Privacy Policy

Last updated: August 5, 2025

Controller: This website/application Promptosaurus (accessible at Promptosaurus.app) is operated by Andy Goldschmidt, acting as a sole proprietor, as the data controller for any personal data processed. For any privacy-related inquiries, you can contact Andy Goldschmidt at the address provided in the Imprint below or via email at support@promptosaurus.app. We are based in Germany and comply with the EU General Data Protection Regulation (GDPR) and applicable German laws. We are committed to protecting your privacy. This policy explains what data we collect from users, how we use it, which service providers we use (and what data they handle), and your rights regarding your data. Please read it carefully. If you do not agree with this policy, please do not use our service.

Data We Collect and How We Use It

We only collect personal data that is necessary to provide and improve our services, to communicate with you, and to comply with our legal obligations. The data is collected directly from you when you register or interact with our site, or automatically through your use of the service. We outline the categories of data below:

Account and Registration Data (Supabase)

When you register an account on Promptosaurus, we collect personal information needed to create and maintain your account. This includes your email address and a password (which is stored in hashed form). We may also collect your name or username if you choose to provide it as part of your profile.

This data is collected via our backend service provider Supabase (Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992) and is necessary to create your account, authenticate you, and provide our services. Our Supabase project is configured to use Central European servers, ensuring that your account data remains within the European Union. We have a data processing agreement with Supabase ensuring your data is handled securely and in compliance with GDPR requirements.

We process this account data to perform our contract with you (provide the service) (GDPR Art. 6(1)(b)). Without this information, you cannot create an account or log in.

User Content and Service Data (Supabase)

If our service allows you to input or upload any content or data (e.g. information you enter into the app, files you upload, prompts you save), that content will be stored in our database hosted on Supabase's Central European servers. Any personal data you choose to include in such content will be processed on our behalf by Supabase within the EU. You remain in control of what information you include in this user content.

We will use any data you provide solely to operate the service for you and for no other purpose. The legal basis for processing user-provided content is typically performance of our contract (Art. 6(1)(b) GDPR), since we must process it to deliver the functionality you expect. We do not access or use your stored content except as necessary to provide the service, and we do not share it with any third parties except the service providers mentioned here who are needed to keep the service running.

Transactional Emails (Brevo)

When you perform certain actions like registering an account or resetting your password, we will send you transactional emails to facilitate that process (e.g. account activation link, password reset instructions). For this purpose, we collect your email address (and if needed, your name) and use a third-party email delivery service called Brevo (formerly Sendinblue) to send these emails.

Brevo processes your email address and the email content only to send the message on our behalf; it does not use this information for any independent purpose. Brevo is a GDPR-compliant email service based in France (Sendinblue SAS), and its servers for processing emails are located within the European Union. We have a data processing agreement with Brevo ensuring your email is handled securely and in compliance with privacy laws.

We send these emails to fulfill our contract with you (Art. 6(1)(b) GDPR), as they are necessary for account verification, password recovery, and similar essential communications. You do not receive any marketing or newsletter emails from us unless you explicitly opt-in (at present, we do not send marketing emails at all).

Customer Support Communications

If you contact us via email (or other provided support channels) with questions, feedback, or requests, we will collect whatever personal data you choose to provide in that communication (typically your email address and name, plus the contents of your message). We will use this information solely to respond to you and resolve your inquiry.

The legal basis for processing support communications is our legitimate interest in effectively responding to user queries and maintaining good customer service (Art. 6(1)(f) GDPR), or Art. 6(1)(b) if responding is necessary to perform our obligations to you. We will retain these communications for as long as necessary to address your issue and as required by our record-keeping obligations.

Website Access Logs and Infrastructure Data (Netlify)

Our website is hosted by Netlify, Inc. (2325 3rd Street, Suite 215, San Francisco, CA 94107, USA). Whenever you visit Promptosaurus.app, Netlify automatically logs certain information about the HTTP request. This includes data such as your IP address, browser type and version (user agent), the pages or URL requested, the date and time, and the referring site (if any).

Netlify stores these access logs for up to 30 days for the purpose of network operations and security analytics, after which the logs are deleted. These logs are used to monitor and ensure the reliability and security of the hosting service and are not combined with other identifying information. We (as the site owner) do not use these logs to identify individual visitors, and we do not access them except if needed to investigate technical issues or security incidents.

