Privacy & GDPR Compliance
Last Updated: 10/13/2025
Contact: support@thepromptslab.com
1. Introduction
At The Prompts Lab, protecting your privacy is a top priority. We commit to processing personal data in compliance with the General Data Protection Regulation (GDPR) and other relevant privacy and data protection laws. This policy explains what data we collect, how we use it, and your rights.
2. What Personal Data We Collect
| Type of Data | Description / Examples | Why We Need It |
|---|---|---|
| Account & Profile Info | Name, Email, Username, Profile Picture | For user registration, login, and identity management |
| Payment & Billing Data | Payment records, billing address, transaction history (via Razorpay, PayPal) | To process orders and subscriptions (we do not store full card numbers) |
| Prompt Usage & Purchase History | Which packs you’ve bought, downloads, usage metrics | To track entitlements, recommend content, and prevent fraud |
| Communications & Support | Messages you send, customer support history | To resolve issues, provide support, improve service |
| Analytics & Technical Data | Device info, IP, browser, session timing, cookies | To monitor site performance, security, and usage trends |
| Embedded / Third-Party Content Data | Data collected by embedded services (YouTube, Twitter, etc.) | To render embedded content properly (see section below) |
3. Payment & Card Data Handling
We use third-party, PCI-compliant gateways:
Razorpay (India) for INR / UPI / local payments
PayPal (Global / USD) for international transactions
We only store the minimal billing metadata (e.g. transaction ID, billing reference). Card or bank credentials are never stored on our servers—these are handled securely by the payment providers under their privacy compliance.
4. How We Use Your Data
We use your data for the following purposes:
Fulfilling prompt pack & subscription purchases
Verifying your access to content & features
Providing personalized recommendations & updates
Sending transactional emails (billing, receipts)
Sending promotional / newsletter emails (with opt-out)
Complying with legal or financial obligations
Detecting fraud, abuse, or violations of our policies
Improving site performance, UX, and debugging
5. Legal Basis for Processing
Under GDPR, we rely on one or more legal grounds for processing:
Contractual necessity (processing payments, delivering purchases)
Legitimate interests (analytics, fraud prevention)
Consent (marketing communications, cookies)
Legal obligations (tax, accounting, recordkeeping)
6. Embedded Content & External Services
When our pages embed content (videos, social feeds, etc.), those services may collect data about you—just as if you visited those external sites.
We list some common embedded services below:
YouTube – our video demos are often embedded. YouTube may track views, cookies, and analytics per its Privacy Policy
Facebook / Meta – social plugins (e.g. “like / share” widgets) may load cookies or scripts. Their policy: Meta Privacy
Twitter / X – their timeline embeds may send tracking data to Twitter. Refer to their Privacy Policy
We do not control these external sites’ policies—these features only activate after user consent as required by law (cookie banners, etc.).
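The statement above, that embedded players and social widgets only activate after consent, is something a site has to implement in its front end rather than just declare. The following JavaScript is an added example of how that gating can work; it is not code from The Prompts Lab. It assumes a consent cookie named `tpl_consent` (a hypothetical name) holding a URL-encoded JSON object of per-category booleans, and a per-provider allow-list of https hosts, neither of which the policy specifies.

```javascript
// Consent-gated loading of third-party embeds.
// Added example, not the site's own code. Assumptions not stated in the policy:
//  - consent is stored in a cookie named "tpl_consent" (hypothetical) whose value is a
//    URL-encoded JSON object such as {"embedded":true,"marketing":false};
//  - each provider may only be loaded from the https hosts listed below.

const CONSENT_DEFAULTS = { necessary: true, embedded: false, marketing: false };

const EMBED_PROVIDERS = {
  youtube:  { category: "embedded", hosts: ["www.youtube-nocookie.com", "www.youtube.com"] },
  twitter:  { category: "embedded", hosts: ["platform.twitter.com"] },
  facebook: { category: "embedded", hosts: ["www.facebook.com"] },
};

// Parse a "name=value; name2=value2" string (the shape of document.cookie) and return
// the consent state. Missing, malformed or non-boolean values fall back to the defaults,
// i.e. "no consent", so a tampered or truncated cookie can never unlock a category.
function parseConsentCookie(cookieString, name = "tpl_consent") {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    let parsed;
    try {
      parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (e) {
      return { ...CONSENT_DEFAULTS };
    }
    if (parsed === null || typeof parsed !== "object") return { ...CONSENT_DEFAULTS };
    const consent = { ...CONSENT_DEFAULTS };
    for (const key of Object.keys(CONSENT_DEFAULTS)) {
      if (key !== "necessary" && typeof parsed[key] === "boolean") consent[key] = parsed[key];
    }
    return consent;
  }
  return { ...CONSENT_DEFAULTS };
}

// Minimal escaping for values placed inside HTML attributes.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only https URLs whose host is on the provider's allow-list are eligible to be embedded.
function isAllowedEmbedUrl(provider, url) {
  const p = EMBED_PROVIDERS[provider];
  if (!p) return false;
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === "https:" && p.hosts.includes(u.hostname);
}

// Decide what markup to emit for an embed. Without consent for the provider's category
// no third-party iframe is emitted at all; the placeholder keeps the URL in a data
// attribute so the page can swap in the real iframe once the visitor opts in.
function renderEmbed(provider, url, consent) {
  const p = EMBED_PROVIDERS[provider];
  if (!p) throw new Error(`unknown embed provider: ${provider}`);
  if (!isAllowedEmbedUrl(provider, url)) {
    return { state: "blocked", html: "<!-- embed rejected: URL not on provider allow-list -->" };
  }
  if (!consent[p.category]) {
    return {
      state: "placeholder",
      html: `<div class="embed-placeholder" data-provider="${provider}" data-src="${escapeAttr(url)}">` +
            `Content from ${provider} is not loaded until you accept ${p.category} cookies.</div>`,
    };
  }
  return {
    state: "loaded",
    // sandbox / referrerpolicy values are illustrative; tune them per provider.
    html: `<iframe src="${escapeAttr(url)}" sandbox="allow-scripts allow-same-origin allow-popups" ` +
          `referrerpolicy="strict-origin-when-cross-origin" loading="lazy"></iframe>`,
  };
}

// Constructed sample: a visitor with a PHP session cookie but no embedded-content consent.
const sampleCookies = "PHPSESSID=abc123; tpl_consent=" +
  encodeURIComponent(JSON.stringify({ embedded: false }));
console.log(
  renderEmbed("youtube", "https://www.youtube-nocookie.com/embed/VIDEO_ID",
              parseConsentCookie(sampleCookies)).state
);
```

Two design points matter here. The consent-preference cookie itself is a necessary cookie (it only records the visitor's choice), so reading it never requires consent. And the decision is made before any provider script or iframe is emitted: a placeholder that merely hides a loaded iframe would still let the provider set cookies, which is exactly what the policy says does not happen.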
7. Cookie Use
We use cookies to improve functionality, security, user experience, and analytics. You can manage cookie preferences or disable them (though some features may break). Below are cookie categories:
7.1 Necessary Cookies (always active)
__cfduid (Cloudflare) – client identification / CDN security. Note: Cloudflare stopped issuing this cookie in May 2021, so a list that still names it should be re-audited against the cookies the site actually sets today.
PHPSESSID – PHP session identifier that keeps you logged in between requests
wp-auth, wordpress_logged_in_{hash}, wp-settings-{UID} – WordPress login / session cookies
7.2 Optional / Performance Cookies
Google Analytics / Matomo
Performance & A/B test cookies
Marketing cookies (if opted in)
You may disable cookies in your browser settings. For guidance, see your browser’s “Help” or “Settings” section.
8. Who Can Access Your Data
We limit access to personal data internally:
System administrators / engineers who maintain server health
Support staff (on need-to-know basis for resolving issues)
Third-party services under contract (e.g. analytics, email services)
All such access is governed by confidentiality agreements and strict access controls.
9. Data Retention & Deletion
We retain personal data only as long as necessary:
Active user accounts: retained until account deletion
Transaction & billing logs: retained 7–10 years (for legal/tax compliance)
Marketing / analytics data: retained unless you withdraw consent
Deletion Request: Upon your request to erase data, we will remove all personal records except those we are legally required to keep
10. Your Rights (GDPR Articles 12–23)
You have these rights:
Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure (“right to be forgotten”): Delete your personal data (subject to exceptions)
Restriction: Limit how we process your data
Portability: Receive your data in a machine-readable format
Withdraw Consent: Revoke previously given consent
Complain: Submit a complaint to your local Data Protection Authority
To exercise these rights, contact us at support@thepromptslab.com. We will respond within one month of receiving your request, as GDPR Article 12(3) requires; where a request is complex or we receive many at once, that period may be extended by up to two further months, and we will tell you within the first month if that is the case.
11. Security Practices
We implement robust security to protect your data:
TLS (HTTPS) encryption for all traffic to the site
Data encryption at rest (database-level)
Role-based access and least privileges
Regular backups & disaster recovery
Monitoring, intrusion detection, and patching
Breach protocol: containment and forensic investigation, notification to the relevant supervisory authority within 72 hours of becoming aware of a breach (GDPR Article 33), notification of affected users without undue delay where the breach is likely to result in a high risk to them (Article 34), and forced password resets where credentials may have been exposed
12. Changes & Updates
We may update this Privacy Policy from time to time. Any substantial changes will be posted on this page with a new “Last Updated” date. If needed, we will notify registered users via email of significant changes.
