Privacy Policy
1. Controller
The controller responsible for data processing on this website is:
ITz-Easy Tobias Itzel
Gänsstücke 14
67819 Kriegsfeld
Germany
2. Overview of Data Processing
Purposes of Processing
We process your data for the following purposes:
- Provision of the AI Answer Intelligence service: management of projects, brands, websites, competitors, prompts, scan configurations, results and reports
- Execution of AI visibility scans: automated queries to selected AI systems or AI providers and evaluation of answers for visibility, accuracy, sources, mentions and answer patterns
- Execution of website and content scans: retrieval and analysis of publicly accessible URLs, technical signals, page structures, content and discoverability
- User account management: registration, authentication, settings, team and role management
- Billing: management of plans, quotas, invoice references and payment status
- Technical operation: ensuring functionality, security, abuse prevention and error analysis
Processing is carried out on the basis of:
- your consent (Art. 6 (1) lit. a GDPR), where consent is required
- performance of a contract or pre-contractual measures (Art. 6 (1) lit. b GDPR)
- our legitimate interests in secure, stable and low-abuse operation (Art. 6 (1) lit. f GDPR)
Requirement to provide data: Certain information, such as email address, login data, project, domain, prompt and scan configurations, is required to provide the service. Without this data, use of Promptalyze is not possible or only possible to a limited extent.
3. Categories of Data Processed
Project, scan and analysis data
Promptalyze stores the data required for analysis, monitoring and reporting. This includes in particular:
- account and organization data, such as name, email address, workspace/team assignment, roles and settings
- project and brand data, such as project name, brand name, product name, website domain, competitors, target markets and language settings
- prompt and scan configurations, such as questions, prompt variants, scan schedules, selected AI providers, scan types and limits
- AI scan results, such as answers from external AI systems, mentions, source/evidence references, scores, classifications, comparison values and time series
- website scan results, such as analyzed URLs, technical signals, page structures, discoverable content, crawlability/indexability indicators and identified optimization potential
- billing data, such as Stripe customer/subscription IDs, plan status, quota status and invoice references
- technical operational data, such as log events, error codes, audit entries, security events and rate-limit information
Promptalyze is designed for the analysis of public-facing brand, website and AI answer data. Please do not enter confidential information, trade secrets, special categories of personal data or other sensitive content into prompts, project descriptions or scan configurations unless this is necessary and legally permissible.
What we store, briefly and concretely
| Stored | Examples | Why? |
|---|---|---|
| Account and team data | Email address, workspace, roles, settings | So login, teamwork and access control can function |
| Project/brand data | Project name, brand, website, competitors, locale/market | So scans can be assigned to an analysis context |
| Prompt and scan configurations | Questions, prompt variants, scan schedule, provider selection | So scans can be repeated and compared |
| AI scan results | Answers, mentions, source references, scores, time series | So visibility, accuracy and changes can be tracked |
| Website scan results | URLs, technical signals, content insights, findings | So optimization potential can be identified and prioritized |
| Billing data | Stripe customer/subscription IDs, status, invoice references | Processing of payments, plans and quotas |
| Technical operational data | Log events, error codes, audit entries | Security, abuse prevention, error analysis |
Stored vs. not stored matrix
| Data category | Stored by Promptalyze? | Where it is stored instead / note |
|---|---|---|
| Account and login data | Yes | At Promptalyze |
| Project, brand and website configurations | Yes | At Promptalyze |
| Prompts/questions configured by the user | Yes | At Promptalyze; may be transmitted to selected providers for scans |
| AI answers and scan results | Yes | At Promptalyze as report/history data |
| Publicly accessible website content or excerpts | Yes, where required for scan/report | Originates on the analyzed website |
| Complete private website backends or non-public content | No, unless provided by the user | Held by the respective website/system operator |
| Access credentials for third-party websites | No, unless expressly provided as a feature | Not required for public website scans |
| Payment data, such as card or bank details | No | At Stripe |
| Raw data from external AI providers beyond the scan result | Not permanently, where technically avoidable | At the respective provider according to its terms |
| Special categories of personal data | Not intended | Please do not enter such data in prompts or project information |
Technical Data
- IP address (shortened/anonymized where possible)
- browser type and version
- operating system
- referrer URL
- time of access
- accessed pages and technical request metadata
- error, security and rate-limit events
4. Retention Periods
| Type of data | Retention period |
|---|---|
| Account, workspace and team data | As long as the account is active |
| Project, prompt and scan configurations | As long as the project or account is active, or until deleted by the user |
| Scan results, reports and time series | As long as the project or account is active, or until deleted by the user |
| Server access logs | 7 days |
| App/audit logs | 30 days |
| Billing/invoice references | Generally up to 10 years under commercial and tax law; payment data is held by Stripe |
Account deletion: When you delete your account, the account, project, scan and report data stored in Promptalyze will be deleted or made inaccessible unless statutory retention obligations apply.
