Privacy Policy
Last updated: 2026-05-21
Who we are
PromptLib is a personal prompt library web app run by an individual operator based in Switzerland. The site is hosted in the EU (Vercel) with a database in Frankfurt (Supabase). Swiss data protection law (revDSG, in force since 1 September 2023) applies; for EU users the GDPR also applies extraterritorially via Art. 3 GDPR.
What we collect
You can sign in with Google, with GitHub, or with an email magic link. With Google or GitHub we receive your email address, display name, and avatar URL from that provider. With the email magic link we collect only the email address you enter, in order to send you a one-time sign-in link. We store the prompts you create. If you publish a prompt publicly, your display name and username are shown alongside it. If you click the support/donate link we record that click — linked to your account ID when you are signed in — using our privacy-first analytics, to gauge interest; we do not share it with Ko-fi.
Why we process it
Strictly to provide the service: authentication, your personal library, and the public Discover feed. Legal basis: contract performance (Art. 6(1)(b) GDPR) for service-related processing.
Cookies
We use the minimum cookies needed to run the service.
- `sb-*` (essential, Supabase) — keeps you signed in by storing the auth session; required for the service to work.
- `consent` (essential) — records whether you accepted or declined optional analytics; lives for 365 days.
- Vercel Analytics (analytics, opt-in only) — counts page views using a session-based fingerprint; no persistent cookie is set. Vercel Analytics is loaded only after you click Accept on the consent banner.
You can change your choice at any time by clearing the `consent` cookie in your browser, or by signing out and back in.
Sub-processors
We use the following third-party data processors.
- Supabase Inc. (USA / EU regions; database hosted in Frankfurt, Germany) — authentication, database, and storage; role: data processor.
- Vercel Inc. (USA) — hosting and CDN; role: data processor.
- Upstash Inc. (USA) — rate-limit cache (Redis); role: data processor.
- Brevo / Sendinblue SAS (France) — transactional email delivery (invitations, notifications, and magic-link sign-in emails); role: data processor.
- Resend Inc. (USA) — alternative transactional email provider, used only if Brevo is not configured; role: data processor.
- Sentry / Functional Software Inc. (USA) — error monitoring (post-launch); role: data processor.
- Google LLC (USA) — OAuth identity provider when you choose Google sign-in; role: independent controller for that authentication flow.
- GitHub, Inc. (USA) — OAuth identity provider when you choose GitHub sign-in; role: independent controller for that authentication flow.
Transfers between Switzerland and the EU rely on the European Commission's adequacy decision recognising Switzerland (most recently reaffirmed in 2024) and the corresponding Swiss recognition of EU/EEA states, so no additional safeguards are required. Transfers to the United States rely on Standard Contractual Clauses (SCC) — both the EU SCC and the Swiss addendum issued by the EDÖB — together with additional supplementary measures.
Your rights
Under the revDSG and, where applicable, the GDPR, you can request access, correction, deletion, or export of your personal data. You also have the right to lodge a complaint with the Swiss supervisory authority — the Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), https://www.edoeb.admin.ch/ — or, if you are an EU resident, with your local data protection authority. Contact us first: support@promptlib.ch.
Retention
Account data is kept until you delete your account. Self-serve account deletion is being implemented; until then please contact us.
Changes
We will update this page when our processing changes. The date at the top of the page reflects the most recent update.