Privacy Policy

We built Promptdoc for regulated work, so we treat your data the way our customers' regulators expect. This policy explains what we collect, why, how we protect it, and the rights you hold. Last updated June 7, 2026.

1. Who we are and what this covers

Promptdoc (“Promptdoc,” “we,” “us,” or “our”) provides a governed AI workbench that helps organizations write, reuse, and govern prompts before they reach AI models. This policy applies to our marketing site, the Promptdoc application, and the connectors and services we operate. It covers individuals who use Promptdoc on behalf of an organization (“customers”) and the end users and visitors whose information may be processed through it.

When an organization uses Promptdoc, that organization is the controller of the data it puts into the product, and we act as its processor (service provider) under our customer agreement. For our own website and account records, we act as the controller.

2. Information we collect

  • Account data: name, work email, organization, role, and authentication records (we use one-time codes, not stored passwords in plain text).
  • Workspace content: prompts, skills, notes, meeting summaries, approvals, and the context you connect from systems you authorize.
  • Connected-system data: only the records you explicitly connect (for example documents, calendar entries, or repositories) and only to the scope you grant.
  • Usage and audit data: prompt runs, policy decisions, violations, and the evidence trail we keep so your team can show what happened.
  • Technical data: device, browser, IP address, and security logs needed to operate and protect the service.
  • Billing data: handled by our payment processor; we store plan and invoice metadata, not full card numbers.

3. How we use information

  • To provide, secure, and improve the Promptdoc workbench and connectors.
  • To apply the governance, policy, and audit controls your organization configures.
  • To authenticate users and protect accounts against abuse.
  • To communicate about your account, security, and service changes.
  • To meet our legal, regulatory, and contractual obligations.

We do not sell personal information, and we do not use your workspace content to train third-party foundation models.

4. AI processing and governance

We check every prompt against your organization’s policies before a model is called. Depending on your configuration, we may detect and redact sensitive data, route requests only to approved models, require human review, or block a run. When a request is sent to a model provider, only the cleaned, policy-approved request is transmitted, and only to the provider your organization selects. We record the policy decision and supporting evidence so the run can be reviewed later.

5. How we share information

We share information only as needed to run the service:

  • Model and infrastructure providers that process requests or host the platform, under contract and limited to what the service requires.
  • Connectors you authorize, strictly within the scope you grant and revocable at any time.
  • Legal and safety disclosures where required by law or to protect rights and safety.
  • Corporate transactions, where data may transfer as part of a merger or acquisition, subject to this policy.

We maintain a current list of subprocessors and provide it on request.

6. Data retention and residency

We keep information for as long as your organization maintains its account or as required by law, then delete or de-identify it. Where your configuration sets a residency boundary (for example a Canada-only residency lock for healthcare data), we honor that boundary for the data it covers.

7. Security

We protect data with encryption in transit and at rest, least-privilege access, row-level data isolation between organizations, audit logging, and session isolation for notes and memory. No system is perfectly secure, but we design for regulated workloads and review our controls regularly.

8. Your privacy rights by region

United States

Depending on your state (including California under the CCPA/CPRA, and Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws), you may have the right to access, correct, delete, or port your personal information, to opt out of sale or targeted advertising (we do neither), and to be free from discrimination for exercising these rights. Sector rules also apply: HIPAA for protected health information and GLBA for financial data.

Canada

Under PIPEDA and provincial laws including Alberta’s HIA and PIPA, you may request access to and correction of your personal information, withdraw consent, and ask how your data is used and disclosed. We support Canadian data residency and sovereignty requirements and are building toward Bill C-27 readiness. Health information is handled under applicable health-privacy law.

Nigeria

Under the Nigeria Data Protection Act 2023 and the NDPR, you have the right to be informed, to access and rectify your data, to object to or restrict processing, to data portability, and to erasure. We process Nigerian personal data lawfully and fairly, and we honor data-subject requests in line with the Act.

To exercise any of these rights, contact us using the details below. If your organization administers your account, we may direct your request to them as the controller. We will not retaliate for a privacy request.

9. Sector-specific handling

  • Healthcare: we govern PHI before execution with detection, redaction, minimum-necessary checks, consent evidence, clinical-review gating, role-based access, and approved-model routing.
  • Finance: we support confidentiality controls and audit evidence consistent with financial-data obligations.
  • Government and HR: we apply sector policy templates for restricted data, retention, and audit.

10. Cookies

We use cookies and similar technologies that are necessary to sign you in and keep the service secure, plus limited analytics to operate the site. You can control non-essential cookies through your browser.

11. Children

Promptdoc is a workplace product and is not directed to children. We do not knowingly collect personal information from children.

12. Changes to this policy

We may update this policy as the product and the law evolve. We will post the new version here and update the date above; material changes will be communicated to account administrators.

13. Contact us

For privacy questions or to exercise your rights, email [email protected]. To report a suspicious message or a verification code you did not request, email [email protected].
