Privacy Policy

Last Updated: 23 September 2025

1. Introduction

Welcome to Promatly AI (“Promatly”, “we”, “us”, “our”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and services (the “Service”). We write this to be clear and to reflect our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect information you provide directly and information generated by your use of the Service.

2.1 Information You Provide

• Account Information: Email address and a unique user identifier (UID). If you sign in with a provider (e.g., Google), we may receive your display name and profile image URL from that provider.
• Payment Information: For paid plans, payment details are handled by our payment processor (Stripe). We do not store card numbers or CVC on our systems.
• Prompts and Content: Prompts you submit and the resulting AI outputs (e.g., scores, suggestions, workflow JSON) necessary to provide the Service.

2.2 Information Collected Automatically

• Usage Data: Monthly counts of generations (scores, suggestions, workflows) to enforce plan limits and provide usage visibility.
• Essential Session Data: Authentication state (e.g., Firebase session) to keep you signed in securely. This is strictly necessary for the Service.
• Analytics (optional, consent-based): If you consent, we may load privacy-friendly analytics (e.g., GA4) to understand feature usage and improve reliability. Analytics are disabled by default and only activated after you choose “Accept” in our banner.

3. How and Why We Use Your Information

• Provide and Maintain the Service: Account creation, authentication, prompt processing, and delivering results you request.
  Lawful Basis: Performance of a Contract.
• Manage Subscriptions and Payments: Plan changes, billing, receipts, and customer support for billing.
  Lawful Basis: Performance of a Contract.
• Service Communications: Important notices about security, service changes, or your account.
  Lawful Basis: Performance of a Contract / Legitimate Interests.
• Compliance: Legal, regulatory, tax, and accounting obligations (e.g., retaining certain records).
  Lawful Basis: Legal Obligation.
• Security and Reliability: Prevent abuse, detect incidents, and ensure availability (minimal logs, access controls).
  Lawful Basis: Legitimate Interests (balanced against your rights).
• Analytics (only with consent): Improve usability and performance without identifying you directly.
  Lawful Basis: Consent.

4. Security Controls (CSRF and Authentication)

For actions that change data (e.g., generating AI outputs, managing billing), our API requires secure authentication and a Cross-Site Request Forgery (CSRF) token. After sign-in, you can request a CSRF token from /api/csrf-token and must include it (as X-CSRF-Token) with your authenticated POST requests. This helps prevent unauthorized requests from other sites.

5. Third-Party Services (Processors)

We don’t sell personal data. We use trusted providers that process data on our behalf under data processing agreements:

• Google Cloud / Firebase: Authentication and related hosting services.
• MongoDB Atlas: Database hosting.
• OpenAI: AI inference for prompts you submit.
• Stripe: Payments and subscription management (we don’t store card numbers).
• Google Analytics (GA4, only if you consent): Privacy-friendly usage analytics.

6. Data Storage and International Transfers

Data may be processed or stored outside the UK. When transfers occur, we use legally recognised safeguards (e.g., UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses (SCCs)) requiring recipients to protect personal data to UK standards.

7. Your Data Protection Rights

Under UK data protection law, you may have the right to access, correct, erase, restrict, port, or object to processing of your personal data, subject to conditions and limitations in law.

You can exercise several rights directly in your Account Settings, including: (i) viewing your plan and usage, (ii) deleting your usage data (/api/user/delete-data), and (iii) deleting your account (/api/user/delete-account). These actions require you to be signed in and include a valid CSRF token for security. For other requests, email support@promatly.com. We verify identity and respond within one month.

8. Cookies and Consent

We use strictly necessary cookies/storage for secure sign-in and essential features. Non-essential analytics are disabled by default and load only after you choose “Accept” in our banner.

Name	Type	Purpose	Retention
Firebase session	Strictly necessary	Keeps you signed in securely	Session (or per provider)
promatly_consent (cookie)	Preference	Stores your analytics consent choice used by /api/consent	Up to 12 months
_ga / GA4 client ID (only if you consent)	Analytics (non-essential)	Helps improve reliability and UX	Up to 24 months

We only enable analytics after you choose “Accept” in the banner. You can change this anytime: click Cookie settings. This updates your promatly_consent cookie via our /api/consent endpoint.

We use Content Security Policy (CSP) to restrict where scripts can load from. Analytics scripts (e.g., Google Tag Manager / GA4) are only permitted and initialized after you provide consent.

9. Data Security

We use Transport Layer Security (TLS) for data in transit, encryption-at-rest in our databases, and least-privilege access controls. We also apply monitoring and other technical and organisational measures appropriate to the risk.

10. Data Retention

We retain personal data only as long as needed for the purposes above. If you delete your account, associated personal data is removed from our live production systems promptly. Backup copies may persist for a limited period as part of routine disaster-recovery processes and are deleted on a rolling schedule. Aggregated or anonymised billing records may be kept for up to seven years to meet legal obligations.

11. Children’s Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact us and we will take appropriate steps.

12. Complaints

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local authority. We would appreciate the chance to address your concerns first at support@promatly.com.

13. Changes to This Privacy Policy

We may update this policy. Material changes will be highlighted here and, where appropriate, notified via email or in-product notice. Please review periodically.

14. Contact

Questions about this policy or our data practices: support@promatly.com