Draft - awaiting legal review
This privacy policy is a draft and has not yet been reviewed by counsel. It will be replaced with a counsel-reviewed version before public launch (M8.5).
Privacy Policy
Last updated: May 2026 (draft)
1. What we collect
PromptSurge collects the following data through the Android SDK and admin panel:
- Hashed device ID: A SHA-256 hash of the device's Android ID combined with the host app's package name. This cannot be reversed to obtain the original Android ID.
- App version, SDK version, locale: Used for metrics aggregation and prompt localization. No personal data.
- Event types: Which prompt events occurred (shown, confirmed, dismissed, native prompt requested, first open). No message content.
- Developer account data: Email address and hashed password for admin panel authentication.
- LLM API keys: Encrypted at rest using libsodium sealed-box encryption. Never returned in API responses beyond a masked last-4 display.
2. What we do not collect
- Raw Android ID or any other persistent device identifier
- IP addresses beyond what is included in server access logs (retained ≤ 30 days)
- Pasted app review text - processed in memory only, never stored
- Names, emails, or any PII of end users of the host app
- Location data beyond the device locale tag (e.g. "en-US")
3. How we use data
- To render the metrics dashboard for app developers
- To generate AI-powered review prompt suggestions (via developer's own LLM provider)
- To enforce rate limits and prevent abuse
- To improve the PromptSurge product
4. Data sharing
We do not sell personal data. We share data with the following sub-processors:
- Supabase / PostgreSQL: Primary data store (hosted in the EU/US)
- Fly.io: API hosting
- Vercel: Admin panel hosting
- AWS S3: Image upload storage
Each sub-processor is bound by a Data Processing Agreement.
5. Retention
- Event data: retained indefinitely unless you delete your app or account
- Server access logs (including IP): retained for 30 days
- Developer accounts: a 7-day soft-delete window applies before hard deletion
6. Your rights (GDPR / CCPA)
You have the right to access, correct, export, or delete your data. To exercise these rights, email [email protected]. We will respond within 30 days.
Note: Data export and deletion endpoints in the admin panel are planned for M8.5.
7. Contact
For privacy questions: [email protected]