Privacy Policy

1. Data Controller

1.1. The controller of your personal data is PromptEye Sp. z o.o., registered in Poland (“PromptEye”, “we”, “us”).

1.2. If you have any questions regarding the protection of personal data, you can contact us at: office@prompteye.com.

1.3. As of the date of this Policy, we have not appointed a Data Protection Officer (DPO). Should one be appointed, this document will be updated accordingly.


2. What Data We Process

2.1. Account Data

  • email address (typically a business address),
  • password (stored in hashed form, not in plain text),
  • company name and details,
  • user role/type (e.g. administrator, team member),
  • other data voluntarily provided during Account configuration.

2.2. Technical Data

  • IP address,
  • browser, operating system, and device information,
  • session identifiers, technical tokens,
  • system logs (e.g. login time, settings changes, panel activity).

2.3. Business Data

  • prompts and content entered into the Service,
  • brand, product, and competitor names,
  • other data used as input for analyses and Report generation.

The Service is not intended for the processing of personal data of third parties (e.g. consumers, patients, or employees of our Clients’ customers), unless this has been explicitly agreed upon and regulated in the Agreement and a corresponding Data Processing Agreement (DPA).

2.4. Billing and Communication Data

  • invoice details (company name, address, VAT number),
  • payment information (typically provided by the payment processor — we do not store full payment card data),
  • content of email correspondence, support tickets, and survey responses.


3. Purposes and Legal Bases for Processing

3.1. Service Provision and Account Management

Purpose: creation and maintenance of the Account, provision of the PromptEye SaaS service, Report generation, operational communication (e.g. notifications about significant changes or security matters).

Legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR) to which the entity represented by the User is a party.

3.2. Billing and Legal Obligations

Purpose: issuing invoices, maintaining accounting records, fulfilling tax obligations, retaining accounting documentation.

Legal basis: legal obligation (Art. 6(1)(c) GDPR) arising from tax and accounting regulations.

3.3. Security and Fraud Prevention

Purpose: ensuring Platform security, detecting and preventing abuse, monitoring logins, suspicious activity, and incidents.

Legal basis: legitimate interest of PromptEye (Art. 6(1)(f) GDPR) in ensuring the security of its systems and services.

3.4. Analytics and Service Improvement

Purpose: analysis of Platform usage, UX improvement, feature development, usage statistics.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in developing and improving the Service. For this purpose, we primarily use aggregated and anonymised data.

3.5. Marketing and Business Communication

Purpose: informing about new features, offers, events, sending newsletters, commercial contact.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in marketing our own B2B services), in conjunction with national regulations on consent to electronic communication, or Art. 6(1)(a) GDPR (consent), where required by law (e.g. newsletters, email communication to certain categories of recipients).

You have the right to object to the processing of your data for direct marketing purposes at any time (see section 9).


4. AI, Data and Third-Party Providers

4.1. Data (including prompts) may be transmitted to external AI and infrastructure service providers, in particular to providers of large language models (LLMs) and response aggregation layers, such as OpenAI (GPT models), Perplexity, DeepSeek, AI Overview-type providers, as well as cloud infrastructure and tooling providers (e.g. hosting, database, communication, and marketing automation systems). The list of providers may change and also includes other AI model and infrastructure providers used within the Service.

4.2. We do not sell data and do not use your data to train AI models beyond what is necessary to provide the Service.

4.3. In some cases, these providers may act as independent data controllers (e.g. in the context of technical logs or abuse monitoring on their end). We encourage you to review their privacy policies.


5. Data Retention

5.1. We retain data for no longer than necessary for the purposes for which it was collected, in particular:

  • data associated with an active Account – for the duration of the Agreement,
  • after termination of the Agreement – generally for 30 days (to allow for data export and account closure),
  • data in backup systems – up to 60 days from deletion from production systems,
  • technical logs – up to 12 months, unless a longer period is justified by security or claims purposes,
  • billing data (invoices, records) – generally 5 years (in accordance with tax and accounting regulations).

