sync across devices, enable collaboration
- Billing: Process payments, send invoices, handle refunds/disputes
- Customer support: Respond to questions, troubleshoot issues, fix bugs
Product Improvements
- Analytics: Understand which features are used most, identify pain points
- A/B testing: Test new features with subsets of users (anonymized data)
- Performance monitoring: Optimize page load times, reduce errors
What We DON'T Do
- ❌ Sell your data: We never sell personal information to third parties
- ❌ Train AI on your prompts: Azure OpenAI doesn't use your data to train models
- ❌ Show targeted ads: We don't run advertising networks
- ❌ Share with data brokers: Your data stays with us and our service providers
Who We Share Data With
We share your data only with trusted service providers who help us run PromptMaktaba:
| Third Party | What They Do | Data Shared |
|---|---|---|
| Clerk (Authentication service) | Secure login, password management, multi-factor authentication | Email, name, login timestamps |
| Stripe (Payment processor) | Process credit card payments, manage subscriptions, handle refunds | Email, billing address, payment method (encrypted) |
| Supabase (Database hosting) | Store your prompts, manage user data, provide realtime sync | All account data, prompt content, usage history |
| Azure OpenAI (AI enhancement) | Improve your prompts with AI suggestions (opt-in only) | Prompt content (ONLY when you click "Enhance") |
| Google Analytics 4 (Usage analytics) | Track page views, feature usage, user flows (anonymized, consent-based) | Pages visited, device type, session duration, events (sign-ups, feature usage) - NO personally identifiable information |
🔒 Data Processing Agreements
All service providers sign Data Processing Agreements (DPAs) committing to GDPR and CCPA compliance. They cannot use your data for their own purposes.
How We Protect Your Data
We use industry-standard security measures to protect your information:
Encryption
- In transit: TLS 1.3 encryption for all data sent between your browser and our servers
- At rest: AES-256 encryption for data stored in our database (Supabase)
- Passwords: Hashed with bcrypt (Clerk manages this, we never see your password)
Access Controls
- Row-Level Security (RLS): Database policies ensure you can only access your own prompts
- Authentication tokens: Short-lived JWT tokens expire after 1 hour
Monitoring & Response
- Automated scanning: Daily vulnerability scans on all infrastructure
- Intrusion detection: Real-time alerts for suspicious activity
- Incident response plan: If a breach occurs, we'll notify affected users within 72 hours (GDPR requirement)
How Long We Keep Your Data
We keep your data for specific timeframes based on legal requirements and business needs:
| Data Type | Retention Period | Why This Long? |
|---|---|---|
| Account data | 7 days after deletion request | Grace period for accidental deletions (you can restore your account) |
| Payment history | 7 years | Tax compliance (IRS requirement for business records) |
| Prompt content | 7 days after deletion request | Grace period for accidental deletions (same as account data) |
| Usage analytics (Google Analytics 4) | 2 months (event-level data) | GDPR data minimization compliance. Aggregate metrics (user counts, sessions) retained indefinitely for business analytics. |
| Server logs | 90 days | Security monitoring, troubleshooting, fraud detection |
| Support emails | 2 years | Reference for recurring issues, quality assurance |
📧 Deletion Requests
You can request immediate deletion by emailing privacy@promptmaktaba.com. We'll confirm deletion within 3 business days.
Your Rights Under GDPR (Europe)
If you're in the European Economic Area (EEA), you have these rights under GDPR:
1. Right to Access (Article 15)
Request a copy of all personal data we hold about you. We'll provide it in a machine-readable format within 30 days.
2. Right to Rectification (Article 16)
Correct inaccurate information (e.g., update your name or email in Account Settings).
3. Right to Erasure / "Right to Be Forgotten" (Article 17)
Request deletion of your personal data. We'll delete it within 7 days (except payment records kept for tax compliance).
4. Right to Restrict Processing (Article 18)
Ask us to temporarily stop processing your data (e.g., while disputing its accuracy).
5. Right to Data Portability (Article 20)
Download your prompts in JSON format and transfer them to another service.
6. Right to Object to Processing (Article 21)
Opt out of usage analytics or marketing emails (we don't send promotional emails, only transactional ones).
