Privacy Policy

Last Updated: January 20, 2025

Effective Date: January 20, 2025

Introduction

PRPM ("we", "us", or "our") operates https://prpm.dev (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using PRPM, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

Account Information:

GitHub username (from OAuth)

Email address (from GitHub)

Display name

Avatar URL

Organization affiliations

Package Content:

Package source code and metadata

Package descriptions and documentation

README files and examples

Tags, categories, and classifications

Payment Information (for paid plans):

Billing name and address

Payment method details (processed by Stripe, not stored by us)

Transaction history

Tax information (where applicable)

Support Communications:

Support ticket content

Email correspondence

Feedback and survey responses

1.2 Information Automatically Collected

Usage Data:

Package installs and downloads

Search queries

CLI command usage

Web page views

Feature usage patterns

Session duration and frequency

Technical Data:

IP address

Browser type and version

Operating system

Device type

CLI version

Referral source

Timestamps

Analytics:

Aggregate usage statistics

Performance metrics

Error logs and crash reports

1.3 Information from Third Parties

GitHub:

Public profile information

Email addresses

Repository information (if you link packages)

Organization memberships

Payment Processors:

Payment confirmation

Subscription status

Billing events

2. How We Use Your Information

We use collected information for:

2.1 Service Delivery

Creating and managing your account

Authenticating your identity

Hosting and distributing packages

Processing package installations

Converting package formats

Providing search and discovery features

2.2 Service Improvement

Analyzing usage patterns

Identifying bugs and issues

Developing new features

Optimizing performance

A/B testing new functionality

2.3 Communication

Service updates and announcements

Security alerts

Billing notifications

Marketing emails (opt-out available)

Support responses

Feature release notifications

2.4 Business Operations

Processing payments

Preventing fraud and abuse

Enforcing Terms of Service

Complying with legal obligations

Resolving disputes

Maintaining security

2.5 Analytics and Research

Understanding user behavior

Measuring package popularity

Generating usage reports

Creating aggregated, anonymized statistics

Publishing public metrics (e.g., "Top 10 packages")

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process data under the following legal bases:

Contract Performance: Processing necessary to provide the Service

Legitimate Interests: Improving our Service, preventing fraud, ensuring security

Consent: Marketing communications (with opt-out)

Legal Obligations: Tax reporting, law enforcement requests

You have the right to object to processing based on legitimate interests.

4. How We Share Your Information

We do NOT sell your personal information. We share data only in these circumstances:

4.1 Public Information

Publicly Visible by Default:

Username

Public package content

Package metadata (description, tags, categories)

Download counts

Public comments or reviews

Verified badge status

You can control visibility through privacy settings.

4.2 Service Providers

We share data with third parties who provide services on our behalf:

Infrastructure Providers:

AWS (hosting, storage, CDN)

CloudFlare (DDoS protection, CDN)

Authentication:

GitHub (OAuth login)

Payment Processing:

Stripe (payment processing, PCI compliance)

Analytics:

Plausible Analytics (privacy-focused, GDPR compliant, no cookies)

Support:

Email service provider (transactional emails)

All service providers are bound by confidentiality agreements and data processing addendums.

4.3 Business Transfers

If PRPM is acquired, merged, or sold, your information may be transferred to the new owner. You'll be notified via email.

4.4 Legal Requirements

We may disclose information if required by law:

Court orders or subpoenas

Legal investigations

National security requests

Protection of rights and safety

We will notify you unless prohibited by law.

4.5 Aggregated Data

We may share aggregated, anonymized data publicly or with partners:

"50,000 packages installed this month"

"Top 10 most popular packages"

Usage trends and statistics

This data cannot identify individual users.

5. Data Retention

We retain information for as long as necessary to provide the Service and comply with legal obligations:

| Data Type | Retention Period |

|-----------|-----------------|

| Account information | Account lifetime + 30 days after deletion |

| Public packages | Indefinitely (unless unpublished) |

| Private packages | Subscription lifetime + 30 days |

| Usage logs | 90 days |

| Analytics data | 24 months (aggregated) |

| Billing records | 7 years (tax requirement) |

| Support tickets | 3 years |

| Marketing emails | Until opt-out + 30 days |

After retention periods, data is permanently deleted or anonymized.

6. Your Rights and Choices

6.1 Access and Portability

View your data: Account settings page

Export your data: Download all packages and metadata in JSON format

Request: Email privacy@prpm.dev for complete data export

6.2 Correction

Update account info: Account settings

Correct package data: Republish or update packages

Request correction: Email privacy@prpm.dev

6.3 Deletion

Delete packages: `prpm unpublish `

Delete account: Account settings → Delete Account

Request deletion: Email privacy@prpm.dev

Note: Deletion may not affect:

Aggregated statistics

Cached copies (cleared within 30 days)

Backups (overwritten within 90 days)

Legal retention requirements

6.4 Opt-Out

Marketing Emails:

Unsubscribe link in every marketing email

Account settings → Email Preferences

Email privacy@prpm.dev

Analytics:

We use Plausible Analytics (privacy-focused, no cookies)

No opt-out needed (already privacy-preserving)

Do Not Track: We honor browser DNT signals where feasible.

