Summary
PromptMantra is GDPR-compliant. We process customer data only on your instructions, sign a Data Processing Addendum (DPA) with every customer who needs one, transfer data internationally under Standard Contractual Clauses (SCCs), and publish our sub-processor list on this page.
For procurement teams: our standard DPA is below as a downloadable PDF. We're happy to sign yours if it's materially equivalent.
Roles: controller vs processor
Under GDPR, when you use PromptMantra:
- You are the data controller for the prompts, brand lists, and any personal data you submit (e.g. your team members' email addresses for collaboration).
- PromptMantra is the data processor — we process that data only on your instructions (i.e. running scans you configured, sending alerts you set up).
For the marketing site, when you visit promptmantra.ai or fill in our contact form, we are the data controller for the data you submit there.
Your GDPR rights
If you're an EU/UK resident, you have the following rights, exercisable by emailing us:
- Right of access — get a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure (“right to be forgotten”) — request deletion. Most account data deletes automatically when you close your account; for residual data in backups, we confirm deletion within 35 days.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to restrict processing — pause processing while a question is being resolved.
- Right to withdraw consent — for any processing that depended on consent.
- Right to lodge a complaint with your local supervisory authority (e.g. CNIL, ICO, AEPD).
To exercise any of these: info@reputeinfosystems.com. We respond within 30 days, usually within a week.
Data Processing Addendum (DPA)
We sign a DPA with every customer who needs one — typically Business plan and above, or any EU/UK customer on Growth+. Our standard DPA includes:
- The Standard Contractual Clauses (2021 EU SCCs, modules 2 & 3 as applicable)
- Detailed sub-processor list (below)
- Technical and organizational measures (TOMs)
- Data breach notification commitments (within 72 hours of awareness)
- Audit rights and information request handling
Request the standard DPA: info@reputeinfosystems.com. We typically return it signed within 1 business day.
Need us to sign your DPA instead? Send it over — we accept materially equivalent customer DPAs at no charge on Business plans and above.
Sub-processors
The following sub-processors process customer data on our behalf, each bound by a DPA:
| Sub-processor | Purpose | Region |
|---|---|---|
| AWS | Hosting, storage, backups | EU + US |
| DigitalOcean | Compute, application servers | EU + US |
| Stripe | Payment processing | Ireland (EU) for EU customers |
| OpenAI | AI engine — ChatGPT scans | US |
| Anthropic | AI engine — Claude scans | US |
| Google (Gemini, AIO) | AI engines — Gemini & AI Overviews scans | US + EU |
| Microsoft (Copilot) | AI engine — Copilot scans | US + EU |
| Perplexity | AI engine — Perplexity scans | US |
| xAI (Grok) | AI engine — Grok scans | US |
| DeepSeek | AI engine — DeepSeek scans | Singapore |
| Alibaba (Qwen) | AI engine — Qwen scans | Singapore |
| Resend / Postmark | Transactional email | EU + US |
| Sentry | Error monitoring (PII scrubbed) | US |
We notify customers via email at least 30 days before adding a new sub-processor that processes customer data, so you have time to object.
International data transfers
PromptMantra is operated from Pune, India. Data may be processed in India and in our cloud providers' EU and US regions. For transfers from the EU/UK to non-adequate countries, we rely on:
- Standard Contractual Clauses (SCCs) — the 2021 EU SCCs are baked into our standard DPA.
- UK International Data Transfer Addendum (IDTA) — for UK-origin transfers, used in conjunction with SCCs.
- Supplementary measures — encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, logging.
For EU-only data residency, our Business+ plans support pinning customer data to AWS eu-west-1 with a region-locked deployment. Contact us for setup.
Data breach notification
In the unlikely event of a personal data breach, we notify affected customers within 72 hours of becoming aware. Notification includes the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
Retention
Active accounts: data retained as long as the account is active. After cancellation, retained for 30 days then permanently deleted.
Backups roll off after 35 days. Billing records retained for 7 years per Indian tax law.
See the retention section of our privacy policy for the full schedule.
Data Protection contact
We don't maintain a separately titled DPO (we're below the GDPR threshold), but all data-protection matters are handled by:
Ankur · Repute Infosystems · Pune, India
info@reputeinfosystems.com