Privacy Policy

This policy explains what data Prizvox (operated by Chalk Theory Labs LLP) collects, how we use it, who we share it with, and what rights you have. Questions: privacy@prizvox.com.

01Who we are

Prizvox is a product of Chalk Theory Labs LLP, a limited liability partnership registered in India. When this policy refers to "we", "us", or "Chalk Theory Labs LLP", it means the entity operating Prizvox. Our primary contact is privacy@prizvox.com.

We are the data controller for the personal data described in this policy.

02What data we collect

Account data

When you create an account, we collect your email address and a hashed version of your password. We never store your password in plain text.

Client and audit data

When you add a client or run an audit, we store: the URL submitted, the client name, the full audit result (scores, findings, fix recommendations), and any keywords, notes, or fix statuses you add.

Usage data

We log standard server-side request data including IP address, browser type, and timestamps. This is used for rate limiting (10 audits per hour per IP), security monitoring, and debugging.

Email addresses you provide

If you configure a score-drop alert email or use the email-report feature, we store that address to send the notification. We do not add these addresses to any marketing list.

Payment data

We do not store payment card data. Payments are processed by Stripe (PCI-DSS compliant). We receive only a confirmation of payment status.

03How we use your data

Provide the Prizvox platform: run audits, store results, and display them to you
Send audit reports and score-drop alerts you have explicitly requested
Prevent abuse of the audit endpoint (rate limiting by IP)
Debug errors and monitor stability via Sentry error tracking
Improve the product based on aggregate, anonymised usage patterns

We do not sell your data. We do not use your audit data to train AI models. We do not profile you for advertising.

04Third parties we use

Running Prizvox requires us to pass data to the following services. All are contractually obligated to process your data only as instructed by us.

Service	Purpose	Data shared
Supabase	PostgreSQL database + PDF file storage	All account, client, and audit data
Fly.io	Server compute (backend API and Celery workers)	All data processed during audit execution
Upstash Redis	Job queue and short-term result caching	Audit job payloads and results (TTL: 24h)
Vercel	Frontend hosting (Next.js)	Page request metadata (no personal data stored)
Google PageSpeed Insights API	Lighthouse performance + CWV data	The URL you submit for audit
Google Chrome UX Report API	Real-user field data for audited URLs	The URL you submit for audit
Google Gemini API	AI-generated fix recommendations and executive summaries	Audit findings (no personal data; audit URL only)
RapidAPI / Moz	Domain Authority and Page Authority scores	The domain of the URL you submit
SerpApi	Keyword position data (Google rankings)	Keywords you add per client
Open PageRank	Free domain rank signal	The domain of the URL you submit
Sentry	Error tracking and crash reporting	Error stack traces (no personal data)
Stripe	Payment processing	Email address; payment handled by Stripe directly

When you run a GEO audit, the URL and brand context are sent to AI platforms (currently Gemini, and optionally ChatGPT, Claude, and Perplexity when API keys are configured). Only the URL and brand keywords are shared, not personal data.

05Data retention

We retain your account data for as long as your account is active. Audit results are retained indefinitely so you can access your history.

If you delete your account, we delete all associated client, audit, and keyword data within 30 days. Backup copies may persist for up to 90 days for disaster recovery purposes.

06Cookies and local storage

prizvox_logged_in: set when you sign in; tells the app you are authenticated
prizvox_onboarding: set when you complete onboarding; prevents repeat onboarding screens

We also use localStorage to store your dark/light mode preference. This never leaves your device.

We do not use third-party tracking cookies, Google Analytics, or any advertising pixel.

07Your rights (GDPR / UK GDPR)

Access: request a copy of all personal data we hold about you
Correction: ask us to correct inaccurate data
Deletion: ask us to delete your account and all associated data
Portability: ask for your data in a machine-readable format
Objection: object to processing based on legitimate interests
Restriction: ask us to pause processing while a dispute is resolved

To exercise any of these rights, email privacy@prizvox.com. We will respond within 30 days.

You also have the right to lodge a complaint with the ICO (ico.org.uk).

08Data transfers outside the UK / EU

Some of our third-party providers, including Fly.io, Vercel, Upstash, and SerpApi, may process data on servers outside the UK and EU. Where this happens, we rely on the EU–US Data Privacy Framework, Standard Contractual Clauses, or the provider's adequacy certification.

Supabase offers a EU-region option. We currently use the Southeast Asia region for performance reasons. If you need EU-only data residency, contact us to talk through your options.

09Security

Passwords are hashed using bcrypt before storage. All data in transit is encrypted via TLS. Our backend infrastructure on Fly.io is not publicly accessible except through the defined API endpoints.

If you discover a vulnerability, please disclose it to security@prizvox.com.

10Children

Prizvox is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11Changes to this policy

If we make significant changes, we'll notify you by email and update the date at the top of this page. Carrying on using Prizvox after that date means you accept the updated policy.

12Contact

Questions about this policy or your data: privacy@prizvox.com

Response time: within 2 business days.