Privacy Policy
Version 2026-05-25
1. Who we are and what we control
This Privacy Policy explains how Prompt("we", "us", "our") handles personal data when you use our hosted app-builder service (the "Service"). It covers data about you — the account holder.
The Service is operated by Haroon Khan, a sole trader based in the United Kingdom, trading as Prompt.
For the purposes of the UK General Data Protection Regulation and the Data Protection Act 2018, we are the data controller for personal data we collect about your account (sign-in details, prompts you submit, billing data, and the credentials you give us to operate the Service).
For personal data your generated apps process about their end users, you are the controller. Generated apps run on the end user's own device and connect directly to your own Supabase project; that data does not flow through our servers, so we are not a processor of it either. You are responsible for providing your end users with their own privacy notice and lawful basis.
Business customers (for example, organisations building apps for their own users or staff) who require a Data Processing Agreement covering the account data we hold about your team's accounts can request one at projectbloxx@gmail.com.
We have not appointed a statutory Data Protection Officer (we are not required to under UK GDPR Art. 37). Privacy queries, including the rights set out in Section 8, should be directed to projectbloxx@gmail.com.
2. What personal data we collect
- Account data from Google Sign-In: your Google account ID, email address, display name and avatar URL.
- Usage data: app descriptions and prompts you submit, the apps and screens we generate for you, credit balance, request logs (limited to operational metadata such as timestamps, IP, error codes — not the contents of your prompts unless required to investigate a specific issue).
- Supabase connection data: the project reference, URL and publishable (anon) key of the Supabase project you connect, plus the access token and (if you provide it) service-role key we need to operate the Service on your behalf. Tokens and service-role keys are encrypted at rest.
- Third-party integration credentials (e.g. Stripe or OpenAI keys you connect to your generated apps) are stored in your own infrastructure, not ours.
- App distribution and push credentials.If you generate mobile apps, you may give us credentials we need to sign and distribute them on your behalf, or to deliver push notifications — for example an Apple App Store Connect API key, iOS push credentials from Apple, or Firebase credentials from Google. We use these only to operate the Service on your instructions and keep them encrypted at rest.
- Tester device identifiers.If you invite a tester to install a preview build using our enrollment link, the tester's iPhone returns a unique device identifier (UDID), plus basic model and operating system information, so the device can be added to your Apple Developer team. We do not keep a separate copy beyond what is needed to register it with Apple on your behalf. You are responsible for making sure your testers understand and consent to this before they install the enrollment profile.
- Billing data for paid plans: handled by Stripe. We store your Stripe customer ID and subscription status. We never see your card details.
- Cookies / local storage: a JWT in your browser's
localStorageto keep you signed in, and a small flag recording your acceptance of these terms before sign-in. These are strictly necessary for the Service to operate, so under the Privacy and Electronic Communications Regulations Reg. 6(4) we do not require a separate consent banner for them. We do not use analytics or advertising cookies.
We do not intentionally collect special category data (data revealing health, biometrics, ethnicity, political opinions, etc.) and ask that you do not include such information in prompts. If you do, we will treat it like the rest of your prompt content but cannot offer additional safeguards required by Art. 9 UK GDPR.
3. Why we use it (lawful bases)
We process the personal data described above on the following lawful bases (UK GDPR Article 6):
- Contract (Art. 6(1)(b)): to operate the Service, run app generation, communicate with your Supabase project on your behalf, and bill paid plans.
- Legitimate interests (Art. 6(1)(f)): keeping the Service secure, preventing abuse, debugging, basic product analytics. You can object — see Section 8.
- Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests.
- Consent (Art. 6(1)(a)): where we explicitly ask, for example before sending optional product updates.
Automated decision-making. The Service does not make decisions about you that produce legal or similarly significant effects within the meaning of UK GDPR Art. 22. AI-generated app code is created at your request and reviewed by you before use; it is not used to evaluate or take decisions about you as an individual.
4. Sub-processors and data sharing
We share personal data only with the providers needed to deliver the Service, on contractual terms requiring confidentiality and appropriate security:
- Anthropic, PBC (USA) — runs the AI models that generate your apps. Your prompts and app descriptions are sent to their API. Subject to Anthropic's privacy policy.
- Google LLC (USA) — sign-in only; we receive your basic profile after you authenticate.
- Stripe Payments Europe Ltd (Ireland) — payment processing for paid plans.
- Supabase Inc. (USA) — we connect to your Supabase project on your behalf using the credentials you provide. We are not party to your relationship with Supabase.
- Apple Inc.(USA) — where you generate iOS apps, we use Apple's developer and push notification services on your instructions and within your own Apple Developer account. We are not party to your relationship with Apple.
- Google LLC(USA) — additionally to sign-in, where you configure Android push notifications, your apps' pushes are delivered via Google's push infrastructure using credentials you provide.
- Diawi sarl (Luxembourg) — hosts iOS preview install links you share with your testers. The build itself is hosted there so testers can install it directly on their device.
- A cloud database provider (USA) — hosts the database that stores your account and connection metadata.
We do not sell personal data and do not use it for advertising profiling.
5. International transfers
Several of our sub-processors (notably the AI provider, Google, Apple, and our database host) are based outside the UK. Where personal data is transferred internationally we rely on the UK International Data Transfer Agreement (or the EU Standard Contractual Clauses with the UK Addendum), and on the providers' own UK/EU data residency options where available.
6. Retention
- Account data: kept while your account is active. Deleted within 30 days of account deletion.
- Generated apps and prompts: kept while your account is active. You can delete individual apps from your dashboard at any time.
- Supabase connection data (project ref, encrypted access token, etc.): kept until you disconnect or delete your account.
- App distribution and push credentials you upload: kept while the corresponding app exists in your account. Deleted alongside the app.
- Tester device identifiers: registered with your Apple Developer team for as long as you have iOS preview builds for that app, and removed from the team when you delete the app.
- Preview build files: rolled on a most-recent-N basis per app; older preview builds are deleted automatically.
- Operational logs: rolling 30 days.
- Billing records: retained for 6 years to meet UK tax obligations.
7. Security
We use industry-standard encryption in transit and at rest, and follow least-privilege access controls internally. No system is 100% secure; please report suspected vulnerabilities to projectbloxx@gmail.com.
If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in line with UK GDPR Art. 34, and will report to the Information Commissioner's Office where required under Art. 33.
8. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased (Art. 17), subject to lawful retention obligations;
- restrict processing (Art. 18) or object to it (Art. 21) — including direct marketing;
- data portability (Art. 20);
- withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email projectbloxx@gmail.com. We aim to respond within one month, extendable by up to two further months for complex or numerous requests in line with UK GDPR Art. 12(3); if we need that extra time we will tell you within the first month and explain why.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We'd appreciate the chance to address your concern first.
9. Children
The Service is intended for business users aged 16 and over and is not directed at children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. The version number above will change and, when it does, you will be asked to review and re-accept on next sign-in. Material changes will also be communicated by email where reasonable.
See also our Terms of Service.