The legal basis for this processing is our legitimate interest (Art. 6(1)(f) GDPR) in maintaining the security and performance of our website. Netlify acts as a data processor on our behalf under a Data Processing Agreement, which means Netlify only processes the data according to our instructions and GDPR requirements.

Netlify may use some cookies or similar technologies on our site for service functionality (e.g. routing, caching), but our site itself does not use cookies for advertising or track you across other sites (see Cookies section below).

Analytics Data (Plausible Analytics)

We use Plausible Analytics (a privacy-focused analytics service provided by Plausible Insights OÜ, Estonia) to gather anonymous statistical information about how our website is used. Plausible is designed to be a GDPR-compliant, privacy-first analytics tool. Importantly, Plausible does not collect any personal data about you and does not use any cookies or persistent identifiers on your device.

The data Plausible collects is strictly limited to essential, aggregate web metrics:

Page URL: which page on Promptosaurus was visited (query parameters are ignored except for campaign referral parameters like utm_source).
HTTP Referrer: the website that referred the visitor (e.g. a link from another site).
Browser & Operating System: the type of browser and OS used, derived from the user agent string (the full user agent text is immediately discarded).
Device type: e.g. Desktop or Mobile (also derived from the user agent).
Approximate Location: the visitor's city/region and country, which Plausible derives from the IP address for geostatistics, but does not store the IP address itself. The location is not more precise than city level.
Visit timestamp and duration: times of page views to understand visit frequency (Plausible only tracks aggregate daily unique visits, not a full browsing session trace).

This information is aggregated and anonymized. For example, Plausible uses a technique to count unique visitors by generating a new random identifier each day based on a hash of the visitor's IP and user agent, salted daily. This means no persistent or personal identifier is ever stored, and it's impossible for us or Plausible to track an individual over multiple days. Raw IP addresses and exact user agents are never saved to disk.

All analytics data is stored on servers in Germany (hosted by Hetzner, a European provider) and transmitted through an EU-based CDN (Bunny.net in Slovenia). No analytics data ever leaves the EU or is sent to any third-party beyond Plausible's two sub-processors (Hetzner and Bunny). We (the website) retain full ownership and control of the analytics data; Plausible does not share it with anyone or use it for any secondary purpose.

The analytics insights we see are purely statistical (for example, total page views, aggregate referral sources, etc.), and cannot be used to identify any individual visitor. Because we do not collect personal data for analytics, and do not use cookies, we do not prompt for cookie consent for analytics.

We rely on our legitimate interest in understanding website traffic and improving our service (Art. 6(1)(f) GDPR) as the legal basis for using Plausible Analytics. This has minimal impact on user privacy due to Plausible's anonymization measures. You have the right to object to this data processing (see Your Rights below), though we reiterate that no identifiable information is collected.

Cookies and Tracking Technologies

We do not use any tracking cookies or third-party tracking pixels on Promptosaurus. The only cookies or similar technologies in use are those that are strictly necessary for the functioning of the service:

Authentication tokens: Our authentication system (Supabase) uses a secure token stored in your browser's local storage to keep you logged in. This is used solely for functional purposes (to maintain your session) and not for tracking.
Netlify functional cookies: Netlify's platform may place essential cookies for technical purposes such as load balancing, routing, or detecting changes for caching. These cookies are strictly necessary for the website to function properly and do not involve advertising or cross-site tracking.
Analytics: Our analytics (Plausible) runs without any cookies or local storage and does not profile you.

Because we do not set any non-essential cookies, we do not display a cookie consent banner. By using our site, you are not being tracked by cookies. You can configure your browser to block or delete cookies; however, please note that if you block the authentication token storage, you might not be able to log in or stay logged in. Aside from that functional requirement, our site remains fully functional without any tracking cookies.

How We Share Data (Recipients of Personal Data)

We do not sell or trade your personal data. We only share your data with third parties to the minimum extent necessary to operate our service, and always under protective agreements. The external services we use (our processors) have been described above. Here is a summary of how data may be shared:

Supabase (Supabase Inc., Singapore)

Acts as our cloud platform for database, user authentication, and file storage. Our Supabase project uses Central European servers, ensuring all data processing occurs within the EU. We have signed Supabase's Data Processing Addendum, which means Supabase only processes our users' data under our instructions and in compliance with GDPR. Supabase does not access or use our users' content for any purpose other than delivering the services.

Netlify (Netlify Inc., USA)

Acts as our hosting/CDN provider. Website access logs containing IP addresses and technical data are stored by Netlify for 30 days. We have a Data Processing Agreement with Netlify that includes Standard Contractual Clauses for transfers to third countries. Netlify is bound by contract to only process data for providing the hosting service and does not sell your data.

Plausible (Plausible Insights OÜ, Estonia)

Provides analytics as a processor. In our case, the data shared with Plausible does not include personal identifiers (no direct personal data is sent). Plausible receives the limited web analytics data (as described above) when your browser loads the script. Plausible employees or systems could technically see aggregated visitor statistics, but not any personal identifiers, and they operate under a strict privacy policy and DPA.

They also only use EU-based processors (Hetzner and Bunny) and no data goes to any third-party ad networks. Plausible will not share any of our site's analytics data with anyone.

Brevo (Sendinblue SAS, France)

Our email service provider for transactional emails. When we need to send you an email, your email address (and email content) is transmitted to Brevo's service. Brevo is a processor that sends the email and stores records of sent emails. Brevo's infrastructure is in the EU. They do not use recipient emails for anything other than delivering our communications. We have a DPA with Brevo as well.

Other Service Providers

If in the future we integrate any additional service providers (for example, a payment processing service like Stripe for handling payments, or other cloud services), we will update this policy accordingly. For now, aside from the above, we do not share personal data with any other third parties.

If you make a payment on our site (if we introduce paid plans), your payment details would be processed directly by a third-party payment processor (e.g. Stripe) – we would not see or store your full credit card information. Such processors would be responsible for your payment data under their own privacy policies. We would only receive confirmation of payment and basic billing info.

Legal Requirements

In rare cases, we may need to disclose information to third parties if required by law, regulation, legal process, or governmental request. For example, to respond to a court order or law enforcement demand, or to exercise or defend our legal rights. We will only do so to the extent such disclosure is lawfully required or permitted.

Other than the above, no third parties receive your personal data. In particular, we do not share or sell your information to advertisers or social media platforms. We do not engage in any profiling or automated decision-making that would have legal effects on you.

International Data Transfers

We are based in the European Union (Germany), and we endeavor to store and process data within the EU whenever possible. The majority of your personal data is processed and stored within the EU:

EU-Based Processing:

Supabase: Our Supabase project uses Central European servers, ensuring user data and account information remains within the EU.
Plausible: All analytics data is kept within the EU (Germany/Slovenia).
Brevo: Based in France with EU servers, so no third-country transfers occur.

US Transfers:

Netlify: Website access logs may be transferred to the US. We have a Data Processing Agreement with Netlify that includes Standard Contractual Clauses for transfers to third countries, providing contractual guarantees equivalent to EU data protection standards.

If you have questions about international data transfer, you can contact us.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. This section summarizes how long different types of data are kept:

Account Information

If you have an account with us, we will retain your account data for as long as your account is active. You may delete your account or request deletion at any time, in which case we will erase or anonymize your personal data associated with the account within 30 days of your request.

Currently, our practice (aligned with Supabase's policies) is to retain basic account information for approximately 30 days after account deletion to ensure we can recover data in case of accidental deletion. After that period, or upon your explicit request for immediate deletion, the data is permanently deleted from our active systems. Backup copies may persist for a limited time beyond deletion (up to 90 days), but are protected and eventually overwritten.

User Content

Any content or data you have stored in the service will be retained while your account is active. If you delete specific content or your account, we will delete the content from our primary database promptly (subject to the same 30-day grace period in backups). If you request a complete purge of your data, we will do so immediately, except for any data we are required to keep by law.

Transactional Email Logs

Our email provider (Brevo) may keep logs of emails sent (including recipient, time, and status) for up to 12 months for troubleshooting delivery issues and compliance purposes. We do not retain your email communications indefinitely on our side; support emails you send to us will be stored in our email account as long as needed to manage our correspondence, typically no longer than 2 years.

