Legal

Privacy Policy

Last updated: May 21, 2026

This policy describes how Prism collects, uses, and protects your personal data. It applies to all users of the Prism website and services. By using Prism, you agree to the practices described here and in our Terms of Service.

1. Data We Collect

| Data type | Purpose | Retention |
| --- | --- | --- |
| Email address | Account creation and login | Until account deletion + 30-day grace period |
| App idea descriptions | Generate architecture blueprints | Until account deletion + 30-day grace period |
| Wizard answers + agent plans | Architecture recommendations + agent configuration | Until account deletion + 30-day grace period |
| Payment information | Process transactions | Handled entirely by Stripe; never stored by Prism |
| IP address | Security, rate limiting, abuse prevention | 90 days, then deleted |
| Usage metadata + funnel events | Service improvement, conversion telemetry (PostHog) | 12 months, then anonymized |
| Platform OAuth tokens (Stripe Connect, GitHub for Autopilot provisioning) | Operate the platform's own integrations | Until service disconnected, encrypted at rest via CONFIG_ENCRYPTION_KEY |
| Agent OAuth tokens (your Google Calendar, GitHub, Slack) | Allow your agents to act on your behalf in third-party services | Until you disconnect or delete your account, encrypted at rest via VAULT_ENCRYPTION_KEY (separate security domain) |
| Agent conversation history (agent_memory) | Maintain context across agent runs (chat, email, Slack, SMS, scheduled) | Compressed periodically; raw rows beyond ~50 are summarized into long-term memory. Deleted on agent deletion or account deletion + 30-day grace |
| Agent approval queue + audit log | Record every action proposed and approved, including who approved when | Retained for the lifetime of the agent provision; deleted on account deletion + 30-day grace |
| Production sample traces + LLM eval verdicts | Quality monitoring, ~1% of real agent runs are sampled and scored | Retained for the lifetime of the agent provision; deleted on account deletion + 30-day grace |
| Inbound surface payloads (email body, Slack mention text, SMS body, Discord slash command text, webhook + embedded widget message bodies) | Process messages routed to your agent via configured surfaces (chat / email / Slack / Discord / SMS / webhook / embeddable widget) | Stored as part of agent_memory; subject to the same retention as conversation history above |
| Embeddable widget visitor data (visitor UUID, conversation content) | When the agent owner publishes the embeddable widget on a third-party site, anonymous visitors' chat messages are routed into the owner's agent runtime | Visitor UUID stored in the visitor's browser localStorage (under their own control); conversation persists in agent_memory under the agent owner's account; subject to owner's retention |
| Cell phone number (SMS surface only) | Route SMS messages to your agent; verify via 6-digit code | Until you unregister or delete your account; STOP keyword auto-deletes registration |
| Discord workspace + guild data (team ID, guild ID, encrypted bot token) | Operate the Atlas Events Bot installed in your Discord server (Phase 14.9d.ii) | Until you disconnect or delete your account; bot token encrypted at rest via VAULT_ENCRYPTION_KEY |
| User-configured MCP server URLs + cached tool schemas | Subscribe your agent to external Model Context Protocol servers; cache the tool list at probe time so the agent can use the tools | Until you remove the MCP server from the agent; tool schemas only, credentials for those servers (if any) live at the MCP server, not at Prism |
| Supabase project database introspection (Schema Ascension) | Read pg_catalog to propose migrations; validate proposed DDL via BEGIN/ROLLBACK on your live DB; apply validated migrations on merge | Read access during active Plus / Pro Build / Fleet / Atlas Pro subscription; no schema contents retained at Prism beyond migration text + audit log entries |
| Repository code read by Atlas autonomous agents (Janitor, Security Janitor, Auto-Heal, Template Sync) | Read user repo files to propose dependency upgrades, CVE patches, CI fixes, and infrastructure updates | Read-only access during active subscription; we don't retain repo contents beyond what's needed for a single PR open; commit history and PR bodies persist in your GitHub under your ownership |
| Marketplace listings + reviews | Operate the creator economy; verified-install gate on reviews | Listings retained until creator unpublishes or deletes account; reviews retained until reviewer deletes them |
| Marketplace purchase records (Stripe Connect) | Process paid installs, attribute revenue share, handle refunds | 7 years for tax and legal compliance (transaction references only, not card numbers) |
| Stripe customer + connect IDs | Recurring billing, creator payouts | Until account deletion; Stripe retains payment data per its own policy |
| Error reports + observability spans (Sentry, OpenTelemetry) | Diagnose production issues; on-call response | Sentry default retention (typically 30-90 days); OTel spans per exporter configuration |

Prism does not collect biometric data, precise geolocation, or contact lists. No data is collected from users who do not create an account beyond IP address for rate limiting (retained 90 days).

Two encryption-key domains. Platform OAuth tokens (Stripe Connect, GitHub for Autopilot provisioning) and user-controlled OAuth tokens (your Google Calendar, your Slack, your GitHub) are encrypted at rest under separate AES-256-GCM keys (CONFIG_ENCRYPTION_KEY and VAULT_ENCRYPTION_KEY respectively). A leak of one key does not compromise the other. The user-OAuth vault is fail-closed: if its key is misconfigured, the platform refuses to store tokens rather than fall back to plaintext.

2. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contract performance: Processing your idea descriptions, wizard answers, and payment information is necessary to provide the services you requested (blueprint generation, code export, Autopilot builds).
  • Legitimate interest: IP address logging for security and rate limiting, and anonymized/aggregated usage data for service improvement. We have assessed that these interests do not override your rights and freedoms.
  • Consent: If we introduce analytics or marketing communications in the future, we will obtain your explicit consent before processing. You may withdraw consent at any time.

3. How We Use Your Data

  • Generate personalized architecture recommendations based on your answers.
  • Power AI analysis via Anthropic Claude. Your idea text and wizard answers are sent to the Anthropic API to generate architecture reviews. Anthropic does not use this data to train models (per their API data policy).
  • Process payments securely via Stripe.
  • Send transactional emails such as receipts and build status updates. We do not send marketing emails without your consent.
  • Improve our recommendation engine using anonymized, aggregated data. Individual idea descriptions are never shared publicly or sold.

4. Third-Party Services

We share limited data with the following services to operate Prism. Each service has its own privacy policy governing how your data is handled:

| Service | Data shared | Purpose |
| --- | --- | --- |
| Supabase | Email, auth data, agent memory, blueprints | Authentication and primary database |
| Stripe | Email, payment info | Subscription billing + checkout |
| Stripe Connect | Creator identity, payout details | Marketplace creator payouts (paid listings) |
| Anthropic | Idea text, wizard answers, agent prompts, conversation history | LLM reasoning for architecture review, agent runs, evals, customization engine |
| OpenAI | Embedded text (idea descriptions, agent memory) | Vector embeddings for semantic search and memory recall |
| Vercel | Deployment metadata | App hosting + serverless functions |
| GitHub | Repository metadata, commit content, CI logs | Code storage, Autopilot provisioning, Auto-Heal CI log analysis |
| Google | Email (OAuth), Calendar events (user-granted) | Social login + Calendar agent tool |
| Slack | Workspace ID, channel/thread context, mention text | Slack events surface + Slack agent tool |
| Discord | Guild ID, slash command text, interaction tokens | Discord events surface (/atlas slash command via Interactions Endpoint) |
| User-configured MCP servers (third-party, user-provided URLs) | Tool call parameters + return data | When you subscribe your agent to an external MCP server, your agent's tool calls send data to URLs you configured. Their privacy policies govern. |
| Resend | Recipient email, subject, body content | Transactional outbound email (digests, reply-from-email, weekly timesheet) |
| Inbound-email provider (Resend Inbound / SendGrid / Postmark / Cloudflare) | Inbound email headers + body | Route emails sent to your agent's inbox address into the agent runtime |
| Twilio | Phone number, SMS body content | SMS surface (inbound + outbound messages) |
| Upstash (QStash + Redis) | Pipeline message contents (provision IDs, no PII in payload), rate-limit counter keys | Durable job queue + rate-limiting backend |
| PostHog | Anonymized user ID, funnel events (blueprint_generated, checkout_started, etc.), page paths | Conversion analytics + product telemetry |
| Sentry | Error stack traces, request metadata, breadcrumbs (no body content) | Production error monitoring + observability |

Third-party privacy policies: Supabase, Stripe, Anthropic, OpenAI, Vercel, GitHub, Google, Slack, Discord, Resend, Twilio, Upstash, PostHog, Sentry.

User-configured MCP servers. If you connect your agent to external Model Context Protocol (MCP) servers by providing their URLs, your agent's tool calls send data to those URLs. The privacy practices of those servers are governed by their own policies. Prism does not retain the data flowing to or from user-configured MCP servers beyond the standard agent_memory traces of tool calls and results.

Embeddable widget: host site responsibility. If you publish your agent's embeddable widget on a third-party website, visitors to that site can interact with your agent anonymously. Their messages are processed by Prism and stored under your account. You are responsible for ensuring the host site's privacy notice discloses that visitor chat content is processed by Prism on the site owner's (your) behalf. Visitor UUIDs live in their own browser localStorage; visitors can clear them at any time, which starts a fresh conversation thread.

5. International Data Transfers

Prism is operated from the United States. Your data may be transferred to, stored in, and processed in the United States and other countries where our third-party service providers operate (including AWS regions used by Supabase).

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into our agreements with sub-processors.
  • Adequacy decisions where applicable (e.g., the EU-U.S. Data Privacy Framework).

You may request a copy of the applicable transfer safeguards by contacting support@byoidea.com.

