Privacy Policy

Last updated: February 2, 2026

1. Data Controller

The data controller responsible for your personal data is:

Łukasz Starosta
Sole Proprietorship (Jednoosobowa Działalność Gospodarcza)
NIP: 7282877975
Address: Gogola 8, 92-513 Łódź, Poland
Email: lukasz@promptscout.app

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Polish Act on Personal Data Protection of 10 May 2018, and other applicable EU and Polish data protection laws.

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

  • Email address
  • Full name
  • Company/brand name (if provided)
  • Account preferences and settings

2.2 Service Usage Data

  • Brand and competitor configurations
  • Prompts and questions you create for monitoring
  • AI response data and visibility metrics
  • Competitor mention data including mention frequency, positioning, and contextual excerpts from AI responses
  • Source citation data including URLs, domain names, and automatic source categorization (e.g., review platforms, forums, news sites)
  • Service interaction logs (features used, timestamps, etc.)
  • AI-generated insights and your interactions with recommendations

2.3 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Referring URLs

2.4 Payment Data

Payment processing is handled by our payment processor. We do not store credit card numbers, CVV codes, or full payment details. Payments are processed in compliance with PCI-DSS standards.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

  • Performance of Contract (Art. 6(1)(b)): Processing necessary to provide you with our AI visibility monitoring services, manage your account, and deliver the features you subscribed to.
  • Legitimate Interest (Art. 6(1)(f)): Processing for product analytics, security monitoring, fraud prevention, and service improvement, where our interests do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with tax laws, accounting regulations, and other legal requirements applicable in Poland and the EU.
  • Consent (Art. 6(1)(a)): For optional marketing communications, which you can withdraw at any time.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing and operating our AI visibility monitoring services
  • Managing your account and subscription
  • Sending service-related notifications (visibility reports, alerts)
  • Responding to support requests and inquiries
  • Analyzing product usage to improve our services (via privacy-respecting analytics)
  • Ensuring service security and preventing fraud
  • Complying with legal and tax obligations
  • Sending marketing communications (only with your consent)

5. Sub-Processors and Third-Party Services

We work with carefully selected third-party service providers (sub-processors) who process personal data on our behalf. All sub-processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance.

Service       | Purpose                                | Data Location
--------------|----------------------------------------|-------------------------
Supabase      | Database, authentication, storage      | EU (Frankfurt, Germany)
Vercel        | Website hosting and deployment         | EU (preferred regions)
PostHog (EU)  | Product analytics (privacy-focused)    | EU (Frankfurt, Germany)
AWS           | Cloud infrastructure                   | EU (Stockholm, Sweden)
Creem         | Payment processing                     | EU-compliant

We prioritize EU-based data storage wherever possible. In cases where data may be transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions (e.g., EU-US Data Privacy Framework for certified US providers).

6. AI-Powered Insights and Data Processing

PromptScout offers AI-powered insights that help you understand your brand's visibility and generate strategic recommendations.

6.1 What Data Is Processed

To generate insights, we send the following aggregated data to OpenAI's API:

  • Your brand name
  • Competitor names you are tracking
  • Source domains and citation statistics
  • Mention frequency and positioning statistics

We do NOT send:

  • Raw AI response texts
  • Your personal information (name, email)
  • Your prompts or query text
  • Context snippets or verbatim quotes

6.2 Legal Basis

Processing for AI insights is based on Performance of Contract (GDPR Art. 6(1)(b)) as part of delivering paid subscription features.

6.3 Data Retention for Insights

Generated insights are stored in our EU database (Supabase Frankfurt) and retained while your account is active. Insights are refreshed periodically (approximately every 7 days) and you can manually regenerate them at any time.

6.4 OpenAI's Data Handling

OpenAI processes requests under their API Terms of Service and does not use API data to train their models. See OpenAI's privacy policy at openai.com/policies/privacy-policy.

7. AI Response Data and Third-Party AI Providers

As part of our service, we query AI assistants (ChatGPT, Gemini, Google AI Overview, Perplexity AI, Microsoft Copilot, Claude) with the prompts you configure. This involves sending your configured prompts to third-party AI providers.

Independence Disclaimer: PromptScout is an independent product and is not affiliated with, endorsed by, or sponsored by OpenAI, Google, or any other AI model providers. We provide access to these AI models through our custom interface to deliver visibility monitoring services. All third-party trademarks, service marks, and logos are the property of their respective owners.

7.1 AI Providers and Data Transfers

Provider                              | Data Location | Transfer Safeguards
--------------------------------------|---------------|------------------------------------
OpenAI (ChatGPT)                      | USA           | EU-US Data Privacy Framework, SCCs
Google (Gemini, Google AI Overview)   | USA/EU        | EU-US Data Privacy Framework, SCCs
Perplexity AI                         | USA           | Standard Contractual Clauses
Microsoft (Copilot)                   | USA/EU        | EU-US Data Privacy Framework, SCCs
Anthropic (Claude)                    | USA           | Standard Contractual Clauses

When we query these AI providers on your behalf, we send only the prompt text you configured. We do not send your personal data (name, email) to AI providers. These providers process queries under their respective privacy policies and data processing agreements.

The AI responses we receive may contain mentions of your brand, competitors, and source citations. We automatically extract and categorize this information to provide you with visibility analytics. This competitive intelligence data is stored securely and accessible only to your team.

7.2 How We Store AI Responses

The responses we receive from AI providers are:

  • Stored securely in our EU-hosted database (Supabase Frankfurt)
  • Associated only with your account and team
  • Used solely to provide visibility analytics and historical tracking
  • Not shared with other users or third parties
  • Protected by row-level security ensuring strict data isolation

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data we hold.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restriction: Request that we limit how we process your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format or request transfer to another controller.
  • Right to Object: Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Withdraw consent at any time for processing based on consent.

To exercise any of these rights, contact us at lukasz@promptscout.app. We will respond to your request within 30 days as required by GDPR.

8.1 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. For users in Poland, the competent authority is:

Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl

If you are located in another EU/EEA country, you may also contact your local data protection authority.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document all breaches, including facts, effects, and remedial actions taken

10. Data Retention

We retain your personal data only as long as necessary:

  • Account data: Retained while your account is active, deleted within 30 days of account deletion request.
  • Service usage data: Retained while your account is active, deleted with account.
  • Billing/invoice data: Retained in accordance with applicable tax regulations (typically 5-7 years as required by law).
  • Analytics data: Aggregated analytics retained for service improvement.

11. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics cookies (PostHog EU): Help us understand how you use our service. PostHog EU stores data in Frankfurt, Germany and provides privacy-respecting analytics. These require your consent.

We do not use advertising cookies or share data with advertising networks. For detailed information about the specific cookies we use and how to manage your preferences, please see our Cookie Policy.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security (RLS) ensuring data isolation between accounts
  • Regular security audits and vulnerability assessments
  • Access controls limiting data access to authorized personnel
  • Secure authentication with password hashing and optional 2FA

13. International Data Transfers

We primarily store and process data within the European Union (EU/EEA). When data must be transferred outside the EU/EEA, we ensure adequate protection through: Standard Contractual Clauses (SCCs) approved by the European Commission, transfers to countries with adequacy decisions, or the EU-US Data Privacy Framework for certified US providers.

14. Children's Privacy

PromptScout is a business service not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email and by posting the updated policy with a new "Last updated" date. Continued use of our service after changes constitutes acceptance of the updated policy.

16. Contact Us

For any questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:

Data Protection Inquiries
Email: lukasz@promptscout.app
Response time: Within 30 days