Security at PromptCraft

Your data and privacy are foundational to everything we build. Here's how we protect them.

Last updated: February 2026

Minimal Data Collection

We only collect what's necessary to provide the Service. We don't hoard data, and we give you controls to delete yours at any time.

Encryption Everywhere

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Your prompts are processed securely and never stored longer than needed.

You Own Your Data

Your prompts, your outputs, your data. We never use your content to train models, sell to third parties, or for advertising.

Infrastructure Security

  • Hosted on Supabase (AWS infrastructure) with SOC 2 compliance
  • Database encryption at rest (AES-256)
  • All API communications over HTTPS/TLS 1.2+
  • Row-level security (RLS) on all database tables
  • Regular automated backups with point-in-time recovery
  • Environment variables and secrets managed securely — never hardcoded

Application Security

  • Authentication via Apple Sign-In and Google Sign-In (OAuth 2.0) — we never handle raw passwords
  • User API keys are never exposed client-side; all AI model requests are proxied through our backend
  • Rate limiting and abuse detection on all API endpoints
  • Input validation and sanitization on all user inputs
  • Regular dependency audits and security updates

Third-Party AI Data Handling

Prompts are sent to AI providers (Anthropic, OpenAI, Google) via their official APIs. Key details:

  • We use API-tier access, which is subject to each provider's enterprise/API data policies — generally, inputs are not used to train models
  • We do not permanently store AI-generated responses on our servers
  • Users should avoid entering sensitive personal or confidential information in prompts

Provider security pages:

Data Handling Practices

  • Prompt history: stored encrypted, user-deletable at any time, auto-expires after 30 days by default
  • Analytics: aggregated and anonymized before storage
  • Payment data: handled entirely by Apple/Google/Stripe — we never see or store full card numbers
  • Account deletion: full data erasure within 90 days of request

Your Controls

  • Delete individual prompts or your full history at any time
  • Export your data (prompts, progress, account info)
  • Adjust prompt retention settings
  • Delete your account entirely from Settings
  • Manage cookie and analytics consent

Compliance

  • Singapore Personal Data Protection Act 2012 (PDPA)
  • EU General Data Protection Regulation (GDPR) for international users
  • Apple App Store and Google Play data safety requirements
  • Working toward SOC 2 Type II certification (planned)

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly to security@promptcraft.app.

  • We appreciate responsible disclosure and will acknowledge reports within 48 hours
  • Please do not publicly disclose vulnerabilities before we've had a chance to address them

Contact

Security team: security@promptcraft.app

Data Protection Officer: dpo@promptcraft.app

Marviy Pte Ltd, Singapore