Privacy Policy

Last updated: February 16, 2026

1. Introduction

PRD-AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services (collectively, the "Service").

PRD-AI acts as the data controller for the personal data processed through the Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy applies to all users of the PRD-AI web application, regardless of location.

2. Information We Collect

Account Information

When you sign in via Google or GitHub OAuth, we receive and store:

  • Full name
  • Email address
  • Avatar URL (profile picture)
  • OAuth provider name and provider-specific user ID

Workspace & Content Data

We store the content you create and manage within the Service:

  • Workspace names and configuration settings
  • PRD titles and section content (stored as structured JSONB data)
  • User stories, epics, and acceptance criteria
  • Version history snapshots for change tracking

AI Interaction Data

  • Chat history messages (stored per PRD, per user)
  • AI wizard responses and creation prompts
  • Inline suggestion interactions and feedback

Images & Files

  • Uploaded images (stored in Google Cloud Storage)
  • Imported documents (.md, .docx, .txt formats)

Billing Information

  • Stripe customer ID and subscription ID (stored encrypted)
  • Subscription plan type and billing status
  • Payment card details are handled entirely by Stripe and are never stored on PRD-AI servers

Integration Data

  • GitHub access tokens (stored encrypted), repository and project selections
  • Integration tokens (e.g. GitHub; stored encrypted) where connected
  • Webhook events from connected services

Usage & Analytics Data

  • Page views and feature usage events (opt-in via Google Analytics)
  • Anonymized IP addresses for analytics purposes

Share Link Analytics

  • View count and last viewed timestamp
  • Viewer IP address and user agent string

Technical Data

  • Browser type and version
  • Device information and operating system
  • Referral URLs

Notification Preferences

  • Per-type notification toggles (email, in-app)
  • Read/unread status for notifications

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and operating the Service, including AI-powered PRD creation and editing
  • Processing your PRD content through AI models for generation, refinement, and suggestions
  • Synchronizing your stories and data with connected third-party integrations (e.g. GitHub)
  • Processing subscription payments and managing billing through Stripe
  • Collecting anonymized usage analytics (opt-in only) to improve the Service
  • Sending transactional notifications such as workspace invitations and billing alerts
  • Maintaining security, detecting abuse, and preventing fraud
  • Complying with legal obligations and responding to lawful requests

4. AI Data Processing

When you use AI features (wizard creation, inline suggestions, chat assistant, story generation), your PRD content and chat messages are sent to OpenRouter, which routes requests to your selected large language model (LLM) provider.

AI processing details:

  • You may select from available AI models within the Service
  • Content is processed in real time and is not stored by the AI provider beyond the scope of the individual request
  • PRD-AI does not use your content to train, fine-tune, or improve any AI models
  • AI-generated content is clearly disclosed within the user interface
  • Only the content necessary for the specific AI operation is transmitted (e.g., relevant PRD sections, not your entire account data)

5. Third-Party Service Providers

We share data with the following third-party providers as necessary to operate the Service:

  • Google — OAuth authentication, Google Analytics (opt-in), Google Cloud Storage (file hosting), Cloud SQL (database infrastructure)
  • GitHub — OAuth authentication, GitHub Projects integration for syncing stories to issues
  • Integrations — OAuth authentication (e.g. GitHub) for syncing stories to external tools
  • Stripe — Payment processing, subscription management, and billing
  • OpenRouter — LLM/AI processing for PRD generation, refinement, suggestions, and chat

Each provider processes data in accordance with their own privacy policies. We encourage you to review the privacy policies of these providers.

6. Cookies & Tracking Technologies

We use cookies and similar technologies as follows:

Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled:

  • Session cookie — maintains your authenticated session
  • CSRF token — protects against cross-site request forgery attacks
  • Cookie consent storage — remembers your cookie preferences

Analytics Cookies (Opt-In Only)

These cookies are only set if you explicitly consent to analytics:

  • _ga — Google Analytics client identifier
  • _ga_* — Google Analytics session tracking
  • _gid — Google Analytics daily unique visitor identifier

We do not use marketing or advertising cookies. We honor Do Not Track (DNT) browser signals. You can manage your cookie preferences through the cookie consent banner or your browser settings at any time.

7. Data Storage & Security

We implement comprehensive technical and organizational measures to protect your data:

  • Infrastructure hosted on Google Cloud Platform
  • All data transmitted over TLS 1.3 encryption
  • Data encrypted at rest using industry-standard encryption
  • Application-level encryption for sensitive tokens (OAuth tokens, Stripe IDs)
  • Virtual Private Cloud (VPC) network isolation
  • Parameterized database queries to prevent SQL injection
  • Content Security Policy (CSP) headers to prevent XSS attacks
  • CSRF protection on all state-changing requests
  • Rate limiting on API endpoints to prevent abuse

While we implement strong security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Data Retention

We retain your data according to the following schedule:

  • User accounts — retained until you delete your account
  • Soft-deleted PRDs — retained for 30 days, then permanently purged
  • Version history — 30 days on the Free tier; unlimited on the Paid tier
  • Chat history — retained until the associated PRD is deleted
  • Audit logs — retained for 90 days
  • Database backups — retained for 7 days on a rolling basis
  • Webhook events — processed upon receipt and retained for deduplication purposes

When you delete your account, your data enters a 30-day soft-delete period for recovery purposes, after which it is permanently purged from all systems.

9. Data Sharing & Disclosure

We share your data only in the following circumstances:

  • With the third-party service providers listed in Section 5, solely as necessary to operate the Service
  • When required by law, regulation, legal process, or governmental request
  • To protect the rights, property, or safety of PRD-AI, our users, or the public
  • In connection with a merger, acquisition, or sale of assets, in which case you will be notified

We do not sell your personal data to third parties. We do not share your data with advertisers or data brokers.

10. International Data Transfers

Your data is hosted on Google Cloud Platform infrastructure. Data may be processed in jurisdictions outside your country of residence. When transferring data internationally, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, and we ensure that our third-party providers maintain equivalent data protection standards.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access — You may request a copy of the personal data we hold about you.
  • Right to Rectification — You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure — You may request deletion of your personal data. We will process erasure requests within 30 days.
  • Right to Data Portability — You may request your data in a structured, machine-readable format (JSON export available through account settings).
  • Right to Restriction — You may request that we restrict processing of your personal data under certain circumstances.
  • Right to Object — You may object to processing of your personal data for specific purposes.
  • Automated Decision-Making — AI features in the Service provide suggestions and generated content. These are assistive tools and do not make automated decisions with legal or similarly significant effects.
  • Right to Withdraw Consent — Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, visit your User Settings page or contact us at privacy@prd-ai.xyz. You also have the right to lodge a complaint with your local data protection supervisory authority.

12. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the third parties with whom we share it.
  • Right to Delete — You may request deletion of your personal information. We will process deletion requests within 30 days.
  • Right to Opt-Out of Sale — We do not sell your personal information. No opt-out action is required.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, contact us at privacy@prd-ai.xyz.

13. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@prd-ai.xyz.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' prior notice via the email address associated with your account. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@prd-ai.xyz. For data protection inquiries, including exercising your rights under GDPR or CCPA, please use the same email address and include "Data Protection Inquiry" in the subject line.