PromptSurge
This document is provided in English. The English version is the legally binding one.

Privacy Policy

Last updated: 10 May 2026

Definitions

“Service” means the PromptSurge SDK (Android, iOS, Unity), admin panel, and API, operated by Boyarin Ltd.

“Developer” means any individual or organisation that has registered an admin panel account.

“End User” means a user of a Developer's mobile application that has integrated the PromptSurge SDK.

“Personal Data” has the meaning given in the EU General Data Protection Regulation (GDPR).

Data Controller

The data controller is Boyarin Ltd (registration number HE402264), incorporated in Cyprus. Contact: [email protected].

Information We Collect

From Developers (admin panel):

  • Name and email address, for account creation and communication.
  • OAuth account identifiers (Google or GitHub user ID), if you sign in using OAuth.
  • LLM API keys you configure for AI features — encrypted at rest using libsodium sealed-box encryption. The plaintext key is never stored or returned in API responses beyond a masked last-4 display.
  • Billing contact and payment method — handled entirely by our payment processor (Lemon Squeezy). We receive webhook notifications about subscription status only. We do not store card numbers or bank details.

From End Users via the SDK:

  • Hashed device ID: SHA-256 of the device's hardware identifier combined with the host app's bundle or package identifier. This hash cannot be reversed to obtain the original identifier.
  • App version, SDK version, locale tag (e.g. “en-US”) — used for metrics aggregation and prompt localisation.
  • Event types: which prompt events occurred (shown, confirmed, dismissed, native prompt requested, first open). No message content.

We do not collect from End Users:

  • Raw device identifiers or any reversible device fingerprint.
  • Names, email addresses, or any other personally identifiable information.
  • Location data beyond the device locale tag.
  • Review text pasted by Developers for theme extraction — this is passed to the configured LLM provider and processed in memory only; it is never stored by PromptSurge.

Server logs:

  • IP addresses are included in standard server access logs and retained for 30 days, after which they are deleted.

Legal Basis for Processing

  • Performance of a contract (GDPR Art. 6(1)(b)): processing your account data, authenticating API requests, delivering the Service.
  • Legitimate interests (GDPR Art. 6(1)(f)): aggregated SDK event analytics, security monitoring, abuse prevention, and service improvement.
  • Legal obligation (GDPR Art. 6(1)(c)): retaining billing records and responding to lawful requests.
  • Consent (GDPR Art. 6(1)(a)): sending product update or promotional emails — you may withdraw consent at any time by unsubscribing.

How We Use Your Information

  • To provide and operate the Service, including the metrics dashboard and AI prompt generation.
  • To send transactional emails (password resets, billing notifications) via our email provider.
  • To enforce subscription limits and prevent API abuse.
  • To respond to support requests.
  • To comply with applicable laws and regulations.
  • To improve the PromptSurge product using aggregated, anonymised usage data.

Automated Decision-Making

We do not make decisions about you solely through automated processing that produce legal or similarly significant effects.

Sub-processors and Data Sharing

We do not sell Personal Data. We share data with the following sub-processors in order to operate the Service:

  • Supabase — primary database (EU/US)
  • Fly.io — API hosting (US)
  • Vercel — admin panel and marketing site hosting (global CDN)
  • Lemon Squeezy — payment processing (US)
  • Resend — transactional email delivery (US)

Each sub-processor is bound by a Data Processing Agreement. When data is transferred to sub-processors outside the European Economic Area, we rely on Standard Contractual Clauses or equivalent transfer mechanisms as permitted under GDPR Chapter V.

We may also disclose information when required by law, a court order, or to protect the rights and safety of our users or the public.

Data Retention

  • Developer accounts: retained while the account is active. A 7-day soft-delete window applies after account deletion, after which all account data is permanently deleted.
  • SDK event data: retained while the associated app and account are active; deleted within 7 days of account hard-deletion.
  • LLM usage logs: retained while the account is active.
  • Server access logs (including IP): 30 days.
  • Billing records: retained as required by applicable tax and accounting law.

Your Rights

Under GDPR, you have the right to:

  • Access the Personal Data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), where no legal obligation requires retention.
  • Portability — receive your data in a structured, machine-readable format.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Lodge a complaint with your national supervisory authority, or with the Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy).

To exercise any of these rights, email [email protected]. We will respond within 30 calendar days.

Security

We take reasonable technical and organisational measures to protect Personal Data from unauthorised access, disclosure, alteration, or destruction — including encryption of sensitive credentials at rest and TLS for all data in transit. No internet transmission or electronic storage method is completely secure.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the admin panel before the changes take effect.

Contact

For privacy questions: [email protected]
Boyarin Ltd (HE402264), Cyprus