Privacy Policy | Promptable

Effective Date: November 3, 2025 Last Updated: November 3, 2025

1. INTRODUCTION

Welcome to Promptable. We are committed to protecting your privacy and being transparent about how we collect, use, and protect your information.

This Privacy Policy explains:

What information we collect
How we use your information
How we share your information
Your privacy rights
How we protect your information
How to contact us with privacy questions

By using Promptable, you consent to the data practices described in this Privacy Policy.

2. DATA CONTROLLER INFORMATION

Promptable Technologies, Inc. is the data controller responsible for your personal information.

Contact Information:

Email: privacy@promptable.us
Mailing Address: 92 Corporate Park, #C-231, Irvine, CA 92606, United States

Service Availability:

The Service is currently available to users in the United States only
We comply with applicable US federal and state privacy laws, including the California Consumer Privacy Act (CCPA)

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

When you create an account and use Promptable, you provide:

Required Account Information:

Email address - For account creation, login, and communications
Full name - To personalize your experience
Birth year and month (optional) - For age verification (must be 13+)
Use case - How you plan to use Promptable (e.g., education, business, personal)

Conditional Information (Based on Use Case Selection):

Industry - If you select business use case
Education level - If you select education use case
Company size - If you select business use case
Job role - If you select business use case
School type - If you select education use case

Alpha Testing Access (Temporary - Alpha Phase Only):

Invite code - Alpha invitation code entered during registration
Code reservation - Email address used to reserve an invite code (if applicable)
Code usage tracking - Linkage between invite codes and user accounts
Code status - Whether codes are available, reserved, used, or expired

We track invite code reservations and usage to manage alpha access. This data links your pre-registration email (if you reserved a code) to your account and will be deleted after the alpha phase concludes.

User-Generated Content:

Prompts - Text and structured prompts you create
Files - Documents, images, and other files you upload (subject to size and type limits)
Feedback - Comments, suggestions, and bug reports you submit
Profile information - Any optional profile details you provide

Security Data (Optional):

If you enable two-factor authentication (2FA), we securely store:

Two-factor authentication (2FA) secrets - Encrypted TOTP (Time-based One-Time Password) keys
Backup recovery codes - Hashed using industry-standard algorithms
2FA enablement status - Whether 2FA is active on your account
2FA activation timestamp - When you enabled 2FA

Security: TOTP secrets are encrypted at rest. Backup codes are hashed using bcrypt and cannot be reversed. We cannot recover your 2FA secrets if you lose access to your authenticator app—you must use backup codes or reset 2FA.

3.2 Information Collected Automatically

When you use Promptable, we automatically collect:

Activity Logs:

We log all user actions including:

Actions taken - View, create, update, delete operations
Timestamps - Date and time of each action (UTC)
IP addresses - Your device's IP address for each request
User agent strings - Browser type, version, and operating system
Session information - Session IDs and duration
Device information - Device type, screen resolution
Referrer information - Pages visited before and after

Purpose: Security monitoring, fraud prevention, service analytics, debugging, and legal compliance.

Retention: Activity logs are retained for 12 months; security-related logs for 24 months.

Session Management (Security Feature):

We provide an "Active Sessions" feature that collects:

Active session information - IP address, device type, browser, and operating system
Session activity timestamps - When sessions were created and last active
User agent string - Browser and device details

Purpose: This data allows you to view all devices where you're currently logged in and remotely terminate any session. This is a security tool designed to protect your account—for example, if you logged in on a public computer and forgot to log out, you can remotely end that session from your account settings.

You control your sessions: View and terminate any active session at any time from your account settings.

Retention: Session data is retained for 30 days and automatically deleted when sessions expire.

