Promptic GmbH
Privacy Policy
Effective date: May 15, 2026
1. Scope and controller
This Privacy Policy explains how Promptic GmbH ("Promptic", "we", "us", or "our") processes personal data when you visit promptic.eu, subscribe to updates, contact us, create an account, use the Promptic application, send tracing data to our APIs, or otherwise interact with our services.
The controller for account, website, sales, marketing, billing, security, and service administration data is Promptic GmbH, Ostbahnhofstraße 11, 60314 Frankfurt am Main, Germany. Contact: hello@promptic.eu.
When a customer or organization uses Promptic to process prompts, datasets, traces, evaluation data, model outputs, or other content for its own business purposes, that customer is normally the controller and Promptic acts as processor under the customer agreement and, where applicable, our Data Processing Addendum. If you are an end user of one of our customers, please contact that customer first. We will support the customer in handling your request.
2. Personal data we process
The data we process depends on how you use Promptic. We ask customers not to submit special category data under GDPR Article 9, criminal-offence data, protected health information, payment card numbers, government identifiers, secrets, or other highly sensitive personal data unless Promptic has expressly agreed to that use in writing.
| Category | Examples |
|---|---|
| Account and identity data | Name, first name, last name, email address, email verification status, profile image, account role, organization membership, workspace membership, invitations, and admin status. |
| Authentication and session data | Password hashes where password login is used, one-time passcodes, verification tokens, OAuth provider account IDs, OAuth tokens and scopes, session tokens, active organization, IP address, user agent, and device authorization data. |
| Organization and workspace data | Organization name, slug, logo, contact email, workspace name, description, collaborators, roles, spending limits, feature settings, notifications, and invitation status. |
| Customer content and AI optimization data | Prompts, chat messages, system instructions, input variables, datasets, observations, expected outputs, schemas, model configuration, evaluator configuration, optimization iterations, predictions, scores, annotations, feedback, and generated outputs. |
| Tracing and telemetry submitted by customers | OpenTelemetry traces, spans, span events, inputs, outputs, metadata, tags, session IDs, user IDs provided by a customer application, tool-call information, model names, provider names, token usage, cost metadata, timing, status, and error data. |
| Model-provider configuration and secrets | Customer-provided API keys, custom provider base URLs, OpenAI/OpenRouter/Google settings, Google service account JSON, disabled model lists, optimizer and judge model settings, and tracing API keys. Secrets are encrypted before database storage. |
| Website, form, and communications data | Email address for the newsletter and early access list; first name, last name, work email, company, and optional message for contact or enterprise-access forms; support requests; transactional emails; notification emails; and unsubscribe records. |
| Usage, billing, and audit data | Experiment status, API usage, token counts, provider request IDs, usage ledger entries, billing-account data, subscription status, invoices, payment-method metadata such as brand and last four digits, audit events, and fraud-prevention data. |
| Technical, security, and analytics data | IP address, request metadata, rate-limit keys, browser and device information, pages visited, timestamps, error messages, application logs, monitoring events, deployment logs, and privacy-preserving Vercel Analytics reports. |
| Uploaded files and images | Profile images, organization logos, and other files uploaded to configured object storage. Some images are served from randomized public URLs so they can render in the application; do not upload images that should remain confidential to anyone with the URL. |
3. Sources of data
We receive personal data from the following sources:
- Directly from you when you create an account, configure a workspace, upload data, or contact us.
- From your organization, such as when an admin invites you or configures shared workspaces.
- From customer applications that send traces, spans, evaluation data, or related metadata to Promptic APIs.
- From login providers such as GitHub, Google, or Microsoft when you choose social sign-in.
- Automatically from our application, hosting, security, analytics, and monitoring infrastructure.
- From service providers where needed for email delivery, billing, support, monitoring, or security.
4. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provide and administer the Promptic service, including accounts, organizations, workspaces, prompt optimization, evaluation, tracing, collaboration, invitations, and support. | GDPR Article 6(1)(b) for contracts and pre-contractual steps; Article 6(1)(f) for our legitimate interest in operating a secure B2B service; for customer content processed on behalf of an organization, the customer's documented instructions and legal basis. |
| Process customer content with selected AI model providers so the service can run evaluations, optimization jobs, prompt tests, structured output checks, and model comparisons. | Article 6(1)(b) where you use the service directly; Article 6(1)(f) for reliability and abuse prevention; for organization customer content, processor processing under the customer's instructions. |
| Authenticate users, maintain sessions, verify emails, manage OAuth sign-in, enforce permissions, rate-limit requests, prevent misuse, and protect accounts and infrastructure. | Article 6(1)(b), Article 6(1)(f), and, where security logging is legally required, Article 6(1)(c). |
| Send transactional emails, verification codes, security messages, workspace and organization invitations, service notices, trial notices, and operational notifications. | Article 6(1)(b) and Article 6(1)(f). |
| Send newsletters, early-access updates, workshop information, marketing communications, and sales follow-ups when you request them. | Article 6(1)(a) consent or Article 6(1)(b) for requested pre-contractual communications. You can withdraw consent at any time. |
| Run privacy-preserving website analytics, understand aggregate traffic, diagnose performance, and improve the website and product. | Article 6(1)(f), our legitimate interest in maintaining and improving our website and service. We do not use targeted advertising cookies on promptic.eu. |
| Manage paid plans, invoices, spending controls, credits, taxes, accounting, payment processing, and dispute handling. | Article 6(1)(b), Article 6(1)(c), and Article 6(1)(f). |
| Comply with law, respond to lawful requests, enforce agreements, resolve disputes, conduct audits, and protect Promptic, customers, users, and the public. | Article 6(1)(c) and Article 6(1)(f). |
5. AI processing and model providers
Promptic is an AI prompt optimization and tracing platform. To provide the service, we may send customer content to the model provider selected for an experiment, evaluation, or AI feature. This may include prompts, examples, expected outputs, variables, schemas, traces, span inputs and outputs, and related metadata necessary to complete the requested task.
- Platform-managed OpenAI processing uses Promptic's OpenAI project configured for Europe and OpenAI's API data controls, including no default training on API inputs and outputs and Modified Abuse Monitoring for eligible API processing.
- If you configure your own API key, custom base URL, OpenRouter routing, Google model access, Azure OpenAI access, or another OpenAI-compatible provider, you control that provider choice. Promptic sends data to the provider you select or configure, and that provider's own terms, privacy commitments, retention settings, and transfer safeguards apply.
- We do not use customer content to train foundation models or to build generalized model datasets. We may use aggregated or de-identified operational information to maintain reliability, prevent abuse, understand usage, and improve the service.
- Promptic does not make decisions about individuals that produce legal or similarly significant effects. Customers are responsible for any decisions they make using prompts, traces, evaluations, outputs, or model results generated through Promptic.
8. International transfers
Promptic is based in Germany and configures core production infrastructure with a strong EU focus where available, including Vercel serverless functions in Frankfurt, Neon PostgreSQL in Azure Germany West Central, Azure resources in West Europe, and Promptic's OpenAI project configured for Europe for platform-managed OpenAI calls.
Some providers, login services, email services, monitoring services, billing services, or customer-selected model providers may process personal data outside the European Economic Area. Where required, we rely on adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Data Privacy Framework certifications, data processing agreements, transfer impact assessments, encryption, access controls, and other appropriate safeguards.
9. Retention
We keep personal data only for as long as needed for the purposes described in this policy, the customer agreement, applicable law, dispute handling, security, and backup integrity. Deletion from active systems may not immediately remove data from encrypted backups, logs, or provider disaster-recovery systems, but those copies are isolated and expire under the relevant retention process.
| Data | Retention period or criterion |
|---|---|
| Account, organization, workspace, and collaboration data | For the life of the account, organization, or workspace, then deleted or anonymized within 90 days after verified deletion, termination, or loss of need unless a longer period is required for legal, tax, security, or dispute purposes. |
| Customer content, experiments, datasets, observations, traces, spans, evaluations, annotations, and model outputs | For as long as the relevant workspace or customer account remains active, until deleted in-product, or as instructed by the customer. Active-system deletion is processed promptly; residual encrypted backups and disaster-recovery copies are targeted for expiry within 90 days unless legal preservation is required. |
| Optimization jobs and queue messages | Azure Service Bus production job messages are configured with one-day retention. The audit/debug subscription is configured with seven-day retention. |
| Model-provider API keys, OAuth tokens, service account JSON, tracing API keys, and other secrets | Until removed, rotated, revoked, or the relevant account, organization, workspace, or integration is deleted. Secrets are encrypted before database storage. Key metadata and audit records may be retained for up to 12 months for security and abuse prevention. |
| Authentication sessions, OTPs, verification tokens, device codes, and invitations | Until expiry, revocation, acceptance, replacement, or account deletion, plus a short operational period needed for security, abuse prevention, and audit records. |
| Security logs, application logs, monitoring events, rate-limit records, and error diagnostics | Normally up to 180 days, unless needed longer to investigate security incidents, fraud, service abuse, legal claims, or system integrity issues. |
| Newsletter, early-access, workshop, contact, and enterprise lead data | Until you unsubscribe, withdraw consent, request deletion, or the data is no longer needed. Sales and contact records are normally retained for up to 24 months after the last meaningful interaction unless a customer relationship, legal duty, or dispute requires longer retention. Minimal suppression records may be retained to honor opt-outs. |
| Billing, tax, accounting, invoices, payment-method metadata, and subscription records | For as long as needed to provide billing, payment, tax, and accounting features and then for statutory commercial and tax retention periods, typically up to 10 years under German recordkeeping obligations. |
| Website analytics | Retained in aggregated or privacy-preserving form according to Vercel Analytics availability and our operational need to understand website performance. |
10. Required and optional data
Some personal data is necessary to provide Promptic, enter into or perform a customer agreement, keep the service secure, comply with legal obligations, or answer your request. If required data is not provided, the affected feature may not work, and we may be unable to create or administer an account, process billing, provide support, send required service communications, or continue providing the service.
