Privacy Policy
1. Who we are and how to contact us
Prism is the data controller for the purposes of this policy.
For all privacy-related questions, requests, and complaints:
- Email: prismprivacy@paulojuri.com
We aim to respond to all privacy enquiries within 5 working days and will always respond within 30 days as required by law.
2. What data we collect and why
Browsing data (collected by the Chrome extension)
When you use the Prism extension, it collects the following from your browser. This data is collected locally on your device first and only synced to your encrypted wallet when you choose to connect the extension to your account.
| Data | Why we collect it |
|---|---|
| URLs visited | To build your browsing history and identify which sites you use |
| Page titles | To label sessions in your wallet in a human-readable way |
| Time spent on page | To show you how you spend your time online |
| Scroll depth | To understand how engaged you are with content |
| Links clicked per page | To measure browsing engagement |
| Search queries | To understand your interests and search patterns (Google, Bing, YouTube, DuckDuckGo) |
| Content categories | To classify pages you visit (news, shopping, social, etc.) for your interest graph |
| Page topics | Keywords and topics extracted from page headings and meta tags |
| Visit frequency per domain | To show you which sites you visit most |
| Shopping/product views | To identify shopping intent signals for your wallet profile |
| Cookies encountered per site | To show you what trackers sites are placing on your device |
| Tracker detections per site | To identify which third-party tracking scripts run on sites you visit |
We never collect: passwords, form inputs, payment card details, private messages, content inside login-gated pages, or the values of HttpOnly cookies (these are hidden by the browser itself and cannot be read by any extension).
Account data
When you create a Prism account:
- Email address: for authentication and to contact you about your account
- Encrypted password: managed by Supabase Auth; we never see your plain-text password
- Sync token: a randomly generated token stored as a hash, used to authenticate the extension
Consent and preference data
We record your consent decisions: which data collection you agreed to, when, and what version of our consent text was shown. This is a legal requirement under GDPR and is used only for compliance purposes.
Technical data
When you use the dashboard, standard server logs may record your IP address, browser type, and the time of each request. This is used solely for security monitoring and is not linked to your browsing data.
3. Legal basis for processing
Under GDPR, we must have a lawful reason to process your personal data. Here is the basis for each type of processing we carry out:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Collecting browsing data (sessions, URLs, categories) | Consent: Art. 6(1)(a). You explicitly consent to this during onboarding. You can withdraw consent at any time. |
| Storing data in your encrypted wallet | Consent: Art. 6(1)(a). You consent to storage during onboarding. |
| Processing browsing summaries via Claude AI API | Consent: Art. 6(1)(a). You explicitly consent to AI processing during onboarding. Summaries are anonymised before leaving our servers. |
| Account creation and authentication | Contract: Art. 6(1)(b). Necessary to provide the service you have signed up for. |
| Consent records and compliance logging | Legal obligation: Art. 6(1)(c). Required to demonstrate GDPR compliance under the accountability principle (Art. 5(2)). |
| Security monitoring and fraud prevention | Legitimate interests: Art. 6(1)(f). We have a legitimate interest in protecting the security of our systems and users. |
4. How data is stored and protected
Local storage (Chrome extension)
Browsing sessions are first stored in your browser using Chrome's local storage API. This data lives on your device only and does not leave it until you connect the extension to your account and initiate a sync.
Encrypted wallet (Supabase)
When you sync, data is transmitted over HTTPS to your personal wallet hosted on Supabase, a PostgreSQL database service. All tables have Row Level Security (RLS) enabled, which means database-level enforcement that you can only access your own data. No query can return another user's records, even in the event of an application-layer bug.
Wallet PIN encryption
Your data wallet is protected by a PIN you choose. Prism derives an AES-256 encryption key from your PIN using PBKDF2 (100,000 iterations, SHA-256), with your user ID used as a unique salt. This derived key is never stored anywhere, not on your device, not on our servers. Only you, with your PIN, can decrypt your wallet data.
AI processing
When you use the AI assistant, your raw browsing data is never sent to the AI. Our servers first produce an anonymised, aggregated summary (e.g. "top 10 visited domains", "content categories this week") before any call to the Claude API. The summary cannot be used to reconstruct your individual browsing history.
Infrastructure security
All data is transmitted over TLS 1.2 or higher. Supabase infrastructure is hosted on AWS with SOC 2 compliance. Access to the database is restricted to authorised personnel only, and we do not grant third parties direct access to production data.