6.5 Restrict Processing

Request limited processing (e.g., storage only) by emailing privacy@prpm.dev

6.6 Object to Processing

Object to processing based on legitimate interests

Email privacy@prpm.dev with your objection

6.7 Withdraw Consent

For marketing: Unsubscribe or update email preferences

For Service use: Delete your account (Service requires consent to operate)

6.8 Complain to Regulator

EU residents can file complaints with their local data protection authority.

7. Data Security

7.1 Security Measures

We implement industry-standard security practices:

Technical Safeguards:

TLS/SSL encryption in transit (HTTPS)

Encryption at rest (database, S3)

Secure authentication (OAuth, JWT tokens)

Regular security audits

Automated vulnerability scanning

DDoS protection (CloudFlare)

Access Controls:

Role-based access control (RBAC)

Principle of least privilege

Multi-factor authentication (for staff)

Audit logging

Operational Security:

Security training for employees

Incident response plan

Regular backups

Penetration testing (annually)

7.2 Data Breach Notification

In the event of a data breach affecting personal information:

We'll notify affected users within 72 hours

We'll notify regulators where required by law

We'll provide details on data affected and remediation steps

7.3 Limitations

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for:

Keeping your credentials confidential

Using strong passwords

Securing your devices

Reporting suspicious activity

8. International Data Transfers

8.1 Data Storage

PRPM servers are located in the United States (AWS us-east-1 region).

8.2 EU-US Data Transfers

For EU users, we comply with GDPR through:

Standard Contractual Clauses (SCCs) with service providers

Data Processing Addendum (DPA) available upon request

Privacy Shield (where applicable)

8.3 Your Consent

By using the Service, you consent to the transfer of your information to the United States.

9. Children's Privacy

PRPM is not intended for users under 13 years old (16 in the EU).

We do not knowingly collect data from children

If you believe a child has provided information, contact privacy@prpm.dev

We will delete children's data upon discovery

10. Cookies and Tracking

10.1 Cookies We Use

Essential Cookies (required for Service operation):

Authentication tokens (JWT)

Session management

CSRF protection

Analytics Cookies (privacy-preserving):

Plausible Analytics (no personal data, GDPR compliant)

No third-party advertising cookies

10.2 Cookie Control

Essential cookies cannot be disabled (Service won't function)

Clear cookies via browser settings

We don't use tracking cookies for advertising

10.3 Third-Party Cookies

GitHub OAuth may set cookies

Stripe may set cookies during payment

See their privacy policies for details

11. Third-Party Links

The Service may contain links to third-party websites:

We're not responsible for their privacy practices

Review their privacy policies before providing information

Examples: GitHub repositories, package documentation URLs

12. California Privacy Rights (CCPA)

California residents have additional rights under CCPA:

12.1 Right to Know

Categories of personal information collected

Sources of personal information

Business purposes for collection

Categories of third parties with whom we share data

12.2 Right to Delete

Request deletion of personal information

Subject to legal retention requirements

12.3 Right to Opt-Out

We do NOT sell personal information

No opt-out needed

12.4 Right to Non-Discrimination

We won't discriminate against you for exercising CCPA rights

12.5 Exercising Rights

Email privacy@prpm.dev

We'll verify your identity before processing requests

We'll respond within 45 days

13. Business Customers (B2B)

For organizations using Team, Business, or Enterprise plans:

13.1 Your Responsibilities

You are the data controller for your team members

You must obtain consent from team members

You must provide privacy notices to team members

You determine purposes and means of processing

13.2 Our Responsibilities

We are the data processor

We process data per your instructions (Terms of Service)

We implement security measures

We provide Data Processing Addendum (DPA)

13.3 Data Processing Addendum (DPA)

Required for GDPR compliance

Available at: [DPA_LINK]

Auto-accepted when you create an organization

Custom DPA available for Enterprise

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time:

Material changes: 30 days notice via email

Non-material changes: Effective immediately

"Last Updated" date always current

14.2 Notification

Email to registered address

Banner on website

Notification in CLI (for major changes)

14.3 Continued Use

Continued use after changes constitutes acceptance.

14.4 Version History

Previous versions: https://github.com/[org]/prompt-package-manager/docs/legal/PRIVACY_POLICY.md

15. Contact Us

15.1 Privacy Questions

Email: privacy@prpm.dev

15.2 Data Protection Officer (DPO)

For GDPR inquiries: dpo@prpm.dev

15.3 Mailing Address

[Your Company Name]

[Street Address]

[City, State ZIP]

[Country]

15.4 Response Time

We aim to respond to privacy requests within 30 days (or sooner as required by law).

---

Appendix: Data Collection Summary

|----------------|---------|-------------|-----------|

---

Questions? Contact privacy@prpm.dev

Last reviewed: January 20, 2025