Technical Information:

Cookies - As described in Section 11
Local storage - For user preferences and session management
Browser capabilities - JavaScript version, supported features
Network information - Connection speed, ISP (derived from IP)

Usage Analytics:

Feature usage - Which features you use and how often
Performance metrics - Page load times, error rates
Navigation patterns - How you move through the application
File upload statistics - Number and types of files uploaded

3.3 Information from Third-Party Sources

We may receive information about you from:

OAuth providers (if we implement social login) - Name, email, profile picture
Payment processors (if we implement payments) - Payment confirmation, but not credit card numbers
Anti-fraud services - Fraud risk scores based on IP addresses and device fingerprints

4. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

4.1 Provide the Service

Account Management - Create and manage your account (Supabase Auth)
Authentication - Verify your identity at login (email/password, 2FA)
Store Content - Save your prompts and files (Supabase database, Wasabi S3)
Process Files - Scan for viruses and malware (ClamAV)
Display Content - Show your prompts and files back to you
Enable Features - Provide prompt creation, editing, organization features
Export Data - Generate exports of your data upon request

4.2 AI-Powered Features

Core Features:

AI Prompt Generation - Generate optimized prompts using OpenAI GPT-5 Nano based on your specifications (optional feature)
File Context Understanding - Process uploaded files using OpenAI embeddings to provide context for prompt generation

Security Features:

Content Moderation - Detect prohibited content in user-generated content
Jailbreak Detection - Validate prompt generation requests for security vulnerabilities

Important: Your saved prompts in the prompt library are NOT processed through AI systems. Only new prompt generation requests and file uploads to the AI generator are sent to OpenAI. See Section 6 for complete details.

4.3 Security and Fraud Prevention

Monitor Activity - Detect suspicious behavior and unauthorized access
Prevent Abuse - Identify and block spam, fraud, and malicious activity
Rate Limiting - Prevent service abuse through excessive requests
Virus Scanning - Protect users from malware in uploaded files
Investigate Incidents - Respond to security breaches and user reports

4.4 Service Improvement

Analytics - Understand how users interact with features
Performance Monitoring - Identify slow pages and errors
Bug Tracking - Debug issues reported by users
Feature Development - Decide what features to build next
User Research - Conduct surveys and interviews (with consent)

4.5 Communications

Service Updates - Notify you of new features and changes
Security Alerts - Inform you of security issues affecting your account
Policy Updates - Notify you of changes to Terms of Service or Privacy Policy
Support Responses - Reply to your support requests
Marketing (opt-in) - Send promotional emails (you can unsubscribe anytime)

4.6 Legal Compliance

Respond to Legal Requests - Comply with subpoenas, court orders, and law enforcement requests
Enforce Terms - Investigate violations of our Terms of Service
Report Illegal Content - Report CSAM to NCMEC as required by law
Tax and Accounting - Maintain records for financial compliance (if we implement payments)
Data Retention - Comply with legal requirements to retain certain data

5. DATA SHARING AND THIRD-PARTY SERVICES

We share your information with third-party service providers necessary to operate Promptable. We require all vendors to protect your data and prohibit them from using your data for their own purposes.

5.1 Service Providers

Supabase (Database and Authentication)

What they do: Host our database and provide authentication services
Data shared: Account information, prompts, activity logs, all application data
Location: United States (with global distribution)
Data Processing Agreement: Yes
Privacy Policy: https://supabase.com/privacy
Purpose: Core infrastructure for storing and managing all application data

Wasabi (File Storage)

What they do: S3-compatible object storage for file uploads
Data shared: All files you upload
Location: United States (us-east-1 region)
Data Processing Agreement: Yes (executed)
Privacy Policy: https://wasabi.com/legal/privacy-policy/
Purpose: Secure, scalable storage for user-uploaded files
Encryption: Server-side encryption at rest

OpenAI (AI Processing)

What they do: Provide AI API for prompt generation, file embeddings, and security features
Models used: GPT-5 Nano (prompt generation), text-embedding-3-small (file processing), GPT-4 Omni (moderation)
Data shared:
- AI Prompt Generator inputs (task, audience, tone, format, criteria, constraints, context)
- File content uploaded to prompt generator (up to 8,000 chars per file)
- User-generated content (for moderation)
- Prompt generation requests (for jailbreak detection)
Location: United States (with EU data protection commitments)
Data Processing Agreement: Yes (executed)
Privacy Policy: https://openai.com/policies/privacy-policy
Usage Policy: https://openai.com/policies/usage-policies
Purpose: AI-powered prompt generation, file context understanding, content moderation, jailbreak detection (see Section 6 for full details)
AI Training: Your data is NOT used to train AI models (zero-data retention for training)
Retention: 30 days for abuse monitoring, then permanently deleted

Resend (Email Delivery)

What they do: Transactional email service for account notifications
Data shared: Email address, name, email content (service notifications only)
Location: United States
Data Processing Agreement: Yes (auto-executed upon signup)
Privacy Policy: https://resend.com/legal/privacy-policy
Purpose: Deliver account-related emails (verification, password reset, notifications)

ClamAV (Virus Scanning)

What they do: Open-source antivirus engine for file scanning
Data shared: Contents of uploaded files (for scanning only)
Location: Runs on our infrastructure (Fly.io)
Data Processing Agreement: N/A (open-source tool we operate)
Purpose: Scan uploaded files for viruses and malware
Retention: Files scanned in memory, not retained

Redis / Upstash (Caching and Session Storage)

What they do: In-memory data store for caching and sessions
Data shared: Session data, cached application data
Location: United States
Data Processing Agreement: Yes (auto-executed upon signup)
Purpose: Improve application performance and manage user sessions
Retention: Temporary (expires based on TTL settings)

Fly.io (Hosting Infrastructure)

What they do: Cloud hosting platform for our application servers
Data shared: All data transmitted through the application (continuous transfer for hosting)
Location: United States (with global edge locations)
Data Processing Agreement: Yes (executed)
Privacy Policy: https://fly.io/legal/privacy-policy/
Purpose: Host and run Promptable application servers

5.2 Analytics and Monitoring (If Implemented)

(Add if you implement these)

Google Analytics (if implemented) - Usage analytics
Sentry (if implemented) - Error tracking and monitoring
LogRocket (if implemented) - Session replay (with explicit consent)

5.3 Payment Processors (If Implemented)

(Add when you implement payments)

Stripe - Payment processing (PCI DSS compliant)

5.4 Data Processing Agreements (DPAs)

We have executed Data Processing Agreements (DPAs) with all service providers that process personal data on our behalf, ensuring full GDPR Article 28 compliance. These agreements ensure:

Data is processed only for specified purposes
Appropriate security measures are implemented
Sub-processors are disclosed and approved
Data breach notification procedures
Data deletion upon termination
Vendor compliance with applicable US privacy laws (CCPA/CPRA) and GDPR readiness

DPA Status - 100% Coverage:

✅ Supabase - DPA executed (database and authentication)
✅ Wasabi - DPA executed (file storage)
✅ OpenAI - DPA executed (AI processing)
✅ Resend - Auto-executed DPA (email delivery)
✅ Upstash - Auto-executed DPA (caching and job queue)
✅ Fly.io - DPA executed (hosting infrastructure)

Auto-Executed DPAs: Resend and Upstash use modern "auto-executed" DPAs that become effective upon account signup. These are fully GDPR-compliant and meet all Article 28 requirements.

5.5 Legal Disclosures

We may disclose your information to:

Law enforcement - In response to valid legal requests (subpoenas, court orders)
Government agencies - To comply with legal obligations
NCMEC - To report child sexual abuse material (CSAM) as required by law
Legal proceedings - To defend against legal claims or enforce our rights

We will notify you of legal requests unless:

We are legally prohibited from doing so
Notification would compromise an investigation
Emergency circumstances exist

5.6 Business Transfers

If Promptable is acquired, merged, or sells assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

5.7 No Data Sales

We do not sell your personal information to third parties.

Under California law, "sale" has a specific definition. We do not sell your personal information as defined by CCPA/CPRA.

6. AI-POWERED FEATURES AND DATA PROCESSING

6.1 What AI We Use

Promptable uses OpenAI's API for two primary purposes:

Core Features: AI-powered prompt generation using GPT-5 Nano and file processing using text embeddings
Security & Safety: Content moderation and jailbreak detection

6.2 When AI Processes Your Data

We use OpenAI's API for the following purposes:

1. AI Prompt Generation (Core Feature)

This is our primary AI feature. When you use the AI Prompt Generator:

Your inputs are sent to OpenAI GPT-5 Nano, including:
- Task description
- Target audience
- Tone and style preferences
- Output format requirements
- Success criteria
- Constraints
- Additional context
- File content (if you uploaded files - see below)
OpenAI generates prompts based on your specifications
The generated prompts are returned to you and can be saved to your prompt library

Note: This feature is optional - you can manually create prompts in your prompt library without using AI generation.

