Privacy Policy
Last updated: May 9, 2026
The short version
We collect what we need to run the service, nothing more. Your email if you sign up. Your prompts when you submit them for refraction (the enhanced version is the product). Payments go directly to Polar — we never see your card. We don't run analytics, ad pixels, or third-party trackers. We don't sell your data.
Who we are
Promly ("we," "us," "our") is operated by Erez Haim. We build a prompt-refraction service that takes a rough prompt and turns it into a precise one tuned for Midjourney v7, GPT Image 2, Flux Pro, DALL-E 3, and Nano Banana. Our website is promly.ai.
For privacy questions, email legal@promly.ai.
What we collect
Here is everything we store, why, and where:
| Data | Why | Where it lives |
|---|---|---|
| Email address | Account identity, sign-in via magic link | Supabase (auth + your row in pl_users) |
| OAuth profile (Google or Discord) | Sign-in if you choose social login. We receive your email and display name only — never your password | Supabase auth, scoped to your row |
| Prompts you submit | To refract them into enhanced prompts — the core service | Sent to Anthropic (primary) or OpenAI (fallback) at request time. Stored in your account history so you can revisit past refractions |
| Enhanced outputs | So you can copy them and use them in your image tool of choice | Your account history in Supabase, scoped to your row |
| Plan and usage state | Track which plan you're on (Free, Starter, Pro, or Studio), your remaining subscription credits, and any top-up credit balance with its expiry date | Supabase (pl_users, pl_subscriptions, pl_credits) |
| Payment state (subscription ID, order ID, status) | Match your Polar checkout to your account; renew, refund, expire | Supabase. We never see or store your card number — Polar handles all card data and is PCI DSS Level 1 |
| Browser session token | Keep you signed in between visits | Your browser (localStorage and an sb-…-auth-token cookie set by Supabase) |
That's the complete list. We don't run web analytics, behavioral tracking, ad pixels, retargeting, or fingerprinting.
What we don't collect
- We don't track you across other websites
- We don't use Google Analytics, Plausible, Segment, Mixpanel, or any analytics provider
- We don't run Facebook, Twitter, Reddit, or LinkedIn pixels
- We don't store your credit card number — Polar handles all payment data
- We don't collect your name, phone number, or address unless you email us directly
- We don't build profiles or sell data to third parties
Third-party services
Promly is a small operation that relies on a few specialized services. Each handles a slice of the product and has its own privacy policy:
- Anthropic — runs Claude Haiku, our primary refraction model. When you submit a prompt, we send the prompt content to Anthropic's API for processing. Anthropic Privacy Policy →
- OpenAI — runs GPT-4o-mini, our fallback model when Anthropic errors. Used only when the primary fails. Same data flow: prompt content goes to their API. OpenAI Privacy Policy →
- Supabase — handles authentication and stores your account data, plan state, and refraction history. Hosted on AWS. Supabase Privacy Policy →
- Polar — processes payments, subscriptions, and refunds. PCI DSS Level 1. We never touch your card data. Polar Privacy Policy →
- Google — only if you choose Google sign-in. We receive your email and name; nothing else. Google Privacy Policy →
- Discord — only if you choose Discord sign-in. Same scope: email and username. Discord Privacy Policy →
- Vercel — hosts the website itself. Standard server logs (IP, user agent, request path) for operational purposes. Vercel Privacy Policy →
Cookies and browser storage
Promly uses the bare minimum:
- Supabase auth cookie (sb-…-auth-token) — keeps you signed in. Strictly necessary for the service to work. Cleared when you sign out.
- localStorage — Supabase auth library uses localStorage to refresh your session token. Stored in your browser; never sent to us as a cookie.
That's it. No analytics cookies, no consent-banner tracking cookies, no third-party advertising cookies. Because we don't run any of those things, there's nothing to consent to beyond what's strictly necessary to sign you in and keep you signed in.
Your rights
Regardless of where you live, you can:
- See your data — your account state and refraction history are visible from /dashboard/. For anything else, email us
- Delete your account — use the danger-zone card in /dashboard/, or email us. We delete your row in pl_users and your refraction history. Polar transaction records remain for the legal retention window noted below
- Export your history — email us and we'll send a JSON dump within 14 days
- Cancel your subscription — manage via the Polar customer portal linked from /dashboard/, or email us
If you live in the EU (GDPR), UK (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), or Israel (PPL 5741-1981), you have additional statutory rights. Use the contact email at the bottom of this page with your request and we'll respond within 30 days.
Data retention
- Account data — retained until you delete your account
- Refraction history (your prompts and outputs) — retained until you delete it from your dashboard or delete the account; you can clear individual entries from /enhance/ at any time
- Payment records — Polar retains transaction records as required by financial regulations (typically 7 years). We retain the subscription/order IDs that link your Polar account to your Promly account; we delete those when you delete your account
- Server logs — Vercel keeps standard request logs; we don't use them beyond operational debugging
How model providers handle your prompts
Because Promly's whole job is to refract your prompts, we have to send them to the model provider that does the refraction. A few specifics:
- We use Anthropic's and OpenAI's API endpoints, not their consumer chat products. API requests are not used to train their models by default
- Anthropic's API data policy: prompts and outputs are not used to train Claude unless you opt in via Anthropic's own settings (you do not have an Anthropic account through us). Anthropic retains API request logs for up to 30 days for trust-and-safety review, then deletes them
- OpenAI's API data policy similarly excludes API traffic from training data and retains logs for limited periods for abuse prevention
- If you submit something private or sensitive in a prompt, both providers will see it. We recommend not pasting secrets, credentials, or anything you wouldn't want a third-party processor to handle
Children
Promly is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, use the contact email at the bottom of this page and we'll delete it.
Changes to this policy
If we change this policy, we'll update the "Last updated" date at the top. For material changes, we'll notify account holders by email. We won't reduce your rights without notice.