5. How long we keep your data
| Data type | Retention period |
|---|---|
| Browsing sessions | Until you delete them, or until you delete your account. You can delete individual sessions or all sessions at any time from the dashboard. |
| Cookie and tracker profiles | Until you delete them, or account deletion. |
| AI insights (cached) | 24 hours for daily insights; 12 hours for briefings. Then auto-deleted. |
| Account data (email, auth) | Until you delete your account. After deletion, Supabase purges auth records within 30 days. |
| Consent records | 7 years from the date of consent. This is a legal requirement to demonstrate GDPR compliance. |
| Security/access logs | 90 days, then automatically deleted. |
When you delete your account, we initiate immediate deletion of all your browsing data, wallet profiles, cookie profiles, tracker data, and consent decisions. Consent records themselves are retained for 7 years as required by law. Account deletion is irreversible and takes effect immediately.
6. Your rights
Under GDPR, you have the following rights. You can exercise all of them from within the Prism dashboard, or by emailing prismprivacy@paulojuri.com.
Right to access (Subject Access Request)
You can request a copy of all personal data we hold about you at any time. We will provide this within 30 days. Most of your data is already visible directly in your Prism dashboard.
Right to deletion ("Right to be forgotten")
You can delete any or all of your data at any time: individual browsing sessions, a site's cookie profile, your entire wallet, or your full account. Deletion takes effect immediately. This is available in the dashboard without needing to contact us.
Right to portability
You can export all your data as an encrypted JSON file from the Wallet page in the dashboard. This file is encrypted with your wallet PIN, so only you can read it. You can use this to transfer your data or simply keep a local copy.
Right to object
Where we rely on legitimate interests as our lawful basis (security monitoring), you have the right to object. In most cases, this will mean we cease that processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent
You can withdraw consent for browsing data collection at any time by pausing or disabling the extension, or by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Right to rectification
You can update your email address from within your account settings. If other data we hold about you is inaccurate, contact us and we will correct it.
Right to restrict processing
You can restrict processing at any time by pausing data collection from the extension popup. This stops new data from being collected while preserving your existing wallet.
To exercise any of these rights, email prismprivacy@paulojuri.com. We will respond within 5 working days and fulfil requests within 30 days. We will not charge a fee for reasonable requests.
7. Third party services
Prism uses the following third party services to operate. We have Data Processing Agreements (DPAs) in place with each and have taken steps to ensure they meet GDPR standards.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, and row-level security | Account data, encrypted browsing data, consent records | AWS EU West (Ireland). Data is not transferred outside the EEA without appropriate safeguards. |
| Anthropic (Claude API) | AI assistant: generating insights, briefings, and responses | Anonymised, aggregated summaries only. No raw URLs, no identifiable browsing data, no account data. | United States. Data transfer governed by Standard Contractual Clauses (SCCs) under GDPR Chapter V. |
| Disconnect.me tracker database | Identifying trackers on sites you visit | No data is sent to Disconnect.me. The database is embedded locally inside the extension. No network calls are made. | N/A, runs entirely on your device |
We do not sell your data to any third party. We do not share your data with advertisers or data brokers. We do not use your data for any purpose other than operating the Prism service.
9. Children's data
Prism is not intended for use by anyone under the age of 16. Under GDPR Article 8, individuals under 16 cannot legally provide consent for the processing of their personal data without parental authorisation.
We do not knowingly collect data from anyone under 16. During onboarding, we ask users to confirm they are 16 or over. If you believe a child under 16 has created a Prism account, please contact us at prismprivacy@paulojuri.com and we will delete the account and all associated data immediately.
10. Changes to this policy
We may update this policy as Prism grows and the law changes. If we make significant changes, particularly changes that affect how your data is used, we will notify you by email at least 30 days before they take effect and ask for fresh consent where required.
The "Effective date" at the top of this page will always reflect the most recent version. You can find previous versions at [link to version history].
11. How to make a complaint
If you are unhappy with how we have handled your personal data, please contact us first at prismprivacy@paulojuri.com. We take all complaints seriously and will respond within 5 working days.
If you are not satisfied with our response, or if you believe we are processing your data unlawfully, you have the right to complain to the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)):
- Website: dataprotectionauthority.be