📧 How to Exercise Your Rights
Email privacy@promptmaktaba.com with your request. We'll respond within 30 days (GDPR requirement).
🇪🇺 Supervisory Authority Complaints
If you believe we've violated GDPR, you can file a complaint with your local data protection authority. Find your authority at edpb.europa.eu.
📋 Data Controller Contact
PromptMaktaba, Inc. is the data controller for your personal information. Contact us at privacy@promptmaktaba.com for any data protection inquiries.
Your Rights Under Australian Privacy Act 1988 (APP)
As an Australian-registered company, we comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Here are your key rights:
1. Right to Access (APP 12)
Request access to your personal information we hold. We'll provide it within 30 days in a commonly used format.
2. Right to Correction (APP 13)
Request correction of inaccurate, out-of-date, incomplete, or misleading personal information. We'll update it within a reasonable timeframe.
3. Right to Erasure
Request deletion of your personal data. We'll delete it within 7 days (except payment records kept for tax compliance under Australian law).
4. Data Breach Notification (NDB Scheme)
If an eligible data breach occurs that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) within 30 days, including recommendations for protective steps you should take.
5. Security Safeguards (APP 11)
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorized access, modification, or disclosure through military-grade encryption and row-level security.
6. Transparency (APP 1)
We maintain a clear and up-to-date privacy policy (this document) and handle complaints in accordance with APP requirements.
📧 How to Exercise Your Rights
Email privacy@promptmaktaba.com with your request. We'll respond within 30 days.
🇦🇺 Complaints to OAIC
If you believe we've violated the Privacy Act, you can file a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Your Rights Under CCPA (California)
If you're a California resident, you have these rights under CCPA:
1. Right to Know
Request details about what personal information we collect, how we use it, and who we share it with. We'll provide this information within 45 days.
2. Right to Delete
Request deletion of your personal information. We'll delete it within 7 days (except records required by law, like tax documents).
3. Right to Opt-Out of Sale
We don't sell your data. We never have, and we never will. Period.
4. Right to Non-Discrimination
You won't be denied service, charged different prices, or receive lower quality if you exercise your CCPA rights.
📧 How to Exercise Your Rights
Email privacy@promptmaktaba.com with your request. We'll verify your identity and respond within 45 days (CCPA requirement).
📋 Categories of Personal Information (CCPA Disclosure)
- Identifiers: Email, name, IP address
- Commercial information: Subscription plan, payment history
- Internet activity: Pages visited, features used, timestamps
- Geolocation data: Approximate location (city-level, from IP address)
- Professional information: Job title (if you provide it)
🤝 Sources of Personal Information
We collect personal information from: (1) Directly from you (account registration, prompts), (2) Automatically (cookies, server logs), (3) Third parties (Clerk, Stripe).
🎯 Business Purposes for Collection
We collect personal information for: (1) Service delivery (store prompts, manage accounts), (2) Payment processing, (3) Customer support, (4) Product improvement (analytics), (5) Security and fraud prevention.
👥 Categories of Third Parties We Share With
Service providers only: Clerk (auth), Stripe (payments), Supabase (database), Azure OpenAI (AI features), Google Analytics (analytics). We do NOT share with advertisers, data brokers, or affiliates.
Cookie Policy
We use cookies to keep you logged in and understand how you use our product.
| Cookie Type | Purpose | Can You Opt Out? |
|---|---|---|
| Essential Cookies (Clerk session cookies) | Keep you logged in, remember your authentication state | ❌ No (required for the service to work) |
| Analytics Cookies (Google Analytics 4) | Understand which features you use, how long you spend on pages, analyze user behavior | ✅ Yes - GDPR Consent Required: A consent banner appears on your first visit. Analytics tracking is blocked until you click "Accept". You can reject at any time. |
🍪 How to Opt Out of Analytics Cookies
- Browser settings: Block third-party cookies in Chrome, Firefox, Safari, or Edge
- Google Analytics opt-out: Install the Google Analytics Opt-Out Browser Add-on
- Privacy-focused browsers: Use Brave or Firefox with Enhanced Tracking Protection
Last updated: November 11, 2025
Changes: Added comprehensive Google Analytics 4 disclosure, GDPR Consent Mode v2 implementation details, and updated data retention periods