| Data or processing context | Required or optional |
|---|---|
| Account, authentication, organization, workspace, role, invitation, billing, tax, payment, and security data | Required where needed to create and administer accounts, authenticate users, provide paid services, secure the platform, comply with legal obligations, and enforce agreements. |
| Customer content, prompts, datasets, traces, evaluations, model outputs, provider configuration, and API keys | Provided at the customer's discretion, but required for the specific features, integrations, optimizations, evaluations, traces, or model calls the customer chooses to use. |
| Newsletter, early-access, workshop, marketing, contact, enterprise-access, and optional profile information | Optional. If you do not provide it, we may be unable to send requested updates, respond to optional messages, or evaluate the relevant request. |
| Cookies, local storage, analytics, diagnostics, and similar technical data | Required where strictly necessary for authentication, security, preferences, and service operation; optional where based on consent or configurable choices. |
11. Your rights
Depending on where you live and how we process your data, you may have the following rights. We may need to verify your identity and may refuse or limit requests where the law allows, for example to protect another person's rights, preserve security, comply with legal obligations, or defend legal claims.
| Right | What it means |
|---|---|
| Access | Ask whether we process your personal data and receive a copy of it. |
| Rectification | Ask us to correct inaccurate or incomplete personal data. |
| Erasure | Ask us to delete personal data where the law gives you that right, subject to retention required for legal, security, contractual, or dispute purposes. |
| Restriction | Ask us to limit processing while a request, objection, or dispute about accuracy or lawfulness is being resolved. |
| Portability | Receive personal data you provided to us in a structured, commonly used, machine-readable format where required by law. |
| Objection | Object to processing based on legitimate interests, including certain analytics or direct marketing processing. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect processing that happened before withdrawal. |
| Complaint | Lodge a complaint with a data protection authority. For Promptic in Germany, you may contact the Hessian Commissioner for Data Protection and Freedom of Information or your local authority. |
To exercise rights, contact hello@promptic.eu. GDPR requests are normally answered within one month. Where CCPA or similar US state privacy laws apply, California residents and other eligible US residents may request to know, access, correct, delete, and port personal information, opt out of sale or sharing, limit use of sensitive personal information, and be free from discrimination for exercising privacy rights. We do not sell personal information or share it for cross-context behavioral advertising.
12. Security
We use technical and organizational safeguards designed to protect personal data, including TLS in transit, access controls, least-privilege permissions, row-level database security controls, encrypted storage for secrets, separation of production secrets, provider key vaults, rate limiting, monitoring, logging, backup and recovery practices, and incident response processes. Customer-provided model-provider secrets are encrypted before database storage. More detail is available on our Security and TOMs page.
No online service can guarantee absolute security. You are responsible for protecting your credentials, configuring workspaces carefully, limiting access to trusted collaborators, rotating API keys when needed, and avoiding unnecessary personal or sensitive data in prompts, datasets, traces, and provider configurations.
13. Children
Promptic is a business service and is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Promptic, contact us so we can take appropriate action.
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our services, infrastructure, legal obligations, or privacy practices. We will post the updated version on this page and update the effective date. If changes are material, we will provide additional notice where required, such as through the product or by email.
15. Contact
For privacy questions, data subject requests, DPA requests, or security and compliance inquiries, contact Promptic GmbH at hello@promptic.eu.
Promptic GmbH
Ostbahnhofstraße 11
60314 Frankfurt am Main
Germany