Legal
Privacy Policy
Last updated: 13 April 2026 · Effective: 13 April 2026
We do not sell your personal data. We do not run advertising. We use your data solely to operate the Build My Prompts platform and improve your experience.
01 Who We Are
Build My Prompts ("we", "us", "our") operates the website at buildmyprompts.com and associated subdomains. We are the data controller for personal data collected through this platform.
For any privacy matters, contact us at privacy@buildmyprompts.com.
02 Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, and hashed password when you register.
- Usage data: Pages visited, features used, prompts created (stored against your account for your access), session timestamps.
- Payment data: Billing information is processed by our payment provider (Stripe). We do not store card numbers on our servers.
- Communications: Messages you send us via the contact form or by email.
- Technical data: IP address, browser type, device type, and referral source collected automatically via server logs.
- Voice data: If you use the Voice Prompt feature, audio is processed in real-time via your browser and our AI provider. We do not store audio recordings.
03 How We Use Your Data
- To create and manage your account and authenticate your sessions.
- To operate the prompt building, voice, and marketplace features.
- To process payments and maintain billing records.
- To respond to support requests and enquiries.
- To send transactional emails (account confirmation, password reset, booking confirmations). We do not send marketing emails unless you explicitly opt in.
- To improve the platform through aggregated, anonymised analytics.
- To comply with legal obligations.
04 Legal Basis for Processing
Under GDPR and applicable UK data protection law, we process your data on the following bases:
- Contract performance: Processing necessary to deliver the service you have signed up for.
- Legitimate interests: Security, fraud prevention, and platform improvement through anonymised analytics.
- Legal obligation: Retaining financial records as required by law.
- Consent: Where we rely on consent (e.g. optional marketing emails), you may withdraw it at any time.
05 Data Sharing & Third Parties
We share data only with the following categories of processors, and only to the extent necessary to operate the service:
- MongoDB Atlas — cloud database hosting (account and prompt data).
- Vercel — hosting and serverless function execution.
- Stripe — payment processing. Subject to Stripe's own Privacy Policy.
- Google (Gemini API) — AI processing for Voice Prompt features. Prompts are sent as API requests; we do not share your identity with Google.
- Anthropic (Claude API) — AI processing for Aria prompt building features.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising.
06 Cookies & Local Storage
We use browser localStorage (not cookies) to store your authentication token (bmp_token), your Brand Brain preferences, and active persona settings. This data is stored exclusively on your device and is not transmitted to third parties.
We do not use advertising cookies or third-party tracking pixels. Server-side analytics are aggregated and anonymised.
07 Data Retention
- Account data: Retained for the lifetime of your account and deleted within 30 days of a verified account deletion request.
- Saved prompts: Retained until you delete them or delete your account.
- Server logs: Retained for 90 days for security and debugging purposes, then automatically deleted.
- Payment records: Retained for 7 years as required by financial regulations.
08 Your Rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your account and associated data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to restrict processing in certain circumstances.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@buildmyprompts.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in the UK: the ICO).
09 Security
We implement industry-standard security measures including: bcrypt password hashing, JWT authentication with expiry, HTTPS enforcement on all routes, and least-privilege database access. No system is entirely immune to breach; in the event of a data breach affecting your rights and freedoms, we will notify you and the relevant authority within 72 hours as required by law.
10 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes we will notify registered users by email.