Privacy Policy
Last updated: March 2026
1. Introduction
PromptVan ("we", "us", "our") operates the website at promptvan.com and associated services, including our CLI tool, MCP server, and API (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data.
By using PromptVan, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Data We Collect
Account Data
When you create an account, we collect your email address, name, OAuth provider identifier (e.g. GitHub or Google), and registration date. This data is required to provide the Service and authenticate your identity.
Profile Data
You may optionally provide additional profile information including a display name, avatar, bio, specializations, and location. This data is displayed on your public profile and helps other users discover your work.
Content Data
We store prompts you create, including prompt metadata, version history, tags, and variables. This is the core data you produce while using PromptVan, and it is necessary to deliver the Service.
Usage Data
We collect aggregated usage metrics such as API call counts, pull/push operations, and feature interactions. This helps us understand how the Service is used and where to make improvements.
Technical Data
When you authenticate, we record your IP address (retained for 30 days), user agent string, and browser type. This data is used for security monitoring and abuse prevention.
Payment Data
Payment processing is handled by Stripe. We do not store your credit card number or full payment details on our servers. We retain only a reference to your Stripe customer ID and subscription status.
3. Data We Do NOT Collect
- Playground response content — AI responses generated in the Playground are processed in memory only and are not stored on our servers.
- Filled variable values — When you resolve a prompt with variables, the values you enter are processed client-side and are not transmitted to or stored by PromptVan.
- Your project code or local files — The CLI and MCP server operate locally on your machine. We do not access, read, or upload your local files or project code.
4. How We Use Data
- Provide and improve the Service — To operate PromptVan, deliver features, and develop improvements based on aggregated usage patterns.
- Authenticate and secure your account — To verify your identity, prevent unauthorized access, and detect fraudulent or abusive activity.
- Send service communications — To send essential emails related to your account, security alerts, and billing notifications.
- Optional marketing emails — With your explicit consent, we may send product updates and newsletters. You can unsubscribe at any time.
- Analytics — We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not collect personal data. All analytics data is anonymized and aggregated.
5. Legal Basis (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Contract performance — Processing necessary to provide the Service you have signed up for, including account creation, prompt storage, and service delivery.
- Legitimate interest — Processing necessary for security monitoring, fraud prevention, and service analytics, where our interests do not override your fundamental rights.
- Consent — Processing based on your explicit opt-in, such as marketing emails and optional analytics cookies. You may withdraw consent at any time.
6. Data Storage & Security
- Our primary database is hosted on Supabase in the EU (Frankfurt region).
- All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- API keys are stored as SHA-256 hashes. We never store plaintext API keys.
- We enforce Row-Level Security (RLS) on all database tables to ensure users can only access their own data.
- No personal data is transferred outside the EU for core service operations.
7. Data Retention
- Prompts and content — Retained until you delete them or delete your account.
- Authentication logs — Retained for 30 days, then automatically purged.
- Security logs — Retained for 6 months in anonymized form.
- Billing records — Retained for 7 years as required by applicable tax and accounting legislation.
8. Your Rights
Under GDPR and applicable data protection laws, you have the following rights:
- Right of access — Request a copy of your personal data in JSON format.
- Right to portability — Export all your data in ZIP or JSON format at any time from your account settings.
- Right to erasure — Delete your account at any time. There is a 30-day grace period during which you can reactivate your account, after which all data is permanently deleted.
- Right to rectification — Edit your profile information and content at any time through the Service.
- Right to object — Opt out of marketing emails at any time via the unsubscribe link or your account settings.
To exercise any of these rights, contact us at privacy@promptvan.com.
9. Third-Party Services
We use the following third-party services to operate PromptVan. Each has been selected with privacy in mind:
- Supabase (EU) — Database hosting and authentication.
- Stripe (US, with DPA) — Payment processing. Stripe is PCI DSS Level 1 compliant.
- Resend (US, with DPA) — Transactional email delivery.
- Anthropic (US, per API ToS) — AI model provider for the Playground feature.
- Vercel (EU + US) — Application hosting and edge delivery.
- Plausible (EU) — Privacy-friendly web analytics with no cookies or personal data collection.
10. Cookies
PromptVan uses only essential cookies required for the Service to function, including session cookies for authentication and CSRF protection. We do not use marketing, advertising, or third-party tracking cookies.
For full details, see our Cookie Policy.
11. Children
PromptVan is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@promptvan.com and we will promptly delete the information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact our Data Protection Officer at privacy@promptvan.com.