Privacy policy
Last updated: May 2026
1. Controller
The data controller responsible for processing personal data on prudos.ai is:
Registered at Amtsgericht Charlottenburg, HRB 287568 B
Berlin, Germany
hello@prudos.ai
2. Personal data we collect and why
The table below lists every category of personal data processed on prudos.ai, the purpose and legal basis for each, and how long it is retained.
| Data category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Workspace authentication via one-time magic link. Not used for marketing without separate consent. | Art. 6(1)(b) — performance of a contract | Until account deletion, then within 30 days |
| Session token | Maintains authenticated state across requests. Stored in an HTTP-only cookie; not accessible to client-side scripts. | Art. 6(1)(b) — performance of a contract | Expires within 7 days or on sign-out |
| Workspace data | Shortlists, comparison sets, and exports created by authenticated users. Stored in your account only; not shared with third parties or used for any purpose beyond delivering the service. | Art. 6(1)(b) — performance of a contract | Until account deletion, then within 30 days |
| Analytics data | Aggregated, anonymised usage metrics — page views, referrer, browser type. Collected without cookies and without cross-site tracking. No personal data leaves the EU. No individual user is identifiable from this data. | Art. 6(1)(f) — legitimate interest in understanding product usage, balanced against the absence of any privacy intrusion given full anonymisation | No personal retention — data is anonymous at source |
| Newsletter subscription | Delivery of the Prudos newsletter to subscribers who have opted in. Unsubscribe link included in every issue. | Art. 6(1)(a) — consent | Until you unsubscribe, then promptly deleted |
| Actify booking enquiry | Name, company, role, email address, and optional notes submitted through the Actify booking form. Used solely to respond to the enquiry and, if an engagement follows, to conduct it. | Art. 6(1)(b) — steps taken at the data subject's request prior to entering a contract | 12 months from enquiry if no engagement follows; duration of engagement plus 3 years if it does |
3. Cookies
prudos.ai does not use advertising cookies, tracking cookies, or any third-party cookies. One first-party session cookie is set when you authenticate with the workspace. It maintains your signed-in state, carries the HTTP-only flag to prevent client-side access, and is deleted when you sign out or after 7 days, whichever comes first.
The analytics service used on prudos.ai is cookieless by design. No consent banner is required for analytics on this site.
4. Sub-processors
Prudos engages third-party processors in the categories below. Each processes personal data only on documented instructions and under a data processing agreement compliant with Article 28 GDPR. Where a processor is based outside the EU/EEA, transfers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission.
| Category | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Database and authentication infrastructure | Storage of user accounts, session records, and workspace data | EU (Frankfurt) | EU-resident processor; no transfer |
| Application hosting | Serving prudos.ai and processing server-side requests | EU (Frankfurt) | SCCs |
| DNS and network infrastructure | Domain resolution and network routing. Does not receive authenticated session data. | Global edge network | SCCs |
| Transactional email delivery | Sending magic link authentication emails to workspace users | Processed outside EU | SCCs |
| Newsletter delivery | Sending the Prudos newsletter to subscribers who have opted in | EU | EU-resident processor; no transfer |
| Analytics | Aggregated, anonymised usage metrics. No personal data collected or transferred. | EU | No personal data transferred |
We do not sell personal data. We do not share personal data with advertisers. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
5. International data transfers
Where personal data is transferred to processors outside the EU/EEA, the transfer is governed by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Transfers are limited to what is strictly necessary for the processing purpose described. No personal data is transferred to countries without an adequacy decision unless SCCs are in place.
6. Retention
Retention periods are set out in the table in Section 2. As a general principle: data is retained only for as long as required to fulfil the purpose for which it was collected, or as required by applicable law. Account data is deleted within 30 days of an account deletion request. Authentication tokens expire automatically. Anonymised analytics data carries no personal retention implications.
7. Your rights under the GDPR
As a data subject, you hold the following rights under the GDPR. To exercise any of them, contact hello@prudos.ai. We will respond within 30 days. No fee applies to reasonable requests.
| Right | What it means |
|---|---|
| Access (Art. 15) | Obtain confirmation of whether we process your data and receive a copy of it |
| Rectification (Art. 16) | Have inaccurate data corrected without undue delay |
| Erasure (Art. 17) | Request deletion of your personal data where there is no overriding legal basis for continued processing |
| Restriction (Art. 18) | Restrict processing while a dispute about accuracy or lawfulness is resolved |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format where processing is based on consent or contract |
| Objection (Art. 21) | Object to processing based on legitimate interest; we will cease unless we can demonstrate compelling grounds |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing |
You also have the right to lodge a complaint with a supervisory authority. The authority competent for Prudos UG is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59–61, 10555 Berlin.
8. Changes to this policy
We will update this policy when our data practices change materially. The date at the top of this page reflects the last revision. Where a change affects your rights or introduces a new processing activity, we will notify authenticated users by email before the change takes effect.