Effective Date: March 6, 2026 | Version 3.0 | Last Reviewed: March 6, 2026
Data Controller: MC Conversions Ltd (Company No. 14019497), Pantycrai, Adfa, Newtown, Powys, SY16 3BX, United Kingdom. Contact: Luke@mcconversions.uk
📋 In Plain English
We collect the minimum data needed to run the service (your account info, usage data, payment details). We don't sell your data. We don't use your content to train AI models. You can request, export, or delete your data at any time. We use encryption to keep it safe.
Table of Contents
- Introduction & Scope
- Definitions
- Data We Collect
- How We Collect Your Data
- Lawful Bases for Processing
- How We Use Your Data
- AI Processing & Sub-Processors
- Data Sharing & Third Parties
- International Transfers
- Data Retention
- Your Rights
- California Privacy Rights (CCPA/CPRA)
- Children's Privacy
- Cookies & Tracking
- Security Measures
- Data Breach Notification
- Impact Assessments
- Automated Decision-Making
- Changes to This Policy
- Contact & Complaints
1. Introduction & Scope
1.1 This Privacy Policy ("Policy") explains how MC Conversions Ltd ("We," "Us," "Our"), trading as AI Prompt Architect, collects, processes, stores, shares, and protects Your Personal Data when You use Our Service.
1.2 This Policy applies to: (a) all Users of the Service, whether registered or unregistered; (b) visitors to Our website; (c) individuals whose Personal Data is processed through the Service by Users; and (d) all jurisdictions in which the Service operates.
1.3 We are committed to transparency and to protecting Your privacy. This Policy should be read alongside Our Terms of Service, Acceptable Use Policy, and Cookie Policy.
1.4 Data Controller. MC Conversions Ltd is the Data Controller for Personal Data collected through the Service. Where Users process Personal Data of their own customers or end-users through the Service, We act as a Data Processor on their behalf, governed by Our Data Processing Addendum (DPA), available upon request.
2. Definitions
"Personal Data" has the meaning given in the UK GDPR and/or EU GDPR, as applicable: any information relating to an identified or identifiable natural person.
"Special Category Data" means data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation (GDPR Art. 9).
"Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Sub-Processor" means a third party engaged by Us to process Personal Data on Our behalf.
"Personal Information" has the meaning given in the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
"Service," "User," "Account," "Credits," "Output" have the meanings given in Our Terms of Service.
3. Data We Collect
3.1 Account Data: Name, email address, authentication credentials (hashed), profile information, and account preferences.
3.2 Payment Data: Payment method type, last four digits of card number, billing address, and transaction history. Full payment card details are processed by Stripe, Inc. and are never stored on Our servers.
3.3 Usage Data: Service interactions, feature usage, Credit consumption, session duration, pages viewed, and click patterns.
3.4 Technical Data: IP address, browser type and version, device type, operating system, screen resolution, timezone, language preferences, and referring URL.
3.5 Content Data: Prompts, documents, code, and other Content You upload to or generate through the Service. This is processed solely to provide the Service and is not used for AI model training.
3.6 Communication Data: Emails, support tickets, feedback, and other correspondence with Us.
3.7 Cookie Data: Information collected through cookies and similar tracking technologies, as detailed in Our Cookie Policy.
3.8 Special Category Data. We do not intentionally collect Special Category Data. If You upload Content containing Special Category Data to the Service, You do so at Your own risk and are responsible for ensuring a lawful basis exists for such processing.
4. How We Collect Your Data
4.1 Directly from You: When You register, make purchases, use the Service, contact support, or provide feedback.
4.2 Automatically: Through cookies, server logs, and analytics tools when You interact with the Service.
4.3 From Third Parties: Authentication providers (Google, GitHub), payment processor (Stripe), and analytics services (Google Analytics).
4.4 From Your Usage: We derive insights from Your usage patterns to improve the Service, but We do not build individual profiles for advertising purposes.
