Data Protection & GDPR Compliance Statement

Last Updated: 23 September 2025

This statement explains how Promatly AI complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU GDPR.

1. Who We Are (Controller)

Promatly AI is operated by Alaa Aldeen, who acts as the data controller for this Service.
Contact for data protection enquiries: support@promatly.com
A correspondence address will be provided on request when exercising your rights under UK GDPR.

2. What Personal Data We Process

2.1 Data You Provide

  • Identity & Contact: Email, unique user ID (UID), and if using social sign-in, display name and profile photo.
  • Billing: Plan tier and Stripe customer/subscription IDs. We do not store card numbers or CVC.
  • Service Inputs: Prompts you submit and content generated for you (scores, suggestions, workflow JSON).

2.2 Data Generated by Use

  • Usage Counters: Monthly counts of generations for enforcing plan limits and showing usage.
  • Session Data: Authentication state (e.g., Firebase) to keep you securely signed in.
  • Diagnostics & Logs: Minimal logs for security, reliability, and fraud/abuse prevention.
  • Analytics (only if you consent): Privacy-friendly aggregated usage (e.g., GA4) to improve the Service.

3. Purposes & Lawful Bases

  • Provide the Service (authentication, prompt processing, display results).
    Lawful basis: Performance of a Contract.
  • Manage subscriptions & payments (plan upgrades, billing, receipts).
    Lawful basis: Performance of a Contract.
  • Security & abuse prevention (rate limiting, incident detection).
    Lawful basis: Legitimate Interests (balanced against your rights).
  • Legal compliance (tax/accounting, responding to lawful requests).
    Lawful basis: Legal Obligation.
  • Analytics to improve usability and performance (only after consent).
    Lawful basis: Consent.

4. Processors & Sub-processors

We use vetted providers under Data Processing Agreements and security commitments:

  • Google Cloud / Firebase: Authentication and related hosting.
  • MongoDB Atlas: Managed database hosting (encryption at rest).
  • OpenAI: AI inference for prompts you submit.
  • Stripe: Payments and subscription management (PCI DSS Level 1).
  • Google Analytics (GA4, optional): Aggregated analytics, only if you consent.

We do not sell your personal data.

5. International Transfers

Where personal data is transferred outside the UK/EEA, we implement recognised safeguards (e.g., the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), requiring recipients to protect personal data to equivalent standards.

6. Security Measures

  • TLS for data in transit; encryption at rest in managed databases.
  • Least-privilege access, audit logging, and rate limiting.
  • Content Security Policy (CSP) with nonces; restricted script origins.
  • CSRF protection for state-changing operations via X-CSRF-Token (token from /api/csrf-token).

7. Data Retention

We keep personal data only as long as necessary for the purposes above. If you delete your account, associated personal data is removed from live systems promptly (typical target < 30 days). Backups may persist briefly on rolling schedules. Aggregated or anonymised records (e.g., invoices) may be retained up to seven years to meet legal obligations.

8. Your Rights (UK/EU GDPR)

Subject to legal limits and verification, you can:

  • Access your personal data and processing information.
  • Rectify inaccurate or incomplete data.
  • Erase personal data where appropriate (“right to be forgotten”).
  • Restrict processing in certain circumstances.
  • Port your data in a commonly used, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent for analytics at any time (doesn’t affect prior lawful processing).

9. How to Exercise Your Rights

You can self-serve some requests in Account Settings:

  • View plan/usage (/api/user/usage)
  • Delete your usage data (/api/user/delete-data)
  • Delete your account (/api/user/delete-account)

These require you to be signed in and to include a valid CSRF token (request from /api/csrf-token, send as X-CSRF-Token on POST). For Subject Access Requests, portability, or objections, email support@promatly.com. We respond without undue delay, and within one month.

10. Cookies & Consent

We use strictly necessary cookies/storage for secure sign-in and core features. Non-essential analytics are disabled by default and only enabled after your explicit consent (stored in a cookie such as promatly_consent via /api/consent).

Name | Type | Purpose | Retention
Firebase session | Strictly necessary | Secure sign-in/session continuity | Session (or per provider)
promatly_consent | Preference | Stores your analytics consent | Up to 12 months
_ga (if enabled) | Analytics | Aggregated usage insights | Up to 24 months

To change your choice, use your cookie banner or update via our endpoint: POST /api/consent with {"consent":"denied"}. If GA is loaded, we also send a runtime consent update to gtag.

11. Children’s Data

Our Service is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us to request deletion.

12. Complaints

Please contact us first at support@promatly.com. You also have the right to complain to:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
https://ico.org.uk/concerns/

13. Changes to This Statement

We may update this page to reflect changes in law or our practices. Material changes will be highlighted here and, where appropriate, communicated in-product or by email.
