Privacy Policy

Last updated: February 13, 2026

Introduction

Prompt Repo ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, a SaaS platform for developing, testing, and iterating on AI prompts.

By using Prompt Repo, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address (required for authentication)
  • Name (optional, provided during account creation or profile updates)
  • Language preference (optional)
  • Date format preference (optional)
  • Subscription plan and status
  • Trial start and end dates
  • Account creation timestamp

API Keys and Credentials

You may provide OpenRouter API keys for LLM inference. These keys are:

  • Encrypted using AES-256-GCM encryption before storage
  • Stored in encrypted format in our database
  • Only decrypted when needed for API calls to OpenRouter
  • Associated with a fingerprint (partial preview) for identification purposes

You can add, update, or remove your API keys at any time through your account settings.

Content and Prompts

We store the content you create and manage through our service:

  • Prompts and prompt versions (base prompts, variants, archived prompts)
  • Prompt descriptions and metadata
  • Experiment configurations and results
  • LLM outputs and responses
  • User feedback and ratings on outputs
  • Team memberships and collaboration data

Usage and Analytics Data

When you use our service to test prompts, we collect:

  • Token usage (prompt tokens, completion tokens, reasoning tokens)
  • Cost information (calculated based on model pricing)
  • Latency metrics (response time in milliseconds)
  • Model and provider information
  • Finish reasons for LLM responses

Payment Information

Payment processing is handled by Stripe, a third-party payment processor. We do not store your credit card information or payment details. Stripe collects and processes:

  • Payment method information
  • Billing address
  • Transaction history

We receive notification of subscription status changes and store subscription metadata (plan type, status, trial dates) in our database.

Cookies and Session Data

We use session cookies to maintain your authentication state:

  • wos-session: A JWT (JSON Web Token) cookie that stores your session information
  • Cookie attributes: HttpOnly (not accessible via JavaScript), Secure (HTTPS only in production), SameSite=Lax
  • Expiration: 7 days from last activity
  • Contains: User ID, email, and name

How We Use Your Information

We use the information we collect to:

  • Provide and maintain our service: Process your prompts, run experiments, and deliver LLM responses
  • Authenticate and authorize: Verify your identity and manage access to your account
  • Enable team collaboration: Share prompts, experiments, and results with team members
  • Process payments: Manage subscriptions and billing through Stripe
  • Send notifications: Alert you about team activity, experiment completions, and other relevant events
  • Improve our service: Analyze usage patterns to enhance functionality and user experience
  • Comply with legal obligations: Meet regulatory requirements and respond to legal requests

Third-Party Services

We use several third-party services to operate Prompt Repo. Each service has its own privacy policy:

WorkOS

We use WorkOS for authentication services. WorkOS handles:

  • User authentication (email/password, magic links, OAuth)
  • Session management
  • User identity verification

Privacy Policy: https://workos.com/legal/privacy-policy

Stripe

We use Stripe for payment processing and subscription management. Stripe handles:

  • Payment method collection and processing
  • Subscription billing and renewals
  • Payment security and fraud prevention

When you proceed to checkout, Stripe may set cookies on your browser for fraud prevention purposes. These are functional cookies necessary for secure payment processing.

Privacy Policy: https://stripe.com/privacy

OpenRouter

We use OpenRouter as a gateway to access various LLM providers (OpenAI, Anthropic, Google, Meta, Mistral, etc.). When you use our service to test prompts:

  • Your prompts and user inputs are sent to OpenRouter
  • OpenRouter forwards requests to the selected LLM provider
  • Responses are returned through OpenRouter to our service
  • We use your OpenRouter API key (or team API key) for authentication

Privacy Policy: https://openrouter.ai/privacy

Neon

We use Neon for PostgreSQL database hosting. Neon stores:

  • All application data (user accounts, prompts, experiments, etc.)
  • Encrypted API keys
  • Usage metrics and analytics

Privacy Policy: https://neon.tech/privacy-policy

Website Analytics

We use self-hosted Plausible Analytics for website analytics. This privacy-friendly analytics solution:

  • Does not use cookies
  • Does not track individuals across sites
  • Does not collect personal data
  • Collects only aggregate, anonymous usage statistics (page views, referrers, browser type)
  • Is hosted on our own infrastructure; analytics data is not shared with any third party

Data Security

We implement industry-standard security measures to protect your data:

Encryption

  • API Keys: Encrypted using AES-256-GCM encryption before storage
  • Session Cookies: JWT tokens signed with a secret key
  • Data in Transit: All communications use HTTPS/TLS encryption
  • Database: Stored in secure, encrypted databases hosted by Neon

Access Controls

  • Authentication required for all account access
  • HttpOnly cookies prevent JavaScript access to session tokens
  • Secure cookie flag ensures cookies are only sent over HTTPS in production
  • Team-based access controls for shared content

Data Minimization

We only collect and store data necessary to provide our service. API keys are encrypted and only decrypted when needed for API calls.

Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

Team Collaboration

When you create or join a team, team members can access:

  • Prompts assigned to the team
  • Experiments created within the team
  • Team API keys (if configured)
  • Team notifications and activity

Service Providers

We share data with third-party service providers who help us operate our service:

  • WorkOS (authentication)
  • Stripe (payments)
  • OpenRouter (LLM gateway)
  • Neon (database hosting)
  • Vercel (application hosting)

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.

Your Rights

You have the following rights regarding your personal data:

Access and Portability

You can access your account information, prompts, and data through the application interface. You can export your prompts and content at any time.

Modification

You can update your profile information (name, language, date format) and API keys through your account settings.

Deletion

You can delete your account at any time through your account settings. Account deletion:

  • Requires cancellation of any active subscription first
  • Performs a "soft delete": sets a deletion timestamp on your account
  • Removes your encrypted API keys
  • Prevents you from logging in
  • Allows account reactivation if you change your mind

Note: Your prompts, experiments, and team memberships may be retained for team collaboration purposes even after account deletion. If you want to ensure complete data removal, please contact us.

Reactivation

If you delete your account, you can reactivate it by logging in again. Your account will be restored, but you will need to:

  • Re-add your API keys
  • Re-subscribe if you want to restore your subscription

Cookie Preferences

Session cookies are essential for authentication. You can clear cookies through your browser settings, but this will log you out of the service.

Data Retention

We retain your data for as long as necessary to provide our service:

  • Active Accounts: Data is retained while your account is active
  • Deleted Accounts: Accounts are soft-deleted (marked with a deletion timestamp) but data may be retained for team collaboration purposes
  • Legal Requirements: We may retain certain data longer if required by law or for legitimate business purposes
  • Payment Records: Retained as required by financial regulations

Children's Privacy

Prompt Repo is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have that information removed.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. By using our service, you consent to the transfer of your information to these countries.

We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy, regardless of where it is processed.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this policy
  • Sending an email notification for material changes (if you have provided an email address)

You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights regarding your personal data, please contact us:

We will respond to your inquiry within a reasonable timeframe and in accordance with applicable data protection laws.

This Privacy Policy is effective as of the date listed above and applies to all users of Prompt Repo.