5. Lawful Bases for Processing
Under the UK GDPR and EU GDPR, We process Your Personal Data on the following lawful bases:
| Purpose | Lawful Basis | GDPR Article |
|---|---|---|
| Providing the Service, processing payments, managing Your Account | Contract performance | Art. 6(1)(b) |
| Responding to data subject requests, tax/accounting obligations | Legal obligation | Art. 6(1)(c) |
| Service improvement, analytics, fraud prevention, security | Legitimate interest | Art. 6(1)(f) |
| Marketing communications, non-essential cookies | Consent | Art. 6(1)(a) |
5.2 Legitimate Interest Assessment. Where We rely on legitimate interest, We have conducted a balancing test to ensure Our interests do not override Your fundamental rights and freedoms. Records of these assessments are available upon request.
6. How We Use Your Data
We process Your Personal Data for the following purposes:
6.1 To provide, maintain, and improve the Service
6.2 To process transactions and manage Credits
6.3 To communicate with You (service notifications, support, updates)
6.4 To detect and prevent fraud, abuse, and security threats
6.5 To comply with legal obligations (tax, regulatory, law enforcement)
6.6 To enforce Our Terms of Service and Acceptable Use Policy
6.7 To conduct analytics and service improvement (aggregated/anonymised where possible)
6.8 To send marketing communications (only with Your consent; You may opt out at any time)
6.9 We Do NOT: (a) sell Your Personal Data; (b) use Your Content to train AI models; (c) share Your data with advertisers; (d) build profiles for targeted advertising; or (e) process Personal Data for purposes incompatible with those described above.
7. AI Processing & Sub-Processors
7.1 How AI Processing Works. When You use AI features, Your prompts and Content are sent to third-party AI model providers (Sub-Processors) for processing. These Sub-Processors return Output which is displayed to You through the Service.
7.2 Current Sub-Processors:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Google (Gemini) | AI model inference | Prompts, Content | US/EU |
| Anthropic (Claude) | AI model inference | Prompts, Content | US |
| OpenAI (GPT) | AI model inference | Prompts, Content | US |
| Google Cloud Platform | Infrastructure, hosting | All Service data | EU (europe-west) |
| Firebase (Google) | Authentication, database | Account, usage data | EU |
| Stripe, Inc. | Payment processing | Payment data | US/EU |
| Sentry | Error monitoring | Technical data, errors | US |
7.3 No Training. We contractually require that Sub-Processors do NOT use Your Content or prompts to train, improve, or fine-tune their AI models. Your data is processed solely for the purpose of generating Output for You.
7.4 Data Minimisation. We send only the minimum data necessary for AI processing. We do not send Your Account Data, Payment Data, or unnecessary metadata to AI Sub-Processors.
7.5 BYOK (Bring Your Own Key). If You use Your own API keys (BYOK), data is sent directly to Your chosen provider under Your own agreement with that provider. We are not a party to that processing and bear no responsibility for data handling by providers accessed via Your keys.
7.6 Sub-Processor Changes. We shall notify You of any changes to Sub-Processors by updating this Policy and, for material changes, via email notification at least fourteen (14) days in advance.
8. Data Sharing & Third Parties
8.1 We share Personal Data only in the following circumstances:
Sub-Processors: As listed in Section 7.2, under contractual safeguards (GDPR Art. 28).
Legal Requirements: Where required by law, court order, or regulatory authority, including but not limited to: HMRC (tax), ICO (data protection), NCA (law enforcement), and Ofcom (online safety).
Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected Users.
With Your Consent: Where You have given explicit consent to specific sharing.
Aggregated/Anonymised Data: We may share anonymised, aggregated statistics that cannot identify any individual.
8.2 We Do NOT: (a) sell Personal Data to any third party; (b) share Personal Data with advertising networks; (c) allow Sub-Processors to use Your data for their own independent purposes; or (d) share Personal Data with any party not listed in this Policy without Your consent or a legal obligation.
9. International Transfers
9.1 Your Personal Data is processed primarily within the European Economic Area (EEA) and the United Kingdom using Google Cloud Platform infrastructure (europe-west region).
9.2 Where data is transferred to Sub-Processors located outside the EEA/UK (including the United States), We ensure appropriate safeguards are in place:
Adequacy Decisions: Transfers to countries with an adequate level of data protection (GDPR Art. 45).
Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses (GDPR Art. 46(2)(c)).
UK International Data Transfer Agreement (IDTA): For UK-specific transfers.
Supplementary Measures: Encryption in transit and at rest, pseudonymisation, and access controls as recommended by the EDPB.
