The data controller for GENPROMPT ("we", "us") is the individual operator of the Service, based in Spain, reachable at martir1346@gmail.com. This Policy explains how we process your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Spanish LOPDGDD (Organic Law 3/2018).
When you create an account, we collect your email address and authentication data (via email/password or Google OAuth). When you use the generator, we store your generated prompts, ratings and usage statistics. When you subscribe to Pro, Stripe collects billing information directly — we only store a stripe_customer_id and the subscription status. We do not see or store your full card number, CVV or IBAN.
We process your data on the following legal bases:
— Performance of a contract (Art. 6(1)(b)): account creation, generator usage, billing via Stripe.
— Legitimate interest (Art. 6(1)(f)): security, abuse prevention, essential service logs.
— Consent (Art. 6(1)(a)): non-essential analytics cookies (Vercel Analytics) and marketing emails, if any. You may withdraw consent at any time via the cookie banner or by emailing us.
— Legal obligation (Art. 6(1)(c)): retention of billing records required by Spanish tax law.
We use your information to: provide and maintain the service, enforce daily generation limits, improve prompt quality through ratings, process payments, prevent fraud and abuse, and send account-related emails (confirmation, password reset, billing notices).
Your data is stored in Supabase (PostgreSQL) with row-level security policies. Passwords are hashed using bcrypt and never stored in plain text. All data transmission is encrypted via HTTPS/TLS 1.2+. Authentication cookies are httpOnly, secure, and sameSite=lax.
We rely on the following processors:
— Supabase Inc. (USA) — authentication & database. Transfers covered by EU Standard Contractual Clauses.
— Vercel Inc. (USA) — hosting, analytics (gated behind consent), SpeedInsights. Transfers covered by EU SCCs and the EU–US Data Privacy Framework.
— Stripe Payments Europe Ltd. (Ireland) — payment processing, Stripe Tax. Data remains within the EU for EU customers.
— Google LLC (USA) — optional OAuth sign-in.
We use essential cookies for authentication sessions (required, cannot be disabled). Non-essential analytics cookies (Vercel Analytics, SpeedInsights) load only if you click "Accept" in our cookie banner. You can withdraw your consent at any time by clearing your browser storage or contacting us.
You have the right to: access your personal data, request rectification of inaccurate data, request erasure of your account and data ("right to be forgotten"), restrict or object to processing, receive your data in a portable format, and withdraw consent at any time. To exercise these rights, email martir1346@gmail.com; we will respond within 30 days.
If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Spanish data-protection authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain · www.aepd.es. EU residents may alternatively contact the supervisory authority of their own member state.
You can delete your account and all associated data from the Account Settings page. Upon deletion, prompts, ratings and profile data are permanently removed within 30 days. Billing records are retained for 6 years as required by Spanish tax law. Anonymised aggregate statistics may be retained indefinitely.
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
We may update this policy from time to time. Material changes will be notified via email or in-app banner at least 15 days before the effective date.
For privacy-related questions, data-subject requests or complaints, contact: martir1346@gmail.com.