Privacy Policy

Last Updated: April 29, 2026

Effective Date: April 29, 2026

This Privacy Policy ("Policy") describes how SCOPELABS PTE. LTD., operating the PromptRanks Platform ("we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our Platform accessible at https://app.prompt-skill.com and the associated API at https://api.prompt-skill.com.

We are committed to protecting your privacy and ensuring transparency about our data practices. Please read this Policy carefully before using the Platform.

1. Information We Collect

1.1 Information You Provide Directly

1.2 Information Collected Automatically

1.3 Information from Third Parties

When you authenticate using third-party providers:

• Google OAuth (scopes: openid email profile): We receive your Google user ID, email address, name, and profile picture.
• GitHub OAuth (scopes: read:user user:email): We receive your GitHub user ID, email address, name, and avatar URL.

1.4 Payment Information via Stripe

We use Stripe, Inc. to process payments. We do not collect, store, or have access to your full credit card number, CVV, or bank account details. Stripe provides us with:

• Customer ID
• Subscription ID
• Payment status and history
• Last four digits of payment method (for display purposes)

Stripe's processing of your payment data is governed by Stripe's Privacy Policy.

1.5 Trial and Referral Data

When you participate in our trial or referral programs:

• Trial usage: We record whether you have used a trial offer (trial_used_at) to enforce the one-trial-per-account policy.
• Referral tracking: We track referral relationships between referrers and referred users in a dedicated referral_usage table.
• Referral statistics: We maintain a count of successful referrals and earned bonus months on your account.

2. How We Use Your Information

2.1 Primary Uses

We use your personal information to:

1. Provide Services: Create and manage your account, deliver Assessments, generate Badges, maintain the Leaderboard, and provide teaching content (videos and texts).
2. Authentication: Verify your identity and manage your session using short-lived Access Tokens and long-lived Refresh Tokens.
3. Assessment Processing: Submit your prompts to third-party AI/LLM providers for execution and scoring.
4. Badge Issuance: Generate and issue digital Badges with your Assessment results, and enable social sharing of Badges with your referral link.
5. Payment Processing: Process subscription payments, manage trial offers ($1 trial periods), and manage your subscription.
6. Referral System: Track referrals, attribute referred users, calculate and apply referral rewards (bonus subscription months), and generate referral statistics.
7. Communication: Send transactional emails, including welcome emails, payment receipts, subscription confirmations, and Magic Link emails.
8. Teaching Content: Deliver personalized teaching video and text recommendations based on your assessment scores.
9. Security: Detect and prevent fraud, cheating, unauthorized access, and referral system abuse.

2.2 Analytics and Improvement

We may use aggregated, anonymized data to:

• Analyze Assessment patterns and improve our evaluation methodology
• Generate platform-wide statistics and insights
• Improve the quality and accuracy of our AI models
• Monitor referral conversion rates and trial-to-paid conversion rates

2.3 Legal Basis for Processing (GDPR/UK GDPR)

For Users in the European Economic Area (EEA) and United Kingdom, we process your personal data based on:

• Contractual necessity: To provide the Services you have requested (Art. 6(1)(b) GDPR)
• Legitimate interests: For security, analytics, and service improvement (Art. 6(1)(f) GDPR)
• Consent: Where you have provided explicit consent for specific processing activities (Art. 6(1)(a) GDPR)
• Legal obligation: Where required by law (Art. 6(1)(c) GDPR)

3. How We Share Your Information

3.1 Third-Party AI/LLM Providers

To execute and score Assessments, your prompts and responses are sent to third-party AI providers. Currently, these include:

• OpenAI (GPT models) — OpenAI Privacy Policy
• Anthropic (Claude models) — Anthropic Privacy Policy

Important: Your Assessment prompts and responses are processed by these services. While we use API access that limits training on your data, you should review each provider's data practices.

3.2 Payment Processor — Stripe

We share your email address and user ID (in metadata) with Stripe for payment processing. Stripe handles all credit card and banking information directly. See Stripe's Privacy Policy.

3.3 OAuth Providers

When you use Google or GitHub authentication, we exchange authentication data with these providers as described in Section 1.3.

3.4 Email Service Provider

We use an SMTP email service to send transactional communications, including payment receipts, Magic Link emails, and subscription confirmations. Your email address and name may be included in these communications.

3.5 Public Leaderboard

When you complete a Full Assessment, your display name, avatar, score, proficiency level, and industry/role may be displayed publicly on the Leaderboard. The Leaderboard displays the Top 100 users and supports filtering by time range and industry. You may opt out through account settings.

3.6 Badge Verification and Social Sharing

Badges are publicly verifiable. Your Badge level, score, assessment type (Quick/Full), industry/role, and issuance date may be visible to anyone who accesses the verification URL.

When you share your Badge on social media platforms (X/Twitter, LinkedIn, Facebook), your Badge image, referral link (prompt-skill.com/ref/{code}), and a description of your score are shared. Other users who click your shared referral link and register will be attributed as your referrals.

3.7 Referral System

When you refer new users:

• Referred users' email addresses are visible to you in masked form (e.g., a***@mail.com) in the Referral Dashboard.
• We do not share your full email address with your referrer or referee.

3.8 Service Providers

We may share data with service providers who assist in operating the Platform, subject to confidentiality obligations. This includes cloud storage providers (S3-compatible) for avatar image hosting.

