Privacy Policy
The short version
- The free composer keeps everything on your device. No account, no analytics, no tracking. Your drafts live in your browser's localStorage; share links are encoded in the URL. The only third-party request the free page makes is loading fonts from Google Fonts.
- Pro adds an account, so it stores a little. Your email (for sign-in), your subscription status (for billing), and your encrypted AI-provider API keys plus your Orchestra drafts.
- We never store the prompts you run through AI Eval or AI Help, and we don't train anything on them. Your prompt goes straight from our server to the AI provider you chose, using your key. We keep only a one-way hash of it to count usage against your daily limit.
- You can see, export, or delete your data by emailing us (see Contact).
1. Who we are
The service is operated by Philip Terry (operating as "phbeks") ("phbeks", "we", "us"). You can reach us at support@phbeks.com.
The free composer is open-source (MIT) and runs entirely in your browser. The Pro app is a hosted, account-based product. This policy covers both.
2. What we collect, and why
Free composer (prompt.phbeks.com)
We collect nothing server-side. We set no analytics or advertising cookies and run no trackers.
| Stays on your device | Why |
|---|---|
| Your drafts and settings (localStorage) | So your work persists between visits |
| Share links (URL fragment) | Browsers never transmit the #fragment to a server |
The only external request is to Google Fonts (fonts.googleapis.com / fonts.gstatic.com) to load typefaces; Google may log the request IP per its own policy.
Pro app (app.prompt.phbeks.com)
To run an account-based product we process the following, each through a named sub-processor (§4):
| Data | Purpose | Where it lives |
|---|---|---|
| Account email + authentication data | Sign-in, account security | Clerk |
| Subscription status, billing events (we never receive your full card number) | Process your Pro subscription (monthly or annual) | Stripe |
| Your AI-provider API keys (encrypted — see §3) and your Orchestra drafts | Run evals on your behalf; sync your work across devices | Supabase (our Postgres database) |
| Per-run metadata for both AI Eval and AI Help: a SHA-256 hash of the prompt, token counts, timestamp, chosen provider/model | Enforce the daily rate limit and show your usage — we do not store the prompt text, your AI Help chat messages, or the model's response | Supabase |
| Standard server/request logs (IP, user agent, timestamps) | Operate and secure the service | Vercel (hosting) |
3. Your AI-provider API keys (BYOK)
AI Eval and AI Help are bring-your-own-key: you paste your own Anthropic, OpenAI, Google, xAI, NVIDIA, OpenRouter, or DeepSeek API key.
- At rest, your key is encrypted with AES-256-GCM envelope encryption before it touches our database. The plaintext key is never written to disk in the clear.
- In use, it is decrypted server-side only at the moment you run an eval or use AI Help, used to call the provider, and discarded from memory. It is never logged.
- When you run an eval or use AI Help, your prompt — and, for AI Help, your chat messages plus our help knowledge base — is sent directly from our server to the AI provider you selected, authenticated with your key. That request, and what the provider does with it, is governed by your own agreement with that provider, not by us.
Providers' data-retention and training policies differ, so review the policy for the provider you choose before sending sensitive content:
- Anthropic — Commercial Terms & Privacy · Is my data used for training?
- OpenAI — API data controls · How your data is used
- Google — Gemini API Terms
- xAI (Grok) — Privacy Policy
- NVIDIA (NIM) — Privacy Policy
- OpenRouter — Privacy Policy
- DeepSeek — Privacy Policy
- Where your prompt is processed, and whether it may be retained or used for training, depends on the provider you pick. Some providers process data outside your own jurisdiction — for example, DeepSeek is operated by a company in the People's Republic of China and stores data there, and OpenRouter is an aggregator that forwards your prompt to an upstream model that may be hosted anywhere; some of its free model variants (and any logging you opt into) permit the prompt to be logged or used for training. If data residency or training use matters to you, choose a provider and model accordingly and check that provider's settings.
- You can delete a stored key at any time from Account → Manage API keys; deletion is immediate.
4. Sub-processors
We rely on these third parties to run the Pro app. We share only the minimum data each needs.
| Sub-processor | What it handles | Policies |
|---|---|---|
| Clerk | Authentication, account email | Privacy · DPA |
| Stripe | Subscription billing & payments | Privacy · DPA |
| Supabase | Database (encrypted keys, drafts, usage metadata) | Privacy · DPA |
| Vercel | Hosting, CDN, request logs | Privacy |
| Google Fonts | Web fonts (both sites) | Privacy |
The AI provider(s) you choose under BYOK are not our sub-processors — you contract with them directly, and your prompt reaches them on your own key. See §3.
5. Cookies & local storage
- Free site: uses localStorage for your drafts and sets no cookies of its own. If you're signed in to the Pro app, the shared ph_signed_in flag described below may also be visible on this domain — it's scoped to .phbeks.com so the free site can offer to take you into the Pro app. No analytics, no trackers.
- Pro app: we set only the cookies needed to keep you signed in — never any advertising or analytics cookies:
  - Clerk session & client-state cookies (e.g. __session and __client_uat) on .phbeks.com, which authenticate you and keep you signed in across prompt.phbeks.com and app.prompt.phbeks.com.
  - ph_signed_in on .phbeks.com — a first-party flag we set that holds only the value 1 (no identity, no tracking), so the static free site can tell you're signed in and route you to the Pro app. It expires after about 30 days.
- We run no analytics or product-metrics tooling at all — no Vercel Web Analytics, no Vercel Speed Insights, no Google Analytics, and no third-party tracking pixels — and therefore set no advertising or analytics cookies.
6. How long we keep data
- Account data (email): for as long as your account exists.
- API keys & Orchestra drafts: until you delete them or close your account.
- AI Eval and AI Help usage metadata (hash, counts): kept as an append-only log for the life of your account (only the current day's entries count toward your daily limit), and deleted when you delete your account.
- On account deletion: deleting your account removes your user record and cascades to your encrypted API keys, Orchestra drafts, and eval usage log. Billing records retained by Stripe are kept as required by law/accounting.
7. Your rights
You can access, export, correct, or delete your data. Many actions are self-service: manage keys under Account → Manage API keys, and manage or cancel billing via the Stripe customer portal under Account. For anything else — including a full export or account deletion — email us and we'll handle it within a reasonable time.
Depending on where you live (e.g., the EU/UK under GDPR, or California under the CCPA/CPRA), you may have additional rights such as objecting to processing or lodging a complaint with a regulator. We honor these requests regardless of location.
8. Security
Keys are encrypted at rest (AES-256-GCM); all traffic is served over HTTPS/TLS. No system is perfectly secure, but we keep the attack surface small: we never store your prompts, never log your keys, and route inference straight to your chosen provider. To report a vulnerability, see Contact.
9. Children
The Pro app is not intended for anyone under 18. We don't knowingly collect data from children.
10. International users
We're based in the United States and our sub-processors may process data in the US and elsewhere. By using the Pro app you understand your data may be processed in the US.
11. Changes to this policy
We'll update the "Last updated" date above when this policy changes and, for material changes, give notice in-app or by email.
12. Contact
Questions, data requests, or privacy concerns:
support@phbeks.com — see also our Contact and Terms pages.