Privacy Policy — Proompi
Last updated: 1 May 2026 | Version 1.0
ENGIT sp. z o.o.
ul. Stefana Jaracza 39, 33-100 Tarnów, Polska
KRS: 0001109234 · NIP: 8733296963 · REGON: 528839231
1. Who we are (Data Controller)
The controller of your personal data is:
ENGIT spółka z ograniczoną odpowiedzialnością (ENGIT Ltd.), ul. Stefana Jaracza 39, 33-100 Tarnów, Poland, KRS: 0001109234, NIP: 8733296963, REGON: 528839231. General contact: hi@proompi.com. Data protection contact: privacy@proompi.com.
We operate the Proompi service (https://www.proompi.com) — an AI-powered SaaS platform for content creation.
In this Policy, "we" / "Proompi" / "Controller" refers to ENGIT sp. z o.o.; "you" / "User" refers to the data subject.
2. Data protection contact point
We have not appointed a formal Data Protection Officer (DPO) within the meaning of Art. 37 GDPR. Please address all data protection inquiries to: privacy@proompi.com or in writing to our registered office.
Data protection matters are handled internally by the management of ENGIT sp. z o.o. (Jacek Barwacz, CEO).
3. What data we process
3.1. Data you provide during registration and use of the Service
| Category | Example data | Required / Optional |
|---|---|---|
| Login credentials | email address, password (stored as bcrypt hash) | Required |
| Profile data | name/pseudonym, profile picture | Optional |
| Preference data | interface language, preferred AI model | Optional |
| Onboarding data | primary usage goal, industry | Optional |
| Business data (B2B) | VAT number, company name, address | Required for B2B purchases |
3.2. Data collected automatically
| Category | Data | Purpose |
|---|---|---|
| IP address | collected at registration/login; stored as a keyed hash (HMAC-SHA256, see section 12) rather than in plaintext | Security, fraud detection, accountability |
| Country | detected from IP, 2-letter code (e.g. "PL") | Personalisation, analytics |
| User agent | browser, operating system | Security, optimisation |
| Activity time | login, last activity | Security, retention |
| Device identifiers | pseudonymous device fingerprint for non-logged-in users | Limiting free trials |
3.3. Data from OAuth login (Google, Facebook)
When you log in via Google or Facebook, we receive: provider account ID, email, first name, profile picture, and access tokens (stored encrypted).
3.4. Content you generate
- Prompts (text input for generation)
- Generated content (images, video, audio, text — stored in Google Cloud Storage, Warsaw region)
- AI conversations
- Workflows (your automation sequences)
- Brand profiles (communication tone, keywords, industry, values)
- Reference content uploads (images for editing, materials for variant generation)
3.5. Financial data
- Stripe customer and transaction IDs (e.g. cus_..., sub_...)
- Amounts paid, currency, transaction status
- VAT invoices (for Entrepreneurs)
3.6. Analytics data
- In-app events (login, signup, content generation, purchases)
- Usage statistics (number of prompts, AI models, Credits consumed)
- Session data (duration, pages visited)
3.7. Social media data (if you connect accounts)
- Platform account ID (Instagram, Facebook, TikTok, LinkedIn, Threads)
- Login, display name, avatar
- OAuth tokens (stored by bundle.social, not by us)
- Post analytics data (impressions, reach, likes, comments) — from Proompi v2
3.8. Onboarding data and preferences (Proompi v2)
- Primary usage goal (primaryGoal)
- Industry (userIndustry)
3.9. Behavioural data — Brand Intelligence (Proompi v2)
The AI Brand Intelligence feature automatically analyses: average post length, emoji and hashtag usage (style, average count), posting hours and days, engagement rates per platform, content type effectiveness.
3.10. Data of persons invited to a Team (Team Workspace, Proompi v2)
Invited persons receive a full GDPR Art. 13 information clause in the invitation email.
- Email address of the invited person
- Invitation token (single-use, valid for 7 days)
- Invitation status (pending / accepted / declined / expired)
4. Purposes and legal bases for processing
| Purpose | Legal basis (GDPR) | Data |
|---|---|---|
| Account creation and maintenance | Art. 6(1)(b) — contract performance | login credentials, profile data |
| Provision of AI Services | Art. 6(1)(b) | Prompts, generated content, brand profiles |
| Payment processing and invoicing | Art. 6(1)(b) and Art. 6(1)(c) (tax obligations) | financial data, business data |
| Transactional communications | Art. 6(1)(b) | email address, notification content |
| Marketing communications (newsletter) | Art. 6(1)(a) — consent | email address |
| Team invitations (Team Workspace) | Art. 6(1)(b) — pre-contractual measures | invited person's email address |
| Brand Intelligence — behaviour analysis | Art. 6(1)(f) — legitimate interest | behavioural data; with effective opt-out |
| Internal product analytics | Art. 6(1)(f) — legitimate interest | events, statistics |
| Security and fraud detection | Art. 6(1)(f) — legitimate interest | IP address (hashed), user agent, logs |
| Handling complaints and claims | Art. 6(1)(f) — legitimate interest | account data, ticket content |
| Analytics and marketing cookies | Art. 6(1)(a) — consent | cookie identifiers |
| Training AI models on identifiable data | Art. 6(1)(a) — consent (opt-in) | only after explicit consent in Account Settings |
| Tax and accounting compliance | Art. 6(1)(c) — legal obligation | financial data, invoices — for 5 years |
5. Sources of data
Most data is received directly from you. Some data is received from other sources:
| Source | What data |
|---|---|
| OAuth providers (Google, Facebook) | email address, name, account ID, avatar, permission scopes |
| bundle.social | post analytics data, publication status |
| Stripe | transaction data, payment status |
| AI sub-processors | usage signals (for credit billing) |
| IP geolocation | country code (based on IP address) |
6. Recipients of data (processors and joint controllers)
We share data with selected, vetted processors (sub-processors). We have concluded a data processing agreement under Art. 28 GDPR with each of them. For transfers outside the EEA, we apply Standard Contractual Clauses (SCCs) adopted by the European Commission.
6.1. Infrastructure (EU)
| Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Google Cloud EMEA Limited) | application hosting, database, storage | Warsaw, Poland (europe-central2) |
| Upstash | cache, rate limiting | Frankfurt, Germany (eu-central-1) |
| Cyberfolks (h88 S.A.) | transactional email sending (SMTP) | Poland |
6.2. Payments
| Processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | payment processing | EU / USA |
6.3. AI models (transfer outside EEA — USA)
| Processor | Purpose | Location | Data |
|---|---|---|---|
| Anthropic, PBC | prompt enhancement, conversations, Content Score | USA | Prompt content, conversation history |
| OpenAI, L.L.C. | image generation, visual analysis | USA | Prompt content, reference images |
| Together AI Inc. | image generation (FLUX) | USA | Prompt content |
| Ideogram AI | text-to-image generation | USA | Prompt content |
| ElevenLabs Inc. | music and narration generation | USA | text, musical description |
| Replicate Inc. | video/audio generation | USA | Prompt content |
| Luma AI Inc. | video generation | USA | video description |
| fal.ai | photo editing (background) | USA | image uploaded by User |
6.4. Other sub-processors
| Processor | Purpose | Location |
|---|---|---|
| bundle.social | social media publishing and analytics | EU |
| Sentry / Functional Software, Inc. | error monitoring, session replay | USA |
| Google LLC (Google Analytics) | usage analytics (with consent) | USA |
| Meta Platforms, Inc. (Facebook Pixel) | conversion tracking (with marketing consent) | USA |
6.5. Other data sharing scenarios
- public authorities, where required by law (e.g. police, prosecutors, data protection authority),
- legal, tax and audit advisors — to the extent necessary,
- acquirer of the business or its part in M&A transactions — with data protection standards maintained.
7. International data transfers
Some sub-processors are located outside the European Economic Area (mainly in the USA). We apply the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures as required by the CJEU's Schrems II ruling (C-311/18).
- Where the recipient is certified under the EU-U.S. Data Privacy Framework (DPF), reliance on the Commission's adequacy decision for that framework.
- Pseudonymisation of data before transfer (including keyed hashing of IP addresses).
8. How long we retain your data
| Data category | Retention period |
|---|---|
| Active User Account | until deletion request (or 24 months of inactivity) |
| Account after deletion request | 30 days (grace period) → permanent deletion |
| Generated images (FREE) | 7 days |
| Generated images (SPARK) | 30 days |
| Generated images (ACCELERATOR) | 90 days |
| Generated images (PRO) | 365 days |
| Invoices and accounting data | 5 years (Tax Ordinance) |
| Access and security logs | 90 days |
| JWT sessions | 30 days |
| Email verification tokens | 24 hours |
| Password reset tokens | 1 hour |
| Anonymous usage limits | 30 days |
| Processing logs (DataProcessingLog) | 3 years |
| Google Analytics data | 14 months |
| Team invitations (not accepted) | 7 days → automatic deletion |
| Team invitations (accepted) | until leaving the team or account deletion |
| Complaints and tickets | 3 years after closure |
9. Your rights
Under GDPR, you have the following rights:
| Right | Legal basis | How to exercise |
|---|---|---|
| Right of access | Art. 15 GDPR | Settings → Privacy → Download data or privacy@proompi.com |
| Right to rectification | Art. 16 GDPR | Settings → Profile or privacy@proompi.com |
| Right to erasure | Art. 17 GDPR | Settings → Privacy → Delete account |
| Right to restriction of processing | Art. 18 GDPR | privacy@proompi.com |
| Right to data portability (JSON format) | Art. 20 GDPR | Settings → Privacy → Export data |
| Right to object | Art. 21 GDPR | Settings → Privacy → File objection or privacy@proompi.com |
| Right to withdraw consent | Art. 7(3) GDPR | Settings → Consents |
| Right to lodge a complaint with supervisory authority | Art. 77 GDPR | Prezes UODO, ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl |
- Response deadline: up to 1 month, extendable by a further 2 months for complex or numerous requests; we inform you of any extension within the first month (Art. 12(3) GDPR).
- Free of charge: Exercising rights is free unless a request is manifestly unfounded or excessive.
- Identity verification: To protect against abuse, we may request identity confirmation.
10. Profiling and automated decision-making
10.1. Brand Intelligence (Proompi v2)
- Do we use profiling? Yes — we automatically analyse your publishing patterns to recommend optimal posting times, hashtags and content formats.
- Does it produce legal or similarly significant effects? No. You retain full control: recommendations are suggestions only.
- Legal basis: Art. 6(1)(f) GDPR — legitimate interest (improving service quality).
- Your rights: Right to object (Art. 21 GDPR), right to disable the feature.
10.2. Content Score (Proompi v2, ACCELERATOR+ plan)
Optional feature, triggered by you. An AI model evaluates the quality of your post on 4 criteria (hook strength, readability, hashtags, brand voice alignment). The score is a suggestion only. We never block publication regardless of the score.
10.3. Anti-fraud and security
- We use automated fraud detection mechanisms (e.g. excessive credit usage, suspicious logins).
- We do not make fully automated decisions with legal effects (e.g. account blocking) — every decision is subject to human review.
11. Cookies
Full information about cookies is available in the Cookie Policy at https://www.proompi.com/legal/cookies.
- Necessary cookies (session, CSRF) — no consent required, based on Art. 6(1)(b) GDPR.
- Analytics cookies (Google Analytics) — only with your consent.
- Marketing cookies (Facebook Pixel) — only with your consent.
12. Data security
We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:
- Encryption: TLS 1.2 or higher on all connections (data in transit); encryption of the database and of stored OAuth/access tokens (data at rest).
- Passwords: never stored in plaintext; stored as a bcrypt hash with a per-password random salt and cost factor 10.
- Pseudonymisation: IP addresses are stored as a keyed hash (HMAC-SHA256) whose secret key is held in an environment variable rather than in the database.
- Access control: role-based access control (RBAC), data isolation per teamId/userId, audit trail.
- Backup: daily backups, point-in-time recovery up to 7 days, multi-AZ replication.
- Monitoring: fraud detection, cost alert thresholds, AI kill switch.
- Secure engineering: schema-based input validation (Zod), sanitisation, parameterised database access via Prisma ORM, automatic output escaping in React, CSRF tokens, cookies set with the SameSite, Secure and HttpOnly attributes.
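The IP pseudonymisation described above, as an added example that is not part of the Proompi code base or of this policy: it shows why the secret key in the HMAC matters. A plain, unkeyed SHA-256 of an IPv4 address can be reversed by enumerating the address space (2^32 candidates, minutes of CPU time; the demonstration enumerates a documentation /24 so it runs instantly), whereas an HMAC-SHA256 output cannot be matched without the key. The environment variable name IP_HASH_KEY, the fallback to a random key, and the 203.0.113.0/24 sample range are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets
from typing import Optional

# The secret key is read from an environment variable (the policy's key "in an
# environment variable"); the name IP_HASH_KEY is assumed for this example.
# The fallback to a fresh random key only exists so the example runs
# stand-alone: a real deployment must use one fixed, randomly generated key of
# at least 32 bytes, or pseudonyms stop being comparable across requests.
IP_HASH_KEY = os.environ.get("IP_HASH_KEY", "").encode() or secrets.token_bytes(32)


def canonical_ip(ip: str) -> str:
    """Normalise textual forms so '2001:0db8::1' and '2001:db8::1' hash alike."""
    return str(ipaddress.ip_address(ip))


def pseudonymise_ip(ip: str, key: bytes = IP_HASH_KEY) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the canonical address."""
    return hmac.new(key, canonical_ip(ip).encode(), hashlib.sha256).hexdigest()


def matches_pseudonym(ip: str, stored: str, key: bytes = IP_HASH_KEY) -> bool:
    """Compare a fresh login IP against a stored pseudonym in constant time."""
    return hmac.compare_digest(pseudonymise_ip(ip, key), stored)


def unkeyed_sha256(ip: str) -> str:
    """The weak variant: plain SHA-256 with no secret. Shown only to be broken below."""
    return hashlib.sha256(canonical_ip(ip).encode()).hexdigest()


def reverse_unkeyed(digest: str, network: str) -> Optional[str]:
    """Recover the address behind a plain SHA-256 by enumerating candidates.

    A /24 is 256 hashes; the whole IPv4 space is 2**32, still only minutes of
    CPU time, so an unkeyed hash of an IPv4 address is not irreversible in any
    meaningful sense. Returns None when no candidate in the range matches,
    which is what happens for an HMAC digest without the key.
    """
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(str(addr).encode()).hexdigest() == digest:
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample input: an address from the RFC 5737 documentation range.
    client_ip = "203.0.113.7"
    weak = unkeyed_sha256(client_ip)
    strong = pseudonymise_ip(client_ip)
    print("plain SHA-256 reversed to:", reverse_unkeyed(weak, "203.0.113.0/24"))
    print("HMAC-SHA256 reversed to:  ", reverse_unkeyed(strong, "203.0.113.0/24"))
    print("same client on next login:", matches_pseudonym(client_ip, strong))
```

Keyed hashing is still pseudonymisation, not anonymisation: whoever holds the key can test whether a given address matches a stored value, which is exactly what the login comparison in matches_pseudonym relies on. Keeping the key out of the database means a dump of the table alone does not let an attacker run the enumeration shown above, and rotating the key deliberately breaks linkability with older records.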
13. Children
The Proompi Service is intended exclusively for persons aged 18 or over. We do not knowingly collect data from children. If you have information that a child is using the Service, please contact us: privacy@proompi.com. We will immediately delete such an Account and associated data.
14. Personal data breaches
- Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the President of the UODO without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR).
- We notify affected individuals without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR).
- Each breach is documented in an internal register.
15. Changes to this Privacy Policy
We may update this Privacy Policy upon changes to applicable law, data protection authority guidelines, changes in Services, or addition of new sub-processors.
We will notify you of material changes with at least 14 days' advance notice via: email notification, in-app Account panel message, homepage banner.
16. Contact
Email: privacy@proompi.com
Postal address: ENGIT sp. z o.o., ul. Stefana Jaracza 39, 33-100 Tarnów, Poland
You also have the right to lodge a complaint with the supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (President of the Personal Data Protection Office), ul. Stawki 2, 00-193 Warsaw, tel. +48 22 531 03 00, https://uodo.gov.pl