Privacy Policy
Effective Date: April 23, 2026 | Last Updated: April 23, 2026
1. Scope
This Policy applies to information we process about Users of the Service. It does not apply to: (a) the content of prompts you store locally on your own machine using the CLI or daemon, which we do not access; (b) third-party services you may integrate with the Service (such as large language model providers); or (c) websites operated by third parties to which we may link.
MicroPrompt is designed as a local-first tool. The CLI and daemon run entirely on your device, and prompt content stored locally is not transmitted to us unless you explicitly publish it to the Registry or invoke another network-bound feature.
2. Information We Collect
2.1 Information You Provide
- Registry Handle and Public Key. When you register a handle on the Registry, we collect the handle string and the Ed25519 public key you submit. We do not collect or store your private key under any circumstances; your private key resides solely on your device.
- Published Prompts. When you publish a prompt to the Registry, we collect the prompt content, title, tier (mp, comp, mcomp), code, version number, BLAKE3 content hash, and your cryptographic signature.
- Communications. If you contact us by email or other channels (for support, DMCA notices, privacy requests, or otherwise), we collect the contents of those communications and any information you choose to include.
2.2 Information Collected Automatically
- Server Logs. Our Registry server logs each HTTP request, including the request method, path, timestamp, response status, response duration, and the IP address of the requesting client. Logs are retained for up to ninety (90) days for security, debugging, and abuse prevention purposes.
- Download Counts. When a Registry resolve endpoint is invoked in non-preview mode, we increment an aggregate download counter associated with the resolved prompt. This counter is public.
- Rate-Limit Counters. We maintain in-memory, per-IP request counters with a one-minute window to enforce rate limits. These counters are not persisted and are reset on server restart.
2.3 Cookies and Similar Technologies
The Registry website does not use cookies, web beacons, pixel tags, or similar tracking technologies for analytics, advertising, or cross-site tracking. We may use functional client-side storage (such as localStorage) only as needed for the user interface to remember non-personal preferences.
2.4 Information We Do Not Collect
We do not collect:
- Your private signing key (which never leaves your device);
- The contents of prompts you create locally and do not publish;
- Your real name, postal address, telephone number, date of birth, government identifiers, or financial account information (we do not currently process payments);
- Geolocation data beyond what may be inferred coarsely from IP addresses for security purposes;
- Browsing or activity data from outside the Service.
3. How We Use Information
We use the information described above for the following purposes:
- To provide and operate the Service — including resolving prompts, verifying signatures, enforcing rate limits, serving the web interface, and operating the install scripts;
- To secure the Service — including detecting, preventing, and responding to fraud, abuse, denial-of-service attacks, and security incidents;
- To enforce our Terms and Content Policy — including investigating reports and taking enforcement action;
- To comply with legal obligations — including responding to lawful requests from public authorities and complying with valid legal process; and
- To improve the Service — including analyzing aggregate, non-identifying usage patterns to inform product decisions.
4. Legal Bases for Processing (EEA / UK Users)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation ("GDPR") and the UK GDPR:
- Performance of a Contract (Article 6(1)(b)) — to provide the Service you have requested;
- Legitimate Interests (Article 6(1)(f)) — to secure the Service, prevent abuse, and operate our business, where such interests are not overridden by your interests or fundamental rights;
- Compliance with Legal Obligations (Article 6(1)(c)) — to comply with applicable law; and
- Consent (Article 6(1)(a)) — where we expressly request it.
5. How We Share Information
We do not sell, rent, or trade personal information. We share information only as follows:
- Public by Design. Your registry handle, public key, published prompt content, signature, BLAKE3 hash, version history, registration date, and aggregate download counts are public by design and are accessible via the Registry API and web interface.
- Service Providers. We share information with third-party vendors who perform services on our behalf (such as hosting, content delivery, email, and security monitoring). These vendors are contractually bound to use information only as necessary to perform their services and to protect it consistent with this Policy. Our current hosting provider is Hostinger International Ltd. with infrastructure located in the European Union.
- Legal Compliance and Protection. We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms; (c) protect the security or integrity of the Service; (d) protect the rights, property, or safety of Microbiocol AI, our Users, or the public; or (e) detect, prevent, or address fraud or technical issues.
