Privacy Policy

Last updated: April 15, 2026 · Version 2.0.0

Summary

PromptAssay is a bring-your-own-key (BYOK) prompt engineering workbench. We store the prompts you author, metadata about your account, and usage records needed to bill and operate the service. We do not train any machine learning model on your content. We do not sell your data. When you run a prompt against an AI provider, your content is sent directly from our servers to that provider under the API key you supplied. For support questions, contact privacy@promptassay.ai.

Table of contents

  1. Who we are
  2. Data we collect
  3. How we use your data and legal bases
  4. Customer Content, BYOK, and our no-training commitment
  5. Prohibited inputs
  6. Sub-processors
  7. Cookies and similar technologies
  8. Data retention
  9. Security
  10. Your rights (GDPR / UK GDPR)
  11. Your California rights (CCPA/CPRA)
  12. Other US state privacy laws
  13. International users
  14. International data transfers
  15. Children's privacy
  16. Marketing communications
  17. Platform administrator access
  18. Changes to this policy
  19. Contact

1. Who we are

PromptAssay ("PromptAssay," "we," "us") is a prompt engineering and evaluation workbench operated by [PLACEHOLDER: legal entity name], a [PLACEHOLDER: entity type] organized under the laws of [PLACEHOLDER: state/country of incorporation], with a principal place of business at [PLACEHOLDER: mailing address]. This Privacy Policy describes how we handle information in connection with the PromptAssay service, website, and public REST API (together, the "Service").

This policy is part of and incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

2. Data we collect

We collect the following categories of information:

  • Account information. Email address, password hash (managed by our authentication provider; we never see your plaintext password), and, if you sign up via Google or GitHub, the basic profile fields those providers return (name, email, profile image URL, unique identifier).
  • Workspace and membership data. Organization name, slug, member roles, invitations you send or accept.
  • Customer Content. The prompts, prompt versions, folders, tags, fragments, test suites, test cases, evaluation results, annotations, and notes you author or upload. See Section 4 for how we handle this.
  • BYOK provider keys. API keys you add for Anthropic, OpenAI, Google, or other supported providers. These are encrypted at rest using authenticated encryption bound to your workspace and are never returned to you in plaintext after creation.
  • Usage metadata. For each AI feature call we record the provider, model identifier, action type, input and output token counts, estimated cost, latency, timestamp, and user identifier. We do not store the text of your prompts or the provider's responses in our usage logs.
  • Product events. First-party telemetry about actions you take in the workbench (e.g., prompt created, version created, critique requested, playground run) recorded in our analytics_events table. These events contain identifiers and event types only — not the content of the prompts or outputs involved. They are used to operate free-tier quota counting, power admin dashboards, and diagnose feature-level bugs.
  • Billing data. Plan, subscription status, renewal date, and the customer identifier assigned by our payment processor (Stripe). We never see or store full card numbers, expiration dates, or CVCs — those are handled entirely by Stripe.
  • Email delivery data. Recipient address, template, delivery status, and retry metadata for transactional messages sent through Resend.
  • Support and communications. Messages you send us by email and any information you choose to include in them.
  • Public API usage. When you call /api/v1 endpoints we record the API key prefix, endpoint, timestamp, status code, and latency for rate limiting and debugging.
  • Administrative audit records. When a PromptAssay platform administrator takes an action affecting your account (for example, an authorized impersonation session initiated for support), we record the administrator, action, target, timestamp, and a status snapshot in an append-only audit log.

We do not collect or log IP addresses, user-agent strings, or device fingerprints at the middleware layer as part of normal operation. Our hosting and infrastructure providers (Vercel, Supabase, Cloudflare upstreams) may log request metadata for security and reliability purposes — see Section 6.

3. How we use your data and legal bases

For users in the European Economic Area, the United Kingdom, or Switzerland, the GDPR / UK GDPR requires us to identify a lawful basis for each processing purpose.

| Purpose | Data used | Legal basis |
|---|---|---|
| Operating the workbench (storing and displaying your prompts, running the AI features you trigger) | Account, Customer Content, BYOK keys | Performance of contract (Art. 6(1)(b)) |
| Authenticating you and keeping your session secure | Account, session cookies | Performance of contract; legitimate interest in account security (Art. 6(1)(f)) |
| Billing and enforcing usage limits | Billing data, usage metadata | Performance of contract; legal obligation (tax and accounting) |
| Sending transactional emails (invitations, payment notices, policy updates, export-ready notifications) | Email delivery data | Performance of contract |
| Diagnosing bugs and operating product telemetry | Product events, public API usage, audit records | Legitimate interest in operating and improving the Service |
| Investigating abuse, enforcing the Acceptable Use Policy, protecting the Service | All categories as needed | Legitimate interest; legal obligation where applicable |
| Responding to your support requests and data-subject requests | Account, communications | Performance of contract; legal obligation |
| Complying with lawful legal process | All categories as required | Legal obligation |

We do not sell your personal information, and we do not use Customer Content to train any machine learning model. See Section 4.

