Privacy Policy

How Prizm collects, uses, and protects your personal information.

Last updated: 20 June 2026

Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. How We Share Your Information
  5. Data Security
  6. Data Retention
  7. Cookies and Tracking Technologies
  8. Your Rights
  9. International Data Transfers
  10. Children's Privacy
  11. Google API Integrations, OAuth Scopes & Use of Google User Data
  12. Third-Party Links
  13. Changes to This Policy

01 Introduction

Prizm ("Prizm", "we", "our", or "us") operates the stage.web.getprizm.dev website and the Prizm platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

02 Information We Collect

We collect information in the following ways:

  • Account Information: When you register, we collect your name, email address, company name, and password.
  • Usage Data: We automatically collect information about how you interact with the Service, including API call logs, feature usage, and performance metrics.
  • Third-Party OAuth Credentials: When you connect a connector (e.g., Slack, Salesforce), we receive and securely store OAuth tokens on your behalf. We never store plaintext passwords for third-party services.
  • Payment Information: If you subscribe to a paid plan, payment details are processed by our payment provider (Stripe). Prizm does not store full card numbers or CVV codes.
  • Communications: If you contact us via email or support channels, we keep a record of that correspondence.
  • Cookies and Tracking: We use cookies and similar technologies to maintain sessions, remember preferences, and analyse usage. See Section 7 for more detail.

03 How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service.
  • Authenticate your identity and maintain the security of your account.
  • Execute API requests on your behalf to connected third-party services using your stored OAuth tokens.
  • Send transactional emails (billing receipts, password resets, security alerts).
  • Send product updates and marketing communications where you have opted in — you may unsubscribe at any time.
  • Comply with applicable laws, regulations, and legal processes.
  • Detect, investigate, and prevent fraudulent or unauthorised activity.

04 How We Share Your Information

Prizm does not sell your personal data. We may share information in limited circumstances:

  • Service Providers: We share data with trusted vendors who help us operate the Service (cloud hosting, analytics, email delivery, payment processing). These providers are contractually bound to use data only as directed by Prizm.
  • Third-Party Connectors: Data is transmitted to third-party services only when you explicitly initiate an API action through our platform.
  • Business Transfers: If Prizm is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before this occurs.
  • Legal Requirements: We may disclose information if required by law or if we believe disclosure is necessary to protect our rights or the safety of others.

05 Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • TLS 1.2+ encryption for data in transit.
  • KMS encryption for sensitive credentials at rest.
  • Role-based access controls.
  • Security monitoring and periodic assessments.

Despite our safeguards, no method of transmission over the Internet is 100% secure. We encourage you to use a strong password and enable two-factor authentication.

06 Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance purposes. OAuth tokens for connected connectors are revoked and deleted immediately upon account deletion.

The following specific retention periods apply:

  • Execution logs — retained for 90 days, then automatically purged.
  • Webhook delivery logs — retained for 90 days, then automatically purged.
  • User activity logs — retained for 1 year, then automatically purged.
  • Admin audit logs — retained for 7 years for legal and compliance purposes (SOC 2 / GDPR Article 5(2)).
  • Data export files — download links expire after 7 days and the underlying files are deleted automatically.
  • Financial records — retained for 7 years as required by applicable tax law.

07 Cookies and Tracking Technologies

We use the following categories of cookies:

  • Essential Cookies: Required for authentication, security, and core functionality. Cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service (e.g., PostHog, Amplitude). You may opt out via your browser settings or our cookie consent manager.
  • Marketing Cookies: Used to deliver relevant advertisements. Only placed with your consent.

You can manage cookie preferences in your browser settings. Disabling non-essential cookies will not affect core functionality.

08 Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise these rights, email us at privacy@prizm.dev. We will respond within 30 days. We may ask you to verify your identity before processing your request.

09 International Data Transfers

Prizm is based in the United States. If you are accessing the Service from outside the US, your information may be transferred to and processed in the US or other countries. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection for transfers from the EEA, UK, and Switzerland.

10 Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@prizm.dev and we will take steps to delete that information.

11 Google API Integrations, OAuth Scopes & Use of Google User Data

Prizm is an AI connectivity platform that enables users and organisations to securely connect applications, data sources, and services to AI agents, automation workflows, and MCP-compatible clients.

Users may connect Google services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Chat, Google Forms, Google Contacts, Google Tasks, Google Meet, Google Photos, Google Classroom, Google Analytics, Google Ads, Google Search Console, YouTube, Google Admin SDK, BigQuery, and other supported Google services.

Google integrations are optional. Users explicitly choose which Google services to connect and which permissions to grant. Prizm requests Google OAuth scopes only when a user connects and authorises a corresponding Google service.

