Privacy Policy

Your entries are yours. Here’s exactly what that means.

Last updated:

The short version

Prism is a journal that uses AI to read your entries back to you as weekly patterns. For that to work, your writing is processed by a handful of named service providers listed below. None of them use your entries to train models. Nothing is sold. Nothing is advertised against. If you delete an entry, it’s gone.

Because Prism collects information about your mental state, mood, and behaviour, UAE law treats it as sensitive personal data, and we hold ourselves to the higher standard that applies to it.

Who this applies to, and which law governs

Prism is operated from the United Arab Emirates. If you’re a UAE resident, your data is protected by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) and its forthcoming Executive Regulations. If we later incorporate in Abu Dhabi Global Market, the ADGM Data Protection Regulations 2021 will govern Prism’s direct processing; federal PDPL will still apply to our UAE mainland-resident users. If you’re in the EU/UK, you have equivalent rights under the GDPR / UK GDPR; we honour those rights to the same standard.

Controller: Prism (contact details below). When we refer to “Prism”, “we”, or “us” we mean the legal entity that operates prismlens.net.

Data Protection Officer (DPO): dpo@prismlens.net. Because Prism conducts systematic assessment of sensitive personal data, the DPO is appointed on a permanent basis in line with PDPL Article 10.

Data we collect

· Account data — email address, optional display name, and the timezone your browser reports. Used to sign you in and render dates correctly.

· Your entries — the raw text you write, the mood and mood word you tag it with, optional uploaded images, and anything the editor saves as rich formatting.

· AI-derived signals from your entries — classifications (entry type, themes, tags), numeric embeddings used for connection and pattern matching, the weekly Mirror we generate for you, and the behavioural model that tracks shifts over time. We treat these signals as sensitive personal data because they reveal information about your mental state and behaviour.

· Account activity — when you signed up, when entries were written, aggregate counts. Used to compute streaks and weekly summaries.

· Server logs — standard request records (IP address, user agent, status code, timestamp). Retained 30 days for security and debugging.

Data we do not collect

· No device fingerprinting, advertising identifiers, or cross-site tracking cookies.

· No social-graph scraping; we don’t read your contacts, calendar, or other apps.

· No third-party marketing trackers or ad pixels (Meta, Google Ads, TikTok, none of them).

· No audio is retained by Prism when you use voice entry. The audio blob is streamed to OpenAI Whisper for transcription and dropped from memory the moment the transcript returns.

Sensitive personal data — why Prism flags it and how we treat it

Under PDPL Article 1, personal data that “directly or indirectly reveals” health, psychological, or biometric information is sensitive personal data and attracts heightened obligations.

Journal entries about mental state, mood scores, relationship conflicts, trading psychology, and AI-generated behavioural pattern analysis are, in our view, sensitive personal data under that definition. We treat them as such even where the classification is arguable.

What that means in practice:

· At signup, you give a separate, explicit consent (a dedicated checkbox, not bundled into Terms acceptance) before we process any sensitive personal data. You can withdraw that consent at any time by deleting your account or your entries; withdrawal does not affect the lawfulness of processing already done.

· We do not share sensitive personal data with any third party outside the named subprocessors listed below, and only to the extent each needs it for its role.

· We do not use sensitive personal data for marketing, profiling for advertising, or any automated decision that produces legal or similarly significant effects on you.

Lawful bases for processing (PDPL Articles 5 & 6)

· Your explicit consent for processing sensitive personal data (entries, mood, behavioural inferences), captured at signup on a separate checkbox.

· Performance of the contract between you and Prism for the account-operations processing necessary to deliver the service you paid for (sign-in, billing, account maintenance).

· Our legitimate interests for security logging and abuse prevention, weighed against your privacy interest and not overriding it.

Third-party processors — named, with their DPAs

We use a deliberately small set of vendors to run the product. Each one sees only the data it needs for its role. Every vendor below has signed a Data Processing Agreement (DPA) with Prism (or a PDPL-equivalent contractual protection addendum where their standard DPA does not yet cover PDPL). The authoritative versioned list is at Subprocessors.

· Anthropic (Claude API) — processes your entries for classification, formatting, and Mirror synthesis. Prism uses Anthropic’s zero-retention API mode: your data is not stored by Anthropic and is never used to train models.

· OpenAI — used for two narrow things: generating embeddings and transcribing voice entries via Whisper. Not used for Mirror synthesis. Zero-retention.

· Supabase — our Postgres database, authentication, and file storage. Your entries live here, encrypted at rest.

· Vercel — hosts the web app and provides anonymous traffic analytics. No personal identifiers are sent to Vercel Analytics.

· Resend — sends account emails. Only sees your email address and the body of the message we ask it to deliver.

We do not use any other third-party data processors. If we add one, this list is updated and active users are emailed before the change takes effect.

Cross-border transfers to the United States

The vendors above process data in the United States. The UAE Data Office has not designated the US as providing adequate protection under PDPL Article 22.

