Privacy Policy

Prizm. ("Prizm", "we", "our", or "us") operates the getprizm.ai website and the Prizmconnector platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

We collect information in the following ways:

• Account Information: When you register, we collect your name, email address, company name, and password.
• Usage Data: We automatically collect information about how you interact with the Service, including API call logs, feature usage, and performance metrics.
• Third-Party OAuth Credentials: When you connect a connector (e.g., Slack, Salesforce), we receive and securely store OAuth tokens on your behalf. We never store plaintext passwords for third-party services.
• Payment Information: If you subscribe to a paid plan, payment details are processed by our payment provider (Stripe). Prizm does not store full card numbers or CVV codes.
• Communications: If you contact us via email or support channels, we keep a record of that correspondence.
• Cookies and Tracking: We use cookies and similar technologies to maintain sessions, remember preferences, and analyse usage. See Section 7 for more detail.

We use the information we collect to:

• Provide, operate, and improve the Service.
• Authenticate your identity and maintain the security of your account.
• Execute API requests on your behalf to connected third-party services using your stored OAuth tokens.
• Send transactional emails (billing receipts, password resets, security alerts).
• Send product updates and marketing communications where you have opted in — you may unsubscribe at any time.
• Comply with applicable laws, regulations, and legal processes.
• Detect, investigate, and prevent fraudulent or unauthorised activity.

Prizm does not sell your personal data. We may share information in limited circumstances:

• Service Providers: We share data with trusted vendors who help us operate the Service (cloud hosting, analytics, email delivery, payment processing). These providers are contractually bound to use data only as directed by Prizm.
• Third-Party Connectors: Data is transmitted to third-party services only when you explicitly initiate an API action through our platform.
• Business Transfers: If Prizm is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before this occurs.
• Legal Requirements: We may disclose information if required by law or if we believe disclosure is necessary to protect our rights or the safety of others.

We implement industry-standard technical and organisational measures to protect your data, including:

• TLS 1.2+ encryption for data in transit.
• KMS encryption for sensitive credentials at rest.
• Role-based access controls.
• Security monitoring and periodic assessments.

Despite our safeguards, no method of transmission over the Internet is 100% secure. We encourage you to use a strong password and enable two-factor authentication.

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance purposes (e.g., financial records are retained for 7 years as required by applicable tax law). OAuth tokens for connected connectors are revoked and deleted immediately upon account deletion.

We use the following categories of cookies:

• Essential Cookies: Required for authentication, security, and core functionality. Cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Service (e.g., PostHog, Amplitude). You may opt out via your browser settings or our cookie consent manager.
• Marketing Cookies: Used to deliver relevant advertisements. Only placed with your consent.

You can manage cookie preferences in your browser settings. Disabling non-essential cookies will not affect core functionality.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion:Request deletion of your personal data ("right to be forgotten").
• Portability: Request your data in a machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise these rights, email us at vault@getprizm.ai. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Prizm is based in the United States. If you are accessing the Service from outside the US, your information may be transferred to and processed in the US or other countries. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for transfers from the EEA, UK, and Switzerland.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at vault@getprizm.ai and we will take steps to delete that information.

When you connect a Google account to Prizm, we request access to specific Google APIs to perform actions that you explicitly authorize and initiate. Prizm acts as a connectivity platform that enables individuals and organizations to securely connect applications and use authorized integrations across AI and agentic environments.

Individual users can connect their applications and use those integrations across platforms such as Gemini, Claude, AniGravity, and similar AI environments. Organizations may connect applications at project or workspace level and enable those integrations across teams and AI-powered workflows.

Prizmsupports a broad and growing catalog of third-party tools and services that users may choose to connect. Each integration performs only the actions you explicitly authorize, governed by that provider's permissions and terms. Google is one of many supported providers — the OAuth scopes listed below apply specifically to Google APIs and are requested only when you connect a Google account and enable the related features.

Prizm.'s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

OAuth Scopes Requested

Depending on the connectors and features you enable, Prizm may request one or more of the following Google OAuth scopes:

How Prizm Uses Google Data

Google user data is processed only to perform actions explicitly requested by users. Examples include:

• Reading, drafting, and sending emails, and managing labels
• Creating and managing calendar events, and checking availability
• Creating, editing, and organizing Drive files, Google Docs, and Google Sheets
• Creating and managing tasks
• Creating and managing Google Meet spaces and settings
• Adding to and editing app-created Google Photos content
• Querying and managing data in Google BigQuery
• Managing Google Ads accounts and data
• Executing other user-authorized actions

Data Storage and Processing

Prizm may process and retain Google-derived information as part of execution history, operational logs, auditability features, security monitoring, debugging, and service reliability features. Execution logs may contain:

• Tool name
• Input parameters
• Output responses
• Execution status
• User-requested content involved in execution

Execution logs are retained for up to 90 days, after which they are automatically deleted. Users may request deletion of associated data where applicable.

Deletion requests may be submitted through account settings or by contacting vault@getprizm.ai. Approved deletion requests are processed according to operational and legal retention requirements.

Revoking a connection immediately disables future access to Google-connected functionality; however, operational records and execution logs may continue to be retained according to the stated retention policy.

OAuth access and refresh tokens required for authentication are encrypted at rest using Key Management Service (KMS) encryption and transmitted only through TLS-secured channels.

OAuth credential values are not exposed in application logs, execution history, or operational monitoring systems.

Data Access Transparency

Prizm provides visibility into executed operations through execution history and operational logs. Execution history may contain:

• Tool names
• Request parameters
• Response outputs
• Execution status
• User-requested content involved in execution

This information is retained only for operational visibility, auditability, and user-facing functionality.

Limited Use Compliance

Prizm's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google Workspace and Google API-derived user data is not:

• Sold to third parties
• Used for advertising
• Used for behavioral profiling
• Google Workspace and Google API-derived user data is not used to develop, improve, fine-tune, or train generalized artificial intelligence or machine learning models.
• Shared except where necessary to provide user-facing functionality or comply with applicable legal obligations

Google user data obtained through Google APIs is used solely to provide user-facing functionality requested and authorized by users.

Google API Policy Compliance

Prizm's access, use, storage, and transfer of information received from Google APIs adheres to the Google API Services User Data Policy and Limited Use requirements. Google-derived data is used only for user-facing functionality explicitly requested and authorized by users.

Revoking Access

Users may revoke Prizm's access to Google accounts at any time through Google Account Permissions or through Prizm account settings. Revoking access immediately disables future access to Google-connected functionality. Stored OAuth tokens associated with revoked integrations become invalid and can no longer be used for future requests.

The Service may contain links to third-party websites or services. Prizm is not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.