4. Customer Content, BYOK, and our no-training commitment

You own your Customer Content. Prompts, prompt versions, fragments, test cases, evaluation results, annotations, and any other material you author in PromptAssay remain yours. Our rights in your Customer Content are limited to what is necessary to operate the Service for you, as described in the Terms of Service.

No training on Customer Content. PromptAssay does not train, fine-tune, or otherwise use your Customer Content to develop or improve any machine learning model — ours or anyone else's. There is no training pipeline in the platform. We do not aggregate Customer Content into datasets for our own model training, and we do not share Customer Content with any third party for that purpose. This commitment is also written into our Terms of Service as a contractual obligation, not just a stated practice.

How BYOK works. PromptAssay operates on a bring-your-own-key model. When you configure a provider (Anthropic, OpenAI, Google), you give us an API key you obtained from that provider. We encrypt the key at rest with authenticated encryption bound to your workspace, organization, provider, label, and key version. When you trigger an AI feature, our servers decrypt your key in memory, send the request (containing your prompt) directly to the provider's API under your key, receive the response, and return it to your browser. Provider responses are not persisted in our database; only token counts, model name, cost, and latency are recorded.

What the upstream provider does with your data is governed by that provider's own terms and privacy policy, not by PromptAssay. As of the Last Updated date above, the current commercial API terms of Anthropic and OpenAI state that content submitted through their APIs is not used to train their models by default. Google treats paid-tier Gemini API traffic the same way, but content submitted through Google's free-tier Gemini API may be used by Google for product improvement and model training. Because we cannot control which tier your API key belongs to, you should review your provider's current terms before using PromptAssay with a free-tier key. We do not warrant or guarantee any particular upstream provider's handling of your content.

What we retain when you run the AI features. We store (a) metadata about the call — provider, model, action type, token counts, cost, latency, timestamp, user, organization — used for billing, quota enforcement, and troubleshooting; and (b) any content you explicitly save, such as a test case input or expected output, a playground run you choose to pin, or a note you write. We do not silently capture and store prompt inputs or provider outputs outside of what you intentionally save.

5. Prohibited inputs

PromptAssay is a prompt engineering and evaluation tool. It is not designed, configured, or offered as a platform for processing personal data, protected health information, payment card data, government-issued identifiers, authentication credentials, or any other sensitive or regulated data category. You must not input such data into prompts, test cases, fragments, annotations, or any other field in the Service. For the full list of prohibited data types and prohibited uses, see the Acceptable Use Policy, which is the canonical source and is incorporated into these terms.

6. Sub-processors

We use the following sub-processors to operate the Service. The list below is non-exhaustive as to their sub-sub-processors but complete as to our direct relationships:

| Sub-processor | Role | Data received | Region |
|---|---|---|---|
| Supabase | Database, authentication, object storage | All categories in Section 2 | United States |
| Vercel | Application hosting, edge runtime, cron invocation | HTTP request metadata, transient request/response bodies in flight | United States (global edge) |
| Stripe | Billing, payment processing, tax calculation | Email, billing name and address, card data (handled entirely by Stripe), subscription metadata | United States |
| Resend | Transactional email delivery | Recipient email address, template variables, delivery status | United States |
| hCaptcha (Intuition Machines) | Bot prevention at signup | hCaptcha challenge token (no persistent identifier stored by us) | United States |
| Google (if you choose Google Sign-In) | OAuth identity provider | Basic profile (name, email, profile image URL, sub) | United States |
| GitHub (if you choose GitHub Sign-In) | OAuth identity provider | Basic profile (login, email, avatar URL, id) | United States |

Upstream AI providers are not sub-processors in the traditional sense. When you configure an Anthropic, OpenAI, or Google API key under the BYOK model, calls made with that key are governed by the contract you hold directly with that provider. We facilitate the request on your instruction, but we do not add those providers to our sub-processor list because your relationship with them is not through us. Their current public terms and privacy policies are the authoritative source for how they handle API traffic.

Changes to sub-processors. We will provide at least 30 days' advance notice of any new sub-processor that will handle Customer Content or personal data, by updating this policy and emailing the primary contact on record for each paid workspace. Customers subject to a Data Processing Addendum may object to a new sub-processor on reasonable grounds, in which case we will work in good faith to find an alternative; if none is feasible, either party may terminate the affected subscription without penalty for the unused portion of the term.

