Privacy Policy
Effective June 8, 2026
This Policy explains what PogoPrompt Co, a Wyoming limited liability company (“pogoprompt,” “we”), the controller of your data, collects and how we handle it. Questions: contact@pogoprompt.ai.
1. What we collect
We keep the minimum needed to run the product:
- Account: your email address (for the one-time sign-in code and your account).
- Usage: counts of how many plans you’ve generated (to enforce quotas), your paid status, and your credit balance.
- Consent records: which version of the Terms and this Policy you accepted, and when.
- Payment: handled by Stripe; we receive confirmation and limited billing metadata, not your card number.
- Technical / security: your IP address and request metadata, used transiently for rate-limiting and bot protection — not stored in our database or analytics.
Your idea content is processed to generate your plan and is not stored by us after the pack is returned (see Section 3).
2. What we don’t do
We don’t sell your personal information, and we don’t “share” it for cross-context behavioural advertising (as defined by California law). We don’t use your content to train, develop, or improve any AI or machine-learning models — we don’t train models at all. Your idea text, answers, email, and sign-in codes are kept out of our logs and analytics by design (analytics carry only content-free, allow-listed signals).
3. AI processing & international transfer (please read)
To create your plan, we send your idea text and answers to a third-party AI provider:
- DeepSeek — People’s Republic of China — clarifying questions and plan synthesis.
DeepSeek processes your input under its own terms and privacy policy. We do not store your input after returning your pack.
EU/UK users: our legal basis for this processing is performance of our contract with you (and, for the transfer, your explicit request to use the Service); where available, we rely on Standard Contractual Clauses with providers. You can avoid the transfer by not using the Service.
4. Third parties that process your data
Each provider uses your data only to provide its service to us, under a data-processing agreement where offered:
- DeepSeek — AI (clarifying questions and plan synthesis) — China.
- Stripe — payments / hosted checkout (handles card data directly; we never receive it) — US / global.
- Supabase — authentication and the database that stores your account — United States.
- Sentry — error monitoring (personal data scrubbed before it’s sent) — US / EU.
- PostHog — content-free, cookieless product analytics — US / EU.
- Vercel — website hosting and delivery — United States.
- Cloudflare Turnstile — bot / abuse protection — global.
5. Legal bases (EU/UK)
- Providing the Service (account email, usage, AI processing) — performance of a contract.
- Security, anti-abuse, and rate-limiting — legitimate interests.
- Payments and record-keeping — contract and legal obligation.
- Content-free product analytics — legitimate interests.
- Consent records — legal obligation / legitimate interest.
6. Cookies & analytics
We use only strictly-necessary cookies — a signed session cookie and your sign-in session — to keep you logged in and enforce quotas and security. Our analytics (PostHog) run without a cookie (in-memory only) and capture only content-free, allow-listed events. We set no advertising or cross-site tracking cookies, so there is no cookie-consent banner to dismiss.
7. Data retention
Account data (email, usage, credits) is kept while your account is active and deleted within 30 days of account deletion (backups are purged on our standard backup cycle). Consent records are kept for up to 3 years to evidence compliance. Payment and tax records are kept as required by law (typically up to 7 years) and by Stripe. Your idea content is not retained by us. Security counters use short, fixed windows.
8. Your rights
Depending on where you live, you can request to access, correct, delete, or port your data, and to object to or restrict certain processing. California (CCPA/CPRA): you may know, access, delete, and correct your information and opt out of the sale or sharing of personal information — we do not sell or share it — and you won’t be discriminated against for exercising these rights. Residents of other U.S. states with privacy laws have similar rights, including a right to appeal. To exercise any right, email contact@pogoprompt.ai; we verify your request and respond within the time the law allows (generally 45 days in California, one month under GDPR/UK GDPR). EU/UK users may also lodge a complaint with their local data-protection supervisory authority.
9. AI-training disclosure
We do not use your personal information or content to train, develop, or improve AI or machine-learning models. Note that DeepSeek, the provider that processes your input, may use inputs to improve its own services under its policies (see Section 3) — this is outside our control.
10. Children
The Service is for adults (18+). We don’t knowingly collect data from children; if you believe a child has given us data, email us and we’ll delete it.
11. Security
We use managed authentication (no stored passwords), HTTPS in transit, Stripe for card data, secrets kept in server-side environment variables, database row-level security, and PII-scrubbed logs. No method of transmission or storage is 100% secure.
12. Changes
We’ll post any update with a new effective date and record your acceptance of material changes.
13. Contact
PogoPrompt Co · contact@pogoprompt.ai