This policy describes how Prompt Vault (the Chrome extension) collects, uses, stores, and deletes data.
2. Data We Collect
Account data: email address and authentication/session tokens (Supabase Auth).
Prompt data: title, shortcut, content, category, favorite/bookmark flags, and related
metadata.
Community data: likes, favorites/bookmarks, creator email references for shared
prompts, and leaderboard/trending engagement data.
Profile data: display name, bio, website URL, and optional social handles (Twitter/X,
GitHub, LinkedIn).
Licensing data: license entitlement status, hashed license key identifiers, purchase
email (from Gumroad webhook data), activation metadata, and device identifier used for license limits.
Operational data: timestamps and basic event metadata needed for sync, limits, abuse
prevention, and billing/license enforcement.
3. How We Use Data
Provide core extension features (save/search/copy prompts, favorites, categories, import/export).
Enable account authentication, sync, and entitlement checks.
Support community features (public profiles, likes, trending, leaderboard).
Prevent abuse and enforce plan/device limits.
Respond to support and security incidents.
4. Data Sharing
Supabase: hosting, database, authentication, and edge-function processing.
Gumroad: license purchase and verification workflows.
We do not sell personal data.
We do not share prompt content with unrelated third parties for advertising.
5. Retention
Account and prompt/profile/community records are retained while your account is active.
License and billing-related records may be retained for fraud prevention, audit, and legal compliance.
Logs and operational metadata are retained only as long as needed for security/operations.
6. Deletion and User Controls
You can edit or delete prompts and profile fields in the extension.
You can request account/data deletion through support.
On verified deletion requests, associated account data is removed or anonymized except where retention
is required by law, fraud prevention, or billing dispute handling.
7. Security
User-generated fields are rendered with DOM-safe text rendering patterns.
Links are validated to block unsafe schemes.
License webhook processing requires a valid signature.
Access to backend data is controlled by authentication and database access policies.
8. International Processing
Data may be processed in regions used by our infrastructure providers (Supabase and Gumroad).
9. Children's Privacy
Prompt Vault is not directed to children under 13.
10. Changes to This Policy
We may update this policy. Material changes will be reflected by updating the effective date above.
11. Contact
For privacy requests or questions, use the support URL listed in the Chrome Web Store listing.