Privacy Policy

Last updated: 10/23/2025

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent, as part of providing our application.

1. Controller

Controller within the meaning of the GDPR:

Prompt Library GmbH
123 Sample Street
10115 Berlin
Germany

Email: privacy@promptlibrary.com
Phone: +49 (0) 30 1234567

Imprint: /imprint

2. Data Protection Officer

Data Protection Officer: John Doe
Email: dpo@promptlibrary.com

3. Overview of Processing Operations

The following overview summarizes the types of data processed, the purposes of their processing, and the data subjects concerned.

Types of Data Processed

  • Inventory data (e.g., names, addresses)
  • Contact data (e.g., email, phone numbers)
  • Content data (e.g., text entries, prompts, collections)
  • Usage data (e.g., websites visited, interest in content, access times)
  • Meta/communication data (e.g., device information, IP addresses)

Categories of Data Subjects

  • Users (e.g., website visitors, users of online services)
  • Communication partners

Purposes of Processing

  • Provision of contractual services and customer service
  • Security measures
  • Management and response to inquiries
  • Reach measurement (e.g., access statistics, recognition of returning visitors)

4. Relevant Legal Bases

Below you will find an overview of the legal bases of the GDPR on which we process personal data:

  • Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include in particular:

  • Encryption: All data transmissions use TLS 1.3 (HTTPS). Passwords are hashed using Argon2id.
  • Access Control: Authentication via secure session cookies (HTTP-only, Secure).
  • Database Access: Isolated database with restrictive access.
  • Rate Limiting: Protection against brute-force attacks through automatic rate limiting.
  • Regular Backups: Automated, encrypted backup copies.

6. Transmission of Personal Data

In the course of our processing of personal data, the data may be transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include service providers under data processing agreements or IT service providers. We only share data if legally permitted, if you have consented, or if we are legally obligated to do so.

7. Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing occurs in the context of using third-party services or disclosure or transmission of data to other persons, entities, or companies, this only occurs in accordance with legal requirements. We only process data in third countries with a recognized level of data protection, based on special guarantees (e.g., EU Commission's standard contractual clauses), or after prior consent from users.

8. Provision of Online Services and Web Hosting

In order to provide our online services securely and efficiently, we use the services of hosting providers from whose servers (or servers managed by them) the online services can be accessed.

  • Types of Data Processed: Content data, usage data, meta/communication data
  • Data Subjects: Users
  • Purposes: Provision of our online services and user-friendliness
  • Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR)

9. Registration, Login, and User Account

Users can create a user account. During registration, users are informed of the mandatory information required, which is processed for the purpose of providing the user account on the basis of contractual obligation.

  • Types of Data Processed: Inventory data (name, email address, username), contact data
  • Data Subjects: Users
  • Purposes: Provision of contractual services and customer service, security measures
  • Legal Bases: Contract performance (Art. 6(1)(b) GDPR), Consent (Art. 6(1)(a) GDPR)

Email Verification: We may verify the email address provided during registration to ensure that it belongs to the user. For this purpose, we send a verification link to the email address.

10. Use of the Application (Prompts, Collections, Workflows)

Users can create, edit, and manage content within our application (prompts, collections, workflows). This content is processed and stored exclusively for the provision of the contractually agreed services.

  • Types of Data Processed: Content data (texts, tags, descriptions), usage data (access times)
  • Data Subjects: Registered users
  • Purposes: Provision of application functions, storage and management
  • Legal Bases: Contract performance (Art. 6(1)(b) GDPR)
  • Retention Period: Until deletion by user or account deletion

11. Public Prompts and Community Features

Users can mark prompts as public and share them with the community. Public prompts are visible to all users and visitors.

  • Types of Data Processed: Content data (public prompts), username, profile picture (if provided)
  • Purposes: Community features, content sharing
  • Legal Bases: Consent (Art. 6(1)(a) GDPR) by actively marking as "public"

12. Email Sending and Hosting

We use an external service provider for sending emails (e.g., verification, password reset).

Service Provider: Resend
Website: https://resend.com
Privacy Policy: https://resend.com/legal/privacy-policy

  • Types of Data Processed: Email address, name (optional), message content
  • Purposes: Email verification, password reset, transactional emails
  • Legal Bases: Contract performance (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)
  • Data Processing Agreement: Resend acts as a data processor pursuant to Art. 28 GDPR

13. Cookies and Session Management

We use cookies to authenticate users and manage sessions. Cookies are small text files that are stored on your device.

Essential Cookies (Technically Necessary)

These cookies are absolutely necessary for the operation of the site and enable basic functions. Without these cookies, the website cannot function properly.

Cookie Name: better-auth.session_token

Purpose: Authentication and session management

Retention Period: 7 days (session lifetime)

Type: HTTP-only, Secure (HTTPS only), SameSite=Lax

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

You can set your browser to inform you about the setting of cookies and only allow cookies on a case-by-case basis. Please note that disabling cookies may limit the functionality of our website.

14. Deletion of Data / Retention Period

We process and store personal data of data subjects only for the period necessary to achieve the purpose of storage or as prescribed by legislation.

  • User Account: Until account deletion by the user
  • Prompts and Content: Until manual deletion by the user or account deletion
  • Session Cookies: 7 days or until logout
  • Email Verification Tokens: 24 hours after creation
  • Password Reset Tokens: 1 hour after creation
  • Logs (Security): Maximum 30 days

15. Rights of Data Subjects

As a data subject under the GDPR, you have various rights, which arise in particular from Articles 15 to 21 GDPR:

  • Right of Access (Art. 15 GDPR): You have the right to request information about your personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): You have the right to immediately request the rectification of inaccurate data concerning you.
  • Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data if the requirements of Art. 17(1) GDPR are met. You can delete your account at any time in the settings.
  • Right to Restriction (Art. 18 GDPR): You have the right to request a restriction of processing.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format. An export function (JSON format) is available in the settings.
  • Right to Object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you.
  • Right to Withdraw Consent (Art. 7(3) GDPR): You have the right to withdraw your consent at any time.

16. Right to Lodge a Complaint with a Supervisory Authority

You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates data protection regulations.

Competent Supervisory Authority:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de

17. Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

18. Contact

If you have questions about data protection, please contact us at: privacy@promptlibrary.com