We rely on the following PDPL Article 23 mechanism for these transfers:

· Your explicit consent at signup, after we disclose (i) the categories of sensitive data, (ii) the named US subprocessors, (iii) that data leaves the UAE to a jurisdiction without an adequacy decision, and (iv) the specific risks of such transfer.

· Contractual protections equivalent to PDPL imposed on each US subprocessor via our DPA / PDPL-addendum with them — limiting use to our instructions, requiring equivalent technical and organisational measures, and supporting our response to data-subject rights requests.

If you do not consent to these transfers, Prism cannot be delivered to you — the AI processing is a core feature. You can withdraw consent and delete your account at any time.

Retention — how long things stick around

· Entries and AI-derived signals stay as long as your account exists. Delete an entry and the entry row, its embeddings, its connections, and any insights citing it are removed immediately. No soft-delete window, no 30-day trash can.

· Weekly Mirrors are kept for the life of your account as your own historical read. Delete an account and every Mirror goes with it.

· Backups and subprocessor caches roll off within 30 days of deletion. Deletion is immediate in our primary database; residual copies expire on standard cycles.

· Server logs rotate on a 30-day cycle and are then discarded.

· Anonymous analytics (page views, Core Web Vitals) are aggregated by Vercel Analytics without identifiers and cannot be tied back to you.

Your rights under PDPL Articles 13–18 (and GDPR equivalents)

· Access — request a copy of the personal data we hold about you. Settings → Export my data delivers this as JSON at any time.

· Rectification — correct inaccurate personal data in your account.

· Erasure — delete your entries (Settings → Delete everything) or your full account (Settings → Delete account). Deletion is immediate in our primary database and within 30 days across backups and subprocessor caches.

· Restriction of processing — ask us to pause processing while a dispute over accuracy or lawfulness is resolved.

· Portability — export your data in JSON for use elsewhere.

· Objection to automated decisions — the Mirror and behavioural model are automated processing, but they do not produce legal or similarly significant effects on you. You can stop them entirely by deleting your account. If we ever introduce automated decision-making with legal or significant effects, we will obtain fresh explicit consent first.

· Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We respond to rights requests within 7 days.

Complaint rights

If you’re unhappy with how we handled a request, you can complain to:

· UAE: the UAE Data Office (administrator of federal PDPL).

· ADGM: the ADGM Office of Data Protection (once Prism incorporates in ADGM).

· EU/UK: your local supervisory authority.

We’d prefer you email us first — privacy@prismlens.net or dpo@prismlens.net — so we can try to fix it.

Security

· In transit: TLS 1.3 between your browser and Prism, and between Prism and each subprocessor.

· At rest: AES-256 encryption on Supabase-managed storage. This is our voluntary standard and exceeds the risk-based “appropriate technical and organisational measures” test in PDPL Article 20, which is technology-neutral.

· Access control: Supabase row-level security policies prevent any user from reading another user’s data through the API.

· Key management and secrets rotation: rotated on a documented internal cadence; access is audited.

Reporting a security issue? See our vulnerability disclosure policy.

Data Protection Impact Assessment (DPIA)

PDPL Article 21 requires a DPIA before processing involving modern technologies (such as large language models) that poses a high risk to data-subject privacy, or that involves sensitive personal data at scale. Prism’s core function meets both triggers.

A DPIA for the service is maintained on file. It covers: purpose, necessity and proportionality, categories of data, risks to data subjects, cross-border transfer risk, mitigations (zero-retention API tier, Row-Level Security, explicit consent, encryption), and residual risk. Data-subject access to a summary is available on written request.

Breach notification

If a personal-data breach occurs that is likely to prejudice your privacy or the security of your data, we will notify:

· The UAE Data Office immediately upon becoming aware, in line with PDPL Article 9. The statute does not specify a fixed 72-hour window; we operate to a 72-hour internal SLA from discovery, which is stricter than the statutory “immediately upon becoming aware” test.

· You, if the breach is likely to pose a risk to your rights, by email to the address on file, without undue delay, including: the nature of the breach, the approximate categories and number of subjects affected, the likely consequences, and the measures we have taken.

Subprocessors are contractually required to notify us of any breach on their end without delay.

Children

Prism is not for children. The minimum age is 18, enforced via signup attestation and reactive removal. This floor is set conservatively because the UAE Child Digital Safety Law (Federal Decree-Law No. 26 of 2025) defines a “child” as anyone under 18 and imposes heightened obligations for under-13 data processing, both of which we avoid by the 18+ floor. We reference this further in the Terms of Service and at Children’s Privacy. We do not knowingly collect personal data from anyone under 18. If you believe a child is using Prism, email us and we will investigate and delete.

Changes to this policy

If we change anything material — a new processor, a retention change, a new data category, a change to the lawful bases above — we’ll email active users at least 30 days before the change takes effect, and the change will appear above with a new “last updated” date. The version you agreed to at signup stays governing until then.

Contact

Privacy questions, data-subject requests, complaints: email privacy@prismlens.net.

DPO: dpo@prismlens.net. General support: support@prismlens.net.

A real person answers within 7 days.

Companion: Terms of Service · AI & Product Disclaimer · Subprocessors · Cookies.