7. Cookies and similar technologies

We use a small number of first-party cookies and signed tokens to operate the Service. For the complete inventory — including the name, purpose, duration, and category of each cookie, and how to manage non-essential cookies — see our Cookie Policy. We do not load any third-party tracking pixels, advertising tags, or client-side analytics scripts.

8. Data retention

We retain data only as long as necessary to operate the Service, meet our legal obligations, and resolve disputes. Specific retention periods are enforced by automated cleanup jobs:

| Data category | Retention period |
|---|---|
| Account and profile data | Until you delete your account |
| Customer Content (prompts, versions, fragments, test suites) | Until you delete it or delete your account |
| BYOK provider keys | Until you remove them or delete your account; immediately purged on account deletion |
| Usage metadata (AI call records) | 12 months, then auto-deleted |
| Product events (analytics_events) | 90 days, then auto-deleted |
| Data export request records | 90 days, then auto-deleted |
| Rate limit buckets | 48 hours |
| Failed / queued email records | 30 days after successful delivery; 90 days after permanent failure |
| Platform administrative audit log | Retained for security and compliance; anonymized after 2 years (target) while preserving the event record |
| Soft-deleted team workspaces | 30-day grace period, then hard delete with cascade |
| Backups | Point-in-time recovery retained by our database provider in accordance with its standard plan; deleted data falls out of backup windows as those windows roll forward |
| Support correspondence | Up to 24 months from last contact |

When you delete your account, we permanently delete your account record, Customer Content, BYOK keys, and personal organizations. Residual references in the administrative audit log (for example, a record that a support administrator viewed your account on a specific date) are preserved in anonymized form so that our audit trail remains intact.

9. Security

We implement the following safeguards:

  • Transport encryption: TLS 1.2 or higher for all connections to the Service
  • Storage encryption: AES-256 at rest in our managed database; BYOK provider keys stored in Supabase Vault or encrypted with AES-256-GCM using authenticated additional data that binds the ciphertext to your workspace, organization, provider, label, and key version, so a ciphertext cannot be transplanted or replayed into a different context
  • Tenant isolation: row-level security enforced at the database layer so that queries run under one workspace cannot read another workspace's data, with explicit org-id scoping as defense in depth
  • Access control: role-based access (owner, admin, member) within each workspace
  • Authentication: email + password with password hashing, plus Google and GitHub OAuth; optional multi-factor authentication is planned for a future release
  • Audit trail: an append-only administrative audit log records every platform-administrator action against user data
  • Backups: automated backups with point-in-time recovery through our database provider
  • Dependency and vulnerability monitoring across our code and our sub-processors

No system is 100% secure, and no transmission method is perfectly private. If you suspect unauthorized access to your account, contact security@promptassay.ai [PLACEHOLDER: confirm security alias is monitored].

10. Your rights (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights over your personal data:

  • Right of access (Art. 15). You can view your data in Account settings and request a complete export (see below).
  • Right to rectification (Art. 16). Edit your profile in Account settings → Profile, or contact us to correct anything you cannot edit yourself.
  • Right to erasure (Art. 17). Delete your account permanently in Account settings → Danger zone. Deletion is immediate and hard (not a soft delete), subject to the residual audit-log references described in Section 8.
  • Right to restriction of processing (Art. 18). You can contact us to request restriction while we resolve a dispute about accuracy or legitimacy of processing.
  • Right to data portability (Art. 20). Request a machine-readable export of your data via Account settings → Danger zone → Export your data. The export is produced as a ZIP of JSON files covering your profile, Customer Content, memberships, product events, usage metadata, and provider key metadata (the encrypted key material itself is excluded for security reasons). Exports are generated asynchronously and delivered via a signed download link; one export per day per user.
  • Right to object (Art. 21). You can object to processing based on legitimate interests at any time; we will stop unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent. Where we rely on consent (for example, future marketing emails or non-essential cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint. You have the right to complain to your local data protection authority. We would appreciate the chance to address your concerns first, so please contact us before filing.

Response time. We will respond to verifiable data-subject requests within 30 days. For complex or high-volume requests, we may extend by up to two additional months and will notify you of the extension and reason.

11. Your California rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the following rights:

  • Right to know what personal information we collect about you, the sources, the purposes for which we use it, and the categories of third parties with whom we share it. Section 2 and Section 6 of this policy describe this.
  • Right to delete personal information we hold about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. PromptAssay does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
  • Right to limit the use of sensitive personal information. We do not use or disclose sensitive personal information beyond what is necessary to provide the Service.
  • Right to non-discrimination for exercising any of these rights. We will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right.

To exercise a California right, use the self-serve options in Account settings or email privacy@promptassay.ai. We may need to verify your identity before responding. You can designate an authorized agent to act on your behalf by providing written authorization that we can reasonably verify.

12. Other US state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states with comprehensive privacy laws have rights substantially similar to those described in Section 11: access, correction, deletion, portability, and the right to opt out of targeted advertising, the sale of personal data, and certain profiling. PromptAssay does not engage in targeted advertising, does not sell personal data, and does not use personal data for automated profiling that produces legal or similarly significant effects. To exercise your state rights, use the self-serve options or email privacy@promptassay.ai.

13. International users

PromptAssay is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and in any jurisdiction where our sub-processors operate.

We recognize that users may be subject to local data protection laws including, without limitation, Japan's Act on the Protection of Personal Information (APPI), India's Digital Personal Data Protection Act (DPDPA), South Korea's Personal Information Protection Act (PIPA), Australia's Privacy Act and Australian Privacy Principles, Brazil's Lei Geral de Proteção de Dados (LGPD), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). We apply the baseline standard of data protection described in this policy to all users regardless of location. Users in these and similar jurisdictions may have additional rights under their local law and should contact privacy@promptassay.ai for jurisdiction-specific requests; we will respond as required by applicable law.

By using the Service, you consent to the transfer, storage, and processing of your information in the United States.

PromptAssay does not specifically target or market the Service to users in jurisdictions where providing it would require local data residency, a locally established entity, or a government license (including, at present, the People's Republic of China). If you are located in such a jurisdiction, the Service is not offered to you and you should not create an account.

14. International data transfers

Where we transfer personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland to the United States or another third country, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the transfer mechanism, or on your explicit consent where that is the appropriate basis. Our Data Processing Addendum incorporates the SCCs by reference. We assess each sub-processor's ability to provide an essentially equivalent level of protection to that required by the transferring jurisdiction and apply supplementary measures (encryption, access restrictions, audit logging) where needed.

15. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe that a child under 16 has provided us with personal information, contact privacy@promptassay.ai and we will promptly delete the information. Users of the Service represent and warrant that they are at least 16 years old, or the age of digital consent in their jurisdiction if higher.

16. Marketing communications

Transactional messages are required for service operation — invitations, payment notices, security alerts, policy-change notices, exports, and similar operational emails cannot be opted out of while your account is active, because they form part of the Service we are contractually obligated to provide.

Marketing communications are opt-in. PromptAssay does not currently operate a marketing email list. If and when we launch one (via our email service provider), subscription will be strictly opt-in, each message will include a one-click unsubscribe link, and a preference center will be available in Account settings. This policy will be updated before any marketing emails are sent.

17. Platform administrator access

For customer support, incident response, and investigation of suspected Acceptable Use Policy violations, authorized PromptAssay platform administrators may access user workspaces via an impersonation mechanism. We take this seriously and impose technical safeguards beyond what is typical in the industry:

  • Every impersonation session is recorded in an append-only administrative audit log with timestamp, administrator identity, target user, and action.
  • Impersonation sessions are time-limited.
  • Platform administrators cannot decrypt or use customer BYOK provider API keys during an impersonation session. The encryption layer refuses to return key material in an impersonation context, and all LLM feature calls are blocked server-side by an explicit guard. This means an administrator cannot issue AI requests under your provider account or bill against your provider balance, even if they have legitimate support access to your workspace.
  • Impersonation is blocked for billing actions (charging your payment method, changing your subscription), account deletion, and BYOK key management.
  • A small allowlist of support-critical write actions is permitted during impersonation and is explicitly enumerated in our internal rules.

You can request a copy of the audit log entries relating to your account by emailing privacy@promptassay.ai.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we update the "Last updated" date at the top and, for material changes, notify you via email and require in-app re-acceptance before you can continue using the Service. Non-material changes (corrections, clarifications, stylistic edits) are published without re-acceptance. Every version is recorded in our internal privacy_policy_versions table so we can prove which version was in force at any given time.

19. Contact

For privacy questions or to exercise your rights, contact privacy@promptassay.ai.

For security-related reports (suspected unauthorized access, vulnerability disclosure) contact security@promptassay.ai [PLACEHOLDER: confirm security alias is monitored].

For all other legal matters, contact legal@promptassay.ai [PLACEHOLDER: confirm legal alias is monitored].

Postal mail: [PLACEHOLDER: legal entity name], [PLACEHOLDER: mailing address].

EU/UK representative (if appointed): [PLACEHOLDER: to be designated if and when required by Art. 27 GDPR].

See also our Terms of Service, Acceptable Use Policy, Cookie Policy, and Data Processing Addendum.