🇪🇺 GDPR Compliant · EU AI Act Aligned
Privacy Policy
Last updated: March 2025 · Next review: June 2025 · Version 1.0
EU Data Protection Commitment
PromptWall is built and operated by NullVector Ltd, registered in Cork, Ireland. We are subject to the General Data Protection Regulation (GDPR) and the EU AI Act. Your data is processed lawfully, fairly, and transparently. We do not sell your data. We do not share it with advertisers. We collect only what we need to provide the service.
01 Who We Are
PromptWall is an AI agent security platform operated by NullVector Ltd, Cork, Ireland. We provide AI-powered security scanning, red team testing, and permission auditing for AI agents.
For data protection purposes, NullVector Ltd is the Data Controller. Contact us at: [email protected]
02 What Data We Collect
| Data Type | What It Is | Why We Collect It | Legal Basis |
| --- | --- | --- | --- |
| Email address | Your email when you sign up or join the waitlist | Account creation, product updates, security alerts | Contract performance / Legitimate interest |
| Name & company | Optional fields on signup | Personalisation of your dashboard | Consent |
| Scan content | Agent system prompts you submit for scanning | Performing the security analysis you requested | Contract performance |
| Scan results | Vulnerability findings generated by PromptWall | Displaying results in your dashboard | Contract performance |
| Usage data | Number of scans run, features used, timestamps | Product improvement, plan enforcement | Legitimate interest |
| Technical data | Browser type, IP address, device type | Security monitoring, fraud prevention | Legitimate interest |
Important: We do not store the full content of your AI agent system prompts beyond the duration of your scan session unless you explicitly save them to your account. Scan results are stored in your browser's local storage by default.
03 What We Do NOT Collect
- We do not collect or store your Anthropic API key – it exists in your browser memory only and is never transmitted to our servers
- We do not collect payment card details – all billing is handled by Stripe under their own privacy policy
- We do not use tracking cookies for advertising purposes
- We do not sell, rent, or trade your personal data to any third party
- We do not use your scan data to train AI models
04 How We Use Your Data
We use your data solely to provide and improve the PromptWall service:
- To create and manage your account
- To perform AI security scans on agents you submit
- To generate and display your scan history and reports
- To send you security alerts and product updates you have opted into
- To enforce fair usage limits on your plan
- To comply with our legal obligations under EU law
05 EU AI Act Compliance
PromptWall uses AI to analyse AI agent system prompts and identify security vulnerabilities. Under the EU AI Act, our system is classified as a limited risk AI system. We comply with all applicable transparency, documentation, and human oversight requirements.
Specifically under the EU AI Act we:
- Maintain technical documentation of our AI analysis methodology
- Ensure human oversight – all findings are recommendations that require human review before action
- Do not make automated decisions with legal or similarly significant effects
- Retain audit logs of AI-generated outputs for the legally required period
- Disclose clearly when content has been AI-generated
06 Data Sharing
We share your data only in the following limited circumstances:
| Recipient | Purpose | Location |
| --- | --- | --- |
| Anthropic | AI analysis processing (your scan content is sent to the Claude API) | United States – Standard Contractual Clauses apply |
| Netlify | Website hosting and delivery | EU region selected |
| Railway | Backend server hosting | EU region selected |
| Legal authorities | If required by law or court order | Ireland / EU |
Note on Anthropic: When you run a scan, your agent's system prompt is sent to Anthropic's Claude API for analysis. This transfer is covered by Standard Contractual Clauses. Anthropic's privacy policy applies to this processing. We recommend you do not submit system prompts containing personal data of third parties.
07 Data Retention
We retain your data for the following periods:
- Account data – for the duration of your account plus 90 days after deletion request
- Scan results – 12 months from the date of the scan, or until you delete them
- Billing records – 7 years as required by Irish tax law
- Security logs – 90 days for fraud prevention purposes
- EU AI Act audit logs – 10 years as required by Article 12 of the EU AI Act
08 Your Rights Under GDPR
As an EU resident you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you at any time.
Right to Rectification
Correct any inaccurate or incomplete personal data we hold.
Right to Erasure
Request deletion of your personal data – "right to be forgotten."
Right to Portability
Receive your data in a machine-readable format to transfer elsewhere.
Right to Object
Object to processing based on legitimate interests at any time.
Right to Restrict
Request we limit how we process your data in certain circumstances.
To exercise any of these rights email us at [email protected] with the subject line "GDPR Request". We will respond within 30 days.
You also have the right to lodge a complaint with the Data Protection Commission Ireland at dataprotection.ie if you believe we have handled your data improperly.
09 Cookies
We use only essential cookies required to operate the service:
- Session cookie – keeps you logged in during your browser session
- Security cookie – prevents cross-site request forgery attacks
We do not use advertising cookies, tracking pixels, or third-party analytics that share data with advertisers. We use privacy-focused analytics only.
10 Security
We take the security of your data seriously – it is literally our business. We implement:
- TLS encryption for all data in transit
- Encryption at rest for all stored personal data
- Access controls limiting who within NullVector can access your data
- Regular security reviews of our own infrastructure using PromptWall
- Incident response procedures in line with GDPR Article 33 breach notification requirements
11 Changes To This Policy
We may update this Privacy Policy from time to time. When we make significant changes we will notify you by email and update the "Last updated" date at the top of this page. Continued use of PromptWall after changes constitutes acceptance of the updated policy.