2. File Processing with Embeddings

When you upload files to the AI Prompt Generator:

File content is sent to OpenAI's Embeddings API (text-embedding-3-small model)
Purpose: Generate semantic embeddings to understand file context
Content processed: Up to 8,000 characters of text content per file
File types: Text files are processed as-is; PDFs show placeholder text
Embeddings storage: Embeddings are NOT stored in our database - they are generated per request and discarded after use

Then, the file content is also sent to GPT-5 Nano along with your other inputs to provide context for prompt generation.

3. Content Moderation

User-generated content may be checked against OpenAI's moderation policies to detect:

Prohibited content (hate speech, violence, illegal content)
Terms of Service violations
Content that could harm users or the platform

4. Jailbreak Detection

Prompt generation requests are validated for security vulnerabilities:

Attempts to bypass AI safety measures are detected and blocked
This protects both you and the platform from malicious prompts

Important Distinction:

✅ Prompt generation requests (your inputs to the AI generator) ARE sent to OpenAI
✅ File uploads (to the AI generator) ARE sent to OpenAI
❌ Saved prompts (in your prompt library) are NOT sent to OpenAI - they are stored securely in our Supabase database

6.3 What Data Goes to OpenAI

Data sent to OpenAI includes:

For AI Prompt Generation (GPT-5 Nano):

✅ Task description, target audience, tone, format, success criteria, constraints, additional context
✅ File content (up to 8,000 characters per file) if you upload files to the prompt generator
✅ Your prompt generation request metadata (timestamp, request ID)

For File Embeddings (text-embedding-3-small):

✅ File content (up to 8,000 characters per file)

For Security Features:

✅ User-generated content when being moderated (content moderation)
✅ Prompt generation requests (jailbreak detection)

Data NOT sent to OpenAI:

❌ Saved prompts in your prompt library (only new generation requests)
❌ Files you upload to your library (only files uploaded to the AI generator)
❌ Your account information (name, email, profile)
❌ Your activity logs
❌ Your authentication credentials

6.4 Data Protection with OpenAI

We have a Data Processing Agreement (DPA) with OpenAI that guarantees:

✅ Your data is NOT used to train AI models - Zero-data retention for training purposes
✅ Secure processing - All data encrypted in transit (TLS 1.3) and at rest (AES-256)
✅ Geographic processing - Data processed in the United States
✅ Breach notification - OpenAI will notify us of any data breaches within required timeframes
⚠️ Data retention for abuse monitoring - OpenAI retains API request data for 30 days for abuse and misuse monitoring, then it is deleted

Why OpenAI retains data for 30 days:

To monitor for API abuse and Terms of Service violations
To detect and prevent harmful content generation
To comply with legal requirements for service providers
After 30 days, your data is permanently deleted from OpenAI's systems

You can review OpenAI's data usage policies at: https://openai.com/policies/usage-policies

6.5 Opting Out of AI Processing

AI Prompt Generation (Optional Feature):

The AI Prompt Generator is entirely optional
You can create and manage prompts manually in your prompt library without using AI
Simply skip the AI generator and create prompts directly

File Uploads:

If you don't want your files processed by OpenAI:
- Do not upload files to the AI Prompt Generator
- Use the manual prompt creation interface instead

6.7 Future AI Features

We may introduce additional AI features in the future. If we do:

We will notify you and update this Privacy Policy
You will be able to opt-out of optional AI features
We will maintain the same data protection standards

7. DATA RETENTION

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

Data Type	Retention Period	Reason
Account Data	Until you delete your account (+ 30-day recovery period)	Provide Service, account recovery
Prompts	Until you delete them (+ 30-day recovery period)	Provide Service, account recovery
Uploaded Files	Until you delete them (+ 30-day recovery period)	Provide Service, account recovery
Activity Logs	12 months	Security monitoring, fraud prevention, analytics
Security Logs	24 months	Incident investigation, compliance
DSAR Request Logs	24 months	CCPA compliance requirement
DMCA Takedown Records	Indefinitely	Legal compliance, repeat infringer policy
Billing Records (if applicable)	7 years	Tax and accounting regulations
Deleted Account Logs	30 days	Account recovery period
Anonymized Analytics	Indefinitely	Service improvement (cannot identify you)

7.2 Account Deletion

When you delete your account:

