Last Updated: Last updated 28-12-2025
Privacy Policy1. IntroductionThis Privacy Policy explains how Prometheo (“Prometheo”, “we”, “us”, or “our”) collects, uses, processes, and protects personal data when you access or use our website and software platform (the “Service”). We are committed to protecting personal data in accordance with:Regulation (EU) 2016/679 (GDPR)Romanian data protection legislationApplicable EU electronic communications lawsBy using the Service, you acknowledge this Privacy Policy.2. Data Controller InformationData Controller (for platform users):Prometheo[Legal entity name][Registered address – Romania]Email: privacy@prometheo.aiFor personal data related to leads generated, uploaded, or contacted by users, Prometheo acts as a Data Processor, while the user acts as the Data Controller.3. Categories of Personal Data We Process3.1 Account & User DataWhen you create or manage an account, we process:NameEmail addressCompany name (if provided)Authentication identifiersSubscription and usage dataLegal basis: Contract (Art. 6(1)(b) GDPR)3.2 Google Login & Microsoft Login (OAuth)If you choose to sign in using Google or Microsoft, we may receive:Email addressNameUnique user identifier provided by the authentication providerWe:Do not receive your passwordDo not access your email contentUse this data only for authentication and account creationAuthentication is handled via secure OAuth protocols.Legal basis: Contract (Art. 6(1)(b) GDPR)Third-party providers:Google LLCMicrosoft CorporationTheir data processing is governed by their own privacy policies.3.3 Billing & Payment Data (Stripe)Payments are processed through Stripe. Prometheo does not store:Credit card numbersBank account detailsStripe may process:Payment method detailsBilling addressTransaction metadataLegal basis: Contract and legal obligation (Art. 6(1)(b), (c) GDPR)3.4 Lead & Outreach Data (Processed on Behalf of Users)Depending on how the Service is used, Prometheo may process:Business contact details (name, job title, company)Business email addressesPublicly available professional informationEmail content generated and sent via the platformThis data is processed solely on the instructions of the user.Legal role:User: Data ControllerPrometheo: Data ProcessorPrometheo does not determine the legality of contacting specific leads.3.5 Technical & Usage DataWe automatically collect:IP addressDevice and browser typeLog filesUsage statisticsError and performance dataLegal basis: Legitimate interest (Art. 6(1)(f) GDPR)4. Purposes of ProcessingWe process personal data to:Provide and operate the ServiceAuthenticate users (including via Google and Microsoft)Manage subscriptions and creditsProcess payments via StripeGenerate and send outreach emailsProvide customer supportImprove security and performanceComply with legal obligations5. Email Outreach & Legal ResponsibilityPrometheo provides technical tools for lead outreach but:Does not determine who is contactedDoes not verify the legal basis for outreachDoes not act as sender in a legal senseUsers are solely responsible for:Having a lawful basis under GDPR and ePrivacy lawsProviding required information notices to data subjectsManaging opt-outs and objectionsResponding to data subject rights requests6. Data Sharing & Third PartiesWe share data only with trusted processors necessary to operate the Service. Key third-party processors include:Stripe – payment processingGoogle & Microsoft – authentication servicesEmail delivery providersHosting and cloud infrastructure providersMonitoring and analytics providersAll processors are bound by GDPR-compliant data processing agreements. We do not sell personal data.7. International Data TransfersWhere personal data is transferred outside the EU/EEA, Prometheo ensures appropriate safeguards, including:Standard Contractual Clauses (SCCs)Adequacy decisions where applicable8. Data RetentionWe retain personal data only as long as necessary:Account data: duration of the account + legal retention periodBilling data: as required by accounting and tax lawsLead data: according to user settings or deletion requestsLogs and technical data: limited retention for security and diagnostics9. Data Subject RightsUnder GDPR, data subjects have the right to:Access personal dataRectify inaccurate dataRequest erasureRestrict or object to processingData portabilityLodge a complaint with a supervisory authorityFor lead-related data, requests should primarily be addressed to the user (Data Controller). Prometheo will assist where legally required.10. Security MeasuresPrometheo implements appropriate technical and organizational measures, including:Encrypted data transmission (HTTPS)Access controls and authentication safeguardsLimited internal access to personal dataSecure infrastructure and monitoringNo system can be guaranteed to be fully secure.11. Cookies & TrackingPrometheo uses cookies and similar technologies for:Authentication (including OAuth login)SecurityPerformance and analytics (with consent)More details are provided in our Cookie Policy.12. Children’s DataThe Service is not intended for individuals under 18 years of age. We do not knowingly collect data from children.13. Changes to This Privacy PolicyWe may update this Privacy Policy from time to time. Changes take effect upon publication on our website. Continued use of the Service constitutes acceptance of the updated Policy.