Privacy Policy

Effective date: April 23, 2026

Contents

  1. Introduction
  2. Information we collect
  3. How we use your information
  4. Sharing with third parties
  5. Data retention
  6. Where your data is stored
  7. Your privacy rights
  8. Children's privacy
  9. Cookies
  10. Security
  11. Changes to this policy
  12. Contact

1. Introduction

This policy explains how Promlo ("we," "us," "our") collects, uses, and shares information when you use our website and product (the "Service"). We're a small team building an Answer Engine Optimization platform that tracks how brands are mentioned across AI models.

We try to keep this policy short and honest. If anything is unclear, email us at privacy@promlo.ai.

2. Information we collect

Account information

  • Email address and name
  • Password (stored only as a hash — never in plain text) if you sign up with email and password
  • OAuth profile basics (name, email, avatar URL) if you sign in with a supported provider like Google
  • Organization name and membership (for teams)

Product data

  • Brand names, domains, and descriptions you add
  • Prompts you create and run
  • AI model responses and the brand mentions + citations we extract from them
  • Competitor entities and website-audit results you configure

Billing information

  • Stripe customer ID and current plan tier
  • Billing period boundaries and usage counters
  • We do not store card numbers, CVVs, or bank details — that all stays with Stripe

Logs and technical data

  • IP address, user agent, and request paths for security and debugging
  • Error traces when something goes wrong
  • Cloudflare edge logs (standard for any site on Cloudflare)

Cookies and preferences

See the Cookies section below.

3. How we use your information

  • Provide the Service. Run your prompts against AI providers, extract mentions, compute analytics, send you results.
  • Account management. Sign-in, session management, password reset, organization membership.
  • Billing. Charge your subscription, send receipts, enforce quotas.
  • Product improvement. Aggregated usage metrics help us prioritize what to build. We do not sell your data and we do not use your prompts or responses to train our own models.
  • Security and abuse prevention. Rate limiting, fraud detection, investigating violations of our Terms.
  • Transactional communication. Account emails, product alerts, billing notices. We don't send marketing email without opt-in.

4. Sharing with third parties

We don't sell your personal data. We share it only with the sub-processors we use to operate the Service:

OpenRouter

Routes your prompts to the underlying AI models (OpenAI, Anthropic, Google, Perplexity, xAI, Meta). We send prompt text, any brand context you've configured, and model parameters. OpenRouter in turn shares the prompt with the upstream model provider you're targeting.

OpenRouter privacy policy →

Stripe

Handles all billing and payment processing. We pass your name, email, and plan selection; Stripe collects and stores your payment details directly. Stripe is PCI-DSS Level 1 certified.

Stripe privacy policy →

Cloudflare

Hosts our application (Workers), stores our database (D1), serves edge traffic, and provides DDoS + bot protection. All Service data transits or lives on Cloudflare infrastructure.

Cloudflare privacy policy →

Resend

Sends transactional email (verification, password reset, billing receipts) where enabled. We pass your email address and the contents of those transactional messages.

Resend privacy policy →

We may also disclose data when legally required (subpoena, court order, protection of rights or safety). If Promlo is acquired or merges with another company, your data may transfer to the successor under this policy or an equivalent one.

5. Data retention

  • Free tier. Prompt-run history (responses, mentions, citations) older than 30 days is automatically deleted. The prompts themselves and your brand configuration are kept as long as your account is active.
  • Paid tiers. Prompt-run history is retained according to your plan. See your plan details in billing.
  • Account deletion. When you delete your account, we remove your personal data and product data within 30 days. Backups are overwritten on the normal rotation and do not live beyond 90 days.
  • Billing records. Stripe may retain billing records for as long as legally required for tax and accounting purposes, independent of your Promlo account state.
  • Aggregated data. We may keep anonymous, aggregated usage statistics indefinitely (e.g. "how many prompts run per day across all users"). These contain no personal or brand-identifying information.

6. Where your data is stored

Our application runs on Cloudflare Workers, which serves traffic from Cloudflare's global edge network. Our primary database is Cloudflare D1, which replicates to the Cloudflare region we've configured.

Because Cloudflare, Stripe, OpenRouter, and the upstream AI providers operate globally, your data may be processed outside the country where you live, including in the United States, the European Union, and Asia-Pacific. We rely on the standard contractual protections offered by each provider for cross-border transfers.

7. Your privacy rights

Depending on where you live, you may have some or all of the following rights under laws like the EU / UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar frameworks:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Deletion — delete your account and the data tied to it.
  • Portability / export — receive a machine-readable export of your brand and prompt data.
  • Objection / restriction — limit how we process your data in certain cases.
  • Opt-out of "sale" / "sharing" — we don't sell personal information, but you can formally request this be recorded.
  • Non-discrimination — we won't degrade your Service for exercising these rights.

To exercise a right, email privacy@promlo.ai or use our contact page. We may need to verify your identity before acting. If you are in the EU / UK and think we're not meeting our obligations, you have the right to complain to your local data protection authority.

Promlo is not certified under SOC 2, ISO 27001, or GDPR/CCPA compliance programs at this time, and we don't claim to be. We aim to honor the substantive rights described above regardless.

8. Children's privacy

Promlo is not directed at children. You must be at least 18 years old to create an account (or 16 in the EU where we rely on consent). If you believe a child has given us personal data, contact us and we'll delete it.

9. Cookies

We use a minimal set of cookies:

  • Auth session cookie — set by Better Auth after you sign in. Keeps you logged in. Strictly necessary.
  • Theme preference — stores your light / dark / system preference.
  • Locale preference — stores your language preference.

We do not currently use third-party analytics, advertising, or cross-site tracking cookies. If we add a privacy-respecting analytics product in the future (for example Plausible or self-hosted PostHog), we'll update this page before turning it on.

10. Security

  • All traffic to Promlo is encrypted in transit via HTTPS / TLS.
  • Passwords are stored only as salted hashes (managed by Better Auth). We never see your plain-text password.
  • Payment data never touches our servers — Stripe handles it and is PCI-DSS Level 1 certified.
  • Access to production data is restricted to the core team and protected by 2FA.
  • We follow standard least-privilege practices on Cloudflare and our sub-processors.

No system is perfectly secure. If you discover a vulnerability, please report it to security@promlo.ai.

11. Changes to this policy

We may update this Privacy Policy from time to time. For material changes we'll email registered account holders and update the effective date above. Continued use of the Service after changes take effect means you accept the updated policy.

12. Contact

Questions, requests, or concerns? Email privacy@promlo.ai or visit our contact page.