3.9 Legal Requirements

We may disclose your information if required to do so by law, in response to a valid legal request (such as a court order or subpoena), or to protect the rights, property, or safety of SCOPELABS PTE. LTD., our Users, or others.

3.10 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction, subject to continued protection under this Policy.

4. Data Storage and Security

4.1 Data Storage

Your data is stored in:

• PostgreSQL 16 database: Primary data storage for account information, Assessment results, Badges, subscription data, referral relationships, teaching content metadata, and refresh tokens.
• Redis 7 cache: Temporary caching for Leaderboard data, global statistics, and rate limiting.
• Browser storage: Access Tokens in memory only (not persisted to localStorage), user preferences and anonymous session data in localStorage.
• Cloud storage (S3-compatible): Avatar image uploads and Badge images.
• Local browser storage (Guest users): Guest assessment results stored locally with 7-day expiry.

4.2 Security Measures

We implement the following security measures:

• Passwordless authentication: All authentication methods are passwordless (SSO or Magic Link)
• Encryption in transit: TLS/HTTPS for all data transmissions
• Short-lived Access Tokens: 24-hour tokens stored only in application memory, not persisted to disk
• Refresh Token security: 30-day tokens stored in HttpOnly + Secure + SameSite=Strict cookies with SHA256 hashing
• Input validation: Server-side validation of all user inputs
• Access control: Role-based access restrictions for administrative functions
• Rate limiting: API rate limiting to prevent abuse, including referral link brute-force protection
• Token rotation: Refresh tokens are single-use; concurrent usage triggers revocation

4.3 Data Retention

4.4 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law.

5. Your Rights

5.1 General Rights

You have the right to:

1. Access: Request a copy of the personal data we hold about you.
2. Rectification: Request correction of inaccurate or incomplete personal data.
3. Deletion: Request deletion of your personal data, subject to legal retention requirements.
4. Portability: Request a copy of your data in a structured, machine-readable format.
5. Restriction: Request restriction of processing in certain circumstances.
6. Objection: Object to processing based on legitimate interests.
7. Withdraw Consent: Withdraw consent at any time where processing is based on consent.

5.2 Exercising Your Rights

To exercise any of these rights, please contact us at admin@promptranks.org. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

5.3 California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have additional rights under the CCPA:

• Right to Know: You can request information about the personal data we have collected, used, and shared in the past 12 months.
• Right to Delete: You can request that we delete your personal information.
• Right to Opt-Out of Sale: We do not sell personal information. You do not need to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

5.4 GDPR Rights for EEA/UK Residents

If you are located in the EEA or UK, you have the right to:

• Lodge a complaint with your local supervisory authority
• Object to automated decision-making, including profiling

6. Children's Privacy

The Platform is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we discover that we have collected data from a child under 16, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal data, please contact us at admin@promptranks.org.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using the Platform, you consent to such transfers. We take appropriate safeguards to ensure your data is protected, including:

• Using third-party providers that comply with applicable data protection regulations
• Implementing standard contractual clauses where required
• Ensuring data processing agreements are in place with all service providers

7.1 Specific Transfer Recipients

• Stripe, Inc. (United States): Payment processing — covered by EU-US Data Privacy Framework
• OpenAI, LLC (United States): AI processing — covered by standard contractual clauses
• Anthropic, Inc. (United States): AI processing — covered by standard contractual clauses
• Google LLC (United States): OAuth authentication — covered by EU-US Data Privacy Framework
• GitHub, Inc. (United States): OAuth authentication — covered by EU-US Data Privacy Framework

8. Cookies and Tracking Technologies

PromptRanks uses a limited number of HTTP cookies and browser storage technologies for essential platform functionality. We do not use cookies for advertising, analytics tracking, or cross-site tracking.

8.1 HTTP Cookies We Use

These cookies are strictly necessary for the Platform to function and do not require consent under applicable cookie laws.

8.2 Browser Storage Technologies

In addition to cookies, we use localStorage and sessionStorage for authentication and session management. For full details, please refer to our Cookie Policy.

8.3 Third-Party Cookies

When interacting with third-party services (Stripe for payments, Google/GitHub for authentication, social media platforms for sharing), those services may set their own cookies on their respective domains.

9. Email Communications

9.1 Transactional Emails

We send the following transactional emails as part of our Services:

• Account registration confirmation
• Welcome emails
• Magic Link emails (for passwordless authentication)
• Payment receipts with invoice details (triggered by Stripe webhooks)
• Subscription confirmations and renewal receipts
• Subscription upgrade/downgrade notifications
• Referral reward notifications (when earning bonus months)
• Trial period expiration reminders

9.2 Marketing Communications

We do not currently send marketing emails. If we introduce marketing communications in the future, we will obtain your consent before sending them and provide an unsubscribe mechanism.

10. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Privacy Policy

We may update this Policy from time to time. We will notify you of material changes by:

• Posting the updated Policy on the Platform with a revised "Last Updated" date
• Sending email notification for significant changes

We encourage you to review this Policy periodically.

12. Data Controller Information

Data Controller: SCOPELABS PTE. LTD. Registered Address: 2 Shenton Way, #15-04, SGX Centre I, Singapore 068804 Contact Email: admin@promptranks.org Website: https://app.prompt-skill.com

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Company: SCOPELABS PTE. LTD.
• Address: 2 Shenton Way, #15-04, SGX Centre I, Singapore 068804
• Email: admin@promptranks.org
• Website: https://app.prompt-skill.com

By using the PromptRanks Platform, you acknowledge that you have read and understand this Privacy Policy.