Day 0-30 (Recovery Period):

Your account is soft-deleted
You can recover your account by logging in
Your data is not accessible to other users
Your data is retained for recovery

After 30 Days (Permanent Deletion):

Your account is hard-deleted
Your personal data is permanently removed from production systems
Backups are overwritten within 90 days
Some data may be retained as described above (logs, legal records, anonymized data)

7.3 Legal Retention Requirements

Some data must be retained longer for legal compliance:

CCPA/CPRA: Consumer request logs for 24 months
Tax Laws: Financial records for 7 years (if applicable)
DMCA: Copyright records indefinitely
Legal Holds: Data subject to litigation or investigation

7.4 Right to Request Deletion

You can request deletion of your data at any time by:

Using the account deletion feature
Emailing privacy@promptable.us

We will respond within 45 days as required by applicable law.

8. YOUR PRIVACY RIGHTS

As a user of Promptable, you have important privacy rights. We are committed to honoring these rights and making it easy for you to exercise them.

8.1 Rights Under CCPA/CPRA (California Users)

If you are a California resident, you have the following rights:

Right to Know

Know what personal information we collect, use, disclose, and sell (we don't sell)
How to exercise: Email privacy@promptable.us
Response time: 45 days (may extend 45 more days)

Right to Access

Request specific pieces of personal information we've collected about you
How to exercise: Use data export feature or email privacy@promptable.us
Response time: 45 days

Right to Delete

Request deletion of your personal information
How to exercise: Use account deletion or email privacy@promptable.us
Response time: 45 days
Exceptions: May retain for legal compliance, fraud prevention, security

Right to Correct

Correct inaccurate personal information
How to exercise: Account settings or email privacy@promptable.us
Response time: 45 days

Right to Opt-Out of Sale

We do not sell your personal information, so no opt-out is necessary
Verification: We will never sell your data

Right to Limit Use of Sensitive Personal Information

Limit use of sensitive personal information (if we collect it)
How to exercise: Email privacy@promptable.us

Right to Non-Discrimination

You will not be discriminated against for exercising your rights
We guarantee: Same service quality regardless of rights exercised

8.2 Exercising Your Rights

How to Submit a Request:

Email: privacy@promptable.us with subject "Privacy Rights Request"
Include:
- Your full name
- Email address associated with your account
- Specific right you want to exercise
- Description of your request

Verification:

We will verify your identity before processing requests
May require you to log in or confirm email address
For California residents: Must verify identity to reasonable degree of certainty

Authorized Agents (California):

You may authorize someone to submit requests on your behalf
We require written authorization from you
Agent must provide proof of authorization

Response Times:

CCPA requests: 45 days (may extend 45 more)
Other state law requests: As required by applicable law
We will notify you if we need more time

No Fee:

Requests are free
We may charge a reasonable fee for manifestly unfounded or excessive requests

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies

Cookies are small text files stored on your device that help websites remember information about your visit.

9.2 Cookie Consent

We use a Cookie Consent Manager to obtain your consent before placing non-essential cookies. When you first visit Promptable:

A cookie banner appears
You can accept all, reject all, or customize preferences
Essential cookies are always active (required for Service to function)
Optional cookies require your consent

9.3 Types of Cookies We Use

Essential Cookies (Always Active)

These cookies are necessary for the Service to function:

Cookie Name	Purpose	Duration
`session`	Maintain your login session	Session (deleted when you close browser)
`csrf_token`	Protect against cross-site request forgery attacks	Session
`consent`	Remember your cookie preferences	12 months

Analytics Cookies (Opt-In)

These cookies help us understand how you use the Service:

Cookie Name	Purpose	Duration
`analytics_id`	Track usage patterns and feature adoption	12 months
`session_replay`	Record sessions for debugging (if implemented)	Session

Current Status: We do NOT currently implement any analytics tracking. We collect your analytics consent preference in preparation for future implementation of PostHog analytics. If and when we implement analytics tracking, we will:

Only collect analytics data if you have explicitly opted in
Use PostHog (privacy-focused, GDPR-compliant analytics platform)
Notify you before beginning data collection
Allow you to opt out at any time from your privacy settings

You can update your analytics consent preference at any time, even though no analytics data is currently being collected.

