Privacy Policy

1. Who we are

PromptMan is operated by Healcy.App UG (haftungsbeschränkt), registered at Amtsgericht Göttingen under HRB 208164.

Registered address: Anna-Zammert-Allee 4, 37073 Göttingen, Germany

Contact for privacy matters: privacy@promptl.app

Under GDPR, Healcy.App UG is the data controller for personal data collected through PromptMan and promptman.app.

2. What data we collect

•

Account data

When you create an account, we collect your email address and a hashed password. If you sign in via a third-party provider, we receive basic profile information from that provider.

•

Usage data

We collect data about how you interact with the app, including features used, session duration, and error events. This data is pseudonymous and tied to a user ID, not your name.

•

Prompt content

The prompts you save are stored in our database and synced across your devices. We do not read, analyze, or use your prompt content for any purpose other than providing the sync service.

•

AI Enhance data

When you use the AI Enhance feature, your prompt text is sent to OpenAI's API for processing. OpenAI receives only the prompt text you submit for enhancement, not your account information. See Section 5 for details.

•

Device and technical data

We collect your operating system, app version, and general device type for debugging and compatibility purposes. We do not collect device identifiers that could be used to track you across apps.

•

Payment data

Subscription payments are handled by RevenueCat and Apple/Google. We do not receive or store your credit card or payment details.

3. How we use your data

We use the data we collect to:

• Provide, maintain, and sync the PromptMan service across your devices

• Process and fulfill your subscription

• Send transactional emails (account confirmation, password reset)

• Detect and fix bugs and errors

• Understand aggregate usage patterns to improve the product

We do not sell your personal data. We do not use your data for advertising.

4. Legal basis for processing (GDPR)

If you are located in the European Economic Area, we process your data on the following legal bases:

•

Contract performance (Art. 6(1)(b) GDPR)

processing necessary to provide the service you signed up for, including account management and sync

•

Legitimate interests (Art. 6(1)(f) GDPR)

analytics and error tracking to maintain and improve the service

•

Legal obligation (Art. 6(1)(c) GDPR)

where required by applicable law

•

Consent (Art. 6(1)(a) GDPR)

for any optional processing where we request your consent

5. Third-party service providers

We share data with the following processors to operate the service. Each is bound by a Data Processing Agreement with us.

Processor	Purpose	Data shared	Location
Supabase	Database and authentication	Account data, prompt content	USA (SCCs)
OpenAI	AI Enhance feature	Prompt text submitted for enhancement	USA (SCCs)
RevenueCat	Subscription management	User ID, purchase events	USA (SCCs)
PostHog	Product analytics	Pseudonymous usage events	EU / USA (SCCs)
Sentry	Error tracking	Error logs, device info	USA (SCCs)
Hostinger	Web hosting	Web traffic logs	EU

SCCs means Standard Contractual Clauses approved by the European Commission, which serve as the legal mechanism for transferring data to the United States.

We do not use any other analytics platforms, advertising networks, or data brokers.

6. Data retention

We retain your account data and prompt content for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it longer for legal or accounting obligations (typically up to 10 years for financial records under German commercial law).

Usage and analytics data is retained in pseudonymous form for up to 24 months.

7. Your rights

If you are in the EEA or UK (GDPR/UK GDPR):

You have the right to:

• Access the personal data we hold about you

• Correct inaccurate data

• Delete your data ("right to erasure")

• Restrict or object to certain processing

• Receive your data in a portable format

• Withdraw consent at any time where processing is based on consent

• Lodge a complaint with your supervisory authority (in Germany: the Landesbeauftragte für den Datenschutz Niedersachsen)

If you are in California (CCPA/CPRA):

You have the right to:

• Know what personal information we collect and how we use it

• Delete your personal information

• Opt out of the sale or sharing of your personal information (we do not sell or share your data)

• Non-discrimination for exercising your rights

California residents may designate an authorized agent to make a request on their behalf. We will respond to verified requests within 45 days.

To exercise any of these rights, contact us at privacy@promptl.app. We will respond within 30 days for GDPR requests and 45 days for CCPA requests.

8. Children

PromptMan is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at privacy@promptl.app and we will delete it.

9. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS) and at rest. Access to production systems is restricted to authorized personnel. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by a notice in the app at least 14 days before the changes take effect. The date at the top of this page reflects the current version.