Last Updated: November 29, 2025
PromptBuff (“we”, “our”, “us”) operates the Chrome extension and the web application at https://prompt-ok.vercel.app (together, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use the PromptBuff extension and web application.
By installing or using the PromptBuff extension or web app you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.6 Payment Information (if applicable)
If you purchase credits or premium features:
- Payment processing is handled exclusively by Dodo Payments.
- Billing information (such as name and email) is collected directly by the payment processor.
- We do NOT store or process credit card numbers or other payment details.
- Payment history may be stored to manage your account and purchased credits.
For payment security and privacy details, refer to Dodo Payments' Privacy Policy.
1.1 Account Information
- Name and email address (collected via Google OAuth when you sign in).
- User ID (generated by our system).
- Authentication tokens (JWT) used to authenticate your session.
1.2 Prompt Data
- Original prompts you submit for enhancement.
- Enhanced prompts generated by our service.
- Timestamps and metadata for enhancement requests (e.g., date/time).
1.3 Usage & Diagnostics
- Number of enhancements performed, credits/usage remaining, and feature usage statistics.
- Browser type and extension version.
1.4 Local Storage
- Browser Extension: Data stored in `chrome.storage.local` such as JWT tokens and preferences.
- Web Application: Data stored in Browser `localStorage` for cookie consent preferences (`promptbuff-cookie-consent`) and session data.
1.5 What We Do NOT Collect
Browsing history, full AI conversation transcripts (unless explicitly submitted as a prompt), passwords, payment card details, precise geolocation, or other sensitive device data.
2. How We Use Your Information
We use collected information to:
- Provide and operate the prompt enhancement service.
- Authenticate and manage user accounts.
- Store and show your enhancement history and manage credits/limits.
- Improve features, fix bugs, and analyze usage via product analytics (e.g., PostHog) to enhance service quality.
- Comply with legal obligations.
We do not sell user data or share it with advertisers.
3. Data Storage, Retention & Security
Storage Locations
- Supabase — primary database for user profiles, enhancement history, and usage data.
- Vercel — hosting for the web application and backend endpoints.
- PostHog — product analytics and usage tracking (respecting your consent choice).
- chrome.storage.local — browser-side storage for tokens and preferences.
Retention Periods
- Account data: Retained while your account is active and for 30 days after a deletion request.
- Prompt history: Retained for 1 year or until account deletion.
- Usage logs: Retained for 90 days.
- Anonymized analytics: Retained indefinitely.
Retention
- Prompt history and usage data are retained while your account is active. You may request deletion of your account and data; details are in the “Your Rights” section below.
- We may retain anonymized or aggregated data after account deletion for analytics and product improvement.
Security Measures
- All network traffic is encrypted via HTTPS/TLS.
- Authentication is handled via secure JWTs.
- Database access is restricted to authorized backend services.
- We perform routine security reviews and apply standard safeguards to protect user data.
4. Third-Party Services & Data Flow
To operate the service we rely on third parties. The following describes how your data may flow to those parties:
- Google OAuth — used to authenticate users and obtain name/email. (Google's privacy policy applies.)
- Supabase — stores account data, prompts, and usage statistics. (Supabase privacy policy applies.)
- Vercel — hosts the web application and API endpoints. (Vercel privacy policy applies.)
- PostHog — provides product analytics and session recording for improving user experience. Data is collected only if you consent via our Cookie Banner. (PostHog privacy policy applies.)
- AI Provider(s) (for example OpenRouter or other model providers) — prompt text is sent from our backend to the AI provider to generate enhanced prompts. The AI provider processes the prompt and returns a response to our backend. The prompt text and model output may be temporarily handled by that provider; see the provider's privacy policy for details.
We do not share user data with advertisers or sell it to third parties. We will disclose data to third parties only to provide the service, for security or legal reasons, or with your consent.
5. Cookies and Tracking
- We use essential elements (like localStorage) to maintain authenticated sessions and remember your preferences (e.g., cookie consent).
- We use Product Analytics (PostHog) to understand how users interact with our service and to improve it. This may include session recording and usage metrics.
- Control: You can choose to accept or reject non-essential analytics cookies via the Cookie Banner displayed on your first visit. You can reset this preference at any time by clearing your browser data for our site.
- We do not use tracking cookies for third-party advertising.
6. User Rights and Choices
You have the following rights regarding your personal data:
- Access — request a copy of your account data and enhancement history.
- Rectification — request corrections to inaccurate data.
- Deletion — request deletion of your account and associated data.
- Export — request a machine-readable export of your data.
- Restriction & Objection — to the extent permitted by law, request restriction or object to processing.
To exercise any of these rights, contact: kapisnotthename@gmail.com. We will respond in accordance with applicable law.
7. GDPR & CCPA Compliance
GDPR (EU Users)
If you are located in the European Economic Area (EEA), legal bases for processing may include your consent, performance of a contract (providing the service), and our legitimate interests (improving the service). You may exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) by contacting kapisnotthename@gmail.com.
CCPA (California Users)
California residents may request disclosure of categories of personal information collected, request deletion, and opt out of the sale of personal information. PromptBuff does not sell personal information.
8. Children's Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will take steps to delete such information.
9. Data Breach Notification
If a security breach affects your personal data, we will notify you and any applicable regulators as required by law and will take appropriate steps to mitigate the impact.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page. For material changes, we may also notify users by email or in-app notification.
11. Contact Information
If you have questions about this Privacy Policy or want to exercise your rights, contact us:
12. International Data Transfers
Your data may be transferred to and processed in countries outside your home country, including the United States, where Supabase and Vercel operate. To protect your information, we rely on:
- Standard Contractual Clauses (SCCs) with service providers.
- GDPR-compliant safeguards and protection measures.
© 2025 PromptBuff. All rights reserved.