5.2. Upon expiry of the applicable retention periods, data is deleted or anonymised.


6. Recipients of Data and Transfers Outside the EEA

6.1. Recipients of Data

We may share your data with the following categories of recipients:

  • hosting and cloud infrastructure providers (e.g. AWS and other cloud providers),
  • AI service providers, including LLM providers and response aggregation layers (e.g. GPT model providers, Perplexity, DeepSeek, AI Overview-type systems),
  • CRM systems, communication tools, and email marketing providers (e.g. Mailchimp, Bitrix, or equivalent providers),
  • analytics and marketing tool providers (e.g. Google Analytics, Google Tag Manager, Meta Pixel, Cookiebot),
  • legal, tax, and accounting advisors, as well as public authorities – to the extent required by law.

6.2. Transfers Outside the EEA

6.2.1. Data may be transferred to third countries (e.g. the USA) in connection with the use of the services of the providers listed above.

6.2.2. We apply appropriate legal safeguards, in particular:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission,
  • where applicable, the use of providers participating in the EU–US Data Privacy Framework (DPF).

6.2.3. Where data is transferred to a country for which no adequacy decision has been issued, we rely on additional technical and organisational measures (e.g. encryption, pseudonymisation), limiting the scope of transferred data where possible.


7. Data Security

7.1. We implement technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit and at rest,
  • role-based access control (RBAC),
  • multi-factor authentication (MFA) capability,
  • regular backups and disaster recovery procedures,
  • event monitoring and logging,
  • security testing and software updates.

7.2. Despite these measures, no system is entirely free from risk. In the event of a security incident, we will take steps to minimise the impact and — where required by law — notify you of the breach.


8. Cookies and Tracking Technologies

8.1. On our website and within the Platform, we may use cookies and similar technologies for the following purposes:

  • essential operation of the service (technical cookies),
  • analytics (e.g. Google Analytics, Google Tag Manager),
  • marketing (e.g. Meta Pixel),
  • consent management (e.g. Cookiebot).

8.2. The legal basis for essential cookies is our legitimate interest (ensuring the functioning of the service). For analytics and marketing cookies, the legal basis is your consent, given via the consent management tool (Cookiebot), in accordance with telecommunications law.

8.3. You may change your cookie preferences at any time via the Cookiebot tool or your browser settings. However, restricting certain cookies may affect the functioning of the website and the Service.


9. Your Rights

In connection with the processing of personal data by PromptEye, you have the following rights (within the limits set by the GDPR):

  • Right of access to your data (Art. 15 GDPR),
  • Right to rectification of inaccurate or incomplete data (Art. 16 GDPR),
  • Right to erasure of data (Art. 17 GDPR), where the statutory conditions are met,
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR), where processing is based on consent or a contract and carried out by automated means,
  • Right to object to processing based on our legitimate interest (Art. 21 GDPR) — including in particular the right to object to direct marketing,
  • Right to withdraw consent at any time, where processing is based on consent; withdrawal does not affect the lawfulness of processing prior to the withdrawal,
  • Right to lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00‑193 Warsaw, www.uodo.gov.pl.


10. Automated Decision-Making and Profiling

10.1. As a general rule, we do not make decisions that produce legal effects or similarly significantly affect you based solely on automated processing of data (including profiling).

10.2. We use data in an automated manner for:

  • technical traffic analysis,
  • fraud detection,
  • generating analytical Reports for the Client,

which does not, however, constitute profiling within the meaning of Art. 22 GDPR that produces legal effects on Users.


11. Contact and Exercising Your Rights

11.1. To exercise your rights or to obtain further information about data processing, please contact us at: office@prompteye.com.

11.2. We will respond to your request without undue delay, and no later than one month from receipt. In justified cases, this period may be extended by a further two months, of which we will inform you, stating the reasons.


12. Changes to the Privacy Policy

12.1. We may update this Privacy Policy in response to legal, technological, or organisational changes.

12.2. We will notify you of significant changes via an appropriate notice within the Service or by email. The current version of the Policy will always be available on our website.