Functional Cookies (Opt-In)

These cookies enhance your experience:

Cookie Name	Purpose	Duration
`preferences`	Remember your settings (theme, language)	12 months

We do NOT use:

Advertising cookies
Third-party tracking cookies
Cross-site tracking

9.4 Local Storage

We use browser local storage for:

User interface preferences (theme, sidebar state)
Cached data (improve performance)
Draft content (autosave your work)

Local storage persists until you clear your browser data or delete your account.

9.5 Managing Cookies

Control Cookies Through:

Our Cookie Consent Manager - Change preferences anytime at https://promptable.us/cookie-preferences
Browser Settings - Disable cookies in browser preferences
- Chrome: Settings → Privacy → Cookies
- Firefox: Settings → Privacy → Cookies
- Safari: Preferences → Privacy → Cookies
Browser Extensions - Use privacy-focused extensions

Impact of Disabling Cookies:

Essential cookies: Service won't work properly
Analytics cookies: We won't collect usage data
Functional cookies: Preferences won't be saved

9.6 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not respond to DNT signals at this time.

10. DATA SECURITY

We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

10.1 Technical Security Measures

Encryption:

In Transit: TLS 1.3 encryption for all data transmitted between your device and our servers
At Rest: AES-256 encryption for data stored in databases (Supabase)
File Storage: Server-side encryption for files stored in S3 (Wasabi)
Backups: Encrypted backups with separate encryption keys

Access Controls:

Authentication: Secure password hashing (bcrypt/Argon2)
Two-Factor Authentication (2FA): Available for all users
Session Management: Secure session tokens with automatic expiration
Role-Based Access Control (RBAC): Limits who can access what data

Application Security:

CSRF Protection: Tokens prevent cross-site request forgery
SQL Injection Protection: Parameterized queries
XSS Protection: Input sanitization and output encoding
Content Security Policy (CSP): Restricts resource loading
Rate Limiting: Prevents brute force and DoS attacks
DDoS Protection: Fly.io provides DDoS mitigation

Malware Protection:

ClamAV Virus Scanning: All uploaded files scanned automatically
Quarantine: Infected files isolated and prevented from spreading
Regular Updates: Virus definition database updated daily

10.2 Operational Security Measures

Personnel:

Limited employee access to personal data
Background checks for employees with data access
Confidentiality agreements for all employees
Security training for all team members

Infrastructure:

Secure hosting with Fly.io (SOC 2 Type II compliant provider)
Database backups every 24 hours
Disaster recovery procedures
Regular security audits

Monitoring:

24/7 automated monitoring for security incidents
Intrusion detection systems
Log analysis for suspicious activity
Vulnerability scanning
Audit Log Redundancy - Activity logs use a dead letter queue system to ensure durable audit trails even if primary logging fails. Failed log insertions are queued for retry via BullMQ background jobs to maintain complete audit records.

10.3 Data Breach Response

In the Event of a Data Breach:

Within 72 Hours:

Assess the breach and affected data
Contain the breach
Notify California Attorney General (if 500+ CA residents affected)
Notify Federal Trade Commission if required

Direct Notification to You:

If the breach creates high risk to your rights and freedoms
Via email to your registered address
Include:
- Nature of the breach
- Categories of data affected
- Likely consequences
- Measures we've taken
- Recommendations for you (e.g., change password)

Report Breaches: If you discover a security vulnerability, report it immediately to security@promptable.us. We have a responsible disclosure policy and will not take legal action against good-faith security researchers.

10.4 Your Security Responsibilities

You are responsible for:

Keeping your password confidential
Using a strong, unique password
Enabling two-factor authentication (highly recommended)
Not sharing your account
Logging out from shared devices
Reporting unauthorized access immediately

10.5 Limitations

No system is 100% secure. Despite our security measures:

Data transmission over the internet has inherent risks
Your device security affects overall security
Third-party service providers have their own security practices
We cannot guarantee absolute security

If you have concerns about security, contact security@promptable.us.

11. CHILDREN'S PRIVACY

11.1 Age Requirement

Promptable is intended for users aged 13 years and older. We do not knowingly collect personal information from children under 13.

11.2 Age Verification

During account creation, we collect your birth year to verify you meet the age requirement. If you indicate you are under 13, you will not be able to create an account.

