Privacy Policy
1. Data Controller
E.CALL (sole proprietorship), France — hello@prompted.fr
2. Data We Collect
- Account data: email address, username (optional), language and interface preferences. Authentication is delegated to Clerk.
- Content: prompts you create, media uploaded to your gallery (images, videos, PDFs).
- Billing data: handled exclusively by Stripe. prompted.fr never stores card numbers.
- Technical data: access logs (timestamps, anonymised IP addresses), API usage counters.
- API keys and access tokens: credentials generated at your request to connect third-party tools (API keys of the form
prmpt_…, OAuth tokens). These are stored as SHA-256 hashes only; the original token is not retained after creation. - OAuth authorisations: when you authorise a third-party application (e.g. Claude, Cursor) to access your library via our MCP server, we record the application identifier, the granted scope, and the date of authorisation.
3. Purpose of Processing
- Providing and improving the Service
- Subscription management and billing
- Sending transactional emails (registration, invoices, payment alerts)
- Abuse prevention (rate limiting)
- Customer support
- MCP (Model Context Protocol) integration: enabling AI tools (Claude Code, Cursor, VS Code, etc.) to access your prompt library in read-only mode, subject to your explicit authorisation
4. Third-party Access via OAuth / MCP
prompted.fr operates an MCP server implementing the OAuth 2.1 + PKCE protocol. When you authorise a third-party application:
- The application gains read-only access to your prompt library (title, content, category).
- No personal data (email, billing, account data) is shared with the third-party application.
- You may revoke access at any time from your dashboard.
- prompted.fr is not responsible for data processing carried out by third-party applications after they access the Service.
5. Legal Basis
Processing is based on: (a) performance of the service contract; (b) compliance with legal obligations; (c) our legitimate interest in securing the Service; (d) your explicit consent for OAuth authorisations.
6. Data Retention
Account data is retained while your account is active. Upon account deletion, data is erased within 30 days, except billing data retained for 10 years to comply with accounting obligations. OAuth tokens expire automatically after 1 year or upon revocation.
7. Data Sharing
We do not sell your data. It is shared only with sub-processors required to operate the Service:
- Clerk — authentication (United States, DPF certified)
- Stripe — payments (US/Europe, PCI-DSS certified)
- Cloudflare — hosting, CDN, KV/D1 storage (European Union)
- Mailgun — transactional email (European Union)
8. Your Rights (GDPR)
Under GDPR, you have the right to access, rectify, erase, restrict, port, and object to processing of your data. To exercise these rights: contact form or hello@prompted.fr. You may also lodge a complaint with your local data protection authority.
9. Cookies
The Service uses strictly necessary cookies for authentication (Clerk session). No advertising or third-party tracking cookies are used.
10. Security
Data is encrypted in transit (HTTPS/TLS). Database access is restricted and authenticated. API keys and OAuth tokens are stored as SHA-256 hashes.
11. Contact
For any data protection questions: hello@prompted.fr