Privacy Policy
Last updated: March 6, 2026
1. Who We Are
Prismfy (“we”, “us”, or “our”) operates the Prismfy API and website at prismfy.io. We act as the data controller for personal data processed in connection with your use of the Service.
For privacy-related inquiries, contact us at: privacy@prismfy.io
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Email address — used for account identification and communication
- Password (hashed with bcrypt) — never stored in plain text
- Clerk user ID — if you sign up via social auth (Google, GitHub, etc.)
2.2 Usage Data
When you use the API, we automatically collect:
- Search queries — to deliver search results and detect abuse
- Request metadata — timestamp, IP address, HTTP method, response time, status code
- API key identifier — to authenticate and attribute requests
- Quota usage — requests made, remaining quota, reset date
2.3 Billing Data
If you subscribe to a paid plan, billing is processed by Paddle, our payment processor. We receive and store:
- Paddle customer ID and subscription ID
- Subscription status and current billing period
- Plan type (Pro / Enterprise)
We do not store credit card numbers or payment card data. All payment data is handled exclusively by Paddle in accordance with their Privacy Policy.
2.4 Cookies and Tracking
We use essential cookies for authentication sessions and functional cookies to remember your preferences. For details, see our Cookie Policy.
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the API service | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving the Service | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (opt-in) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- To authenticate you and provide API access
- To process payments and manage your subscription
- To enforce usage quotas and rate limits
- To detect and prevent abuse, fraud, and security incidents
- To respond to support requests
- To send billing receipts and service-related notifications
- To improve the reliability and performance of the Service
We do not sell your personal data to third parties. We do not use your search queries for advertising or sell them to data brokers.
5. Third-Party Processors
We share data with the following processors who assist us in delivering the Service. All processors are bound by data processing agreements (DPAs):
| Processor | Purpose | Data Transferred |
|---|---|---|
| Clerk | Authentication & user management | Email, name, social profile |
| Paddle | Payment processing | Email, billing address, payment data |
| Webshare | Rotating proxy for search | No personal data |
| Self-hosted VPS | API & database hosting | All account & usage data |
6. Data Retention
- Account data: Retained while your account is active. Deleted 30 days after account closure.
- Search logs: Retained for 90 days, then automatically purged.
- Usage/quota logs: Retained for 12 months for billing and abuse prevention.
- Billing records: Retained for 7 years to comply with tax and accounting requirements.
- Anonymized analytics: May be retained indefinitely (no personal data).
7. Data Security
We implement technical and organizational measures to protect your data, including:
- Passwords hashed with bcrypt
- API keys stored as SHA-256 hashes
- All data in transit encrypted with TLS 1.2+
- Database access restricted to internal network
- Redis authentication enabled
- Regular dependency updates and security patching
Despite these measures, no system is 100% secure. In the event of a data breach that affects your rights, we will notify you within 72 hours as required by GDPR.
8. International Transfers
Our servers are located within the EU/EEA. Some processors (Clerk, Paddle) may process data in the United States or other countries. Where this occurs, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions under GDPR Art. 46).
9. Your Rights (GDPR / EEA & UK)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your data (“right to be forgotten”).
- Right to restriction: Limit how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint: You may complain to your local supervisory authority (e.g., your national Data Protection Authority).
To exercise any of these rights, email us at dpo@prismfy.io. We will respond within 30 days.
10. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the website at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact Us
For general privacy inquiries: privacy@prismfy.io
For GDPR requests: dpo@prismfy.io