1. Introduction
Capital Consult Ltd (trading as Sacher AI) is the data controller for the purposes of the UK GDPR and Data Protection Act 2018 in relation to personal data processed through the PromptSafe® website and platform, except where we act as a processor on behalf of customers.
Registered office: 6/28a Wincott Street, London, SE11 4NT.
Company number: 06800173.
ICO registration number: ZC144061.
Privacy enquiries: info@sacher.ai.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at prompt-safe.com and the PromptSafe platform at app.prompt-safe.com.
2. How we act as controller and processor
PromptSafe is a business-to-business software platform.
For website visitors, account administration, billing, analytics, security monitoring, and business operations, Capital Consult Ltd acts as a data controller.
For customer workspace content processed through PromptSafe, customers are generally the controllers and Capital Consult Ltd generally acts as a processor on the customer's documented instructions.
Customers remain responsible for ensuring they have an appropriate lawful basis and all necessary rights and permissions for any personal data uploaded or processed through PromptSafe.
3. Information we collect
We collect the following categories of personal data:
- Registration and sign-up data: first name, work email address, company name, and a description of what you are building.
- Account data: login credentials and account settings.
- Usage data: how you interact with the platform, including features used, pages visited, session duration, and actions taken.
- Workspace content: agents, personas, evaluators, conversation transcripts from simulations, and any other content you create or upload within the platform.
- Communications: emails and messages you send to us.
PromptSafe is designed primarily for synthetic AI-generated testing workflows. Customers may choose to upload or process limited personal data within workspaces and remain solely responsible for ensuring lawful processing.
Customers should avoid uploading unnecessary personal data, identifiable patient information, regulated health records, or special category personal data unless they have independently ensured a valid legal basis and appropriate safeguards under applicable law.
4. How we use your data
We use your data to:
- Provide, maintain, and improve the PromptSafe platform and services.
- Manage your account and process payments.
- Send you onboarding communications, product updates, and service notifications.
- Respond to your enquiries and provide support.
- Ensure platform security and prevent abuse.
- Understand how users interact with the platform to inform improvements.
5. Workspace content and our access to it
Customer workspace content (agents, personas, evaluators, conversation transcripts, and any other material you create or upload) is logically segregated from other customer environments and is not intentionally shared across customer workspaces.
We do not use customer workspace content to train foundation models or general purpose AI models used to provide PromptSafe services.
We do not routinely access customer workspace content. Limited access may occur where reasonably necessary for customer support, platform maintenance, security investigation, legal compliance, or prevention of misuse, and where possible will occur with customer authorisation.
For enterprise engagements, Sacher AI may access and work inside the workspace as part of the agreed engagement. Enterprise access is documented in the order form or statement of work for that engagement.
6. Sacher AI workspace curation
On the self-serve tier, Sacher AI may add curated example content to your workspace, such as personas or evaluators that are relevant to your sector. Customers are not notified before items are added. Any items Sacher AI adds are clearly labelled as examples so you can distinguish your own work from what we have added. Sacher AI does not intentionally modify or delete content you have created except where required for platform operation, legal compliance, security, abuse prevention, or at your request.
7. Lawful bases for processing
We rely on the following lawful bases under UK GDPR (and EU GDPR where applicable):
| Purpose | Lawful basis |
|---|---|
| Account creation and administration | Contract |
| Payment processing | Contract |
| Security and fraud prevention | Legitimate interests |
| Customer support | Legitimate interests / Contract |
| Legal compliance | Legal obligation |
| Analytics cookies | Consent where required |
| Marketing communications | Consent or legitimate interests where permitted |
8. AI processing and third-party providers
Important. When you use PromptSafe with Sacher AI-provided model access, conversation data (synthetic persona messages and agent responses) is transmitted to third-party large language model providers for processing. If you connect your own API key on the enterprise tier, your use of those providers is governed by your own agreement with them.
We integrate with the following third-party model providers: OpenAI, Anthropic, and xAI. Each provider processes data in accordance with their own privacy policies. You should not input real personal data of identifiable individuals into the platform without an appropriate legal basis.
9. Service providers and subprocessors
We work with the following service providers to deliver PromptSafe:
| Provider | Function | Role |
|---|---|---|
| Supabase | Hosting, database, authentication | Processor |
| Vercel | Infrastructure hosting | Processor |
| PostHog | Analytics (EU-hosted instance) | Processor |
| Stripe | Payment processing | Independent controller for payment data |
| Calendly | Discovery call scheduling | Independent controller for scheduling data |
| OpenAI | AI inference | Processor |
| Anthropic | AI inference | Processor |
| xAI | AI inference | Processor |
10. Cookies and analytics
We use necessary cookies required for operation of the website and platform, and optional analytics cookies to understand usage and improve services. Optional analytics cookies will only be activated where required by applicable law and where appropriate consent has been provided.
For full details, please see our Cookie policy.
11. Data retention
Workspace content is retained while the relevant customer account remains active. Customers may request deletion of workspace content by contacting info@sacher.ai.
We may retain limited backup, billing, audit, security, fraud prevention, or legal compliance records where reasonably necessary.
Analytics data may be retained for operational and product improvement purposes for a limited period.
12. Your rights
Under UK GDPR (and EU GDPR where applicable), you have the following rights regarding your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right to rectification: to request correction of inaccurate data.
- Right to erasure: to request deletion of your data in certain circumstances.
- Right to restriction: to limit how we process your data.
- Right to object: to object to processing based on legitimate interests.
- Right to data portability: to receive your data in a structured, machine-readable format.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at info@sacher.ai.
Where we process personal data solely on behalf of customers acting as independent controllers, we may direct requests relating to such data to the relevant customer.
13. Automated decision making
PromptSafe does not make legally significant automated decisions about individuals within the meaning of Article 22 UK GDPR.
14. International data transfers
We primarily host customer workspace data within the European Economic Area using infrastructure located in Frankfurt, Germany.
Certain service providers may process limited personal data outside the UK or EEA, including in the United States.
Where transfers occur outside the UK or EEA, we rely on recognised transfer safeguards including adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or equivalent lawful transfer mechanisms.
15. Security
We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities in line with our legal obligations.
16. Age restriction
PromptSafe is intended solely for business and professional use and is not directed to individuals under the age of 18.
17. Marketing communications
If you create an account, contact us, or sign up for a free trial, we may send you service-related communications, onboarding emails, and, where permitted, product updates or marketing communications. Marketing emails sent from info@sacher.ai include an unsubscribe link, and you may opt out at any time.
18. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on the platform. The date at the top of this page reflects when the policy was last updated.
19. Contact
Data controller: Capital Consult Ltd (trading as Sacher AI)
Email: info@sacher.ai
Website: sacher.ai
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.