# Privacy Policy for PromptEasy **Effective Date:** January 21, 2026 **Provider:** Metacode Oy (Business ID: 3375232-1) This Privacy Policy describes how Metacode Oy ("we," "us," or "our") collects, uses, and protects your personal data when you use the PromptEasy service (**prompteasy.eu**). This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (*Tietosuojalaki*). --- ## 1. Data Controller The entity responsible for the processing of your personal data is: **Metacode Oy** Business ID: 3375232-1 Metsäpurontie 10 00630 Helsinki, Finland **Email:** support@prompteasy.eu --- ## 2. Legal Basis and Purpose of Processing We process personal data only when there is a legal basis to do so under GDPR Article 6. | Data Category | Purpose of Processing | Legal Basis (GDPR) | | :--- | :--- | :--- | | **Registration Data** (Name, email, country, postal code) | Creating and managing your account and verifying user identity. | **Contract:** Necessary for the performance of our service agreement. | | **Billing Data** (Company name, VAT ID, transaction history) | Subscription management, invoicing, and tax compliance. | **Legal Obligation:** Compliance with Finnish Accounting & VAT laws. | | **Usage & Audit Logs** (IP address, timestamps, action types) | Ensuring platform security, preventing fraud, and debugging. | **Legitimate Interest:** Protecting our infrastructure and user data. | | **Communication Data** (Support emails, notifications) | Providing technical support and service updates. | **Contract / Legitimate Interest:** Maintaining service quality. | --- ## 3. Data Residency and Third-Party Processors We prioritize **EU data residency**. While we use third-party service providers ("Data Processors"), we ensure they meet strict security standards through Data Processing Agreements (DPAs). * **Cloud Infrastructure:** **Google Cloud Platform (GCP)**. All customer data and databases are hosted on servers physically located within the **European Union**. * **Payment Processing:** **Stripe**. Used for secure payment handling. Stripe may process data globally; where data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs). We do not store full credit card details. * **Email Services:** **Mailgun**. Used for transactional emails (e.g., password resets). We utilize Mailgun’s **EU-based infrastructure** to ensure data remains within the EEA. --- ## 4. Security and Zero-Knowledge Architecture * **Zero-Knowledge Encryption:** All prompts and parameters are encrypted at the database level. Our architecture is designed so that we do not hold the decryption keys. We cannot access or read your prompt content. * **Mandatory 2FA:** Two-Factor Authentication (2FA) is mandatory for all users. **Note:** Due to our zero-knowledge protocol, if you lose both your 2FA device and recovery codes, account recovery is not possible. * **Access Control:** We utilize strict Role-Based Access Control (RBAC) to ensure users only see content within authorized vaults. --- ## 5. Data Retention We retain data only as long as necessary for the purposes defined in Section 2: * **Active Account Data:** Retained for the duration of your subscription. * **Subscription Termination:** Upon cancellation, data is retained for a short window (typically 90 days) to allow for export before permanent deletion. Tenants are notified 14 days and 7 days prior to final deletion. * **Accounting Records:** Retained for **7 years** to comply with the Finnish Accounting Act. * **Security Logs:** Retained for up to **12 months** unless required longer for an investigation. --- ## 6. Your Rights Under the GDPR, you have the following rights: * **Right of Access & Portability:** You may request an export of your data. *Note: Encrypted prompts will be provided in their "as-is" encrypted state.* * **Right to Rectification:** You can update your profile information via the "My Profile" settings. * **Right to Erasure ("Right to be Forgotten"):** You may request the deletion of your personal data. When a user is deleted, identifiers (name/email) are removed; in audit logs, they are replaced with "Deleted User." * **Right to Restriction & Objection:** You may object to processing based on legitimate interest. However, certain logging is mandatory for the security of the service. --- ## 7. Right to Lodge a Complaint If you believe Metacode Oy is processing your personal data in violation of data protection regulations, you have the right to lodge a complaint with the Finnish supervisory authority: **Office of the Data Protection Ombudsman** P.O. Box 800, 00531 Helsinki, Finland **Email:** tietosuoja@om.fi **Website:** [tietosuoja.fi](https://tietosuoja.fi) --- ## 8. Cookies We use only **strictly necessary cookies** (first-party session cookies) required for authentication and security. We do not use third-party tracking or advertising cookies. --- ## 9. Contact Information For any privacy-related questions or to exercise your rights, please contact: **Metacode Oy / PromptEasy Administration** **Email:** support@prompteasy.eu