Analytics Data

The analytics data collected by Plausible is aggregated and does not personally identify users, so retention is not tied to personal profiles. We have access to the aggregate analytics in our Plausible dashboard for up to 2 years to analyze trends, but this data contains no personal identifiers. Plausible's design resets visitor identifiers daily and never stores raw IP or user agent, so identifiable data is instantly discarded.

Logs

Netlify's access logs containing IP addresses are kept for 30 days and then automatically deleted. We do not separately store these logs outside of Netlify's system. Any security logs or application logs we maintain in our backend (e.g. Supabase logs) are kept only for short periods (typically 7-30 days) for troubleshooting purposes.

Legal Requirements

In certain cases, we might need to retain data for longer if required for legal compliance. For example, records of transactions or consents might be kept for statutory retention periods. Also, if a legal dispute arises, we may retain relevant data until the issue is resolved. In all cases, we will either delete or anonymize data once it is no longer needed.

After the applicable retention period expires, we will either delete the personal data or anonymize it (so it can no longer be associated with you). If deletion is not immediately possible (for instance, because the data is stored in backup archives), we will ensure the data remains securely stored and isolated from any active use until it can be deleted.

Legal Bases for Processing

Under the GDPR, we must have a valid legal basis for each use of personal data. We generally rely on the following legal grounds:

Performance of a Contract (Art. 6(1)(b) GDPR)

We process personal data that is necessary to provide you with our service. This includes account registration data, authentication, and any data you input that we store and process to fulfill the features of our app. When you register and agree to our terms, a contract is formed, and we must process your data to deliver what we promised. Likewise, sending essential account-related emails (verification, password reset) and providing customer support are considered part of performing our obligations to you.

Legitimate Interests (Art. 6(1)(f) GDPR)

We process certain data for our legitimate interests, in a way that does not override your privacy rights. This includes:

Maintaining the security and functionality of our website (e.g. Netlify access logs, which are necessary to prevent abuse and debug technical issues).
Understanding and improving how our site is used (analytics via Plausible), which is done in a privacy-preserving manner.
Responding to user-initiated communications and inquiries (it's in our interest and yours that we answer your support requests).
If necessary, enforcing our terms and preventing fraud or illegal activities related to our service.

When relying on legitimate interests, we ensure that our interest is not outweighed by your rights and interests. For example, for analytics, we use an anonymized tool to minimize any impact on your privacy, aligning with GDPR's focus on data minimization. For website logs, the data is automatically deleted after 30 days and is used solely for security and performance purposes.

Consent (Art. 6(1)(a) GDPR)

In general, we do not process your personal data based on consent, except potentially in scenarios where you have a genuine choice. For instance, if in the future we introduce a newsletter or optional features, we would ask for your consent. You would then have the right to withdraw that consent at any time. Currently, since we do not send promotional emails or use tracking cookies, consent is not a basis we rely on. If you have explicitly consented to something, you can withdraw it by contacting us, and we will honor that request.

Legal Obligation (Art. 6(1)(c) GDPR)

If we are under a legal obligation to retain or disclose data (for example, tax laws requiring us to keep invoices, or a court order), we will process data as needed to comply. This is a limited basis and applies only to specific legal requirements, which will be clear from context.

If we ever need to process your data for a purpose that is incompatible with the original purposes stated, we will seek your consent or provide necessary notice and justification as required by law.

Your Rights as a Data Subject

If you are in the European Union (or otherwise subject to GDPR or similar laws), you have certain rights regarding your personal data. We are committed to upholding these rights. They include:

Right of Access

You have the right to request confirmation of whether we are processing personal data about you, and if so, to obtain a copy of the data we hold about you, as well as information about how we use it. This includes the right to ask for a summary of the categories of data, the purposes of processing, and the third parties with whom we share it.

Right to Rectification

If any personal data we have about you is incorrect or incomplete, you have the right to have it corrected or updated without undue delay.

Right to Erasure

You have the right to request that we delete your personal data (the "right to be forgotten"). We will honor such requests so long as the data is no longer needed for the purposes for which it was collected and we have no other legal obligation to retain it. For example, you can delete your account, and we will remove personal data associated with it (subject to limited backups as noted above). There are some exceptions to erasure (e.g., if we must keep certain data for legal claims or compliance, we will let you know).

