Privacy Policy

How SendPromptly collects, uses, stores, and protects your information.

Effective date: January 7, 2026

This Privacy Policy explains how SendPromptly (“we,” “us,” or “our”) collects, uses, discloses, and retains information when you use our marketing website, dashboard, and API.

We are designed for small SaaS teams. We collect the minimum data needed to operate the service, and we try to explain our practices in plain language.


1. What we collect

Account information

When you register, we collect your name, email address, organization name, and password (stored as a hash — we never see your actual password).

Billing information

When you subscribe, billing is handled by Stripe. We store references such as a Stripe customer ID, subscription ID, and billing status. We do not store card numbers, CVV, or raw payment credentials. Those stay with Stripe.

Service usage data

To operate the service, we store the payment event identifiers and metadata your application sends us — event type, effect type, your internal reference, and status outcomes. By default we do not store raw webhook payload content unless you explicitly enable payload snapshots on a project. When enabled, snapshots are encrypted at rest and purged after 30 days.

API request metadata

We log API request metadata (timestamps, response codes, project identifiers) for security, debugging, and quota tracking. We do not log full request or response bodies by default.

Support communications

If you contact us for support, we retain that correspondence.

Website analytics

Our marketing website uses analytics tools, including Google Analytics, to understand traffic and improve the site. These tools may collect your IP address, browser and device information, pages visited, and session duration. This data is processed by Google in accordance with Google’s privacy terms.


2. How we use your information

We use the information we collect to:

  • create and maintain your account;
  • process payments and manage your subscription;
  • provide incident detection, alerting, and reprocess functionality;
  • send transactional emails (incident alerts, account notifications);
  • troubleshoot issues and respond to support requests;
  • detect abuse and enforce our Terms of Service;
  • improve the product and marketing website;
  • comply with legal and accounting obligations.

We do not use your information to send marketing email without consent, and we do not sell your information to third parties.


3. Third-party providers

We share information with the following providers to operate the service. A full list is available on our Subprocessors page.

ProviderPurposeWhat is shared
StripePayments and subscriptionsBilling contact and subscription data
OVHcloudApplication and database hostingAll application and database data
BrevoTransactional email deliveryEmail addresses and email content
Google AnalyticsWebsite traffic measurementIP address, browser, device, and page data

These providers process data on our behalf under their own privacy and security commitments. We do not authorize them to use your data for their own marketing purposes.


4. Cookies

Cookies are small text files placed on your device when you visit a website. Similar technologies — such as local storage and session identifiers — may be used alongside cookies for authentication, preferences, and analytics.

Our marketing website and dashboard use cookies and similar technologies for:

  • Strictly necessary: authentication, security, and session management. These support login, session persistence, and security, and cannot be disabled without breaking core functionality.
  • Analytics: Google Analytics on our marketing website, to understand how visitors find and use the site. This may collect your IP address (which may be anonymized), browser and device information, pages visited, session duration, and referring URL. This data is sent to and processed by Google. You can opt out using the Google Analytics Opt-out Browser Add-on. Analytics cookies may be subject to consent requirements in your jurisdiction (such as the EU, UK, or Quebec); where applicable, we seek consent before setting these cookies.
  • Payments: Stripe may set cookies on billing pages for secure checkout and fraud prevention. These are governed by Stripe’s Privacy Policy.

You can control cookies through your browser settings. Most browsers let you view, block, or delete cookies, and browser privacy modes or tracker-blocking extensions can limit analytics cookies further. Blocking strictly necessary cookies will affect site and dashboard functionality.


5. Data retention

We retain your data for as long as necessary to provide the service and meet legal or accounting obligations.

Data typeRetention
Account and organization dataDuration of account, then deleted on request
Billing recordsRetained for legal and accounting purposes after cancellation
Event metadata12 months from creation
Encrypted payload snapshots30 days from creation (when enabled)
Audit log12 months
Support communicationsUntil no longer needed for support purposes
Website analyticsPer Google Analytics retention settings

6. Security

We are a small SaaS product, not an enterprise security platform. We aim to be honest about what we do and do not do.

Authentication. Passwords are hashed using a secure one-way algorithm — we do not store or have access to your plaintext password. Accounts support multi-factor authentication (MFA) via authenticator app (TOTP), with recovery codes provided at setup and MFA prompted for sensitive actions in addition to login. Sessions are protected against common web attack patterns.

API keys. API keys are hashed on creation; the dashboard shows the plaintext value once, and only the hash is stored after that. Keys are scoped to a single project, so a compromised key affects only that project. You can generate new keys and revoke old ones at any time — rotate keys on a regular schedule and immediately after any suspected exposure. Keep API keys in server-side secret managers; do not commit them to source control or expose them in browser or mobile clients.

Signed repair callbacks. When you trigger a reprocess, we send a signed HTTP POST to your configured repair endpoint. Every callback is signed with HMAC-SHA256 using a project-scoped signing secret, stored and managed separately from your ingest API keys, and includes X-SendPromptly-Timestamp, X-SendPromptly-Nonce, and X-SendPromptly-Signature headers to prevent replay.

Payment security. Billing is processed through Stripe. We do not store card numbers, CVV, or raw payment credentials — only Stripe references such as customer ID, subscription ID, and billing status. Stripe webhook events for billing are verified using Stripe’s signature mechanism before any billing state is updated.

Webhook and event data. By default we store only metadata — event type, effect type, your internal reference, and status. Full payload snapshots are opt-in per project, encrypted at rest, and purged automatically after 30 days. All inbound API requests require an Idempotency-Key, and event records are deduped on (project, provider, provider_event_id), so duplicate provider webhooks never create duplicate incidents.

Audit logging. We log login events, MFA changes, API key creation and revocation, project creation and deletion, billing actions, incident state changes, and operator reprocess actions, each with actor and timestamp. The audit log is read-only in the console and retained for 12 months.

Application and infrastructure. All traffic is served over HTTPS, with HTTP requests redirected. API endpoints enforce authentication, rate limiting, and content type requirements, and access is scoped by organization. We are hosted on OVHcloud VPS infrastructure with backups, uptime monitoring, and operational alerting. We do not publish infrastructure IP ranges, firewall configuration, internal architecture details, or deployment pipeline specifics.

Compliance positioning. SendPromptly is designed with practical security and privacy safeguards informed by GDPR, CCPA/CPRA, and PIPEDA principles. We are not certified against any formal compliance framework. If you have specific compliance requirements, review our practices here to assess fit.

Reporting a vulnerability. If you discover a potential security issue, contact us at support@sendpromptly.com before public disclosure. We will acknowledge receipt and work with you on a resolution timeline.

No system is completely secure. You are responsible for keeping your account credentials and API keys secure.


7. International data transfers

Our infrastructure is hosted on OVHcloud. Depending on the OVHcloud region used, your data may be processed outside your home jurisdiction. Other providers such as Stripe and Google operate globally. We rely on those providers’ transfer mechanisms where applicable.


8. Your rights

Depending on where you are located, you may have rights under privacy law including:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to correct inaccurate information.
  • Deletion: request deletion of your account and personal data.
  • Restriction or objection: ask us to limit certain processing.
  • Data portability: receive your data in a structured format.
  • Withdraw consent: where processing is based on consent.

To exercise any of these rights, email us at support@sendpromptly.com. We will respond within a reasonable time. We may need to verify your identity before acting on requests.

We aim to apply these rights practically regardless of your jurisdiction, not only where legally compelled.


9. Children’s privacy

SendPromptly is not directed at children under 16. We do not knowingly collect personal information from children.


10. Updates to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy with a new effective date. Continued use of the service after the updated policy is posted means you accept the changes.


11. Contact

For privacy questions or requests:

  • Email: support@sendpromptly.com
  • Website: https://sendpromptly.com