Privacy Policy

3.1 Account Information

When you create an account, we collect:

• Email address — for account identification, authentication, and communication
• Full name — for personalisation and invoicing
• Password — securely hashed using bcrypt (never stored as plain text)
• Account status and registration date

3.2 Billing and Payment Information

We collect:

• Billing address (street, city, state, postal code, country)
• Payment transaction data including amount, currency, status, and transaction IDs processed by Stripe
• Stripe identifiers (session ID, payment intent ID, customer ID)
• Billingo partner ID for invoice generation

We do NOT store your credit card details. All payment card information is processed and stored securely by Stripe, our PCI-DSS compliant payment processor.

3.3 Content Data

We store the content you create using the Service, including:

• Projects, prompts, and component instructions
• Stack and framework rules
• Reusable templates and saved patterns
• Timestamps and activity history
• Soft-delete flags for recovery purposes

3.4 Usage and Technical Data

We automatically collect:

• Authentication tokens stored in secure, HTTP-only cookies
• Rate limiting data for abuse prevention (stored in Redis)
• Temporary purchase intent data in browser sessionStorage
• Optional analytics data — page views, feature usage, performance metrics, and device information

We do not use advertising trackers or sell your data to third parties. We do not track your browsing behavior outside our Service.

3.5 Email Communication Data

Your email address is processed to send:

• Transactional emails (password resets, welcome messages, refund confirmations)
• Invoices via Billingo
• Customer support responses

4.1 Service Provision

• Account creation and maintenance
• Identity authentication and account security
• Storing and syncing your projects and prompts
• Delivering the prompt-building features
• Providing technical support

4.2 Payment Processing

• Processing one-time payments through Stripe
• Generating electronic invoices through Billingo for Hungarian tax compliance
• Handling refunds
• Applying discount codes
• Maintaining payment records for accounting and taxes

4.3 Communication

• Password reset emails with time-limited tokens
• Welcome emails
• Refund confirmations
• Invoices and receipts
• Responses to support inquiries

4.4 Security and Fraud Prevention

• Rate limiting on API endpoints
• Fraudulent transaction detection and prevention
• Monitoring suspicious account activity
• Enforcing password requirements (8+ chars, mixed case, numbers, special characters)

4.5 Legal Compliance

• Complying with GDPR, Hungarian, and EU data protection laws
• Meeting Hungarian tax and invoicing regulations
• Responding to legal requests and court orders
• Enforcing our Terms of Service

Stripe (Payment Processing)

• Data shared: Email, name, billing address, payment amount
• Purpose: Secure payment processing
• Location: USA (GDPR-compliant, Standard Contractual Clauses)
• Privacy Policy: https://stripe.com/privacy

Billingo (Invoice Generation)

• Data shared: Name, email, billing address, payment amount
• Purpose: Electronic invoice generation for Hungarian tax compliance
• Location: Hungary
• Privacy Policy: https://www.billingo.hu/adatkezelesi-tajekoztato

Resend (Email Delivery)

• Data shared: Email address, name for personalisation
• Purpose: Transactional email delivery
• Location: USA (GDPR-compliant)
• Privacy Policy: https://resend.com/legal/privacy-policy

MongoDB Atlas (Database Hosting)

• Data shared: All user data, content, and payment records
• Purpose: Primary database storage
• Location: EU region (configurable)
• Privacy Policy: https://www.mongodb.com/legal/privacy-policy

Upstash Redis (Rate Limiting & Caching)

• Data shared: Request counts, temporary session data
• Purpose: Rate limiting and abuse prevention
• Location: EU region (configurable)
• Privacy Policy: https://upstash.com/privacy

7.1 Active Accounts

We retain your personal data for as long as your account is active and you continue to use the Service. Since UIPrompt offers lifetime access, your data is retained indefinitely unless you request deletion.

7.2 Deleted Content

Soft-deleted content may be recoverable for a limited time. Permanent deletion may occur after a reasonable period.

7.3 Closed Accounts

Personal data is deleted within 30 days of account closure or deletion request. Some data may be retained for legal or regulatory purposes. Anonymised usage data may be retained for analytics and service improvement.

7.4 Legal Retention Requirements

• Payment and invoice records: retained for 8 years (Hungarian tax law requirement)
• Fraud prevention records: retained as necessary to prevent future fraudulent activity

8.1 Authentication Cookie

• Name: auth_token (configurable)
• Purpose: Storing JWT authentication token
• Type: Strictly necessary
• Security: HttpOnly: Yes, Secure: Yes in production, SameSite: Lax

8.2 Session Storage (Client-Side)

Browser sessionStorage is used for temporary data such as purchase intent (expires after 5 minutes or when the tab closes). sessionStorage data is stored locally in your browser, never transmitted to our servers, and is automatically cleared when you close the browser tab.

8.3 Analytics Cookies (Optional)

Analytics tools may collect page views, navigation patterns, feature usage, time spent on pages, device and browser information, and general geographic location (country/city level). Analytics data is used solely to improve our Service and is typically anonymised or aggregated. You can opt-out of analytics tracking.

8.4 What We DON'T Use

• Advertising or marketing cookies for targeted ads
• Social media tracking pixels for advertising
• Cross-site tracking for ad networks
• Behavioural advertising networks
• Data brokers

9.1 Encryption

• Data in transit: HTTPS/TLS encryption
• Data at rest: database encryption provided by MongoDB Atlas
• Passwords: hashed with bcrypt (10+ salt rounds, irreversible)

9.2 Access Controls

• Role-based access control (user/admin)
• JWT-based authentication with secure, HTTP-only cookies
• Rate limiting on all API endpoints
• Password reset tokens expiring after 1 hour
• Purchase intent tokens expiring after 5 minutes

9.3 Infrastructure Security

• Secure MongoDB Atlas database hosting
• Redis rate limiting via Upstash
• PCI-DSS compliant Stripe payment processing
• Regular security updates and patches

9.4 Fraud Prevention

• Stripe fraud detection and prevention
• Rate limiting against brute-force attacks
• Webhook signature verification
• Account monitoring for suspicious activity

Right to Access: Request a copy of all personal data we hold about you.

Right to Rectification: Update your account information at any time through your account settings or by contacting us.

Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.

Right to Data Portability: Request an export of your personal data by contacting us.

Right to Restrict Processing: Request that we limit how we use your data under certain circumstances.

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent.

Right to Lodge a Complaint: File a complaint with your local data protection authority.