Your data,
clearly explained.

1. Who we are

PromptChain is operated by William Braddock, an independent developer based in Pulaski, Virginia, USA. You can reach us at [email protected].

This policy applies to the PromptChain web application available at prompt-chain.app.

2. What we collect and why

We collect the minimum necessary to provide the service.

• Account data — When you sign in with Google, we receive your name, email address, and profile picture. This is stored in our database to identify your account.
• Prompt chains — The chains you create (name, node content, model selection) are stored in our database and linked to your account. They are private by default.
• Usage data — We track how many chains you've created and how many runs you've made this month to enforce plan limits. We do not log the content of your AI responses.
• Billing data — If you upgrade to a paid plan, Stripe processes your payment. We store only your Stripe customer ID and subscription status — never your card number or billing address.
• Session data — We use a server-side session cookie to keep you logged in. It contains only your user ID. It is cleared when you log out.

3. API keys — we never see them

PromptChain supports bring-your-own-key (BYOK). When you enter an API key for Anthropic, OpenAI, Google, LM Studio, or Ollama, it is stored exclusively in your browser's sessionStorage.

• Keys are never transmitted to our servers
• Keys are cleared automatically when you close the browser tab
• Keys are sent directly from your browser to the AI provider when you run a chain
• We have no technical ability to access or recover your API keys

Admin accounts (PromptChain staff) use server-side keys configured as environment variables on our hosting infrastructure — these are never exposed to the client.

4. Cookies

We use one first-party session cookie named pc.sid to maintain your login session. It is:

• HttpOnly — not accessible to JavaScript
• Secure — only sent over HTTPS
• SameSite: Lax — not sent on cross-site requests
• Cleared on logout

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

5. Third-party services

• Google OAuth — Used for sign-in only. We receive only your name, email, and profile picture. We do not request access to your Gmail, Drive, or any other Google services.
• Stripe — Handles all payment processing. Subject to Stripe's Privacy Policy.
• Railway — Our hosting provider. Your data is stored on Railway's infrastructure in the United States. Subject to Railway's Privacy Policy.
• AI providers (Anthropic, OpenAI, Google, etc.) — If you use your own API keys, your prompts are sent directly from your browser to the provider you choose. Their privacy policies govern how they handle that data.

6. Data sharing

We do not sell, rent, trade, or share your personal data with any third party for marketing or commercial purposes — ever.

We may share data only in the following circumstances:

• With service providers listed above (Google, Stripe, Railway) solely to operate the service
• If required by law or valid legal process
• To protect the safety or security of our users or the service

7. Public gallery and sharing

Your prompt chains are private by default. You may optionally share individual chains to the public gallery. If you do:

• The chain name, node content, and your display name will be visible to all visitors
• You can un-share a chain at any time, which removes it from the gallery immediately
• Your email address is never displayed publicly

8. Data retention

We keep your data for as long as your account is active. If you delete your account:

• Your account record, chains, and run history are deleted from our database
• Deletion is permanent and cannot be undone
• Stripe may retain billing records as required by financial regulations

To request account deletion, email [email protected] with the subject line "Delete my account."

9. Your rights

Depending on where you live, you may have rights including access, correction, deletion, portability, and objection. To exercise any of these, contact us at the email below. We will respond within 30 days.

10. Children's privacy

PromptChain is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy as the product evolves. We will update the "Last updated" date above and, for material changes, notify you by email or via an in-app notice. Continued use of the service after changes constitutes acceptance.