Privacy Policy

The data controller responsible for processing your personal data is:

We collect the following personal data about you:

• Email address — used for account creation and communication
• Password — encrypted and never stored in plain text
• Credit balance and transaction history — for account administration
• Payment information — processed exclusively by Stripe; we never see or store your card details
• IP address — for security and rate limiting purposes

We process your data for the following purposes:

• Creating and managing your user account
• Delivering our services (prompt optimisation and image generation)
• Processing payments and managing credits
• Account-related communication, including password reset
• Security and prevention of misuse

We process your personal data on the following legal grounds under the GDPR:

• Article 6(1)(b) — processing is necessary for the performance of a contract (delivery of our service)
• Article 6(1)(c) — processing is necessary to comply with a legal obligation (bookkeeping, invoicing)
• Article 6(1)(f) — processing is necessary for our legitimate interests (security and fraud prevention)

We retain your personal data for as long as your account is active. Transaction data is retained for 5 years in accordance with Danish bookkeeping legislation. If you request deletion of your account, we will delete your personal data within 30 days, unless we are legally required to retain it.

We share your data with the following data processors:

• Supabase — database hosting and authentication (EU-based servers)
• Stripe — payment processing (Stripe is PCI DSS certified)
• Google — AI-powered prompt optimisation and image generation via the Gemini API
• Vercel — web application hosting

We never sell your personal data to third parties and do not share it with anyone other than the data processors listed above.

Under the GDPR, you have the following rights:

• Right of access — you may request access to the personal data we hold about you
• Right to rectification — you may request correction of inaccurate data
• Right to erasure — you may request deletion of your data ("the right to be forgotten")
• Right to restriction — you may request that we restrict processing of your data
• Right to data portability — you may request your data in a structured, machine-readable format
• Right to object — you may object to processing based on legitimate interests

To exercise your rights, contact us at contact@promptflow.dk. We will respond to your request within 30 days.

PromptFlow uses only technically necessary cookies for authentication (session cookies). We do not use tracking cookies or third-party marketing cookies.

We apply industry-standard security measures, including encrypted data transmission (HTTPS), encrypted passwords, and secure token-based authentication. Access to personal data is restricted to authorised systems and personnel.

If you believe we are not processing your personal data correctly, you have the right to lodge a complaint with the Danish Data Protection Agency:

We reserve the right to update this privacy policy. Material changes will be communicated via email or a prominent notice on the site. The date at the top of this page indicates when the policy was last updated.