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

  • Account data (email, profile): Retained while your account is active. Deleted 30 days after account deletion (grace period for reactivation).
  • Blueprints, idea text, agent plans, agent memory: Retained while your account is active. Deleted 30 days after account deletion.
  • Agent OAuth tokens: Deleted immediately when you disconnect a service, when you exit via the Exit Protocol, or when your account is deleted.
  • Agent approval queue + audit log + production sample traces: Retained for the lifetime of the agent provision (so you can audit what was approved and what the agent did). Deleted 30 days after account deletion.
  • IP addresses: Retained for 90 days for security and rate limiting, then permanently deleted.
  • Usage metadata + funnel events (PostHog): Retained for 12 months, then irreversibly anonymized (no link back to your identity).
  • Marketplace listings: Retained until you unpublish them. Listings remain published after author account deletion only if explicitly transferred; otherwise they are unpublished within 30 days of account deletion. Installs of the listing in other users' workspaces remain functional regardless.
  • Marketplace purchase records: Transaction references (not card numbers) retained for 7 years for tax and legal compliance, regardless of account deletion.
  • Payment records: Stripe retains payment data per their own retention policy. Prism retains transaction references (not card numbers) for 7 years for tax and legal compliance.
  • Inbound surface data (email body, Slack mention text, SMS body): Stored as part of agent_memory and follows the same retention as conversation history above. SMS registrations can be deleted at any time by texting STOP to the platform number.

7. Your Data Rights

Under GDPR, CCPA, and similar regulations, you have the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Update inaccurate personal data.
  • Deletion: Request deletion of your account and all associated data. We will complete deletion within 30 days (subject to the 90-day grace period).
  • Portability: Export your data in a machine-readable format (JSON).
  • Restriction: Request that we limit processing of your data while a complaint is resolved.
  • Objection: Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use the in-app support chat or email support@byoidea.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to legal exceptions.
  • Right to non-discrimination: We will not deny you service, charge different prices, or provide a different quality of service for exercising your CCPA rights.

Prism does not sell your personal information. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months as defined by the CCPA.

9. Data Storage and Security

  • All data is stored in Supabase (hosted on AWS) with encryption at rest (AES-256) and in transit (TLS 1.3).
  • Row-level security policies enforce strict data isolation between users. Service-role keys (which bypass row-level security) are never exposed to client-side code.
  • Two-domain encryption-key separation. Platform OAuth tokens (Stripe Connect, GitHub for Autopilot provisioning) are encrypted with AES-256-GCM under CONFIG_ENCRYPTION_KEY. User-controlled OAuth tokens (your Google Calendar, Slack workspace, GitHub account for agent tools) are encrypted under a separate key, VAULT_ENCRYPTION_KEY, in a distinct security domain. A leak of one key does not compromise the other. The user-vault encrypter is fail-closed: if its key is misconfigured, the platform refuses to store tokens.
  • Agent OAuth tokens are scoped narrowly (Google Calendar uses Calendar-only scopes; Slack uses bot scopes only; GitHub scopes follow least-privilege per use case). The platform has not requested Gmail-send or restricted Google scopes that would require CASA security audit.
  • The Prism marketplace is gated by automated moderation checks (leak-word scanning, spam heuristics, cross-creator clone detection) at publish time. Listings that fail moderation are held for manual review before becoming publicly browsable.
  • Sensitive secrets (API keys, encryption keys, webhook signing secrets) are stored in Vercel-managed environment variables. Source code never contains live secrets.
  • Access to production systems is limited to authorized personnel and protected by multi-factor authentication.

10. Data Breach Notification

In the event of a security breach that compromises your personal data, Prism will:

  • Notify affected users within 72 hours of confirming the breach, via email and in-app notification.
  • Provide a description of the breach, the categories of data affected, the likely consequences, and the measures we are taking to address it.
  • Notify relevant supervisory authorities within 72 hours where required by applicable law (GDPR Article 33).
  • Publish a post-incident report within 30 days describing root cause and remediation steps.

11. Cookies

  • Essential cookies: Supabase auth session cookie, required for login functionality. Cannot be disabled.
  • Analytics cookies: None currently. If we add analytics in the future, we will implement a consent banner before setting any non-essential cookies.
  • We do not use any third-party tracking cookies.

12. Do Not Track

Prism does not currently respond to “Do Not Track” (DNT) browser signals because there is no industry-standard DNT specification. We do not track users across third-party websites. If a uniform DNT standard is adopted, we will update this policy accordingly.

13. Children's Privacy

Prism is not intended for users under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it within 30 days. If you believe a child has provided us with personal data, please contact support@byoidea.com.

14. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of Prism after the effective date constitutes acceptance of the updated policy.

15. Contact

Questions about this privacy policy or your data? Reach out through the in-app support chat or email us at support@byoidea.com. For formal data protection inquiries, you may also write to us at the address listed on our website.