At a glance
- We collect only what we need to run the Service: account email, prompts you save, usage telemetry, billing records and basic technical logs.
- We never sell your personal data. We never use saved prompts to train foundation AI models.
- Payments are processed by Creem as our Merchant of Record. HotPrompt never sees your full card number.
- AI completions are processed by kie.ai, which routes to upstream LLM and vision providers (OpenAI, Google, Anthropic, etc.).
- You can export, correct or delete your data any time — [email protected].
1. Who we are
HotPrompt (“HotPrompt”, “we”, “us”) operates the website and product at hotpromptai.com. For the purposes of the EU/UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), HotPrompt is the Controller of personal data described in this Policy, except where a sub-processor acts as an independent Controller (notably Creem for payment data).
Privacy contact: [email protected].
2. What we collect
2.1 Information you give us
- Account data — your email address and a hashed password (PBKDF2-SHA256, salted; we never store the plaintext).
- Prompt content — the ideas, text, uploaded images and uploaded video frames you submit to the Service. We send these to AI providers (see Section 5) to generate output for you.
- Saved prompts — the optimisations you explicitly save into a project folder. Only saved prompts are retained beyond the immediate request/response.
- Support content — emails you send us and any files you attach.
2.2 Information collected automatically
- Usage events — credit grants, credit consumption, which tools and categories you used, and approximate response sizes.
- Device and connection — IP address, user agent and referer headers, captured for rate-limiting, fraud prevention and basic analytics. We do not perform device fingerprinting.
- Cookies — a session cookie that keeps you signed in, and (if you accept) cookies dropped by Google Analytics 4 for aggregated traffic analytics.
2.3 Information from third parties
- Billing — Creem (our Merchant of Record) shares your subscription status, plan, currency, country (for tax) and a masked card brand / last-four. We do not receive the full card number, CVV or full billing address.
- Moderation flags — Creem's Moderation API and our upstream AI providers may return a flag (e.g. “policy_violation”) for individual generations. We log that the flag was raised so we can prevent abuse and respond to law-enforcement requests where legally required.
3. Why we use your data (lawful bases)
| Purpose | Categories used | Lawful basis (GDPR) |
|---|---|---|
| Operate the Service (auth, optimisation, save/load) | Account data, prompt content, usage events | Performance of a contract (Art. 6(1)(b)) |
| Billing and tax | Subscription status from Creem, country | Performance of a contract; legal obligation (6(1)(b)(c)) |
| Fraud, abuse and rate limiting | IP, usage events, moderation flags | Legitimate interest (6(1)(f)) |
| Product analytics (aggregated) | GA4 events, page views | Consent (6(1)(a)) or legitimate interest |
| Customer support | Support content, account data | Performance of a contract; legitimate interest |
| Legal compliance | As required | Legal obligation (6(1)(c)) |
4. We do not train foundation models on your data
Prompts and optimised output you save are private to your account. We do not use them as training data for any foundation AI model, our own or a third party's. The upstream AI providers we call for completions operate under their own no-training-by-default policies as configured for the API tier we use; see our Data Processing Addendum for the list.
5. Sub-processors
We rely on a small number of carefully vetted sub-processors to run HotPrompt. They process your data only as instructed and under appropriate contractual safeguards (DPAs and, where relevant, Standard Contractual Clauses).
| Sub-processor | Role | Region |
|---|---|---|
| Creem.io | Merchant of Record — payment processing, tax calculation, receipts, customer portal, Moderation API | Global |
| Cloudflare | Hosting (Pages, Workers), D1 database, KV store, CDN, DDoS protection | Global edge |
| kie.ai | OpenAI-compatible router for LLM completions and vision analysis (forwards to OpenAI, Google, Anthropic and others) | Global |
| Google Analytics 4 | Aggregated usage analytics (cookie-based) | EU + US |
We will update this list before adding a new sub-processor that materially affects your data. Significant changes are announced on the DPA page.
6. How long we keep data
- Account record — for as long as your account is active and for up to ninety (90) days after deletion request to allow undo and to comply with anti-fraud requirements.
- Prompt inputs and outputs — request-time inputs are kept only as long as needed to fulfil the request and are discarded within thirty (30) days. Saved prompts are kept until you delete them.
- Billing records — retained by Creem and by us as required by tax and accounting law (typically seven (7) years).
- Security logs — up to ninety (90) days.
- Analytics — Google Analytics 4 default retention (14 months as of writing).
7. Security
We use industry-standard safeguards including TLS in transit, AES-256 at rest where supported by the hosting layer, hashed passwords, sessions stored as opaque tokens in Cloudflare KV, IP-based rate limiting, and least-privilege access for the team. No system is one hundred percent secure — please report suspected vulnerabilities to [email protected].
8. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct it if it is inaccurate;
- delete it (the “right to be forgotten”), subject to legal retention requirements;
- port it to another service in a machine-readable format;
- object to or restrict processing where the lawful basis is legitimate interest;
- withdraw consent at any time (without affecting past lawful processing); and
- complain to a supervisory authority.
California residents have similar rights under CCPA/CPRA, including the right to know what personal information we collect and the right to delete it. We do not sell or share personal informationfor cross-context behavioural advertising as those terms are defined under CCPA/CPRA.
To exercise any of these rights, email [email protected] from the email address on your account. We respond within thirty (30) days.
9. International transfers
HotPrompt is operated globally on Cloudflare's edge. If you are in the European Economic Area, United Kingdom or Switzerland, your data may be transferred to and processed in countries outside your own. Where required, we rely on the Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), and we use sub-processors that are themselves bound by SCCs / Data Privacy Framework certifications.
10. Children
HotPrompt is not intended for children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided personal data, email us and we will delete it.
11. Cookies
We use only the cookies we need:
- Session cookie (strictly necessary) — keeps you signed in. Cleared on logout or expiry (≈ 30 days idle).
- Google Analytics 4 cookies (analytics) — anonymous aggregated traffic statistics. You can opt out by declining analytics cookies or using a tracker-blocker.
We do not use advertising or cross-site tracking cookies.
12. Changes to this Policy
We may update this Policy as the Service evolves. Material changes will be announced by email or in-app notice at least fourteen (14) days before they take effect. The “Effective date” at the top of this page always reflects the current version.
13. Contact
Questions about privacy at HotPrompt? Email us at [email protected] or visit the Contact page.