Privacy Policy
We believe transparency builds trust. This Privacy Policy explains what data we collect, how we use it, and the rights you have under global privacy regulations like the GDPR, CCPA, and UK Data Protection Act.
Last updated: March 6, 2026
Overview
Prompt Carrot is the data controller responsible for protecting your personal information. This policy applies to visitors, customers, and workspace members who access our websites, applications, and related services.
Where we rely on third-party processors (Supabase, Vercel, Polar.sh, PostHog, and trusted analytics and infrastructure partners), we ensure contractual safeguards and data-processing agreements are in place.
Data We Collect
We only collect the information needed to operate Prompt Carrot securely and effectively:
- Account & Profile Data: name, email, authentication details, profile fields, and team membership metadata.
- Workspace Content: prompts, collections, annotations, files, and activity your team chooses to store in the platform.
- Usage & Device Data: log files, IP address, browser details, device identifiers, API usage, and feature engagement analytics (aggregated whenever possible).
- Billing & Compliance: limited payment data (handled via Polar.sh), invoices, and tax location information for paid plans.
- Support Communications: messages, feedback forms, and incident reports when you contact us for help.
How We Use Your Data
- Provide, maintain, and improve the Prompt Carrot platform and AI prompt collaboration features.
- Authenticate users, secure workspaces, prevent fraud, and monitor for abuse or policy violations.
- Respond to support requests, deliver platform announcements, and provide onboarding guidance.
- Process payments, manage subscriptions, and comply with accounting, tax, and legal obligations.
- Analyze aggregated usage trends to prioritize roadmap improvements and maintain service reliability. This includes operational analytics (such as account creation, subscription changes, and error monitoring) processed under our legitimate interest, as well as behavioral analytics (such as feature usage, navigation patterns, and search activity) processed only with your consent.
We never sell personal data. Marketing communications are optional and you can opt out at any time via email preferences.
Legal Bases Under GDPR
For individuals in the European Economic Area, United Kingdom, and Switzerland, we process personal data using the following lawful bases:
- Contractual necessity for providing the services you request and enabling workspace collaboration.
- Legitimate interests such as improving product reliability, preventing misuse, and safeguarding our infrastructure (balanced against your rights and expectations). This includes server-side operational analytics (account events, subscription lifecycle, error monitoring, and system health metrics), which we process to maintain, secure, and improve the service regardless of cookie consent preferences.
- Legal obligations including financial record keeping, responding to lawful requests, and honoring regulatory requirements.
- Consent for optional client-side analytics cookies and behavioral tracking (page views, feature interactions, search activity), marketing emails, and when you choose to share content publicly. You may withdraw consent at any time without affecting prior processing.
Data Sharing & Processors
We share data only with vetted partners who help us run Prompt Carrot:
- Supabase (EU/US): authentication, database hosting, and secure storage with row-level security enforcement.
- Vercel (Global): application hosting and edge delivery with regional failover.
- Polar.sh (Global): payment processing. Sensitive card data never touches our servers.
- PostHog (EU-hosted option): privacy-aware analytics to improve the product. Tracking is pseudonymized and respects Do Not Track signals where available.
- Support tooling: email, incident response, and ticketing services solely to assist you.
All processors are bound by data protection agreements, confidentiality obligations, and sub-processor controls.
International Data Transfers
We may transfer personal data outside of your home country. When we do, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms. Data hosted in Supabase or Vercel can be regionally located based on your organization's selection.
We continuously assess partner compliance with EU and UK data-export requirements and limit transfer scope to the minimum required to provide the service.
Data Retention
We retain personal data for as long as your account is active or as needed to deliver services. Workspace owners can delete prompts, collections, and entire organizations at any time. When you request deletion, we remove or anonymize data within 30 days unless legal obligations require longer retention (e.g. billing records held for seven years).
Backup copies are purged on a rolling schedule. Aggregated analytics may be retained without identifying information for benchmarking and service planning.
Your Privacy Rights
Depending on your location, you may exercise the following rights. We honor requests under GDPR, CCPA, UK Data Protection Act, and other applicable laws:
- Right of access: request a copy of personal data we hold about you.
- Right to rectification: correct incomplete or inaccurate information.
- Right to erasure: ask us to delete data when it is no longer needed or consent is withdrawn.
- Restriction of processing: pause certain data uses while we assess your request.
- Data portability: receive personal data in a structured, machine-readable format.
- Right to object: opt out of processing based on legitimate interests or direct marketing.
- Withdraw consent: change your preferences for optional features or communications.
- Lodge a complaint: contact your local supervisory authority if you believe we violated data protection laws.
We aim to respond to verified requests within 30 days. When requests are complex or numerous, we may extend by another 30 days and will inform you promptly.
Security Measures
Security is built into Prompt Carrot. We apply encryption in transit and at rest, access controls, audit trails, rate limiting, and continuous monitoring. Production access is restricted to trained personnel and reviewed quarterly. We follow responsible disclosure practices and notify you of any data incidents as required by law.
Cookies and Tracking
Prompt Carrot uses a cookie consent banner on all public pages so you can make an informed choice before any non-essential tracking occurs. You can update your preferences at any time through the "Cookie Settings" link in the page footer or the Privacy section of your dashboard Account Settings.
Cookie Categories
- Essential Cookies: Required for authentication, session security, and core platform functionality. These cannot be disabled.
  - sb-*-auth-token: Supabase authentication session (expires with session or on sign-out)
  - pc_cookie_consent: Stores your cookie preferences (365 days)
- Analytics Cookies: Help us understand how you use the product so we can improve it. Powered by PostHog, a privacy-focused, EU-hosted analytics platform with no advertising or cross-site tracking. These are opt-in only and require your explicit consent.
  - ph_*: PostHog analytics identifiers (expires with session or on consent revocation)
When you revoke analytics consent, all PostHog cookies and local storage data are deleted immediately. No further client-side behavioral tracking occurs for your session.
Separately, we process limited server-side operational events (such as account creation, subscription changes, and error reports) under our legitimate interest in maintaining and improving the service. These events do not rely on cookies and are not affected by your cookie consent preferences. You may object to this processing by contacting our privacy team.
We honor Do Not Track (DNT) and Global Privacy Control (GPC) browser signals: our analytics SDK respects these signals, and we display their status in your privacy settings for transparency.
Children's Privacy
Prompt Carrot is not directed to children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact us so we can investigate and delete the information.
Contact the Privacy Team
For questions, data subject requests, or concerns, contact our Data Protection Officer:
- Email: privacy@promptcarrot.com
- Mail: Prompt Carrot, Attn: Privacy Team, 500 Market Street, Suite 210, San Francisco, CA 94105
EU/UK residents may also contact the Irish Data Protection Commission (DPC) or your local authority. We are committed to resolving every inquiry and will never retaliate for exercising your privacy rights.