Data Protection and GDPR Compliance Statement

Last Updated: 14 September 2025

Version: 2.0

1. Introduction and Scope

Promatly AI ("we", "us", "our", "the Service") is profoundly committed to the principles of data protection and privacy. This statement provides a detailed overview of our data processing operations and our compliance framework with respect to the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and the retained EU law version of the GDPR as it applies in the United Kingdom by virtue of the Data Protection Act 2018 ("UK GDPR").

This document serves as a formal declaration of our data processing activities, the legal bases for these activities, and the rights afforded to you, our user ("Data Subject"), under these regulations. It applies to all personal data processed by us in the provision of our AI prompt engineering and workflow generation services.

2. Data Controller Identification

For the purposes of the UK GDPR and EU GDPR, the legal entity responsible for determining the purposes and means of processing your personal data (the "Data Controller") is:

[Your Company's Legal Name, e.g., Promatly AI Ltd.]
[Your Company's Registered Address, Street, City, Postal Code, United Kingdom]
Company Registration Number: [Your Company Number as registered with Companies House]

Our designated representative for all data protection matters is our Data Protection Officer (DPO), who can be contacted directly for any inquiries, requests, or concerns related to your personal data: supporty@promatly.com.

3. Lawful Basis for Data Processing

The processing of personal data is only lawful if it is based on one of the legal grounds set out in Article 6 of the UK GDPR. Our processing activities rely on the following lawful bases:

• Performance of a Contract (Article 6(1)(b) GDPR): This is our primary basis for processing. When you sign up for Promatly AI, you enter into a contract with us as defined by our Terms of Service. The processing of your account details, service data, and payment information is necessary for us to deliver the services you have requested, manage your account, and fulfil our contractual obligations.
• Legal Obligation (Article 6(1)(c) GDPR): We may be required to process and retain certain data to comply with our legal and regulatory obligations. This primarily applies to financial and transactional data, which must be retained for tax and accounting purposes as mandated by UK law (e.g., HMRC requirements).
• Legitimate Interests (Article 6(1)(f) GDPR): In limited circumstances, we may process data based on our legitimate interests, such as for internal analytics to improve our service, provided that such processing does not override your fundamental rights and freedoms. We do not use this basis for marketing or non-essential processing.

4. Categories of Personal Data Processed and Purposes

In accordance with the principle of data minimisation, we collect and process only the data that is strictly necessary for the specified purposes.

4.1. Data Provided Directly by You

• Identity and Contact Data: This includes your email address, a unique user identifier (UID) generated by our authentication system, and optionally, a display name and profile photograph if you choose to authenticate using a third-party service like Google.
  Purpose: To establish and maintain your user account, provide secure access, and for essential service-related communications (e.g., password resets, service updates). Lawful Basis: Performance of a Contract.
• Financial Data: This includes your subscription plan details and a secure, anonymised customer identifier provided by our payment processor, Stripe. We do not directly collect, process, or store your credit card number, expiry date, or CVC.
  Purpose: To manage your subscription, process payments, and handle billing inquiries. Lawful Basis: Performance of a Contract.

4.2. Data Generated Through Your Use of the Service

• Service Data: This comprises the AI prompts you submit to the Service and the corresponding outputs generated, including scores, suggestions, and workflow JSON files.
  Purpose: This is the fundamental data required for the core operation of the Service. Without processing this data, we cannot provide the prompt engineering tools you have contracted us to provide. Lawful Basis: Performance of a Contract.
• Usage Data: We maintain a transactional log that counts the number of AI generations (scores, suggestions, workflows) you initiate on a monthly basis.
  Purpose: To monitor your usage against the limits of your subscription plan and to ensure fair and accurate billing. Lawful Basis: Performance of a Contract.

5. Data Processors and Third-Party Disclosures

We engage a limited number of third-party service providers ("Data Processors") to support the delivery of our Service. We have performed due diligence on each processor and have binding Data Processing Agreements (DPAs) in place to ensure they handle your data with the same level of care and security that we do, and in full compliance with UK GDPR.

• Google Cloud Platform / Firebase (USA): Provides user authentication services and secure, scalable cloud infrastructure for hosting our application.
• MongoDB Atlas (USA): Provides our primary database hosting, where your account and usage data are securely stored with encryption at rest.
• OpenAI, L.L.C. (USA): Acts as the core AI engine for processing your prompts. Prompts are sent to their API for analysis and generation of results.
• Stripe, Inc. (USA): Our exclusive partner for secure payment and subscription management. They are PCI-DSS Level 1 certified.

We will not sell, rent, or lease your personal data. We will only disclose personal data to other third parties, such as law enforcement or regulatory bodies, if we are under a legal obligation to do so.

6. International Transfers of Personal Data

The operation of our Service involves the transfer of your personal data to our key Data Processors located in the United States. Such transfers outside the United Kingdom and the European Economic Area are conducted in strict compliance with Chapter V of the UK GDPR.

To ensure your data receives a level of protection equivalent to that provided within the UK, we rely on legally-approved transfer mechanisms. Specifically, we have executed the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU's Standard Contractual Clauses (SCCs) with each of our US-based processors. These agreements contractually obligate the receiving party to protect your personal data in accordance with UK and EU data protection standards.

7. Your Data Subject Rights under UK GDPR

As a Data Subject residing in the United Kingdom, the law grants you a comprehensive set of rights to control your personal data. We are fully committed to upholding these rights.

• The Right of Access (Subject Access Request): You have the right to request and obtain a copy of the personal data we hold about you, along with information about how and why we process it.
• The Right to Rectification: If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected.
• The Right to Erasure (The "Right to be Forgotten"): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
• The Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data in certain circumstances, for example, while its accuracy is being established.
• The Right to Data Portability: You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format (such as JSON) and to transfer it to another data controller.
• The Right to Object: You have the right to object to the processing of your personal data if it is based on our legitimate interests.

8. Data Management and Exercising Your Rights

We believe in empowering you with direct control over your data. You can exercise your rights to erasure and rectification through the self-service tools available in your Account Settings page. There, you will find options to permanently delete your service data (prompt history) or to permanently delete your entire account and all associated personal information.

For all other requests, including Subject Access Requests or Data Portability requests, please submit a formal request in writing to our Data Protection Officer at support@promatly.com. We will verify your identity and process your request without undue delay, and in any event within one calendar month of receipt.

9. Data Security and Retention Policy

We take the security of your data extremely seriously. We implement robust technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. These measures include Transport Layer Security (TLS) encryption for all data in transit and industry-standard AES-256 encryption for all data at rest within our databases.

Our data retention policy is straightforward: we will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected. This means we will keep your account and service data for as long as you maintain an active account with us. Should you choose to delete your account, we have an automated process that will permanently erase all associated personal data from our live production systems within a 30-day period. Anonymised financial transaction data will be retained for a period of seven years to comply with our legal obligations under UK tax law.

10. Your Right to Lodge a Complaint

We are committed to resolving any concerns you may have about your privacy and our data protection practices. We encourage you to contact us first at support@promatly.com to allow us to address the matter directly.

However, if you are a resident of the United Kingdom and you feel that your data protection rights have been infringed, you have the right to lodge a complaint with the UK's independent data protection authority, the Information Commissioner's Office (ICO).

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk/concerns