11.3 Parental Rights

If you are a parent or guardian and believe your child under 13 has provided us with personal information, contact us immediately at privacy@promptable.us. We will:

Verify the claim
Delete the account and associated data
Prevent future access

11.4 COPPA Compliance

We do not collect personal information from children under 13, so COPPA does not apply to our Service. If we decide to offer services to children under 13 in the future, we will:

Obtain verifiable parental consent
Provide parental notice and control
Limit data collection to what's necessary
Update this Privacy Policy

12. ALPHA TESTING PRIVACY

12.1 Alpha User Agreement Consent

As an alpha tester, you are required to accept the Alpha User Agreement in addition to our Terms of Service and Privacy Policy. We track your consent to the Alpha User Agreement, including:

Acceptance status - Whether you have accepted the agreement
Acceptance date and time - When you consented
IP address - Your IP address at time of consent
Agreement version - Which version of the Alpha User Agreement you accepted

This consent is tracked separately from other consents and is specific to the alpha testing phase. When the alpha phase ends, this consent requirement will be removed.

12.2 Additional Data Collection During Alpha

During the alpha testing period, we collect additional data to improve Promptable:

Enhanced Analytics:

Feature usage tracking - Which features you use, how often, how long
Performance metrics - Page load times, error rates, slow queries
User flows - How you navigate through the application
Diagnostic logs - Detailed error messages and stack traces

Optional Data Collection:

Session recordings - Video replay of your sessions (with explicit consent)
User interviews - Feedback sessions (by invitation only)
Surveys - Questionnaires about your experience

12.3 Purpose of Enhanced Data Collection

This data is used solely to:

Identify and fix bugs
Improve performance and usability
Prioritize feature development
Validate product-market fit

12.4 Alpha Data Retention

Enhanced alpha testing data is:

Retained for 90 days after the alpha period ends
Used only for product improvement
Not sold or shared with third parties
Deleted when no longer needed

12.5 Opting Out

You can opt out of optional analytics while still participating in alpha:

Manage your cookie preferences at any time
Analytics cookies can be disabled through cookie settings
Essential cookies required for core functionality will remain active

12.6 Transition to Beta/Production

When we transition from alpha to beta or production:

We will update this Privacy Policy
We will notify you of any changes
Enhanced data collection may be reduced or discontinued
You'll have the option to continue or export your data

13. STATE-SPECIFIC PRIVACY RIGHTS

13.1 California Residents (CCPA/CPRA)

See Section 8.1 for detailed California privacy rights.

Additional California Disclosures:

Categories of Personal Information Collected (12-Month Look-Back):

Identifiers (name, email, IP address)
Commercial information (usage data, if payments implemented)
Internet activity (browsing history on our site, search history within app)
Geolocation data (derived from IP address)
Inferences (preferences derived from usage)

Categories of Sources:

Directly from you
Automatically from device
From third-party services (OAuth providers, if implemented)

Business Purposes:

Provide the Service
Security and fraud prevention
Service improvement
Communications
Legal compliance

Categories of Third Parties Data Shared With:

Service providers (Supabase, Wasabi, OpenAI, Resend, Fly.io)
Law enforcement (when legally required)

Sales of Personal Information:

We do NOT sell personal information
We do NOT share for cross-context behavioral advertising

Retention Periods:

See Section 7 for detailed retention periods

Contact:

Privacy requests: privacy@promptable.us
California Attorney General complaints: privacy@oag.ca.gov

13.2 Virginia Residents (VCDPA)

Virginia residents have similar rights to California residents:

Right to access
Right to correct
Right to delete
Right to data portability
Right to opt-out of targeted advertising (we don't do targeted ads)
Right to opt-out of profiling for decisions with legal/significant effects

Exercise rights: Email privacy@promptable.us Response time: 45 days (may extend 45 more days) Appeals: If we deny your request, you may appeal by replying to our response

13.3 Colorado Residents (CPA)

Colorado residents have similar rights to California and Virginia residents, including:

Right to opt-out of targeted advertising
Right to opt-out of sale of personal data (we don't sell)
Right to opt-out of profiling

Exercise rights: Email privacy@promptable.us Colorado Attorney General: complaints can be filed at coag.gov

13.4 Other U.S. States

Many other U.S. states have enacted comprehensive privacy laws. We extend similar privacy rights to residents of all U.S. states, regardless of legal requirements.

