Privacy Policy

1. Who We Are

PrismPoster is operated by PrismLabs OÜ. This policy explains how we collect, use, disclose, retain, and protect personal data when you visit https://www.prismposter.com or use PrismPoster's SaaS application, generation tools, publishing workflows, community features, and related services.

For account, billing, website, security, analytics, and product operations, we generally act as the data controller. For customer content that a business user uploads or processes on behalf of its own customers or audience, we may act as a processor under the applicable customer agreement or data processing addendum.

2. Personal Data We Process

• Account data: name, email address, profile image, public usertag, password hash, OAuth provider identifiers, passkey metadata, and verification state.
• Billing data: Stripe customer, subscription, invoice, credit, and transaction metadata. We do not store full payment-card numbers.
• Content and media data: prompts, drafts, uploaded files, generated text, images, videos, music, captions, metadata, scheduled posts, and published community content.
• Connected-account data: social-platform usernames, scopes, status, and encrypted access credentials needed to publish or analyze connected channels.
• Verified identity and likeness data: if you use consent-backed real-person features, we process capture evidence, likeness references, consent records, audience-gate data, and generated fan/video outputs for that feature.
• Usage, device, and security data: IP-derived request metadata, browser/device information, rate-limit events, audit logs, diagnostics, and consent-choice records.
• Support and feedback: messages, attachments, contact details, and administrative notes needed to respond to you.

3. Why We Process Data

We process personal data only when we have a lawful basis, including:

• Contract performance: creating accounts, authenticating users, generating content, storing projects, providing downloads, billing subscriptions, and publishing to connected accounts at your direction.
• Consent: optional analytics/marketing cookies, verified identity likeness capture, and other opt-in workflows where consent is requested.
• Legitimate interests: service security, abuse prevention, debugging, reliability, fraud prevention, and product improvement that does not override your rights.
• Legal obligations: tax, accounting, sanctions, security, consumer protection, copyright, and regulatory compliance.

4. Cookies, Analytics, And Privacy Signals

Essential cookies and storage keep authentication, security, consent records, and core product workflows working. Optional analytics, functional, and marketing categories load only according to your cookie choices. See the Cookie Policy.

PrismPoster honors browser Do Not Track and Global Privacy Control by keeping optional analytics and marketing disabled. You can also manage choices at Privacy Choices or, when signed in, at Settings > Privacy.

5. Sub-Processors And Third Parties

We use vetted service providers for hosting, database storage, payments, transactional email, analytics after consent, security monitoring, AI/media generation, social publishing, and file storage. The current list is maintained on our Sub-Processors page.

We do not sell personal information for money. If optional analytics, advertising, or cross-context disclosures are considered a sale or sharing under applicable US privacy law, you can opt out through Privacy Choices, Global Privacy Control, or Settings > Privacy.

6. Your Privacy Rights

Depending on your location, you may have rights to:

• Access personal data and receive information about how it is used.
• Receive portable data in a structured, machine-readable format.
• Correct inaccurate or incomplete personal data.
• Delete personal data, subject to legal, security, fraud-prevention, and billing exceptions.
• Restrict or object to certain processing.
• Withdraw consent for optional processing.
• Object to solely automated decisions with legal or similarly significant effects.
• Opt out of sale/sharing and limit sensitive personal information under CCPA/CPRA.
• Exercise rights without unlawful discrimination.

Signed-in users can exercise these rights in Settings > Privacy. You can also email dpo@prismposter.com. We aim to respond within 30 days unless applicable law permits or requires a different timeline.

7. Retention And Deletion

• Active accounts: account, project, media, and workspace data are retained while needed to provide the service.
• Deleted accounts: account-linked product data is deleted or detached according to the account deletion workflow. Backups are purged on their normal rotation, generally within 30 days.
• Legal records: billing, tax, fraud-prevention, security, audit, consent, and dispute records may be retained as required or permitted by law, typically up to 7 years for financial records.
• Aggregated data: anonymized or aggregated metrics that no longer identify an individual may be retained for product, security, and business analysis.

8. International Transfers

PrismPoster and its providers may process data in the European Economic Area, United Kingdom, United States, and other countries where our providers operate. Where required, we use safeguards such as data processing agreements, Standard Contractual Clauses, transfer impact assessments, and provider security commitments.

9. Security

We use technical and organizational measures including TLS, encrypted provider storage, password hashing, scoped OAuth access, rate limiting, origin checks, audit logging, and access controls. No system is perfectly secure, but we work to prevent, detect, and respond to unauthorized access. See our Security page for more detail.

10. Children

PrismPoster is not directed to children. You may not use the service if you are under 13, or under 16 where EEA/UK law requires a higher age for consent to online services. If we learn that we collected personal data from a child without appropriate consent, we will delete it.

11. Changes

We may update this policy as PrismPoster, our providers, or applicable law changes. Material changes will be posted on this page and, where appropriate, communicated in the product or by email.