Your data, handled like we'd want ours handled.
We sell governance. So this page is written the way the rest of our work is: plainly, concretely, no hidden clauses. Here's exactly what we collect, where it lives, and what you can ask us to do with it.
- We collect: What you send us, plus basic product + usage logs.
- We never: Sell or rent your data, or train public models on it.
- Customer data: Processed under a DPA — read-only by default, never autonomous.
- You can: Access, export, correct, or delete it any time.
01 What this policy covers
This policy applies to promptmetrics.dev, the people who contact us through it, and the operators who use our governed Claude agents during a pilot or engagement. It explains how PromptMetrics GmbH — the data controller for the marketing site and our own business records — collects and handles personal data.
When we run agents inside your stack, your company is the controller and we act as a processor. That relationship is governed by a Data Processing Agreement, not this page. The DPA always wins where the two differ.
02 What we collect
We try to collect as little as does the job. In practice:
- What you tell us. Name, work email, company, role, and anything you type into the pilot form or send us by email.
- Product & usage logs. When you use our tools we log prompts, actions, approvals, and timestamps — the audit trail is the product. These are tied to your workspace, not sold or shared.
- Site analytics. Privacy-respecting, cookie-free page counts (no cross-site tracking, no ad networks).
- Technical basics. IP, browser, and device info in server logs, kept short-term for security and debugging.
03 How we use it
Six things, and that's the whole list:
- To reply to you and scope a pilot.
- To run, secure, and debug the agents you've asked us to run.
- To produce the audit trail and reporting you're paying for.
- To meet legal, tax, and accounting obligations.
- To improve our own product — using aggregated, de-identified signals, never your raw content.
- To send operational email you'd expect (never purchased lists, never spam).
04 Your customers' data
During an engagement, agents read from systems you connect — CRM, call recorder, support tool, Slack, Drive. That data stays under your control and your DPA. Our defaults are deliberately conservative:
- Read-only by default. Write access is opt-in, scoped, and gated.
- Never autonomous. A human reviews and approves before any external action.
- Zero-retention API. Where supported, content sent to the model is not retained by the model provider.
- No training. Your content is never used to train public or third-party models.
05 Where your data lives
Our default hosting is in the EU. For EMEA engagements we pin processing and storage to EU regions, execute a DPA with Standard Contractual Clauses where relevant, and classify AI-Act risk from day one. If your data cannot leave your environment at all, tell us early — sometimes that's an architectural mismatch, and we'll say so.
06 Sub-processors
We use a short, named list of sub-processors to run the business and the product — model providers, cloud hosting, email, and analytics. Each is bound by contract to confidentiality and security terms at least as strict as ours. We keep the current list public and give notice before adding a new one that touches your data.
07 Retention & deletion
We keep personal data only as long as it's useful for the purpose we collected it, or as the law requires — whichever is longer. Pilot inquiries are kept while the conversation is live and for a reasonable follow-up window after. Audit logs follow the retention term in your agreement. Ask us to delete your data and we will, except where we're legally required to keep a record.
08 Your rights
Under GDPR, CCPA, and similar laws you can ask to access, correct, export, restrict, or delete your personal data, and to object to certain processing. Email us and we'll action it within the legal window — usually much faster. You also have the right to complain to your local supervisory authority.
09 Security
Encryption in transit and at rest, least-privilege access, audit logging on our own systems, and a SOC 2 Type II program. Security and the human gate aren't add-ons here — they're the thing we sell, so they're the thing we hold ourselves to first.
10 Cookies
The marketing site runs without advertising or cross-site tracking cookies. We use only what's strictly necessary to serve the page and remember your theme preference. No consent wall, because there's nothing to consent to.
11 Changes & contact
If we change this policy we'll update the date at the top and, for material changes, tell you directly. Questions, requests, or a data concern? We read every one.
- Privacy: privacy@promptmetrics.dev
- General: hello@promptmetrics.dev
- Controller: PromptMetrics GmbH · Berlin, DE