Privacy Policy
Last updated: 2 May 2026
1. Data controller
The data controller for prmpt.bio is:
MOONQUEST di Gazzoni Matteo (Sole proprietorship)
Registered office (Sede legale): Quartiere XXV Aprile 17, 36061 Bassano del Grappa (VI), Italy · VAT no. (P.IVA): 04626340246 · Fiscal code (C.F.): GZZMTT89P11A703I · REA: VI-418063 (Vicenza) · Certified email (PEC): matteo.gazzoni@pec.it
Privacy contact: ping@moonquest.dev
2. What data we collect
When you sign in, we receive your name, verified email address, and avatar URL from Google. We do not offer password sign-in. Our auth system stores session records (including session expiry, IP address, and user-agent) for account security and abuse prevention.
If you set up a creator profile, we store the profile information you provide (such as display name, bio, avatar, website and social links, store and support details) and any content you publish on your pages (prompts, variables, example media, descriptions, links, share assets, and design settings). Public profile and page content is visible on your creator page.
We use PostHog in cookieless mode to collect product analytics such as page views, feature interactions, and click events, together with browser-provided technical properties and product metadata such as creator and page IDs. We do not intentionally send account names, email addresses, or payment data to PostHog. In cookieless mode, PostHog does not set cookies or use browser local or session storage for analytics.
Our self-hosted infrastructure, hosted on Hetzner, records standard server logs (including IP address, user-agent, and requested URLs) for security, debugging, and infrastructure monitoring.
If you purchase a subscription or paid service, our payment provider collects and processes your billing details, including name, email, card data, billing address, and tax information. We do not store full payment card numbers. We retain invoices and transaction records as required by accounting and tax law.
When creators use AI-assisted features such as image analysis or color extraction, image URLs and the related prompt or page text are sent through Vercel AI Gateway to model providers for processing.
3. How we use your data
- Providing the service: authenticating you, displaying your creator profile and pages, processing images.
- Analytics: understanding how pages are used so we can improve the product using privacy-preserving cookieless analytics.
- Security: detecting abuse, preventing fraud, and maintaining infrastructure integrity.
- Communication: sending transactional billing, account, or service messages when required.
4. Legal bases (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)): processing your account and profile data is necessary to provide the prmpt.bio service you signed up for.
- Legitimate interest (Art. 6(1)(f)): cookieless analytics to improve the product, and server logs for security and abuse prevention.
- Legal obligation (Art. 6(1)(c)): retaining invoices, transaction records, and tax records where the law requires it.
- Consent (Art. 6(1)(a)): where required by law, for example if we introduce optional marketing communications in the future.
5. Third-party processors and providers
We share data with processors and external providers that are needed to operate the service or support creator-requested features:
| Provider | Purpose | Data shared |
|---|---|---|
| Google | Sign-in authentication | Name, verified email, avatar URL |
| PostHog | Analytics | Cookieless product events and technical properties |
| Hetzner | Application and database hosting | Account, content, technical, and server-log data |
| Cloudflare R2 | File storage & CDN | Avatar, store, input, output, and social images |
| Stripe | Payment processing | Name, email, card details, billing address |
| Vercel AI Gateway and model providers | Creator-requested AI processing | Image URLs, prompt/page text |
6. Cookies
prmpt.bio uses essential first-party authentication cookies to keep you signed in and protect account flows. Google Identity Services and Stripe may use their own cookies or browser storage when you interact with their sign-in or checkout experiences. External store providers may use their own cookies or browser storage when you leave prmpt.bio and interact with their sites. We store local interface preferences such as theme and editor panel position in browser local storage, not cookies. Our analytics service (PostHog) runs in cookieless mode and does not store analytics cookies, local storage, or session storage on your device.
7. International data transfers
Some of our processors are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework, as applicable to each provider.
8. Data retention
- Account data: retained until you delete your account.
- Creator profiles & prompts: retained until you delete them or request account deletion.
- Analytics events: retained according to PostHog's retention settings for cookieless analytics.
- Billing & invoicing data: retained for at least 10 years after the transaction as required by Italian tax and accounting law.
- Server logs: retained for up to 30 days on our self-hosted infrastructure.
9. Your rights under the GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your personal data.
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at ping@moonquest.dev. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority. In Italy, this is the Garante per la protezione dei dati personali.
10. Children
prmpt.bio is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
12. Contact
For privacy questions or to exercise your rights, email ping@moonquest.dev.