Privacy Policy

Last Updated: February 22, 2026

This Privacy Policy (hereinafter the “Policy”) sets out the rules for the collection, processing, and protection of personal data of Users utilizing the Prismare platform available at https://prismare.ai.

The Service is operated by Mariusz Szlęzak, a natural person conducting an unregistered business activity (działalność nierejestrowana) under the laws of the Republic of Poland.

By using the Service, you acknowledge that you have read and understood this Policy. This Policy constitutes an integral part of our Terms of Service.

§ 1. Definitions

For the purposes of this Policy, the definitions set forth in the Terms of Service shall apply. Additionally, the following definitions are established:

  1. Controller: The entity that determines the purposes and means of the processing of Personal Data. For this Service, the Controller is the Service Provider.
  2. Personal Data: Any information relating to an identified or identifiable natural person (hereinafter the “User”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an email address, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  3. Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller (e.g., cloud providers, AI service providers).

§ 2. Data Controller Contact Details

The Controller of your Personal Data is:

Mariusz Szlęzak

ul. Na Szlakowisku 9/130, 27-200 Starachowice, Poland

Contact for Privacy Matters: You may contact us regarding any data protection issues, including the exercise of your rights, via email: [email protected]

§ 3. Scope and Source of Data

We adhere to the principle of data minimization. We collect and process only the data necessary to provide the Service, ensure security, and comply with legal obligations.

  1. Data Provided Directly by You
    • Account Data: Email address, username, and encrypted password (or authentication tokens if logging in via Google).
    • Affiliate Data: Name, email address, and PayPal email address voluntarily provided by you through our affiliate portal to register for and participate in the Prismare Affiliate Program.
    • User Content: Text entries in your journal, uploaded images, and text prompts sent to the AI interface.
    • Communication Data: Content of emails or support tickets sent to us.
  2. Data Collected Automatically
    • Technical Logs: IP address, browser type and version, operating system, device information, time of access, and request errors.
    • Usage Data: Information about how you use the Service (e.g., features accessed, time spent on pages).
    • Cookies: Session tokens and security markers managed by NextAuth.js (detailed in § 9).
  3. Payment Data
    • We do not store full credit card numbers or sensitive payment authentication data. Payments are processed by our third-party partner, Stripe. We only receive and retain transaction status, subscription details (e.g., “Active”, “Canceled”), and limited identifiers (e.g., last 4 digits of the card) required for tax compliance.
  4. Affiliate Payouts
    • If you earn commissions through the Prismare Affiliate Program, payouts are processed by the Service Provider using PayPal. In this context, your email address associated with your PayPal account is shared with PayPal. PayPal acts as an Independent Data Controller for these transactions, managing the data for its own anti-money laundering (AML) and fraud prevention purposes. For more details on how your data is handled during payouts, please refer to the PayPal Privacy Statement at www.paypal.com.

§ 4. Purposes and Legal Bases for Processing

We process your data for specific purposes based on the following legal grounds under the GDPR:

  1. Service Provision
    • Purpose of Processing: Creating accounts, authentication, storing journal entries, generating AI analysis.
    • Data Categories: Account Data, User Content
    • Legal Basis (GDPR): Art. 6(1)(b) - Contract Performance. Necessary to fulfill the Terms of Service.
  2. Billing & Tax Compliance
    • Purpose of Processing: Issuing invoices (if applicable), accounting, tax reporting.
    • Data Categories: Account Data, Transaction Data
    • Legal Basis (GDPR): Art. 6(1)(c) - Legal Obligation. Required by Polish Tax Ordinances (Ordynacja podatkowa).
  3. Security & Fraud Prevention
    • Purpose of Processing: Detecting unauthorized access, preventing “ban evasion” (see § 8), monitoring system stability.
    • Data Categories: IP Address, Logs, Account Data
    • Legal Basis (GDPR): Art. 6(1)(f) - Legitimate Interest. Ensuring the security and integrity of the Platform.
  4. AI Features
    • Purpose of Processing: Generating trade ideas, summaries, or analyzing User notes.
    • Data Categories: User Content (Prompts)
    • Legal Basis (GDPR): Art. 6(1)(b) - Contract Performance. Providing the core functionality of the Service requested by the User.
  5. Analytics
    • Purpose of Processing: Analyzing aggregated usage to improve the Service (bugs, UI/UX).
    • Data Categories: Usage Data (Anonymized)
    • Legal Basis (GDPR): Art. 6(1)(f) - Legitimate Interest. Improving the quality of our software.

§ 5. Data Recipients and Sub-processors

To operate the Service, we utilize trusted third-party infrastructure providers (“Sub-processors”). We have entered into appropriate Data Processing Agreements (DPAs) with all Sub-processors to ensure that personal data is processed in accordance with applicable data protection laws and subject to appropriate safeguards.