Prizm does not request access to Gmail, Google Drive, Google Calendar, Google Docs, Google Sheets, Google Chat, Google Forms, Google Classroom, Google Analytics, Google Ads, YouTube, Google Photos, Google Meet, Search Console, BigQuery, or Google Admin data during account login. During authentication, Prizm may request only basic profile and account identification information necessary to authenticate users and manage accounts.

How Prizm Uses Google User Data

Google user data is accessed, processed, and transferred only to provide functionality explicitly requested and authorised by the user. Examples include:

  • Reading, drafting, sending, organising, and managing Gmail messages
  • Creating, updating, and managing Google Calendar events
  • Checking calendar availability and scheduling meetings
  • Creating, editing, organising, and managing Google Drive files
  • Creating and updating Google Docs, Sheets, Slides, and Forms
  • Reading and updating Google Contacts
  • Managing Google Tasks
  • Creating and managing Google Meet conferences
  • Sending and reading Google Chat messages
  • Managing Google Classroom resources
  • Reading Google Analytics reports
  • Managing Google Ads data
  • Reading Search Console data
  • Managing YouTube content
  • Performing Google Workspace administration tasks
  • Querying and analysing BigQuery datasets
  • Executing user-authorised AI workflows and MCP tool operations

Google user data is never accessed unless explicitly authorised by the user through the applicable Google OAuth consent flow. Only the scopes required for the specific integration you enable will be requested. Prizm applies the principle of least privilege — we request only the minimum permissions necessary for the functionality you have chosen to use.

Google Account

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| userinfo.email | Access to your primary Google Account email address. Used to identify your account when connecting Google services and to associate integrations with your user identity. |
| userinfo.profile | Access to your basic Google Account profile information that you have made publicly available, such as your name and profile photo. Used to display your identity within Prizm when managing connected integrations. |
| user.emails.read | Access to read all email addresses associated with your Google Account. Used alongside Google Contacts to identify all addresses linked to your account, enabling accurate contact lookups, email routing, and identity matching across connected workflows. |

Gmail

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| gmail.readonly | Read-only access to all email messages, threads, and labels. Used to search your inbox, retrieve email content for summaries or analysis, and read thread history in user-initiated workflows. |
| gmail.metadata | Access to email headers (sender, recipient, subject, date) without reading email body content. Used to list emails, filter by sender or date, and display inbox overviews without accessing private message body text. |
| gmail.compose | Ability to create and manage email drafts. Used to draft emails on your behalf based on your instructions, without sending them until you explicitly approve. |
| gmail.modify | Ability to read, modify, and delete emails and labels, but not permanently delete threads. Used to archive messages, apply or remove labels, mark messages as read/unread, and organise inbox folders per your instructions. |
| gmail.send | Ability to send email messages on your behalf. Used only when you explicitly instruct Prizm to send an email or reply to a thread as part of a user-authorised automation workflow. |
| gmail.labels | Access to create, read, update, and delete Gmail labels. Used to create custom labels for organising emails and apply label-based routing in automation workflows. |
| mail.google.com | Full access to your Gmail account including reading, composing, sending, and permanently deleting messages. Requested only for advanced workflows that require complete mailbox management capabilities as explicitly authorised by you. |

Google Drive

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| drive.file | Access only to files that Prizm has created or that you explicitly open or share with the app. Used to create, read, and update specific files as part of user-authorised workflows, without accessing your entire Drive. |
| drive.readonly | Read-only access to all files in your Google Drive. Used to search for files, retrieve file content, list folder structures, and display file information in user-initiated queries without modifying any data. |
| drive | Full access to all files in your Google Drive including creating, reading, updating, moving, and deleting files and folders. Requested only for advanced file management workflows explicitly authorised by you. |

Google Docs

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| documents | Full read and write access to your Google Docs documents. Used to create new documents, read existing document content, insert or update text, generate structured reports and meeting summaries, and modify document content as directed by your instructions. |

Google Sheets

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| spreadsheets | Full read and write access to your Google Sheets spreadsheets. Used to create new spreadsheets, insert rows, update cell values, format sheets, and manage structured data as directed by your instructions. |
| spreadsheets.readonly | Read-only access to your Google Sheets spreadsheets. Used to retrieve and analyse spreadsheet data, generate reports or summaries, and display cell values in user-initiated queries without making any changes. |

Google Calendar

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| calendar.app.created | Access only to calendars and events that Prizm has created. Used to manage events created by Prizm on your behalf, such as scheduling meetings or reminders, without accessing your personal or pre-existing calendar data. |
| calendar.calendarlist.readonly | Read-only access to the list of calendars in your Google account. Used to discover which calendars you have (e.g., personal, work, shared) so that events can be scheduled to the correct calendar. |
| calendar.freebusy | Access to free/busy time information from your calendar without revealing event titles or details. Used to check your availability for scheduling meetings and suggest open time slots without reading the content of your calendar events. |