States with privacy laws include:

Connecticut, Utah, Montana, Oregon, Texas, Delaware, Tennessee, Iowa, Indiana, Nebraska, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Rhode Island

If you are a resident of any U.S. state, you may exercise privacy rights by contacting privacy@promptable.us.

14. CHANGES TO THIS PRIVACY POLICY

14.1 Updates

We may update this Privacy Policy from time to time to reflect changes in:

Our data practices
Legal requirements
Service features
User feedback

14.2 Notification of Changes

For Material Changes:

We will notify you at least 30 days in advance
Notification via email to your registered address
Notification through the Service (banner or popup)
Updated "Last Updated" date at the top of this policy

For Non-Material Changes:

We will update the "Last Updated" date
You can review the latest version anytime at https://promptable.us/privacy

14.3 Your Acceptance

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes acceptance of the changes.

If you do not agree with the revised Privacy Policy:

Stop using the Service
Delete your account before the effective date
Contact us with concerns: privacy@promptable.us

14.4 Previous Versions

You can request previous versions of this Privacy Policy by emailing privacy@promptable.us.

15. CONTACT US

15.1 Privacy Questions

For questions about this Privacy Policy or our data practices:

Email: privacy@promptable.us Response time: Within 5 business days

15.2 Data Protection Officer (if applicable)

Email: dpo@promptable.us

15.3 Privacy Rights Requests

To exercise your privacy rights (access, delete, correct, etc.):

Email: privacy@promptable.us Subject: "Privacy Rights Request" Include: Your name, email, specific request

15.4 Security Issues

To report security vulnerabilities or data breaches:

Email: security@promptable.us Response time: Within 24 hours

15.5 General Support

For non-privacy questions:

Email: support@promptable.us

15.6 Mailing Address

Promptable Technologies, Inc. 92 Corporate Park, #C-231 Irvine, CA 92606 United States

16. REGULATORY COMPLAINTS

16.1 California Privacy Enforcement

If you believe we have violated your privacy rights under California law, you may file a complaint with:

California Attorney General

Privacy Enforcement Unit
Email: privacy@oag.ca.gov
Website: https://oag.ca.gov/privacy

16.2 Federal Trade Commission

For general privacy and consumer protection concerns, you may contact:

Federal Trade Commission (FTC)

Website: https://www.ftc.gov/
Report: https://reportfraud.ftc.gov/
Phone: 1-877-FTC-HELP (1-877-382-4357)

17. ACKNOWLEDGMENT

BY USING PROMPTABLE, YOU ACKNOWLEDGE THAT:

You have read and understood this Privacy Policy
You consent to the collection, use, and disclosure of your information as described
You understand your privacy rights and how to exercise them
You understand the Service is available to US users only
You understand the risks associated with alpha software
You understand how AI processes feedback data
You understand your data may be retained even after account deletion (for legal compliance)
You agree to activity logging including IP addresses

If you do not agree to this Privacy Policy, do not use Promptable.

Last Updated: November 3, 2025 Version: 1.0 (Alpha) Effective Date: November 3, 2025

APPENDIX A: GLOSSARY

Personal Data / Personal Information: Information that identifies, relates to, or can be linked to you.

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).

Data Controller: Entity that determines purposes and means of processing personal data (Promptable Technologies, Inc.).

Data Processor: Entity that processes personal data on behalf of the controller (our service providers).

CCPA/CPRA: California Consumer Privacy Act / California Privacy Rights Act.

DPA: Data Processing Agreement between controller and processor.

PII: Personally Identifiable Information (information that identifies you).

Personal Data: Information that identifies, relates to, or can be linked to you.

APPENDIX B: DATA MAPPING

Data Flow Summary:

USER → PROMPTABLE → THIRD PARTIES

Account Data → Supabase (database)
Files → Wasabi (S3 storage) → ClamAV (virus scan)
Emails → Resend (email delivery)
Activity → Supabase (logs) → Fly.io (hosting)

Data Categories by Sensitivity:

High Sensitivity:

Account credentials (password hashes)
IP addresses
File contents

Medium Sensitivity:

Email addresses
Names
Prompts

Low Sensitivity:

Birth year
Use case
Activity timestamps