Privacy Policy

Last updated: March 4, 2026

TeamPrompt ("we," "us," or "our") operates the TeamPrompt web application at teamprompt.app and the TeamPrompt Browser Extension (collectively, the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. We believe in being straightforward — no legalese, no surprises.

1. Information We Collect

Account Information

When you create an account, we collect your email address, display name, and profile avatar. You can sign up with Google OAuth, GitHub OAuth, or a standard email and password. For OAuth sign-ups, we only receive the basic profile information those providers share (name, email, and avatar) — we never receive your passwords from those services.

Organization Information

If you create or join an organization, we store the organization name, member list, and each member's role (owner, admin, or member).

Google Workspace Integration Data

When a Google Workspace administrator connects their organization to TeamPrompt, we make read-only API calls to access:

  • User Directory: Basic user information including names and email addresses. This is used to display a preview of available users for invitation to TeamPrompt. We do not modify, create, or delete users in your Google Workspace.
  • Google Groups: Group names and member email addresses. This information is used to suggest team assignments based on existing Google Groups structure. We do not modify, create, or delete groups in your Google Workspace.

All Google Workspace API calls are:

  • Read-only and never modify your Google Workspace data
  • Manually triggered by administrators (no automatic or scheduled syncing)
  • Limited to the minimum data necessary for user onboarding
  • Stored securely with the same security measures as other TeamPrompt data
  • Retained only as long as your organization uses TeamPrompt

Google Workspace administrators must explicitly consent to these API accesses during the OAuth consent process. You can revoke TeamPrompt's access at any time through your Google Workspace admin console.

Prompt Content

We store the prompts you create, including prompt text, templates, tags, and any associated metadata. This is the core data that powers TeamPrompt's prompt management features.

Usage Data

We record which prompts are used, when they are used, and which AI tool they are used with (e.g., ChatGPT, Claude, Gemini). This data helps surface analytics for your team, such as most-used prompts and adoption trends.

DLP & Security Rules Data

If your organization uses our Data Protection feature, we log violation events. These logs include what type of sensitive data was detected, the severity level, and the action taken (blocked or warned). This data is used for your organization's audit trail.

Two-Factor Authentication Data

If you enable two-factor authentication (2FA), your TOTP factor enrollment is managed entirely by our authentication provider, Supabase. We do not store your TOTP secrets, recovery codes, or authenticator app details on our own servers. Supabase stores the cryptographic data necessary to verify your time-based one-time passwords (TOTP) in its secure auth.mfa_factors system table.

Support Information

If you contact us through our support form, we collect whatever information you provide in your message, along with your email address so we can respond.

2. How We Use Your Information

We use your information to:

  • Provide and operate the Service, including prompt storage, sharing, and team collaboration features
  • Authenticate your identity and manage your account and organization memberships
  • Generate usage analytics and insights for your team (e.g., which prompts are most popular, how adoption is trending)
  • Enforce DLP/security policies your organization has configured and maintain audit logs of violations
  • Send transactional emails such as organization invitations, password resets, and account notifications
  • Process payments and manage your subscription through our payment provider
  • Respond to support requests and communicate with you about your account
  • Improve and maintain the Service, fix bugs, and develop new features

We do not sell your personal information. We do not use your prompt content to train AI models. Your prompts belong to you and your organization.

3. Chrome Extension Data Practices

The TeamPrompt Chrome Extension requires specific permissions to function. Here is exactly what it does and does not do:

What the extension does

  • Reads page content only on supported AI tool websites — ChatGPT, Claude, Google Gemini, GitHub Copilot, and Perplexity — to insert prompts into the input field and scan outbound text for DLP policy violations
  • Stores your authentication token in browser.storage.local so you stay logged in
  • Communicates with the TeamPrompt API at teamprompt.app to fetch your prompts, log usage, and check security policies

What the extension does NOT do

  • Does not collect or access your browsing history
  • Does not track you across websites
  • Does not read page content on any website other than the supported AI tools listed above
  • Does not sell or share your data with third parties for advertising
  • Does not inject ads, modify search results, or alter web pages beyond inserting prompts into supported AI tool input fields

4. Data Storage & Security

Your data is stored in a PostgreSQL database managed by Supabase, with servers hosted in secure, SOC 2-compliant data centers. All data is encrypted in transit using TLS and at rest using AES-256 encryption.

We implement industry-standard security measures including:

  • HTTPS enforcement across all connections
  • Row-level security policies in our database to isolate organization data
  • Secure, HTTP-only authentication tokens
  • Optional two-factor authentication (TOTP) for admin and manager accounts, with organization-level enforcement
  • Role-based access controls within organizations
  • Regular security reviews of our codebase and infrastructure

While no system is 100% secure, we take reasonable and appropriate measures to protect your data. If we ever become aware of a security breach that affects your personal information, we will notify you promptly.

5. Third-Party Services

We use the following third-party services to operate TeamPrompt. Each service only receives the minimum data necessary to perform its function:

  • Supabase — Database hosting and authentication. Your account data, prompts, and organization information are stored in Supabase-managed PostgreSQL.
  • Stripe — Payment processing. Stripe handles all credit card transactions directly. We do not store your credit card numbers — Stripe provides us only with a token reference and basic billing details (last four digits, expiration date).
  • Resend — Email delivery. Used to send transactional emails such as organization invitations, password resets, and account notifications. Resend receives recipient email addresses and email content.
  • Vercel — Application hosting. Our web application is deployed on Vercel's infrastructure. Vercel may process standard server logs (IP addresses, request timestamps) as part of hosting.

We do not share your data with any third parties for advertising or marketing purposes.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained until you delete your account
  • Prompt content is retained until you or your organization admin deletes it, or until your account is deleted
  • Usage analytics are retained for the lifetime of the organization
  • DLP/security violation logs are retained for the lifetime of the organization for audit purposes
  • Support correspondence is retained for up to 2 years after resolution

When you delete your account, we remove your personal data from our active systems within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently deleted.

7. Your Rights

You have the following rights regarding your data:

  • Access — You can request a copy of all personal data we hold about you
  • Correction — You can update your account information at any time through your profile settings
  • Deletion — You can request that we delete your account and all associated personal data
  • Export — You can request an export of your prompts and data in a portable format
  • Restriction — You can request that we limit how we process your data in certain circumstances

To exercise any of these rights, contact us at support@teamprompt.app. We will respond to your request within 30 days.

8. Children's Privacy

TeamPrompt is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@teamprompt.app and we will promptly delete that information.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email or through a notice in the app. We encourage you to review this policy periodically to stay informed about how we protect your data.

10. Contact Us

If you have any questions about this Privacy Policy, your data, or your rights, please contact us at: