Privacy Policy — PromptGrammerly
Effective date: 2025‑10‑23
1. Who we are
PromptGrammerly ("we", "us", "our") is a browser extension that enhances the prompts you write on AI sites (e.g., ChatGPT, Claude, Gemini, Perplexity). This policy explains what we collect, how we use it, who we share it with, and your choices.
2. What we collect
- Account information (Google Sign‑In). Email address and basic profile (openid, email, profile) to identify your account and apply free/pro limits.
- Subscription/billing metadata. Subscription tier, expiry, and non‑sensitive payment identifiers (e.g., order/payment IDs). Card details are processed by our payment provider; we never receive card numbers or CVV.
- Usage data. Counts of prompts enhanced (daily/total) and per‑platform counters to enforce free‑tier limits and display usage.
- Prompt content. The text you ask us to enhance is transmitted to our servers solely to generate an enhanced version, which is returned to your page. We do not persist full prompt text after processing; only aggregate counters and idempotency event IDs may be retained.
- Technical diagnostics. Basic error codes, timestamps, and performance metrics to operate and secure the service. We do not collect browsing history, keystrokes, or personal communications.
2.a Data we do NOT collect
- No passwords, PINs, or 2FA secrets
- No browsing history or page analytics unrelated to enhancement
- No precise location or device sensors
- No personal communications (emails, texts, chats)
- No ad tracking identifiers or cross‑site profiling
3. How we collect data
- You provide it directly (sign‑in, prompts you choose to enhance, upgrade/purchase).
- Automatic service events (usage counters, error logs).
- Payment notifications from our payment processor (for receipt/verification only).
4. How we use data
- Provide the core functionality (enhance prompts and insert results back into the page).
- Authenticate users, determine free/pro status, enforce usage limits, and prevent abuse/fraud.
- Process and verify payments and subscriptions.
- Operate, maintain, and improve reliability and performance.
- Communicate important service updates.
Payments SDK (remote script)
For Pro upgrades, we load the official Razorpay Checkout script inside the extension popup only. It is not injected into websites you visit. Card data is entered directly into Razorpay's PCI‑compliant fields; we do not receive card numbers or CVV.
5. Sharing and processors (all parties)
We do not sell user data. We share limited data with processors strictly to operate the service:
- Google Identity Platform — Google Sign‑In (openid, email, profile).
- Razorpay — checkout, payment processing, and payment verification (we do not receive card numbers/CVV).
- Database/hosting (e.g., Supabase and cloud hosting/logging providers) — store account/subscription metadata and usage counters with standard security controls.
These parties process data on our behalf under contracts and may not use it for their own purposes.
5.a AI model providers we call on your behalf
To generate enhancements, our backend may send the prompt text to one or more AI providers, depending on availability and your settings. We do not attach your email or other identifiers to model calls.
- OpenAI (ChatGPT APIs)
- Google (Gemini)
- Anthropic (Claude)
- Together AI / model hosts (Llama/others, when configured)
Each provider processes the prompt solely to return a completion, subject to its own terms and privacy policy.
6. Data retention
- Account & subscription data: deleted within 30 days of a verified deletion request or after 24 months of inactivity, except records we must retain for legal/accounting requirements.
- Prompt content: not stored after enhancement completes (only counters/events retained).
- Payment records: retained by Razorpay per regulatory/financial retention rules.
- Diagnostics: retained up to 30 days for reliability and security, then deleted or aggregated.
7. Your choices and rights
- You may sign out in the extension and uninstall at any time.
- You may request access to or deletion of your account data by emailing us from your signed‑in address. We will verify and respond within 30 days, deleting data not required by law (e.g., financial records).
- Tokens are stored in chrome.storage.local and cleared on sign‑out/uninstall.
7.a Your rights (GDPR/EEA/UK)
- Access, correction, deletion
- Portability (a copy of your account/subscription data)
- Restriction/objection where applicable
- Withdraw consent (by signing out/uninstalling; email us for deletion)
You may also lodge a complaint with your local data protection supervisory authority.
7.b California (CCPA/CPRA)
- Right to know, delete, and correct
- We do not sell or share personal information for cross‑context behavioral advertising
- No sensitive categories are processed
Legal bases (GDPR)
- Contract: to provide the enhancement service you request.
- Legitimate interests: fraud/abuse prevention and reliability improvement.
- Consent: only when you choose optional features (no marketing by default).
- Legal obligation: retain payment/transaction records as required by law.
8. Security
- Transport encryption (HTTPS/TLS), least‑privilege access, and provider security controls.
- Minimal OAuth scopes (openid, email, profile).
- No collection of web history, keystroke logging, or reading of personal communications.
8.a Cookies & local storage
The extension uses chrome.storage.local to store session tokens, subscription tier, usage counters, and UI preferences. No third‑party cookies are set by the extension, and no tracking pixels are used.
Do Not Track
We do not track users across third‑party sites and do not respond to DNT signals, consistent with current standards.
9. Children's privacy
Not intended for children under 13. If you believe a child has provided data, contact us to delete it.
10. International transfers
Data may be processed in regions where our providers operate, subject to appropriate safeguards.
11. Changes to this policy
We may update this policy. The "Effective date" above reflects the latest version. Continued use after changes indicates acceptance.
12. Data controller
PromptGrammerly acts as the data controller for account/subscription data and as a processor for prompt content sent to AI providers strictly to fulfill your request.
13. Contact
Chrome Web Store required disclosures (quick reference)
- How we collect/use/share data: Sections 2–5 describe the exact categories collected (account info, subscription metadata, usage counters, prompt content for processing only, diagnostics), purposes (service delivery, authentication, payments, reliability), and sharing (Google Identity, Razorpay, database/hosting).
- All parties user data is shared with: Google Identity Platform, Razorpay, and our database/hosting providers (e.g., Supabase/cloud).