PLACEHOLDER — DRAFT

This privacy policy has not been reviewed by legal counsel. It must not be published or relied upon until a qualified attorney approves the final text.

Privacy Policy

Last updated: March 17, 2026

1. Data We Collect

We collect information you provide directly: account details (email, name), project descriptions entered into the wizard, and payment information processed by Stripe. We also collect usage data including page views, feature usage, and generation history. We collect technical data such as IP addresses, browser type, and device identifiers for security and service operation purposes.

2. How We Use Your Data

Your data is used to provide the PRDContract service: generating project plans, managing your account, processing payments, and improving our AI agents (without training models on your project data; see Section 3). We do not sell your data to third parties. We process your data on the legal basis of contract performance (to deliver the service you signed up for) and, where applicable, your consent (for analytics cookies).

3. AI and Your Data

Project descriptions you enter are sent to Anthropic's Claude API to generate your planning documents. We do not use your project data to train AI models. Anthropic processes your prompts under their API terms; we use API access with data-retention controls. Generated output is stored in your account and can be deleted at any time.

4. Sub-Processors

We share data only with the service providers listed below that are necessary to operate PRDContract. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual obligation.

  • Supabase (database and authentication) — stores your account profile, projects, generations, and audit log. Data hosted on AWS infrastructure.
  • Stripe (payment processing) — processes subscription and one-time payments. PRDContract never stores raw card data.
  • Anthropic (AI generation) — receives your project description prompts to generate planning documents. No training on your data.
  • Vercel (hosting and edge delivery) — serves the web application and executes serverless functions. Processes request metadata and function logs.
  • Sentry (error monitoring) — receives anonymized error reports and stack traces. Configured to strip PII before transmission.
  • PostHog (product analytics) — receives anonymized usage events after you accept analytics cookies. Does not receive project content.

5. Data Retention

Account data is retained while your account is active. Project data and generated output are retained until you delete them or close your account. After account deletion, all remaining data is purged within 30 days, except for the records noted next. Financial records (payment history, usage records) are retained for 7 years as required by applicable tax and accounting law. Audit log entries are retained for 7 years for compliance purposes.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access and export — download a complete copy of your data from Account Settings → Privacy → Export Data.
  • Correction — update your profile information in Account Settings at any time.
  • Deletion — delete your account and all associated data from Account Settings → Privacy → Delete Account. Financial records subject to legal retention obligations may be retained in anonymized form.
  • Portability — your data export is provided in machine-readable JSON format.
  • Objection and restriction — contact privacy@prdcontract.com to object to or restrict specific processing activities.

We respond to all privacy requests within 30 days.

7. Cookie Policy

We use the following categories of cookies:

  • Essential cookies — required for authentication and session management. These cannot be disabled.
  • Analytics cookies — PostHog collects anonymized usage data to help us improve the product. These are disabled by default and only activated after you explicitly accept them in the cookie consent banner. You can change your preference at any time in Account Settings → Privacy.

8. Security

Data is encrypted at rest (AES-256) and in transit (TLS 1.3). We use row-level security (RLS) policies in our database so that each request can only read or modify the projects belonging to the authenticated user; your project content is never accessible to other users. Access to production systems, which is not subject to RLS, is restricted to service accounts and audited via our audit log. We enforce HSTS so that browsers only connect to PRDContract over HTTPS, preventing downgrade to plaintext HTTP.

9. International Transfers

PRDContract and its sub-processors operate infrastructure in the United States and, for some sub-processors, in the European Union. Transfers of personal data from the EU/EEA to the United States are covered by Standard Contractual Clauses (SCCs) where required under GDPR Chapter V.

10. Contact

For privacy inquiries, data subject requests, or to exercise your rights, contact: privacy@prdcontract.com.