Privacy Policy

Last updated: February 12, 2026

This Privacy Policy explains how Mavity (doing business as PromptForge), a sole proprietorship registered in the Netherlands (KvK number: 99733684), collects, uses, stores, shares, and protects your personal data when you use our service at https://promptforge-app.com/ (the "Service").

We act as the data controller under the General Data Protection Regulation (GDPR). We take your privacy seriously and process your data lawfully, fairly, and transparently.

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

Contact for privacy questions: [email protected].

We do not have a Data Protection Officer (DPO).

1. Personal Data We Collect

We collect only the personal data necessary to provide the Service. This includes:

Data You Provide Directly

  • Email address
  • Chosen display name (username)
  • Password (hashed – we never store plaintext)
  • OAuth tokens (for Google sign-in)

Payment & Subscription Data

  • Stripe reference IDs (stripeCustomerId, stripeSubscriptionId) – we do not store full payment card details
  • Subscription plan, status, billing period dates

Technical & Usage Data

  • IP address
  • Browser/device information (user agent)
  • Session tokens (with expiration)
  • API usage logs (monthly aggregated request count per user, last reset timestamp)
  • Timestamps (account creation, updates, last used API key)

User Content

  • Prompts and their version history (text-based AI prompt templates you create)

We do not collect special categories of data (e.g., health, race), perform automated decision-making/profiling, or use your data for marketing/newsletters.

Data is collected via:

  • Account signup (email/password or Google OAuth)
  • Stripe checkout
  • Your use of the Service (automatic logging)

2. Purposes & Legal Bases for Processing

We process your data for these purposes, based on these GDPR legal bases:

Purpose | Legal basis (GDPR) | Explanation
Account creation & authentication | Contract (Art. 6(1)(b)) | To provide access to the Service
Service delivery (storing/organizing prompts, API access) | Contract (Art. 6(1)(b)) | Core functionality of the Service
Billing & subscription management | Contract (Art. 6(1)(b)) | To process payments via Stripe
Support & abuse prevention | Legitimate interests (Art. 6(1)(f)) | To respond to inquiries and protect the Service (balanced against your rights)
Security & technical operation (e.g., rate limiting, sessions) | Legitimate interests (Art. 6(1)(f)) | Essential for secure, reliable operation

We do not use your data for marketing or analytics beyond service needs.

3. Sharing & Third-Party Processors

We share data only with trusted processors who help deliver the Service:

  • Google (authentication) – processes OAuth tokens for Google sign-in; governed by Google's Privacy Policy
  • Stripe (payments) – processes payment data; we only store references
  • Vercel (hosting & infrastructure)
  • Neon.tech (database)
  • Resend (transactional emails, e.g., password reset)

These processors are bound by Data Processing Agreements (DPAs) or equivalent terms. Google, Vercel, Neon, and Resend provide standard DPAs incorporating safeguards.

4. International Data Transfers

Some processors (Google, Vercel, Neon.tech, Stripe, Resend) may transfer data outside the EEA (e.g., to the US). We rely on:

  • EU-U.S. Data Privacy Framework (where certified)
  • 2021 EU Standard Contractual Clauses (SCCs) incorporated into our processor agreements
  • Other appropriate safeguards under GDPR Chapter V

These safeguards are intended to give your data a level of protection essentially equivalent to that in the EEA. For details of each processor's safeguards, see their privacy policies and DPAs.

5. Data Retention

We keep your data only as long as necessary:

  • Account & subscription data: Until you delete your account (immediate hard delete on request, with cascade deletion of related data like prompts, API keys, sessions, and usage logs)
  • API usage logs: Retained while your account is active (no automatic purge of old months)
  • Sessions: Session tokens expire automatically; expired session records are not proactively purged and are removed when your account is deleted
  • Payment references: Kept as long as needed for billing (Stripe handles full payment data retention)

After account deletion, data is immediately removed (except Stripe records, which remain per their policy).

6. Security Measures

We protect your data with industry-standard measures, including:

  • Passwords hashed with bcrypt; minimum password strength rules are enforced at signup
  • API keys stored only as a peppered SHA-256 hash (the plaintext key is shown once at creation and is never stored)
  • Rate limiting, returning HTTP 429 on excessive requests
  • Session tokens with an expiration time
  • Bearer-token authentication for the API
  • Access controls scoping every record to its owning user
  • Encryption in transit and at rest where provided by our processors (see Section 3)
  • Cascade deletion of all related records when an account is removed
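The API-key handling and rate limiting described above, as an added illustration (this is not PromptForge's own code and does not describe its implementation). It shows the pattern the list names: the plaintext key is returned exactly once, only a peppered SHA-256 digest is stored, verification uses a constant-time comparison, the Bearer header is parsed strictly, and a per-user limiter returns 429 once a window's quota is used up. Assumptions: the `PEPPER` value and the `pf_<key_id>_<secret>` key format are invented for the example, "peppered SHA-256" is implemented as HMAC-SHA256 keyed with the pepper, and the limiter is a simple fixed window.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed server-side pepper for this example. In a real deployment it comes from
# the environment or a secret store, never from source control or the database.
PEPPER = b"example-pepper-change-me"


@dataclass
class StoredKey:
    user_id: str
    key_id: str
    digest: str  # hex HMAC-SHA256(pepper, secret); the secret itself is never stored


def _peppered_digest(secret: str) -> str:
    # Keyed SHA-256 (HMAC) with the pepper: a leaked database row cannot be
    # verified or brute-forced offline without also obtaining the pepper.
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()


def issue_api_key(store: Dict[str, StoredKey], user_id: str) -> str:
    """Create a key, persist only its digest, and return the plaintext exactly once."""
    key_id = secrets.token_hex(4)        # public lookup id; hex, so no underscores
    secret = secrets.token_urlsafe(32)   # 256 bits of randomness
    store[key_id] = StoredKey(user_id, key_id, _peppered_digest(secret))
    return f"pf_{key_id}_{secret}"       # "pf_" prefix is an assumed key format


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Accept only 'Bearer <token>'; any other scheme or an empty token is rejected."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    return token.strip()


def authenticate(store: Dict[str, StoredKey], authorization: Optional[str]) -> Optional[str]:
    """Return the owning user_id for a valid Bearer API key, else None."""
    token = parse_bearer(authorization)
    if token is None:
        return None
    parts = token.split("_", 2)  # the secret may itself contain '_' (urlsafe base64)
    if len(parts) != 3 or parts[0] != "pf":
        return None
    _, key_id, secret = parts
    candidate = _peppered_digest(secret)
    rec = store.get(key_id)
    if rec is None:
        # Compare against a dummy digest so unknown and wrong keys cost similar time.
        hmac.compare_digest(candidate, _peppered_digest("missing"))
        return None
    if not hmac.compare_digest(rec.digest, candidate):
        return None
    return rec.user_id


def allow_request(state: Dict[str, Tuple[int, int]], user_id: str,
                  now: float, limit: int, window: float) -> Tuple[bool, int]:
    """Fixed-window per-user limiter: (True, 200) under the limit, (False, 429) once exceeded."""
    bucket = int(now // window)
    prev_bucket, count = state.get(user_id, (bucket, 0))
    if prev_bucket != bucket:
        count = 0  # a new window starts with a fresh count
    if count >= limit:
        state[user_id] = (bucket, count)
        return False, 429
    state[user_id] = (bucket, count + 1)
    return True, 200


if __name__ == "__main__":
    keys: Dict[str, StoredKey] = {}
    plaintext = issue_api_key(keys, "user-123")
    print("shown once:", plaintext)
    print("stored record:", keys)
    print("valid key ->", authenticate(keys, f"Bearer {plaintext}"))
    print("tampered key ->", authenticate(keys, f"Bearer {plaintext[:-2]}xx"))
```

Note the two properties the list above promises: nothing in `store` can be turned back into a usable key without the pepper, and the caller sees the plaintext only as the return value of `issue_api_key`.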

If a personal data breach occurs, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (GDPR Art. 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Art. 34).

7. Cookies

We use essential cookies to operate the Service (e.g., keeping you signed in). For full details on which cookies we use, their purposes, durations, and how to manage them, please see our Cookie Policy.

8. Your GDPR Rights

You have these rights under GDPR:

  • Access, rectification, erasure ("right to be forgotten"), restriction
  • Data portability
  • Object to processing (where based on legitimate interests)
  • Withdraw consent, where processing is based on consent (consent is not the main legal basis for the processing described in Section 2)

To exercise any right, email us at [email protected]. We respond within one month (extendable if complex). No fee unless requests are excessive.

You can also complain to the Dutch supervisory authority: Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).

9. Children

The Service is not directed at children under 13. Users must be at least 13 years old (per our Terms of Service). Under GDPR Article 8 as applied in the Netherlands, consent-based processing for users under 16 may require parental or guardian authorisation; we rely on you to ensure this.

10. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified by email at least 30 days in advance. Continued use means acceptance.

11. Online Dispute Resolution

If you are a consumer in the EU, Norway, Iceland, or Liechtenstein, you may use the European Online Dispute Resolution (ODR) platform to resolve disputes related to online purchases: https://ec.europa.eu/consumers/odr.

12. Contact Us

Questions or concerns? Email [email protected].

© 2026 Mavity – All rights reserved.
