We collect almost nothing.

Last updated · 2026-05-09

The honest version: this is a static prompt library with a small backend that handles payments and member sign-in. There's no analytics tracker, no marketing email list, no behavioral profile. The only personal data we touch is the email you give Stripe at checkout and a Stripe session ID we use to validate your purchase.

What we collect

Data	When	Why	Where it lives
Your email address	At Stripe checkout (you provide it)	To send you a one-tap magic link to your member dashboard, and to email you about quarterly library updates	Our SQLite database on Fly.io (London region) + Resend (transactional email provider)
Your tier (e.g., "pack", "agents", "suite")	At Stripe checkout	To unlock the right content on your dashboard	Our SQLite database on Fly.io (London region)
Your discipline choice (Single Pack only)	At Stripe checkout (you pick from the modal)	To unlock the right discipline's prompts on your dashboard	Our SQLite database on Fly.io (London region)
Stripe session ID	At Stripe checkout	To verify your purchase if there's a billing dispute	Our SQLite database on Fly.io (London region)
Payment details (card number, address, etc.)	At checkout	To process payment	Stripe — never touches our servers

What we don't collect

No web analytics. No Google Analytics, no Plausible, no Fathom, no Cloudflare Analytics. We have no idea which pages you read or how long you spent.
No tracking pixels in emails. Resend has open-tracking off for our domain. We don't know if you opened our magic-link email.
No marketing email list. You'll only receive emails about the product you bought (magic link, quarterly updates if you bought the Suite, important policy changes).
No data shared with third parties beyond the processors listed above (Stripe, Resend, Fly.io, Cloudflare — see "Sub-processors" below).
No content you generate with the prompts. The prompts run inside your own Claude account. We never see what you type into Claude or what Claude generates back. Anthropic processes that — see Anthropic's privacy policy.

Sub-processors

The third parties we rely on to run the service:

Stripe (payment processing) — privacy
Resend (transactional email — magic links, update notifications) — privacy
Fly.io (backend hosting in London) — privacy
Cloudflare (frontend hosting + DNS) — privacy

For B2B / Enterprise buyers A signed GDPR Data Processing Agreement (DPA) is available on request for any tier. Email hello@marketingprompthub.com with your company name and we'll send a countersigned DPA within 2 business days. Standard SCCs apply for any cross-border transfer to sub-processors based outside the EEA. Our full security posture is documented at /security.

Sub-processor change notification

If we add or replace a sub-processor that processes personal data, we will notify all paying customers by email at least 30 days in advance. You may object to the change. If we cannot accommodate your objection, you have the right to a pro-rata refund of any unused subscription period.

Breach notification

If we discover a personal-data breach affecting your account, we will notify you by email within 72 hours of becoming aware, in line with GDPR Article 33. The notification will include: the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking to mitigate. We will also notify the relevant supervisory authority (Autoriteit Persoonsgegevens in the Netherlands) within the same window.

Your rights (GDPR / CCPA)

You have the right to:

Access the data we hold about you (which is just your email, tier, discipline, and Stripe session ID)
Delete your data — email us and we'll wipe your record from our database within 7 days. Note that deletion will revoke your access to the member dashboard, since that's how we authenticate you. (You'll keep the files you've downloaded.)
Export your data in machine-readable form
Object to processing or restrict it
Lodge a complaint with your local data protection authority

For any of these, email hello@marketingprompthub.com from the address on file. We respond within 7 days and complete the request within 30 days, often much faster.

Cookies

We use one cookie-equivalent: a localStorage entry on your device that holds your member-session token, your tier, and your email after you sign in. It lasts 30 days. We never read it server-side except when you make an API request. There are no third-party cookies on the site.

Data retention

We retain your account record (email, tier, discipline, Stripe session ID) for as long as you have an active license — that's the only way to authenticate you back into your member dashboard. The retention rationale is operational, not analytical: we never use the data for behavioral profiling, ML training, or any secondary purpose.

You can request deletion at any time and we wipe within 7 days. If you've been inactive (no sign-in) for 5 years, we may delete your record proactively after notifying you by email — that's a calibration toward minimization, not a guarantee. Stripe retains transaction records for the period legally required (typically 7-10 years for tax and chargeback purposes); we cannot delete those.

Security

The backend runs on Fly.io with HTTPS-only access. Magic-link tokens expire after 30 minutes and are single-use. Session tokens are signed with itsdangerous (constant-time signature verification) and expire after 30 days. Stripe webhook payloads are signature-verified before any user record is created. We do not store payment information ourselves.

Children

The product is not directed at people under 16. We do not knowingly collect data from anyone under 16.

Changes

If we materially change what data we collect or how we process it, we'll email every paying user. Continued use means you accept the updated policy.

Contact

Privacy questions, DPA requests, deletion requests, complaints: hello@marketingprompthub.com. The data controller is Zara Walker, operating Marketing Prompt Hub as a sole proprietor in the Netherlands.

← back to the hub