A current and complete list of Sub-processors, including their location and the nature of the processing they perform, may be accessed at any time at: https://prismare.ai/legal-documents/sub-processors. This list is maintained on an ongoing basis and forms an integral part of this Privacy Policy.

§ 6. International Data Transfers

The Service operates on a modern cloud infrastructure. Consequently, your data may be processed in countries outside the European Economic Area (EEA), primarily the United States.

We ensure that such transfers are lawful under Chapter V of the GDPR by relying on:

  1. EU-U.S. Data Privacy Framework (DPF): For processors certified under the DPF.
  2. Standard Contractual Clauses (SCCs): For processors not covered by an adequacy decision, we utilize the European Commission’s approved model clauses to contractually guarantee the safety of your data.

§ 7. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Policy:

  1. Active Accounts: Data is stored for the duration of the Service provision.
  2. Deleted Accounts: Generally, data is deleted within 30 days of an account closure request, subject to the exceptions below.
  3. Tax Records: Transaction data required for tax purposes is retained for 5 years from the end of the calendar year in which the tax payment deadline expired, as mandated by Polish law.
  4. AI Abuse Monitoring: OpenAI retains API inputs/outputs for up to 30 days to monitor for abuse, after which they are deleted.

§ 8. Security Exception: Ban Evasion Prevention

Specific Clause regarding Data Hashing:
Upon the deletion of your account (whether voluntary or due to a violation of Terms), you acknowledge and agree that the Service Provider retains a cryptographic hash of your email address.

§ 9. Cookies and Tracking Technologies

The Service uses Cookies and similar technologies (e.g., Local Storage) primarily to ensure the Service functions correctly.

You may manage your cookie preferences at any time via our cookie consent banner.

  1. Essential Cookies (Strictly Necessary):
    We use strictly necessary cookies to ensure secure authentication, session management, and protection against security threats. These cookies are required for the proper functioning of the Service and do not require user consent pursuant to applicable ePrivacy regulations and Article 6(1)(f) of the GDPR (legitimate interest in ensuring secure and stable operation of the Service).

    Examples include authentication cookies set by NextAuth.js:

    • next-auth.session-token: Maintains your active session.
    • next-auth.csrf-token: Protects against Cross-Site Request Forgery attacks.
    • next-auth.callback-url: Remembers the URL to redirect you to after login.

    These cookies may be prefixed with __Secure- or __Host- for enhanced security.

    Retention: Session-based or short-term persistent (depending on authentication settings).

  2. Analytics Cookies:

    Subject to your prior consent, we use Google Analytics, a web analytics service provided by Google LLC.

    Google Analytics uses cookies to collect information about how users interact with the Service. This may include:

    • pages visited
    • time spent on pages
    • approximate geographic location (country/region)
    • device and browser information
    • anonymized IP address (where IP anonymization is enabled)

    The information collected is used to generate aggregated and pseudonymized statistical reports that help us improve the Service.

    Legal basis: Article 6(1)(a) GDPR (consent).

    Data may be transferred outside the European Economic Area. Where applicable, such transfers are based on appropriate safeguards, such as Standard Contractual Clauses or participation in the EU-US Data Privacy Framework.

    Retention: Data is retained for the period configured in our Google Analytics settings.

    You may withdraw your consent at any time via our cookie settings.

  3. Cookie Consent Management:

    We use a consent management tool to:

    • obtain and record user consent,
    • allow users to accept or reject non-essential cookies,
    • enable modification or withdrawal of consent at any time.

    Your consent preferences are stored in a dedicated technical cookie.

  4. Managing Cookies via Browser:

    You can also control or delete cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of the Service.

§ 10. Artificial Intelligence & Automated Decision-Making

The Service utilizes Artificial Intelligence (LLMs) to process your data.

§ 11. Your Rights

Under the GDPR, you have the following rights regarding your Personal Data:

  1. Right of Access: You can request a copy of the data we hold about you.
  2. Right to Rectification: You can correct inaccurate or incomplete data directly in your account settings or by contacting us.
  3. Right to Erasure (“Right to be Forgotten”): You can request the deletion of your account and data. This right is subject to our legal obligations (e.g., tax retention) and legitimate interests (e.g., retention of hashed email for fraud prevention).
  4. Right to Restriction of Processing: You can ask us to pause processing your data in certain scenarios.
  5. Right to Data Portability: You can request to receive your data in a structured, commonly used, and machine-readable format (e.g., JSON).
  6. Right to Object: You can object to processing based on Legitimate Interest.

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

Right to Lodge a Complaint:

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority, specifically:

Prezes Urzędu Ochrony Danych Osobowych (UODO)

ul. Stawki 2, 00-193 Warszawa, Poland

Website: https://uodo.gov.pl

§ 12. Security of Data

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or alteration. These measures include:

§ 13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

If we make material changes, we will notify you by email or via a prominent notice on the Service at least 30 days prior to the effective date of the changes. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

Contact Us