Google Chat

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| chat.messages | Full read and write access to messages in Google Chat spaces and direct messages. Used to send messages, update message content, and delete messages as directed by your instructions. |
| chat.messages.readonly | Read-only access to messages in Google Chat. Used to read message history, search conversations, and retrieve message content in user-initiated queries without sending or modifying any messages. |
| chat.messages.create | Ability to send new messages in Google Chat spaces and direct messages. Used to post messages, notifications, and updates to Chat conversations as explicitly instructed by you. |
| chat.spaces | Full read and write access to Google Chat spaces (group conversations). Used to create new spaces, update space settings, and manage space details as directed by your instructions. |
| chat.spaces.readonly | Read-only access to the list and details of Google Chat spaces you belong to. Used to discover available spaces and retrieve space information without creating or modifying any spaces. |
| chat.memberships | Full access to manage memberships in Google Chat spaces. Used to add or remove members from spaces and update membership roles as directed by your instructions. |

Google Contacts

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| contacts | Full read and write access to your Google Contacts. Used to search for contacts by name or email, create new contacts, update existing contact details, and support contact-based communication workflows as directed by your instructions. |
| contacts.readonly | Read-only access to your Google Contacts. Used to look up contact information, autocomplete names and email addresses, and retrieve contact details without creating or modifying any contact records. |

Google Tasks

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| tasks | Full read and write access to your Google Tasks. Used to create new tasks, update task titles and due dates, mark tasks as complete, organise tasks into lists, and manage task-based workflows as directed by your instructions. |
| tasks.readonly | Read-only access to your Google Tasks. Used to list and read task details, display pending tasks, and retrieve task information without creating or modifying any tasks. |

YouTube

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| youtube.readonly | Read-only access to your YouTube account including channel information, video details, playlists, and subscriptions. Used to retrieve channel statistics, list videos, and analyse content performance without modifying any YouTube data. |
| youtube | Full access to your YouTube account including managing videos, playlists, comments, and channel settings. Used to update video metadata, manage playlists, and perform channel management actions as directed by your instructions. |
| youtube.upload | Ability to upload videos to your YouTube channel. Used exclusively when you instruct Prizm to publish or upload video content to your channel as part of a content publishing workflow. |

Google Analytics

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| analytics.readonly | Read-only access to your Google Analytics account data including traffic reports, audience metrics, conversion data, and website performance statistics. Used to retrieve analytics reports and produce business performance insights without modifying any analytics configuration. |

Google Admin SDK

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| admin.directory.user | Full access to manage user accounts in your Google Workspace directory. Used by Workspace administrators to create, update, suspend, and delete user accounts as directed by admin instructions. |
| admin.directory.user.readonly | Read-only access to user account information in your Google Workspace directory. Used to list users, retrieve user profiles, and search the directory without modifying any user accounts. |
| admin.directory.group | Full access to manage Google Groups in your Workspace including creating, updating, and deleting groups and their settings. Used by administrators to manage mailing lists and security groups as directed by admin instructions. |
| admin.directory.group.readonly | Read-only access to Google Groups in your Workspace. Used to list groups, retrieve group details, and search the groups directory without creating or modifying any groups. |

BigQuery

| Scope | What it allows & how Prizm uses it |
| --- | --- |
| bigquery | Full access to your Google BigQuery resources including datasets, tables, and query execution. Used to run SQL queries against your datasets, retrieve query results, list available tables and schemas, and generate data analysis reports as directed by your instructions. Prizm does not store raw BigQuery data beyond the scope of the immediate query execution. |

Data Storage & Retention

Prizm may process and retain execution-related information for operational functionality, auditability, debugging, security monitoring, abuse prevention, compliance, and service reliability. Execution logs are retained for up to 90 days and are automatically deleted after the retention period expires.

Security

OAuth access tokens and refresh tokens are encrypted at rest using KMS encryption. All communication with Google APIs occurs over encrypted TLS-secured connections. OAuth credentials are never exposed through application logs, execution history, analytics systems, monitoring systems, or user-facing interfaces.

Limited Use Compliance

Prizm's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google Workspace and Google API-derived user data is never:

  • Sold to third-party entities or advertising brokers.
  • Used for targeted advertising displays or behavioural profiling.
  • Used to train any artificial intelligence, large language, or machine learning models.
  • Handled by human personnel unless explicit consent has been provided to troubleshoot an isolated error, to comply with legal/statutory investigations, or when data is thoroughly scrubbed of personal identifiers for structural safety checks.

Revoking Access

Users may revoke Google access at any time through Google Account Permissions or Prizm Integration Settings. Revoking access immediately prevents future access to Google-connected functionality. Stored OAuth credentials associated with revoked integrations become invalid and can no longer be used for future requests.

12 Third-Party Links

The Service may contain links to third-party websites or services. Prizm is not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

13 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Questions about this policy? Contact us at privacy@prizm.dev. For our terms of use, see the Terms of Service.