Privacy Policy
Last updated: April 7, 2026
1. Who We Are
Prompturement ("we", "us", "our") operates the web application at prompturement.app (the "Service"). We act as the data controller for the personal data described in this policy.
For any privacy-related questions, data requests, or complaints, contact us at: contact@prompturement.app.
2. Legal Bases for Processing
We process your personal data under the following legal bases (GDPR Art. 6):
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Payment processing and billing | Contract performance (Art. 6(1)(b)) |
| AI-powered document analysis | Contract performance (Art. 6(1)(b)) |
| Security logging and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails | Contract performance (Art. 6(1)(b)) |
| Terms of Service acceptance tracking | Legal obligation (Art. 6(1)(c)) |
3. Data We Collect
3.1 Account Data
- Name and email address — provided during registration.
- Password — stored as a bcrypt hash (12 salt rounds). We never store or have access to your plaintext password.
- MFA secrets — if you enable two-factor authentication, your TOTP secret is encrypted with AES-256-CBC at rest. Recovery codes are stored as SHA-256 hashes.
- Role — your permission level (user, viewer, admin).
3.2 Content You Provide
- Documents — contracts, RFQs, and other files you upload for AI analysis. These are processed by Azure Document Intelligence (OCR) and Google Gemini (AI analysis). Files are not stored permanently on disk — they are streamed through memory during processing.
- Chat messages and prompts — text you enter in AI tool interfaces.
- Supplier research data — project details, supplier notes, and discovery results.
- Slide deck content — topics, bullet points, and generated presentations.
- Roleplay sessions — negotiation simulation transcripts.
3.3 Usage and Billing Data
- Which AI tools you use, when, and how many credits are consumed.
- AI model used, prompt token count, completion token count (for billing accuracy).
- Subscription tier, status, and payment history.
- Stripe customer and subscription IDs. We do not store credit card numbers — all payment data is held by Stripe.
3.4 Security and Audit Data
- IP addresses — recorded in audit logs for logins, failed login attempts, MFA events, rate limit violations, and permission denials.
- User agent strings — recorded when you accept our Terms of Service.
- Audit log entries — timestamped records of security-relevant actions (login, logout, password reset, MFA enable/disable, account deletion).
- Failed login attempts — count and lockout status, used for account protection.
3.5 Cookies and Local Storage
| Name | Type | Purpose | Duration |
|---|---|---|---|
| prc_session | Cookie (encrypted, HttpOnly, Secure, SameSite=Lax) | Authentication session | 7 days |
| csrf_token | Cookie (SameSite=Lax) | CSRF attack prevention | Session (refreshed per page) |
| ARRAffinity | Cookie | Azure load balancer routing | Session |
| cookie_consent | localStorage | Remembers your cookie consent | Persistent |
| theme | localStorage | Your light/dark mode preference | Persistent |
| Tool-specific caches | localStorage | Client-side caching of your own project data for faster loading | Persistent (cleared on logout) |
We do not use analytics, advertising, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking service.
4. How We Use Your Data
- Service delivery — to operate the AI tools, process your documents, and display results.
- Authentication — to verify your identity, manage sessions, and enforce MFA.
- Billing — to calculate credit usage, process payments via Stripe, and manage subscriptions.
- Security — to detect and prevent unauthorized access, brute-force attacks, credential stuffing, and abuse.
- Transactional emails — to send account verification, password reset, and welcome emails via Azure Communication Services.
- Contact form — when you submit a contact form, your name, email, company, and message are emailed to us. We use this solely to respond to your inquiry.
We do not:
- Sell or rent your personal data to third parties.
- Use your data for advertising or profiling.
- Use your uploaded documents or content to train AI models.
- Share your data with third parties except as described in Section 6.
5. AI Data Processing
When you use our AI-powered tools, your input text and documents are sent to the Google Gemini API for processing. This is necessary to provide the Service.
- Data is transmitted over HTTPS (TLS 1.2+) with API key authentication via secure headers.
- Google processes this data under their Gemini API Terms of Service. Under the paid API tier, Google states they do not use API inputs/outputs to train their models.
- We send only the minimum data required for analysis (document text, user prompts). We do not send your name, email, or account details to Google.
- AI responses are returned to you and may be stored in your workspace (Azure Cosmos DB) for your continued access.
6. Third-Party Processors
We share personal data only with the following processors, each under appropriate data processing agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure | Infrastructure, database, email delivery | All Service data | West Europe |
| Google (Gemini API) | AI document analysis | Document text, prompts (no PII) | Global |
| Stripe | Payment processing | Email, subscription details | US/EU |
7. Data Storage and Security
Your data is stored on Microsoft Azure infrastructure in the West Europe region:
- Azure SQL Database — user accounts, usage logs, audit logs, billing data. Encrypted at rest via Transparent Data Encryption (TDE).
- Azure Cosmos DB — tool-specific workspace data (contracts, sessions, presentations). Encrypted at rest by default.
- Azure Communication Services — transactional email delivery only (no email content is stored).
Security measures include:
- All connections encrypted with TLS (HTTPS enforced via HSTS).
- Passwords hashed with bcrypt (12 salt rounds).
- MFA secrets encrypted with AES-256-CBC.
- Session cookies encrypted with AES-256 (iron-session), HttpOnly, Secure, SameSite=Lax.
- CSRF protection via signed double-submit tokens bound to user session.
- Content Security Policy (CSP) with nonce-based script execution.
- Account lockout after 5 failed login attempts (30-minute cooldown).
- Rate limiting on all API endpoints.
- Two-factor authentication (TOTP) available for all accounts.
- Parameterized database queries (SQL injection prevention).
- Input validation on all API endpoints (Zod schemas).
- Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Workspace content (documents, analysis) | Until you delete the workspace or your account |
| Usage logs | 12 months from creation |
| Audit logs (security events) | 12 months from creation |
| Expired password reset / email verification tokens | Automatically deleted after 7 days |
| Stripe webhook events | Indefinite (event IDs only, for idempotency) |
| Password history hashes | Last 5 passwords (for reuse prevention) |
When you delete your account (via Settings), all your data is permanently deleted within a single transaction: user record, usage logs, audit logs, tokens, terms acceptances, promo codes, and all Cosmos DB workspaces/sessions/presentations. This is irreversible.
9. Your Rights
Under the General Data Protection Regulation (GDPR) and similar privacy laws, you have the following rights:
- Right of Access (Art. 15) — export all your data in JSON format via Settings > Export Your Data.
- Right to Rectification (Art. 16) — contact us to update inaccurate personal data.
- Right to Erasure (Art. 17) — delete your account and all data via Settings > Delete Account.
- Right to Data Portability (Art. 20) — download your data in machine-readable JSON format.
- Right to Restriction (Art. 18) — contact us to request processing restrictions.
- Right to Object (Art. 21) — contact us to object to processing based on legitimate interest.
- Right to Withdraw Consent — where processing is based on consent, you may withdraw at any time.
To exercise any right, email contact@prompturement.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
10. International Data Transfers
Your data is primarily stored in Azure's West Europe region. When you use AI tools, document content is transmitted to Google's Gemini API, which may process data outside the EU/EEA. This transfer is covered by Google's Standard Contractual Clauses (SCCs) and their compliance with applicable data protection frameworks. Stripe processes payment data in the US/EU under their own SCCs and DPA.
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly. If you believe a child has registered, contact us immediately.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, in accordance with GDPR Art. 33 and 34.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address and/or via a prominent notice in the Service at least 14 days before they take effect. The "Last updated" date at the top will be revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact
For all privacy-related inquiries, data subject access requests, or to report a concern: