Privacy Policy
Last updated: 1 April 2026
Who we are
PromptScroll is a product of HardPath. If you have questions about this policy, email us at contact@promptscroll.dev.
What we collect and why
We collect the minimum needed to run the service.
- Account data — your name and email address when you sign up. Used to identify your account and send transactional emails (password reset, billing receipts).
- OAuth data — if you sign in with GitHub or Google, we receive your name, email, and profile image from that provider. We do not receive your password.
- Usage data — API call counts per project per month. Used to enforce plan limits and show your usage dashboard.
- Payment data — if you subscribe to a paid plan, your payment details are handled entirely by Stripe. We store only your Stripe customer ID and subscription ID — never card numbers.
- Error data — unhandled errors in the application are sent to our self-hosted error tracker (GlitchTip, running on our own infrastructure). These may include request paths and error messages, but never your prompt content.
- Log data — server logs include request paths, response codes, and timestamps. These are stored for up to 30 days for debugging and are not shared.
What we do not collect
- No tracking pixels, advertising cookies, or third-party analytics. We run self-hosted analytics (Umami) on our own EU infrastructure — no data leaves our servers.
- No behavioural profiling.
- No access to the content of your prompts beyond what is required to serve them via the API.
Cookies
We use one session cookie to keep you logged in. No advertising or tracking cookies are set. No cookie consent banner is required for session cookies under ePrivacy rules, but we are disclosing this here for completeness.
Subprocessors
We use the following third-party services to operate PromptScroll:
| Service | Purpose | Location |
|---|---|---|
| Hetzner | Server infrastructure, database hosting | Germany (EU) |
| Stripe | Payment processing and subscription management | USA (SCCs) |
| GitHub OAuth | Optional sign-in provider | USA (SCCs) |
| Google OAuth | Optional sign-in provider | USA (SCCs) |
| GlitchTip | Error tracking (self-hosted on our EU servers) | Germany (EU) |
| Resend | Transactional email delivery | USA (SCCs) |
SCCs = Standard Contractual Clauses (legal mechanism for EU→US data transfers under GDPR).
Legal basis for processing (GDPR)
- Contract — processing your account data and usage data is necessary to provide the service you signed up for.
- Legitimate interest — server logs and error tracking are used to keep the service running correctly.
- Consent — we do not rely on consent for any processing. You can delete your account at any time.
How long we keep your data
- Account data: until you delete your account.
- Usage data: rolling 13 months.
- Server logs: 30 days.
- Error logs: 90 days.
- Billing records: 7 years (required by EU accounting law).
Your rights
Under GDPR you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a machine-readable format
- Object to processing
To exercise any of these rights, email contact@promptscroll.dev. We respond within 30 days.
Changes to this policy
If we make material changes, we will notify you by email before they take effect. The date at the top of this page reflects the last update.