Right to Restriction of Processing

In certain circumstances (for instance, if you contest the accuracy of your data, or if you object to our processing and we are evaluating that request), you can ask us to restrict processing of your data (meaning just store it but not use it).

Right to Object

You have the right to object to processing that is based on our legitimate interests on grounds relating to your particular situation. If you object, we will consider whether our legitimate grounds override your rights and freedoms. You also have an absolute right to object to any processing for direct marketing (though we currently do not process your data for marketing purposes).

Regarding analytics: if you object to our use of Plausible analytics (legitimate interest), we will work with you to exclude your visits from our analytics, though note that our analytics cannot "track" you personally in any case due to Plausible's anonymization design.

Right to Data Portability

For data you have provided to us and that we process by automated means under consent or contract (e.g., account data), you have the right to request a common electronic format of that data so you can transfer it to another provider. We can provide a JSON or CSV export of the personal data in your account upon request.

Right not to be subject to Automated Decisions

We do not engage in automated decision-making (like profiling) that produces legal or similarly significant effects. If that ever changes, you would have rights in relation to such decisions, including the right to human intervention.

Right to Withdraw Consent

If we process any data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing we conducted prior to withdrawal.

Right to Complaint

If you believe we have processed your data unlawfully or not complied with your rights, you have the right to lodge a complaint with a data protection supervisory authority. For instance, if you are in Germany, you can contact the data protection authority of your Bundesland, or if in another EU country, the authority in that country. We would, however, appreciate the chance to address your concerns directly before you do this – you can always contact us at support@promptosaurus.app, and we will do our best to resolve any issue.

To exercise any of these rights, please contact us via email or mail (see the contact information at the end of this policy). We may need to verify your identity to process certain requests (to ensure we don't disclose data to the wrong person). We will respond to requests within one month, as required by GDPR, unless the request is complex (in which case we might extend by a further two months, but we would inform you of this). Please note that these rights are not absolute – there are conditions and exceptions in the law. But we will inform you if we are unable to fulfill a request due to an exemption.

Data Security

We take appropriate technical and organizational security measures to protect your personal data from unauthorized access, loss, alteration, or destruction. This includes:

Encryption of data in transit: Our site is only available over HTTPS, so data you send to us or we send to you is encrypted in transit.
Secure password handling: We never store passwords in plain text; they are securely hashed using industry-standard methods.
Reputable cloud providers: We use established cloud providers (Supabase, Netlify, etc.) that have their own strong security practices and certifications. For example, Supabase stores data on secure servers with encryption at rest and implements measures to prevent unauthorized access, and Plausible's servers are located in secure European data centers.
Limited access to personal data: Only authorized personnel have access to the data, and access is restricted to what is necessary. We typically interact with your data only to troubleshoot issues or handle your support requests.
Regular updates and patches: We keep our software and dependencies up to date to mitigate vulnerabilities. Plausible's code is open source and widely audited, which adds transparency to the security of analytics data.
Secure backups: We perform periodic backups of essential data to prevent accidental loss, and those backups are secured with encryption. Backup retention is limited to necessary periods and old backups are securely destroyed.
Breach response procedures: We have procedures in place to detect, investigate, and respond to potential data breaches within the timeframes required by GDPR (72 hours to authorities, without undue delay to affected individuals).

However, no system is 100% secure. In the unlikely event of a data breach that affects your personal data, we will notify you and the appropriate authorities as required by law within the specified timeframes.

Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal information from anyone under 16 years old. If you are under 16, please do not use this site or provide any personal data. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. If you are a parent or guardian and suspect your child has provided personal data to us, please contact us so we can investigate and take appropriate action.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services or legal obligations. When we make changes, we will revise the "Last updated" date at the top of this policy. If the changes are significant, we may also provide a more prominent notice (such as by email notification to registered users or a banner on our site).

We encourage you to review this Policy periodically for any updates. Continued use of the service after an update constitutes your acceptance of the changes. If you do not agree with any update, you should stop using our service and you may request that we delete your personal data.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: support@promptosaurus.app
Postal Mail:
Andy Goldschmidt
Schweriner Straße 16
23896 Walksfelde
Germany

We will be happy to assist you and address any concerns you have about your privacy.