Privacy Policy - PromoPack

1. Introduction

PromoPack (“we,” “our,” or “us”) is committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our promotional content management platform.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

Name, email address, and contact information
Professional information (job title, company, role)
Account credentials and authentication data
Payment information (processed securely through third-party providers)
Communications you send to us

2.2 Usage Data

We automatically collect certain information when you use our platform:

Log data (IP address, browser type, pages visited)
Device information and usage patterns
Performance metrics and error reports
Cookies and similar tracking technologies

2.3 Health Information

As a healthcare-focused platform, we may process protected health information (PHI) including medical claims, references, and promotional content. This data is handled with the highest level of security and in full compliance with HIPAA requirements.

3. How We Use Your Information

We use collected information for the following purposes:

Service Provision: To provide, maintain, and improve our platform
Account Management: To create and manage your account
Communication: To respond to inquiries and provide customer support
Compliance: To ensure regulatory compliance and data security
Analytics: To understand usage patterns and improve our services
Legal Obligations: To comply with legal requirements and protect rights

4. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:

Service Providers: Trusted third-party service providers who assist in operating our platform
Legal Requirements: When required by law or to protect our rights
Business Transfers: In connection with a merger, acquisition, or sale of assets
Consent: With your explicit consent

5. Data Security

We implement comprehensive security measures to protect your information:

End-to-end encryption for data in transit and at rest
Regular security audits and penetration testing
Access controls and role-based permissions
Employee training on data protection
Incident response procedures

6. Your Rights Under GDPR

If you are located in the European Economic Area or UK, you have the following rights under the General Data Protection Regulation (GDPR):

✨ Self-Service Data Tools Available

We've made it easy to exercise your rights. Visit your Data Management page to export or delete your data instantly.

1. Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you.

→ Download your data now

2. Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

→ Update your account details

3. Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data. We will permanently delete your account and all associated data within 30 days.

→ Delete your account

4. Right to Data Portability (Article 20)

You have the right to receive your personal data in a machine-readable format (JSON) and transmit it to another service provider.

→ Export your data as JSON

5. Right to Restrict Processing (Article 18)

You have the right to request limitation of how we process your data.

Contact: [email protected]

6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, direct marketing, or processing for scientific/historical research purposes.

Contact: [email protected]

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing. Our AI-powered features are tools to assist you, not replace human decision-making.

⚡ Response Time: We will respond to your requests within 30 days as required by GDPR. For urgent matters, contact us at [email protected]

7. Data Retention

We retain your personal information only for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.

Specific Retention Periods:

Active account data:Retained while subscription is active

Inactive projects:Deleted after 2 years of inactivity

Deleted accounts:Permanently removed within 30 days

Billing records:7 years (tax/legal requirements)

Server logs:90 days (security purposes)

Analytics data:14 months (Google Analytics default)

You can request early deletion of your data at any time by visiting your Data Management page.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses approved by the European Commission.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage, and provide personalized content. You can control cookie preferences through the cookie banner that appears on your first visit.

Essential Cookies (Always Active)

These cookies are necessary for the website to function and cannot be disabled:

Authentication and session management
Security and fraud prevention
Load balancing and performance
Cookie consent preferences

Analytics Cookies (Optional)

These cookies help us understand how visitors interact with our website:

Google Analytics (anonymized IP addresses)
Page view tracking
Feature usage statistics
Performance monitoring

🍪 Manage Cookies: You can change your cookie preferences at any time by clearing your browser's cookies and reloading the page. The cookie banner will appear again.

10. Third-Party Services & Subprocessors

Our platform integrates with trusted third-party services to provide our functionality. All subprocessors have signed Data Processing Agreements (DPAs) and are GDPR compliant.

Current Subprocessors:

SupabaseDPA ✓

Database hosting and file storage (encrypted at rest)

StripeDPA ✓

Payment processing (PCI DSS Level 1 certified)

Vercel / CoolifyDPA ✓

Application hosting and CDN

Google AnalyticsDPA ✓

Usage analytics (anonymized, optional via cookie consent)

Custom Extractor ServiceInternal

AI-powered claim extraction (self-hosted, no third-party data sharing)

Important: We do not sell, rent, or share your personal data with third parties for their marketing purposes. All subprocessors are used solely to deliver our service to you.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

For Privacy Inquiries:

Email: [email protected]

Response time: Within 30 days (GDPR requirement)

Data Protection Officer:

Email: [email protected]

General Support:

Email: [email protected]

Security Issues:

Email: [email protected]

For responsible disclosure of security vulnerabilities

Self-Service Tools:

Data Management Page → (Export or delete your data instantly)

🇪🇺 EU Data Protection Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.