Privacy Policy
This policy explains what personal data we process when you use the Prompo app and the www.prompo.app website (together, the "Service") and on what legal basis. Under GDPR we act as the data controller; under Türkiye's KVKK (Law no. 6698) we act as the "data controller (veri sorumlusu)".
1. Controller
Prompo developer (interim): Prompo Studio. Contact: support@prompo.app.
This section will be updated once the company is incorporated; today's arrangement reflects a personal-use beta phase.
2. Data we process
Account data: your email address, verification tokens, the display name you provide.
Content data: the text of the prompter scripts you create; your application preferences (theme, language, prompter settings).
Usage data: device type, operating system version, app version, anonymous error logs.
On-device only: camera and microphone streams stay on your device — they are never uploaded to our servers. Selfie-mode recordings are written directly to your device gallery.
3. Legal basis and purpose
GDPR Art. 6(1)(b) and KVKK Art. 5/2(c) (performance of a contract): to create your account, manage sessions, store your content, and synchronise it across your devices.
GDPR Art. 6(1)(f) and KVKK Art. 5/2(f) (legitimate interest): to keep the service secure, detect abuse, and gather anonymous metrics that help us improve the product.
GDPR Art. 6(1)(a) and KVKK Art. 5/1 (consent): for optional things like newsletters or marketing emails — we ask separately and you can withdraw any time.
4. Who we share data with
Supabase (Frankfurt — eu-central-1): authentication, database, and file storage. Your data stays inside the EU.
Vercel (EU + US): hosting for the website and Edge Functions. US transfers are governed by the EU Standard Contractual Clauses (SCCs).
Legal requirements: we will disclose data when legally compelled by a competent authority; we will try to inform you whenever it is lawful to do so.
We do not share, sell, or rent your data to advertisers, brokers, or profilers.
5. International transfers
Your data is processed inside the EU (Frankfurt) by default. Some static assets or logs may transit through Vercel's US regions; those transfers rely on the SCCs under GDPR Art. 46 and on the limited statutory exceptions of KVKK Art. 9.
6. Retention
We keep your data while your account is active. When you delete your account, all of your scripts and your profile record are erased irreversibly within 30 days; backup rotation completes within 90 days.
Anonymous error logs are kept for at most 90 days. Verification email logs are deleted within 12 months.
7. Security
All transport is TLS 1.2+. At rest, Supabase encrypts disks with AES-256; tables are protected with Row Level Security (RLS) policies — no other user can read your scripts.
Admin access is role-based and every administrative action is recorded in an audit log.
8. Your rights
Under GDPR Art. 15-22 and KVKK Art. 11, you have the right to access, rectify, erase, restrict, port your data, and to object to processing.
To exercise these rights, write to support@prompo.app. After identity verification we will respond within 30 days.
You may also lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) or, if you are based in the EU, with your local supervisory authority.
9. Cookies and tracking
On the website we only set cookies that are strictly necessary for session management. We do not use advertising or third-party tracking cookies; analytics tools are disabled during the beta.
10. Children
The Service is not directed to children under 13. If we learn that a user under 13 has provided data, we will delete the account and all associated data.
11. Changes
When we update this policy we change the "Last updated" date at the top of the page; for material changes we send an in-app and email notice.
Current version: 2026.04.17 (Last updated: 2026-04-17).
12. Contact
For any privacy question: support@prompo.app.