Privacy Policy

1. Introduction

At Prismio, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code management platform.

2. Information We Collect

Account Information

• Name, email address, and profile information
• Company/organization details (if applicable)
• Account preferences and settings
• Authentication data (encrypted passwords, OAuth tokens)

QR Code & Project Data

• QR codes you create, including destination URLs and parameters
• Workspace and team collaboration data
• QR code scan analytics and performance metrics
• Templates and bulk import/export data

Payment Information

• Billing address and payment method details (processed by Stripe)
• Subscription and transaction history
• Tax identification information (if required)

Analytics & Usage Data (With Consent)

• Platform usage patterns and feature interactions
• Performance metrics via Vercel Analytics (privacy-first, no cookies)
• Website analytics via Google Tag Manager (only with your consent)
• Device information, browser type, and technical specifications
• IP address and approximate location (for security and analytics)

Cookies & Tracking

We use cookies and similar technologies for:

• Necessary: Authentication, security, and essential functionality
• Performance: Analytics and usage statistics (with consent)
• Functional: User preferences and settings
• Marketing: Advertising and remarketing (only with explicit consent)

You can manage your cookie preferences through our consent banner or browser settings.

3. How We Use Your Information

We use the collected information to:

• Provide and maintain our services
• Process transactions and send billing information
• Send administrative information and updates
• Improve our platform and develop new features
• Provide customer support
• Detect and prevent fraudulent activities

4. Data Sharing and Third-Party Services

We do not sell, trade, or rent your personal information to third parties. We work with trusted service providers to deliver our services:

Essential Service Providers

• Supabase - Database hosting and user authentication (GDPR compliant)
• Vercel - Application hosting and performance analytics (privacy-first)
• Stripe - Payment processing and billing management (PCI DSS compliant)
• Cookiebot - Consent management and cookie compliance

Analytics Providers (With Consent)

• Google Tag Manager - Analytics and marketing tags (only with consent)
• Vercel Analytics - Privacy-first performance monitoring (no personal data)

We may also share your information:

• With your explicit consent
• To comply with legal obligations or court orders
• To protect our rights, safety, and prevent fraud
• In connection with a business transfer or acquisition

All our service providers have signed Data Processing Agreements (DPAs) and comply with GDPR requirements.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption, secure servers, and regular security audits.

6. Your Privacy Rights (GDPR)

Under GDPR and other privacy laws, you have the following rights:

Data Subject Rights

• Right to Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data
• Right to Restrict Processing (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Export your data in a structured format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for cookie/analytics tracking

How to Exercise Your Rights

You can exercise these rights by:

• Updating your account settings directly in the platform
• Contacting us at privacy@prismio.com
• Using our automated data export tool in your Privacy settings

We will respond to your request within 30 days. Some requests may require identity verification for security purposes.

7. Cookie Management & Consent

We use Cookiebot to manage cookie consent in compliance with GDPR and ePrivacy regulations. Our cookies are categorized as follows:

Cookie Categories

• Necessary Cookies: Essential for website functionality and security
• Preference Cookies: Remember your settings and language preferences
• Statistics Cookies: Help us understand how you use our platform
• Marketing Cookies: Used for advertising and remarketing (optional)

Managing Your Preferences

You can:

• Update your cookie preferences through the consent banner
• Access cookie settings from our website footer
• Configure browser settings to block cookies
• Contact us to opt-out of specific tracking

Note: Disabling necessary cookies may impact website functionality.

8. Data Retention & Automated Cleanup

We retain your data only as long as necessary and have implemented automated retention policies:

• Account Data: Until account deletion + 30 days grace period
• Analytics & Usage Data: 26 months (automatically deleted)
• Session Data: 90 days (automatically deleted)
• Payment Records: 10 years for German tax compliance (HGB)
• QR Code & Business Data: 7 years (manual review required)
• GDPR Access Logs: 6 years for compliance audit trail
• Email Communications: 3 years (automatically deleted)

Our automated retention system runs daily to clean up expired data while maintaining legal compliance requirements. You can request immediate deletion through your Privacy settings or by contacting privacy@prismio.com.

9. Data Processing Location & Transfers

We process and store your personal data within the European Union for GDPR compliance:

EU Data Processing

• Primary Database: Supabase EU Central (Frankfurt, Germany) 🇩🇪
• Application Hosting: Vercel (with EU data centers where possible)
• Payment Processing: Stripe (EU operations, Dublin office)
• Consent Management: Cookiebot (EU-based, Danish company)

International Transfers

When limited data transfers outside the EU occur, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) with service providers
• Adequacy decisions by the European Commission
• Data Processing Agreements (DPAs) with all vendors
• Regular compliance assessments

GDPR Compliance: Your personal data is primarily stored and processed within the EU, ensuring full compliance with European data protection laws.

10. Contact Us

If you have questions about this Privacy Policy, want to exercise your data protection rights, or need to report a privacy concern, please contact us:

Privacy Inquiries

• Email: privacy@prismio.com
• Data Protection Officer: dpo@prismio.com
• Response Time: Within 30 days

General Contact

• Company: Prismio
• Email: hello@prismio.com
• Website: www.prismio.io

Supervisory Authority

If you are located in the EU and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.