Legal Document

Privacy Policy

How Prizm collects, uses, and protects your personal information.

Effective: May 1, 2025
Last updated: April 30, 2025

01

Introduction

Prizm. ("Prizm", "we", "our", or "us") operates the getprizm.ai website and the Prizm integration platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

02

Information We Collect

We collect information in the following ways:

  • Account Information: When you register, we collect your name, email address, company name, and password.
  • Usage Data: We automatically collect information about how you interact with the Service, including API call logs, feature usage, and performance metrics.
  • Third-Party OAuth Credentials: When you connect an integration (e.g., Slack, Salesforce), we receive and securely store OAuth tokens on your behalf. We never store plaintext passwords for third-party services.
  • Payment Information: If you subscribe to a paid plan, payment details are processed by our payment provider (Stripe). Prizm does not store full card numbers or CVV codes.
  • Communications: If you contact us via email or support channels, we keep a record of that correspondence.
  • Cookies and Tracking: We use cookies and similar technologies to maintain sessions, remember preferences, and analyse usage. See Section 7 for more detail.

03

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service.
  • Authenticate your identity and maintain the security of your account.
  • Execute API requests on your behalf to connected third-party services using your stored OAuth tokens.
  • Send transactional emails (billing receipts, password resets, security alerts).
  • Send product updates and marketing communications where you have opted in — you may unsubscribe at any time.
  • Comply with applicable laws, regulations, and legal processes.
  • Detect, investigate, and prevent fraudulent or unauthorised activity.

04

How We Share Your Information

Prizm does not sell your personal data. We may share information in limited circumstances:

  • Service Providers: We share data with trusted vendors who help us operate the Service (cloud hosting, analytics, email delivery, payment processing). These providers are contractually bound to use data only as directed by Prizm.
  • Third-Party Integrations: Data is transmitted to third-party services only when you explicitly initiate an API action through our platform.
  • Business Transfers: If Prizm is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before this occurs.
  • Legal Requirements: We may disclose information if required by law or if we believe disclosure is necessary to protect our rights or the safety of others.

05

Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • TLS 1.2+ encryption in transit for all API traffic.
  • AES-256 encryption at rest for stored OAuth tokens and sensitive credentials.
  • Role-based access controls (RBAC) so only authorised personnel can access customer data.
  • Regular security audits and penetration testing.
  • SOC 2 Type II compliance (in progress).

Despite our safeguards, no method of transmission over the Internet is 100% secure. We encourage you to use a strong password and enable two-factor authentication.

06

Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance purposes (e.g., financial records are retained for 7 years as required by applicable tax law). OAuth tokens for connected integrations are revoked and deleted immediately upon account deletion.

07

Cookies and Tracking Technologies

We use the following categories of cookies:

  • Essential Cookies: Required for authentication, security, and core functionality. Cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service (e.g., PostHog, Amplitude). You may opt out via your browser settings or our cookie consent manager.
  • Marketing Cookies: Used to deliver relevant advertisements. Only placed with your consent.

You can manage cookie preferences in your browser settings. Disabling non-essential cookies will not affect core functionality.

08

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise these rights, email us at privacy@getprizm.ai. We will respond within 30 days. We may ask you to verify your identity before processing your request.

09

International Data Transfers

Prizm is based in the United States. If you are accessing the Service from outside the US, your information may be transferred to and processed in the US or other countries. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for transfers from the EEA, UK, and Switzerland.

10

Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@getprizm.ai and we will take steps to delete that information.

11

Third-Party Links

The Service may contain links to third-party websites or services. Prizm is not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

12

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Questions?

If you have any questions about this document, please contact us at legal@getprizm.ai or write to us at Prizm., getprizm.ai.