Privacy Policy — Prism
Effective date: March 23, 2026
1. Introduction
Prism is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under the GDPR.
2. Data We Collect
- Account data: email address, name (optional), profile avatar (optional)
- Usage data: deal flow data, notes, contacts, uploaded pitch decks, AI outputs, activity logs
- API keys: your Anthropic API key and optional integration keys (encrypted at rest via Supabase Vault, never stored in plaintext, never sent to the client)
- Billing data: subscription plan and status (payment details handled entirely by Stripe — we never store card numbers)
- Technical data: IP address, browser type, session tokens, error logs
3. How We Use Your Data
We use your data to:
- Provide the Service (contract performance)
- Manage your account (contract performance)
- Send transactional emails (contract performance)
- Improve and debug the Service (legitimate interest)
- Comply with legal obligations
We do not use your deal data, notes, or AI outputs to train any AI models.
4. Third-Party Services (Sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, file storage | EU (AWS eu-west-1) |
| Vercel | Hosting | EU/US |
| Stripe | Payments | US (adequacy decision) |
| Anthropic | AI processing via your own API key | US |
| | OAuth authentication | US (adequacy decision) |
5. Data Retention
- Account and deal data: until account deletion, then 30 days
- AI outputs: 12 months, then auto-deleted
- Activity logs: 90 days, then auto-deleted
- Billing records: 7 years (legal requirement)
- Uploaded PDFs: 30 days after upload, then deleted
6. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access your data
- Correct inaccurate data
- Request deletion
- Receive your data in a portable format
- Restrict processing
- Object to processing
- Withdraw consent
Email contact@prismapp.co to exercise any right. We will respond within 30 days. You may also complain to the CNIL (www.cnil.fr).
7. Data Security
All data is encrypted in transit (TLS 1.2+). API keys are encrypted at rest via Supabase Vault. Row-level security ensures each user accesses only their own data.
8. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Authentication session | Session duration |
| prism-tour-step | Product tour progress | 7 days |
| prism-view-mode | Kanban/list preference | 30 days |
We do not use advertising cookies or third-party tracking pixels.
9. Contact & Data Controller
Prism, Paris, France
contact@prismapp.co