← Back

Privacy Policy

Last updated: June 2025 — Compliant with GDPR (Regulation EU 2016/679) and the French Data Protection Act (loi Informatique et Libertés).

Prompt My Project (hereinafter “the Service”) is operated by Benoit Petit, an individual acting in a personal capacity (“we”, “us”, “our”). This policy describes what personal data we collect, why we collect it, the legal basis for each processing activity, how long we keep it, who we share it with, and the rights you hold as a data subject under European Union and French law.

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect and Legal Bases for Processing

We only collect data that is strictly necessary. The table below lists each category of data, why we process it, and the legal basis under Article 6 GDPR.

GitHub OAuth Identity Data

  • What: GitHub user ID, username, public email address, and OAuth access token (scoped to the repositories you explicitly authorize).
  • Why: To authenticate you and to read the repository metadata and files you select for prompt generation.
  • Legal basis: Performance of a contract — Article 6(1)(b) GDPR. Processing this data is necessary to provide the authenticated features you request.

Session Data

  • What: A session identifier stored in an HTTP-only cookie to maintain your authenticated session.
  • Why: To keep you logged in between page loads without requiring repeated OAuth authorization.
  • Legal basis: Performance of a contract — Article 6(1)(b) GDPR.

Analytics Data (Google Analytics 4)

  • What: Page views, approximate geographic location (country/region), device type, browser, session duration, and interaction events. No repository content is ever included.
  • Why: To understand how the Service is used and to prioritize improvements and bug fixes.
  • Legal basis: Legitimate interest — Article 6(1)(f) GDPR. We have a legitimate interest in understanding aggregate usage patterns to maintain and improve the Service. This processing does not override your rights; you may opt out at any time (see section 5).
  • Data transfer: Google Analytics 4 is operated by Google LLC (USA). Data is transferred to the United States under Standard Contractual Clauses (SCCs) adopted by the European Commission. See Google's Privacy Policy for details.

Support & Feedback Data

  • What: Any information you voluntarily provide when contacting us by email or via a GitHub issue (name, email, message content).
  • Why: To respond to your enquiry or bug report.
  • Legal basis: Legitimate interest — Article 6(1)(f) GDPR.

3. How Your Repository Code Is Processed

The operator (Benoit Petit) has no access to, and does not retain, the content of the code you analyze or the prompts you generate. The core PMP engine runs entirely in your browser as a WebAssembly module.

The following describes the exact data flow when you use the Service:

  1. 1.Authentication. Your GitHub OAuth token is stored in a server-side session on Cloudflare solely to enable authenticated calls to the GitHub API on your behalf.
  2. 2.File fetching (proxy). When you select files to analyze, the browser calls a server-side API proxy which fetches the raw file content from GitHub using your token, then immediately forwards it to your browser. File content transits through the Cloudflare server in memory only — it is not logged, cached, or stored.
  3. 3.Prompt generation (client-side WASM). The fetched file content is passed directly to pmp.wasm, the PMP engine compiled to WebAssembly and running entirely inside your browser. The prompt or dependency graph is assembled client-side. This step never involves the server.
  4. 4.Output. The generated prompt or graph is displayed in your browser only. It is never transmitted to our servers. You copy it to the clipboard or download it — it stays on your device.

Only repositories you explicitly authorize are accessed. We do not claim ownership of your code.

4. Third-Party Services & International Data Transfers

The Service relies on the following third-party providers. Each involves a transfer of data outside the European Economic Area (EEA) to the United States, which is safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR.

  • GitHub, Inc. (Microsoft Corporation) — OAuth authentication and repository access. Privacy policy: GitHub Privacy Statement.
  • Cloudflare, Inc. — Website hosting and serverless compute. 101 Townsend St, San Francisco, CA 94107, USA. Privacy policy: Cloudflare Privacy Policy.
  • Google LLC — Google Analytics 4 for aggregated audience metrics. Privacy policy: Google Privacy Policy.

5. Analytics & Cookies

We use Google Analytics 4 (measurement ID: G-P8BESQZYKM). When you visit the site, GA4 sets cookies on your device (including _ga, _ga_*) and sends pseudonymous usage data to Google servers.

Session cookies are also used to maintain your authenticated state; these are strictly necessary and do not require consent.

You can opt out of Google Analytics tracking at any time by:

  • Installing the Google Analytics opt-out browser add-on.
  • Enabling the “Do Not Track” signal in your browser (honoured on a best-effort basis).
  • Using a browser extension that blocks tracking scripts.

6. Data Retention

  • GitHub OAuth tokens & account data: Retained for as long as your account is active. Deleted within 30 days of you revoking access or submitting a deletion request.
  • Session cookies: Expire at the end of your browser session or after 30 days of inactivity, whichever comes first.
  • Google Analytics data: Retained for a maximum of 14 months on Google's servers, in line with the CNIL's recommended maximum retention period. This is configured in the GA4 property settings.
  • Support & feedback data (emails, GitHub issues): Retained for 3 years from the date of last exchange, then deleted.
  • Repository file content: Processed in memory only. Not stored persistently.

7. Your Rights under GDPR and French Law

Under the GDPR and the French Data Protection Act (loi Informatique et Libertés), you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request a copy of all personal data we hold about you.
  • Right of rectification (Art. 16 GDPR): You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure / “Right to be forgotten” (Art. 17 GDPR): You may request deletion of your personal data where the legal grounds for processing no longer apply.
  • Right to restriction of processing (Art. 18 GDPR): You may ask us to suspend processing of your data in certain circumstances (e.g. while a rectification request is assessed).
  • Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interest (including analytics). We will comply unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint with a supervisory authority: If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr or any other competent EU supervisory authority.

To exercise any of the rights above, contact us at contact@devbyben.fr. We will respond within one month as required by Article 12 GDPR. We may ask you to verify your identity before processing the request.

8. Revoking GitHub Access

You can revoke the application's access to your GitHub account at any time. This immediately stops any future authenticated processing on your behalf. To do so, go to:

https://github.com/settings/connections/applications

Find and remove the entry for “Prompt My Project”. To request deletion of stored account data following revocation, email contact@devbyben.fr.

9. Security

Reasonable technical and organizational measures are implemented to protect your personal data against unauthorized access, loss, or alteration (HTTPS, HTTP-only cookies, scoped OAuth tokens). However, no system is completely secure. Avoid submitting sensitive secrets (API keys, passwords) in content that will be processed by the Service unless you fully understand the risks involved.

10. Children

The Service is not directed at children under the age of 15 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, please contact us at contact@devbyben.fr so we can delete it promptly.

11. Changes to this Policy

This policy may be updated from time to time. Material changes will be reflected on this page with an updated “Last updated” date at the top. Where changes are significant, we will endeavour to provide notice (e.g. via a banner on the site). Continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact

For any question or request relating to this Privacy Policy or your personal data, contact:

You also have the right to lodge a complaint with the CNIL at www.cnil.fr.

Prompt My Project