- Business Transfers. In connection with a merger, acquisition, financing, sale of assets, bankruptcy, or similar transaction, information may be transferred to the successor or acquirer. We will require any such successor to honor the terms of this Policy.
6. International Data Transfers
Microbiocol AI operates internationally. Information we collect may be transferred to, stored, and processed in countries other than your country of residence, including the United States. When we transfer personal data of EEA, UK, or Swiss residents outside those jurisdictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) or applicable adequacy decisions.
7. Data Retention
We retain information for the following periods:
- Server logs: up to 90 days, then deleted or anonymized;
- Registry handles, public keys, and published prompts: for as long as your account remains active, plus a reasonable period thereafter for backup, audit, and dispute-resolution purposes;
- Communications with us: for as long as necessary to address your inquiry and for our records, typically up to three (3) years;
- Information required to be retained by law: for the period required by the applicable legal obligation.
8. Security
We implement administrative, technical, and physical safeguards designed to protect information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption in transit using Transport Layer Security ("TLS") for all communications with the Registry API and web interface, cryptographic signature verification for published prompts, daily backups of the Registry database, and access controls limiting who can administer Registry infrastructure. No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security.
If we become aware of a security incident affecting personal data, we will notify affected individuals and applicable regulators as required by law (including notification timelines under GDPR Articles 33–34 and applicable U.S. state breach notification laws).
9. Your Rights
9.1 All Users
You may at any time:
- Request access to the information we hold about you;
- Request correction of inaccurate information;
- Request deletion of your account and associated personal information (subject to retention exceptions described in Section 7 and Section 6.2 of our Terms);
- Withdraw any consent you have given (where processing is based on consent).
9.2 EEA / UK / Swiss Residents
In addition to the rights above, the GDPR and UK GDPR grant you the rights to: data portability (Article 20), restriction of processing (Article 18), objection to processing based on legitimate interests (Article 21), and to lodge a complaint with your local supervisory authority (a list of EU authorities is maintained at edpb.europa.eu; the UK supervisory authority is the Information Commissioner's Office at ico.org.uk).
9.3 California Residents
The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), Cal. Civ. Code §§ 1798.100 et seq., grants California consumers specific rights including:
- The right to know what personal information we collect, use, disclose, and sell;
- The right to delete personal information we have collected from you, subject to certain exceptions;
- The right to correct inaccurate personal information;
- The right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA);
- The right to limit use of sensitive personal information (we do not knowingly collect sensitive personal information);
- The right to non-discrimination for exercising any of these rights.
In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 of this Policy. We have not sold or shared personal information for cross-context behavioral advertising. We disclose personal information only as described in Section 5.
9.4 Other U.S. State Residents
Residents of Colorado (Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq.), Connecticut (Connecticut Data Privacy Act, P.A. 22-15), Virginia (Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.), Utah (Utah Consumer Privacy Act, Utah Code §§ 13-61-101 et seq.), and other states with applicable comprehensive privacy laws have substantially similar rights to those described above and may exercise them by contacting us as described in Section 12.
9.5 How to Exercise Your Rights
To exercise any of these rights, contact us at info@microbiocol.com. We will verify your identity (where appropriate) and respond within the time periods required by applicable law (typically thirty (30) days under GDPR; forty-five (45) days under CCPA/CPRA, extendable by another forty-five (45) days where reasonably necessary). You may designate an authorized agent to make a request on your behalf.
10. Children's Privacy
The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen, in compliance with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312. If you believe we have collected information from a child under thirteen, please contact us at info@microbiocol.com so we can promptly delete it.
If you are between thirteen (13) and sixteen (16), or in a jurisdiction with a higher digital age of consent (e.g., GDPR Article 8, where the threshold may be up to sixteen depending on the Member State), you may use the Service only with the consent of a parent or legal guardian.
11. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice by updating the "Last Updated" date and, where appropriate, by posting a more prominent notice on the Service or contacting Users directly. Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the updated Policy.
12. Contact Us
Microbiocol AI
Attn: Privacy
Email: info@microbiocol.com
General legal inquiries: info@microbiocol.com