Privacy Policy

Last updated: December 2025

1. Introduction

LynxPrompt is operated by GeiserCloud, a company registered in Spain. We respect your privacy and are committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Data Controller

GeiserCloud is the data controller responsible for your personal data:

We have not appointed a Data Protection Officer (DPO). For all privacy inquiries, please contact us at the email above.

3. Data We Collect

We collect and process the following categories of personal data:

Account Information:
  • Email address
  • Name (if provided by your OAuth provider)
  • Profile picture (if provided by your OAuth provider)
  • OAuth provider identifiers (GitHub ID, Google ID)
User Content:
  • Blueprints and prompts you create
  • Wizard configurations and preferences
  • Favorites and download history
Usage Data:
  • Pages visited and features used
  • Device type and browser information
  • Anonymized analytics data (via Umami)
Teams Data (Teams subscribers only):
  • Team membership and role information
  • Last login timestamps (for active user billing)
  • Team-shared blueprints and configurations
  • SSO configuration data (if configured by team admin)

4. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Contractual Necessity (Article 6(1)(b)):
  • To create and manage your account
  • To provide our service and save your blueprints
  • To process payments through Stripe
  • To send transactional emails (passwordless login links, payment receipts, critical security notices, service changes)
Legitimate Interest (Article 6(1)(f)):
  • To improve our service based on usage patterns
  • To ensure security and prevent fraud
  • To maintain and debug our systems

We do not send marketing emails and therefore do not rely on consent for email communications.

5. How We Use Your Data

  • To provide and maintain our service
  • To authenticate your account via OAuth providers
  • To save your preferences, blueprints, and configurations
  • To process payments securely through Stripe
  • To analyze anonymized usage patterns for service improvement
  • To send essential service communications

6. Third-Party Services & Data Sharing

We share data with the following third parties to provide our service:

GitHub (Microsoft)

Data shared: OAuth authentication tokens

Purpose: Account authentication

Location: USA (EU SCCs in place)

Google

Data shared: OAuth authentication tokens

Purpose: Account authentication

Location: USA/EU (EU SCCs in place)

Stripe

Data shared: Email, payment information (processed directly by Stripe)

Purpose: Payment processing

Location: USA/EU (EU SCCs in place, PCI-DSS compliant)

Umami Analytics (Self-Hosted)

Data collected: Anonymized page views, device type, country (no personal identifiers)

Purpose: Privacy-focused usage analytics

Hosting: Self-hosted on our EU servers (no data shared with third parties)

Cookies: Cookieless - does not track individuals across sessions

Legal basis: Legitimate interest (minimal, privacy-preserving analytics)

Anthropic (Claude AI)

Data shared: Blueprint content you submit for AI-assisted editing (Teams subscription feature only)

Purpose: AI-powered blueprint modification

Location: USA (EU SCCs in place)

Data retention: Anthropic does not train on API data; content processed transiently

Legal basis: Contractual necessity (you initiate AI editing requests)

GlitchTip (Self-Hosted)

Data collected: Error messages, stack traces, browser/device information, URL where error occurred

Purpose: Error tracking to identify and fix bugs, improve application stability

Hosting: Self-hosted on our EU servers (no data shared with third parties)

Data retention: Error data automatically deleted after 90 days

Legal basis: Legitimate interest (maintaining service quality and fixing bugs)

Note: Error reports may contain information about your actions when an error occurred, but we do not use this for user profiling

Enterprise SSO Providers (Teams only)

Data shared: Authentication tokens, user identifiers as configured by your organization

Purpose: Single Sign-On authentication for Teams subscribers

Providers supported: SAML 2.0 (Okta, Azure AD, OneLogin), OpenID Connect, LDAP/Active Directory

Configuration: Your team administrator configures the SSO connection; we only store the minimum data needed to authenticate users

Data retention: SSO configuration data is deleted when the team is deleted or SSO is disabled

Legal basis: Contractual necessity (you or your organization configured SSO)

7. International Data Transfers

Your data is primarily stored in the European Union. When data is transferred to third parties outside the EU (GitHub, Google, Stripe, Anthropic), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Our third-party providers use EU-approved SCCs for international transfers
  • Adequacy decisions: Where applicable, we rely on EU adequacy decisions
  • Supplementary measures: Encryption and access controls protect data in transit

8. Data Storage & Security

We implement appropriate technical and organizational measures to protect your data:

  • Location: All primary data is stored on servers located in the European Union
  • Encryption: All data in transit is encrypted via TLS/HTTPS
  • Authentication: Secure OAuth 2.0 authentication via trusted providers
  • Access control: Database access is restricted and password-protected
  • Payments: We never store payment card details; all payment processing is handled by Stripe (PCI-DSS Level 1 certified)

9. Your Rights Under GDPR

If you are in the European Economic Area, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limited processing of your data
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest

To exercise these rights, contact us at [email protected]. We will respond within one month of receiving your request.

You also have the right to lodge a complaint with your local supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

10. Information for US Residents

If you are a US resident, you may have additional rights under state privacy laws. While we do not currently meet the thresholds that trigger full CCPA/CPRA compliance, we extend the following rights to all users:

  • Right to Know: Request information about data we collect
  • Right to Delete: Request deletion of your personal data
  • Non-Discrimination: We will not discriminate against you for exercising your rights

Note: We do not sell personal information to third parties.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. All significant decisions regarding your account are made by humans.

12. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion, we will erase your personal data within one month, except where we are legally required to retain certain records (e.g., payment records for tax purposes, which may be retained for up to 7 years).

13. Cookies

We use only essential cookies required for authentication, session management, and security. This includes:

  • Authentication cookies – To keep you logged in and protect against CSRF attacks
  • Security cookies – Cloudflare Turnstile sets cookies to protect against bots and automated attacks

We do not use advertising, tracking, or third-party marketing cookies. Our analytics provider (Umami) is cookieless and privacy-focused.

For a detailed breakdown of all cookies used, see our Cookie Policy.

14. Age Requirement

LynxPrompt is intended for users aged 16 and older (or the applicable age of digital consent in your country, which ranges from 13 to 16 within the EU). We do not knowingly collect data from users below this age. If you believe we have collected data from a minor, please contact us immediately.

15. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via our website or email. We encourage you to review this policy periodically.

16. Contact Us

For privacy-related questions, data requests, or to exercise your rights:

GeiserCloud

Calle Tierno Galván 25

30203 Cartagena, Murcia

Spain

Email: [email protected]