Privacy Policy
Last updated: March 9, 2026
Who We Are
ProsoPal ("we", "us", "our") provides a mobile app and website that help people with prosopagnosia (face blindness) learn and remember faces.
For GDPR purposes, ProsoPal is the data controller for the personal data described in this policy. You can contact us at privacy@prosopal.com.
Scope
This policy applies to the ProsoPal mobile app, website, and related support operations.
Data We Process
Account and authentication data
We process your email address to send one-time passcodes (OTP), authenticate your account, and secure access. We do not use passwords.
App content you create
We process data you choose to add, including person entries, memory cues, groups, and spaced-repetition progress.
Photos
If you upload photos, we process and store them so they can be shown in your account.
Device contacts (optional)
If you use contact import, we access contact data with your permission and use it to help create person entries. We do not upload your entire contact list as a standalone dataset.
Usage analytics
We process limited product analytics events to improve reliability and product quality. We design analytics to avoid direct identifiers and sensitive content (for example email, names, memory cue text, photos, or auth tokens).
- Website analytics: Amplitude, configured as anonymous and cookieless (no cookies are set by us for analytics).
- Mobile app analytics: Aptabase, configured for anonymous product events.
Purposes and GDPR Legal Bases
- Provide the service (account access, syncing, uploads, app features): GDPR Article 6(1)(b) (contract).
- Security and abuse prevention (rate limiting, auth protection, incident handling): GDPR Article 6(1)(f) (legitimate interests).
- Anonymous product analytics (service quality and feature improvement): GDPR Article 6(1)(f) (legitimate interests), with user controls in-app where available.
- Legal obligations where applicable: GDPR Article 6(1)(c).
Where Data Is Stored
- Structured app data: PostgreSQL (Neon), EU region (Frankfurt).
- Photos: Amazon S3, EU region (Frankfurt), encrypted at rest.
- Auth artifacts: OTPs are hashed before storage and expire after a short validity window.
Processors and Third Parties
We use service providers acting as processors, including:
- AWS (infrastructure, storage, transactional email delivery)
- Neon (managed PostgreSQL)
- Amplitude (website analytics)
- Aptabase (mobile analytics)
We do not sell personal data and do not use your data for third-party advertising.
International Transfers
Some providers may process data outside the EEA. Where transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where required.
Retention
We keep account and app content while your account is active. If you delete your account, associated content is deleted according to our operational deletion workflow.
Analytics data is retained for limited periods configured in our analytics tools and then automatically deleted or aggregated.
Your Rights (EEA/UK)
You may have the right to request:
- access to your personal data,
- rectification of inaccurate data,
- erasure of your data,
- restriction of processing,
- objection to processing based on legitimate interests, and
- data portability where applicable.
You may also lodge a complaint with your local supervisory authority. To exercise your rights, contact privacy@prosopal.com.
Cookies and Similar Technologies
We do not use cookies for website analytics. The website analytics setup is cookieless. The mobile app uses local secure storage for essential app functionality (for example, session tokens).
Children's Privacy
ProsoPal is not intended for children under 13, and we do not knowingly collect personal data from children under 13.
Changes to This Policy
We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date on this page.
Contact
For privacy questions or requests, contact us at privacy@prosopal.com.