Technical residual data may still be contained in backups and will be removed as part of the backup rotation within a maximum of 30 days.
Export & Deletion
- Data export: Upon request, we will provide you with the stored data in a commonly used format.
- Deletion: “Delete account” in the product deletes stored data in accordance with the retention periods and statutory retention obligations described above.
5. Recipients, Processors & Third-Country Transfers
AI, search and data providers
Promptalyze performs AI visibility scans and evaluations based on the projects, prompts, websites, competitors and scan targets configured by the user. Depending on the scan source enabled, data may be transmitted to external AI, search or data providers, for example prompts, brand/product names, domain information, competitors, language/market, scan context and technical request metadata.
The specific providers may vary depending on product status, plan, region and enabled scan sources. Examples of possible provider classes include AI model providers, AI answer systems, search providers, crawling/indexing services and technical analysis providers.
Where providers outside the EU or EEA are used, a third-country transfer may take place. Where required, we base such transfers on appropriate safeguards such as adequacy decisions, standard contractual clauses or comparable protection mechanisms.
Website scans
Promptalyze retrieves the publicly accessible websites and URLs configured by the user in order to analyze technical signals, content, structure, discoverability and optimization potential. In doing so, the respective web servers of the analyzed websites are technically contacted.
AI visibility scans and evaluations
Promptalyze offers features for automated analysis of AI answers, brand/website visibility, source coverage and content accuracy.
- User configuration: Scans are based on the projects, prompts, domains, competitors, markets, languages and schedules configured by the user.
- No unlimited monitoring: No arbitrary content is analyzed without user configuration.
- Storage of results: Answers, evaluations, scores and findings are stored so that trends, comparisons and reports are available in the product.
- Provider dependency: Answers from external AI systems may vary and are subject to the terms and technical characteristics of the respective provider.
- Training: Where possible and contractually provided for, we use providers via business/API access and settings that exclude or restrict the use of transmitted data for training purposes. Details depend on the respective provider and contract.
- Logging: Technical metadata is logged, such as scan type, provider, duration, status, error codes and quota consumption.
Hosting
Our website and servers are operated by: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Payment Processing
We use Stripe for payments. Stripe processes payment data, such as card data, under its own responsibility. Promptalyze stores only the necessary references, such as Stripe customer/subscription ID, payment/invoice status and plan information.
Legal basis: performance of a contract (Art. 6 (1) lit. b GDPR) and legitimate interests in operation, security, abuse prevention and product improvement (Art. 6 (1) lit. f GDPR). Where consent is required, processing is based on Art. 6 (1) lit. a GDPR.
6. Analytics, Tracking & Security Measures
We currently do not use any external analytics or tracking services.
Security Measures (TOMs)
- Transport encryption (TLS) for communication between the browser, Promptalyze and connected services.
- Access control via user accounts, roles and permissions.
- Encryption of sensitive access credentials, tokens or secrets where such data is stored as part of individual features.
- Data minimization: storage only of the data required for account, project, scan, report, billing and operation.
- Logging for security and error analysis, where possible without unnecessary content data.
- Protection mechanisms against abuse, automated overload and unauthorized access.
Transparency statement
In response to official or court requests, we can provide only the account, project, scan, report, operational and billing data stored by us, provided that we are legally required to do so.
No Automated Decision-Making
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.
7. Cookies
We only use technically necessary cookies/storage that are required for login and secure use (Art. 6 (1) lit. b GDPR / Art. 6 (1) lit. f GDPR).
Technically Necessary Cookies
| Cookie / storage | Purpose | Retention period |
|---|---|---|
| Session cookie | Authentication and maintaining the session | Session or according to login setting |
| CSRF cookie | Protection against cross-site request forgery | Session |
| Consent/cookie notice status | Stores whether the notice regarding technically necessary cookies has been confirmed | Until deleted by the user or according to browser settings |
8. Your Rights
You have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR): right to obtain information about your stored data
- Right to rectification (Art. 16 GDPR): right to have inaccurate data corrected
- Right to erasure (Art. 17 GDPR): right to have your data deleted
- Right to restriction of processing (Art. 18 GDPR): right to restrict processing
- Right to data portability (Art. 20 GDPR): right to receive your data in a commonly used format
- Right to object (Art. 21 GDPR): right to object to processing
- Right to withdraw consent (Art. 7 (3) GDPR): right to withdraw consent previously given
To exercise your rights, please contact: data-privacy@promptalyze.com
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.
10. Updates
This privacy policy is updated as needed. The current version date is noted at the beginning of this document.