Prompy

Privacy Policy

1. Introduction

Prompy ("we", "our", or "us") operates the AI Prompt Generator website. This Privacy Policy explains our practices regarding data collection, usage, and protection. By accessing and using Prompy, you agree to the terms outlined in this policy.

2. Information We Collect

  • Account Information: Email address, and (when signing in with Google) your Google account name and profile picture. Authentication is handled by Supabase Auth — we never see or store your Google password, and email passwords are stored only as cryptographic hashes by Supabase.
  • Usage Data: Prompts you generate, your current plan, daily prompt counts, and timestamps of activity.
  • Payment Data: When you upgrade to a paid plan, we record the public blockchain transaction hash on the Base network and the wallet address that paid. We do not collect or store private keys, seed phrases, or any wallet credentials.
  • Technical Data: Your IP address is recorded at the moment of account creation or deletion to enforce abuse-prevention cooldowns (see Section 12). Standard request metadata such as browser user-agent is also processed for rate limiting.

3. How We Use Your Information

  • To provide, maintain, and improve our AI prompt generation service.
  • To enforce plan limitations (Free: 5/day, Basic: 20/day, Premium: Unlimited).
  • To verify on-chain payments and activate paid plans for one month from the date of payment.
  • To prevent fraud, abuse, and duplicate use of the same blockchain transaction.
  • To send essential service or security notifications related to your account.

4. Authentication

We use Supabase Auth for sign-up and sign-in. You can authenticate either with email and password or by using "Continue with Google". When you choose Google, only your basic profile information (email, name, profile picture) is shared with us through standard OAuth scopes. We do not request access to Gmail, Drive, Calendar, or any other Google service.

5. Data Security

Authentication, password hashing, and session tokens are managed by Supabase using industry-standard cryptography. All data is transmitted over HTTPS. Sensitive operations (plan upgrades, history, account deletion) are validated server-side. No method of transmission or storage is 100% secure, but we maintain reasonable safeguards.

6. Sessions

Sessions are managed by Supabase Auth using secure, HttpOnly cookies. Sessions are refreshed automatically while you are active and expire after a period of inactivity. You can sign out at any time from the profile menu.

7. Payments

Paid plans are purchased by sending USDC on the Base network from your own wallet (e.g., MetaMask). We verify the transaction on-chain using a public RPC provider before activating your plan. We do not custody funds, do not have access to your wallet, and never request your private key or seed phrase. Blockchain transactions are public by nature; the transaction hash and the sending wallet address may be visible to anyone on the Base blockchain.

8. Premium History Storage

If you are on the Premium plan, generated prompts are saved to your private history so you can revisit them. History is visible only to you. You can delete your account to remove all stored history.

9. Account Deletion

You can delete your account at any time from the profile menu. This permanently removes your authentication record, plan information, and all stored prompt history. After deletion, the IP address used to delete the account cannot be used to create a new account for 24 hours, as described in Section 12.

10. Third-Party Services

  • Supabase — authentication and database storage.
  • Google — Google OAuth (only when you choose "Continue with Google").
  • OpenRouter — routes prompt generation requests to underlying AI models. The text of your prompt and goal is sent to OpenRouter and the selected model provider for processing.
  • Alchemy — public blockchain RPC used to verify Base network transactions.
  • Vercel — application hosting and serverless functions.

Each of these services has its own privacy policy; we recommend reviewing them.

11. Cookies and Local Storage

We use cookies set by Supabase Auth to keep you signed in. We use the browser's local storage and a non-sensitive cookie to remember UI preferences (such as your last known plan tier for instant rendering) and to mark a device as having signed up at least once (see Section 12). We do not use third-party advertising cookies.

12. Abuse Prevention

To deter automated or fraudulent account creation, we apply the following limits:

  • IP signup cooldown: after a successful signup from a given IP address, we block additional signups from that IP for 24 hours. Your IP and the timestamp are recorded for this purpose.
  • Post-deletion cooldown: if an account is deleted, the IP address used at deletion time cannot be used to create a new account for 24 hours.
  • Device signup flag: we mark a device (via local storage and a non-sensitive cookie) once an account has been created on it. The signup form is then disabled on that device, encouraging the user to sign in instead. This is a soft barrier and can be reset by clearing site data.
  • Sign-in cooldown after sign-out: once you sign out (or are signed out by deleting your account), you cannot sign back in to that account for 24 hours. The timestamp is stored on your account row. Attempts to sign in during this window are rejected, and OAuth attempts are signed back out automatically.

These restrictions apply to both email/password and Google OAuth signups. If a Google OAuth signup is attempted while a cooldown is active, the newly created account is removed automatically and the user is redirected back to the sign-in page with an explanation.

13. Children

Prompy is not directed at children under 13. If you believe a child has provided us with information, contact us and we will delete it.

14. Contact Us

If you have questions about this Privacy Policy or our practices, please contact us through the support channel listed on the website.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date below. Continued use of Prompy after changes constitutes acceptance of the updated policy.

Last updated: April 2026
