
Privacy Policy

Last updated: 2026-05-28 (DRAFT — under legal review)

This is the privacy policy for Nalanda Prompts ("we", "us"), a community site for AI prompt engineering at https://www.nalandaprompts.com. We are a solo project based in Australia and not subject to the Australian Privacy Act 1988 by turnover threshold, but we self-certify to GDPR-equivalent practices for all visitors regardless of location.

1. What we collect

When you join the waitlist, register, or use the site, we collect:

  • Email address (required for the waitlist and for registration).
  • Username and display name (you choose these at registration).
  • Optional profile fields (bio, location, website URL, avatar) that you provide on your profile.
  • Content you create (prompts, comments, votes, bookmarks).
  • Your IP address, briefly, for rate-limiting only. We do not store IP addresses in our database; they are passed to Upstash Redis as the key for a sliding-window rate limit and expire automatically within minutes.
  • Analytics events about how you use the site (which pages you view, when you sign up, when you post a prompt, when you cast a vote, and similar product-usage events). Each event is tagged with a per-session "distinct id" that is held only in memory and resets on every full page reload; once you are signed in, the distinct id is your Supabase user id. The events include the page URL, the referring page, your browser and device type, and an approximate country (derived from IP at receipt time, if IP-anonymisation is not enabled). Events do not include keystrokes, form values, password fields, prompt drafts, comment drafts, or page snapshots. We send these events to PostHog (see §3); see §7 for what this means for cookies.
  • Cookies set by Supabase Auth (sb-<project>-auth-token) which keep you signed in. These are HttpOnly, Secure, SameSite=Lax. There are no advertising, analytics, or tracking cookies — see §7.
  • OAuth provider data if you sign in with Google or GitHub: email address, public profile name, and avatar URL. We do not request additional scopes.

We do not collect your real name (unless you choose to put it in your display name), phone number, postal address, precise location, payment details, or biometric data.

2. How we use it

Your data is used only to:

  • Run the service (authenticate you, render your posts, deliver notifications).
  • Send you a one-time invite email if you joined the waitlist. We do not currently send other emails.
  • Prevent abuse (rate-limit by IP, ban abusive accounts).
  • Improve the site (look at aggregate counts, fix bugs).

We do not sell, rent, or share your personal data with third parties for advertising or marketing. We do not perform user profiling.

3. Service providers we share data with

| Provider | What it does | What it receives | Where data lives |
|---|---|---|---|
| Supabase | Authentication, database, file storage | Account email, hashed password, your content | ap-southeast-2 region |
| Vercel | Hosting; briefly sees request metadata | IP, user-agent, URL | Edge + USA |
| Upstash | Redis for rate-limiting; sees IP as a key for minutes | IP (as a short-lived key) | USA |
| PostHog | Product analytics (page views and conversion events) | The analytics-event fields described in §1 (distinct id, page URL, referrer, event name, browser, device, country); reached via a same-origin reverse proxy on /ingest | USA (PostHog Cloud) |
| Amazon SES | Transactional email (waitlist invites) | Recipient email address, message body | ap-southeast-2 region |
| Anthropic | The "prompt-curator" bot uses Anthropic's Claude API to humanise curated content. It never sees user-generated content from registered users. | Public source text only | USA |
| Sentry (when enabled) | Error reporting | Error message, stack trace, anonymised distinct id | USA |
| Google, GitHub | If you choose social login, the provider sees the login event | OAuth handshake metadata | USA |

Each acts as a data processor on our behalf and only for the purposes above.

4. How long we keep it

  • Account data: kept while your account exists. If you delete your account, your personal fields (email, bio, location, etc.) are erased; your posts and comments are anonymized with the display name "[deleted]" so community threads remain readable.
  • Waitlist emails: kept until you receive an invite, plus 12 months for anti-abuse, then deleted automatically by a scheduled job that runs daily.
  • Rate-limit IP keys: deleted automatically within minutes (Redis TTL).
  • Vercel access logs: retained per Vercel's policy (default 1 day on Hobby).

5. Your rights

You have the right to:

  • Access the data we hold about you. Email us at hello@nalandaprompts.com and we will respond within 30 days. An automated export endpoint is available at /api/account/export once you are signed in.
  • Correct inaccurate data via your /settings page.
  • Delete your account via your /settings page. This action is immediate and not reversible.
  • Object to specific processing. Email us.
  • Lodge a complaint with your local data protection authority (e.g. the UK ICO, the Irish DPC, the OAIC in Australia).

6. Children

You must be at least 13 years old to use Nalanda Prompts (16 if you are in the EU). We do not knowingly collect data from anyone younger.

7. Cookies

We use one type of cookie: a Supabase authentication cookie that keeps you signed in. It is strictly necessary for the service to function. No tracking, analytics, or advertising cookies are set. Because of this we do not show a cookie consent banner. If you sign out, the cookie is cleared.

Our product analytics (see §1 and the PostHog row in §3) runs in cookieless mode: the analytics SDK is configured with persistence: 'memory', which means no ph_* cookies are written and no analytics state is persisted in your browser's local storage. The per-visit distinct id lives only in memory and disappears as soon as you reload or close the tab. Once you sign in, your stable identifier is your Supabase user id (already used elsewhere in the service), not a tracking identifier.

8. Security

We encrypt all traffic with HTTPS (HSTS preload). Passwords are hashed with bcrypt (via Supabase Auth). We use Row Level Security to scope reads at the database layer. We have no current bug-bounty program but accept responsible-disclosure reports at security@nalandaprompts.com.

9. Changes to this policy

If we materially change this policy we will update the date above and, if you have an account, notify you in-app before the change takes effect.

10. Contact

Questions about this policy or your data: hello@nalandaprompts.com. We aim to respond within 5 business days.
