Privacy Policy

Last updated: March 7, 2026

This Privacy Policy explains how ZANUBIO SRL ("we", "us", or "our"), operating PromptCreek at https://www.promptcreek.com, collects, uses, shares, and protects your personal data when you use our services. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

2. Personal Data We Collect

We collect the following categories of personal data:

Data You Provide Directly

  • Account information: Name, email address, and profile picture when you create an account
  • Profile data: Username, bio, and any other information you add to your profile
  • Content: Prompts, reviews, comments, and other content you submit to the platform
  • Payment information: Billing details processed through Stripe (we do not store full card numbers)
  • Communications: Messages sent to us through support channels

Data Collected Automatically

  • Usage data: Pages visited, features used, and interactions with the platform (only with your consent via analytics cookies)
  • Device information: Browser type, operating system, and device type (only with your consent via analytics cookies)
  • IP address: Collected for security purposes and geolocation
  • Authentication data: Session tokens and login timestamps

Data from Third Parties

  • Social login: If you sign in with Google or GitHub, we receive your name, email address, and profile picture from the provider

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Purpose | Legal Basis (GDPR)
Providing and maintaining our services (account, prompts, bookmarks) | Performance of contract (Art. 6(1)(b))
Processing payments and subscriptions | Performance of contract (Art. 6(1)(b))
Sending transactional emails (verification, magic links) | Performance of contract (Art. 6(1)(b))
Analytics and website improvement | Consent (Art. 6(1)(a))
Session recording and heatmaps (Microsoft Clarity) | Consent (Art. 6(1)(a))
Security and fraud prevention | Legitimate interest (Art. 6(1)(f))
Responding to support requests | Legitimate interest (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))

4. Third-Party Services and Data Sharing

We share your data with the following third-party processors who help us operate our services. Each has a Data Processing Agreement (DPA) in place:

Service | Purpose | Data Shared | Location
Stripe | Payment processing | Name, email, payment details, IP address | US (Standard Contractual Clauses)
Google Analytics | Website analytics | IP address, device info, browsing behavior | US (Standard Contractual Clauses)
Microsoft Clarity | Session recording & heatmaps | IP address, device info, user interactions | US (Standard Contractual Clauses)
Google OAuth | Social authentication | Email, name, profile picture | US (Standard Contractual Clauses)
GitHub OAuth | Social authentication | Email, name, profile picture | US (Standard Contractual Clauses)
Resend | Transactional emails | Email address, name | US (Standard Contractual Clauses)
Vercel | Hosting and CDN | IP address, request logs | US (Standard Contractual Clauses)
MongoDB Atlas | Database hosting | All stored user data | EU / US (Standard Contractual Clauses)

We do not sell your personal data to any third party. We only share data as described above and as necessary to provide our services.

5. International Data Transfers

Some of our third-party processors are based in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Supplementary technical and organizational measures where needed

6. Data Retention

We retain your personal data only for as long as necessary for the purposes described:

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Content (prompts, reviews): Retained for the duration of your account. Deleted or anonymized upon account deletion.
  • Payment records: Retained for 7 years as required by tax and accounting regulations.
  • Analytics data: Retained as per Google Analytics and Microsoft Clarity retention settings (up to 26 months).
  • Security logs: Retained for up to 12 months.
  • Cookie consent records: Retained for 2 years.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request restriction of processing while a dispute is resolved.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON or CSV).
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent: You may withdraw consent at any time (e.g., by changing your cookie preferences). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at hello@promptcreek.com. We will respond within 30 days.

8. Cookies

We use cookies and similar tracking technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • HTTP-only, secure session cookies
  • Role-based access controls
  • Regular security reviews

While we take all reasonable precautions, no method of transmission over the Internet is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours.

10. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date and, where appropriate, providing additional notice (such as an email or in-app notification). We encourage you to review this page periodically.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: