Privacy Policy

Effective: April 25, 2026 · Last updated: April 25, 2026

Smida is a prompt optimization tool. You paste a prompt, we improve it using AI, and you get better results from the AI tools you already use. That is the whole product. This Privacy Policy explains exactly what data we collect in the process of doing that, why we collect it, how long we keep it, and what rights you have over it.

We wrote this to be readable, not to bury things in legal language. If something is unclear, email us at privacy@smida.com and we will explain it.

1. Who We Are

Smida is operated as an independent software product. For the purposes of data protection law, Smida is the data controller — meaning we decide what data we collect and how we use it. Our contact address for privacy matters is: privacy@smida.com.

2. What Data We Collect and Why

2.1 Account information

When you create an account, we collect your email address and a hashed password. We use this to identify you, let you log in, and send you transactional emails (like a password reset). We do not collect your name, phone number, address, or any other personal details unless you voluntarily provide them in a support message.

Legal basis: Contract — this data is necessary to provide the service you signed up for.

2.2 The prompts you submit

When you use Smida, you paste a prompt and we send it to the Claude AI API (operated by Anthropic) to generate optimized versions. We store the original prompt and the optimized result in your account history so you can refer back to it. We do not read your prompts manually. We do not use your prompts to train AI models. We do not share your prompts with any third party other than Anthropic's API, which processes them to generate the output.

Important: do not paste personal information, passwords, private credentials, or sensitive data into the prompt field. The tool is designed for writing and working prompts — not for processing personal or confidential information.

Legal basis: Contract — storing your optimization history is part of the service.

2.3 Payment information

Payments are processed by Stripe. When you purchase a credit pack, you enter your payment details directly on Stripe's secure checkout page — your card number, expiry, and CVV never touch our servers. We receive from Stripe: a customer ID, a payment confirmation, and the amount paid. We store this to maintain your credit balance and provide a purchase history. We do not store your full card number or any raw payment data.

Legal basis: Contract — we need to know you paid in order to credit your account.

2.4 Usage data

We use Plausible Analytics to understand how people use Smida — which pages are visited, how people move through the app, where sign-ups come from. Plausible is privacy-first: it does not use cookies, does not track you across other websites, and does not collect any personally identifiable information. It aggregates behavior into anonymous statistics. Because of this, we do not show a cookie consent banner for analytics — there is nothing to consent to.

Legal basis: Legitimate interest — understanding how the product is used helps us improve it.

2.5 Error and performance logs

We use Sentry to track application errors. If something breaks while you are using Smida, Sentry captures the technical error details (stack trace, browser type, app version) so we can fix it. Sentry does not capture the content of your prompts or any payment information. Error logs are retained for 30 days.

Legal basis: Legitimate interest — fixing bugs is part of running a reliable service.

2.6 Email communications

We use Resend to send transactional emails: account confirmation, password reset, low-credit warning (when your balance drops below 10 credits), and purchase receipts. We do not send marketing emails unless you explicitly opt in. You can opt out of any non-essential emails at any time by emailing privacy@smida.com.

Legal basis: Contract for transactional emails. Consent for any marketing emails.

3. Data Storage and Security

Your account data and optimization history are stored in Supabase's EU (Frankfurt) data center. We chose EU hosting intentionally to keep your data within the European Economic Area and support GDPR compliance.

Security measures we have in place:

  • Row-level security in the database — your data is isolated from other users at the database layer, not just the application layer.
  • Passwords are never stored in plain text — Supabase Auth handles password hashing using bcrypt.
  • All connections are encrypted in transit using TLS.
  • Access to the production database is restricted to the application service — no individual developer has routine access to your data.
  • Stripe handles all payment card data — we never touch raw card numbers.

No system is completely immune to security incidents. In the event of a data breach that poses a risk to your rights, we will notify affected users and, where required by law, the relevant supervisory authority within 72 hours of becoming aware of the breach.

4. How Long We Keep Your Data

  • Account data (email, hashed password): Kept for the duration of your account. Deleted within 30 days of account deletion.
  • Optimization history (prompts and results): Kept for the duration of your account. You can delete individual entries at any time from your history page.
  • Purchase records: Kept for 7 years for accounting and tax compliance purposes, even after account deletion.
  • Error logs: 30 days, then automatically purged by Sentry.
  • Analytics data: Anonymous and aggregated — no retention limit because it cannot be linked to you.

5. Your Rights

Depending on where you are located, you have the following rights over your personal data. We honor these for all users, not just those in jurisdictions where they are legally required.

  • Access: You can request a copy of all personal data we hold about you.
  • Correction: You can correct inaccurate data — your email address can be changed in Settings.
  • Deletion: You can delete your account at any time from Settings. This deletes your account data and optimization history within 30 days. Purchase records are retained for accounting purposes as described above.
  • Portability: You can request an export of your optimization history in JSON format.
  • Objection: You can object to processing based on legitimate interest. We will review and respond.
  • Withdraw consent: Where we rely on consent (marketing emails), you can withdraw it at any time.

To exercise any of these rights, email privacy@smida.com. We will respond within 30 days. We do not charge for rights requests.

6. Users in the European Economic Area

If you are in the EEA, GDPR applies to the processing of your personal data. The legal bases we rely on are set out in each section of this policy. If you believe we have processed your data unlawfully, you have the right to lodge a complaint with your national data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY) at imy.se.

7. Users in California

If you are a California resident, the CCPA gives you the right to know what personal information we collect, to request deletion, and to opt out of the sale of your data. We do not sell personal data. To exercise your CCPA rights, contact privacy@smida.com.

8. Children

Smida is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has created an account, we will delete it promptly. If you believe a child under 16 has signed up, please contact privacy@smida.com.

9. Changes to This Policy

We will update this policy when our data practices change. If we make a material change — one that affects your rights or how we use your data in a significant way — we will notify you by email at least 14 days before the change takes effect. Minor clarifications may be made without notice. The current version is always available at smida.com/privacy.

10. Contact

For any privacy questions, data requests, or concerns, contact us at: privacy@smida.com. We aim to respond within 5 business days.