9.3 Transfer Impact Assessments (TIAs) are conducted for all transfers to countries without adequacy decisions. TIA summaries are available upon request.
10. Data Retention
10.1 We retain Your Personal Data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of Account + 30 days | Contract |
| Payment/Transaction Data | 7 years from transaction | HMRC/Tax law |
| Content Data (prompts/outputs) | Duration of Account + 30 days | Contract |
| Usage/Technical Data | 24 months | Legitimate interest |
| Communication Data | 3 years | Legitimate interest |
| Policy Violation Records | 3 years from enforcement | Legal obligation |
| Cookie Data | See Cookie Policy | Consent |
10.2 Upon Account deletion or expiry of the retention period, Personal Data is securely deleted or irreversibly anonymised within thirty (30) days, except where retention is required by law.
11. Your Rights
11.1 Under the UK GDPR and EU GDPR, You have the following rights:
Right of Access (Art. 15): Request a copy of Your Personal Data.
Right to Rectification (Art. 16): Request correction of inaccurate data.
Right to Erasure (Art. 17): Request deletion of Your data ("right to be forgotten").
Right to Restriction (Art. 18): Request restriction of processing.
Right to Data Portability (Art. 20): Receive Your data in a structured, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interest.
Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
Right re Automated Decisions (Art. 22): Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
11.2 How to Exercise Your Rights. Submit requests to Luke@mcconversions.uk with the subject line "Data Subject Request." We shall respond within one (1) calendar month, extendable by two (2) further months for complex or numerous requests (Art. 12(3)).
11.3 Identity Verification. We may request proof of identity before processing Your request, to protect against fraudulent or unauthorised access.
11.4 Manifestly Unfounded Requests. In accordance with GDPR Article 12(5), We may charge a reasonable fee for, or refuse to act on, requests that are manifestly unfounded, excessive, or repetitive. Where a request is refused, We shall inform You of the reasons and Your right to complain to the supervisory authority.
12. California Privacy Rights (CCPA/CPRA)
12.1 If You are a California resident, You have the following additional rights under the CCPA as amended by the CPRA:
Right to Know: What Personal Information is collected, used, disclosed, and sold.
Right to Delete: Request deletion of Your Personal Information.
Right to Correct: Request correction of inaccurate Personal Information.
Right to Opt-Out: Opt out of the "sale" or "sharing" of Personal Information. We do not sell or share Personal Information.
Right to Limit: Limit the use of sensitive Personal Information.
Right to Non-Discrimination: Not be discriminated against for exercising Your rights.
12.2 Categories Disclosed. In the preceding 12 months, We have collected the categories of Personal Information described in Section 3. We have not sold Personal Information to any third party. We disclose Personal Information to the service providers listed in Section 7.2 for the business purposes described in Section 6.
12.3 How to Exercise. Contact Luke@mcconversions.uk. We shall respond within forty-five (45) days, extendable by an additional forty-five (45) days with notice.
13. Children's Privacy
13.1 The Service is not directed to children under sixteen (16). We do not knowingly collect Personal Data from children under sixteen (16) without verifiable parental consent.
13.2 COPPA. For US users under thirteen (13), We comply with the Children's Online Privacy Protection Act. If We become aware that We have collected Personal Data from a child without appropriate consent, We shall delete that data promptly and terminate the associated Account.
13.3 If You believe a child has provided Personal Data to Us, please contact Luke@mcconversions.uk immediately.
14. Cookies & Tracking
14.1 We use cookies and similar tracking technologies as described in Our Cookie Policy.
14.2 PECR Compliance. In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive: (a) strictly necessary cookies are placed without consent; (b) all other cookies require Your prior consent; and (c) You may withdraw consent at any time via Our cookie preferences mechanism.
14.3 Do Not Track. We honour Do Not Track (DNT) browser signals where technically feasible.
15. Security Measures
15.1 We implement appropriate technical and organisational measures to protect Personal Data, including:
Encryption: TLS 1.2+ in transit; AES-256 encryption at rest.
Access Controls: Role-based access control (RBAC), principle of least privilege.
Authentication: Firebase Authentication with support for multi-factor authentication (MFA).
Infrastructure: Google Cloud Platform with ISO 27001, SOC 2 Type II certifications.
Monitoring: Sentry for error tracking; Cloud Logging for security events.
Backups: Automated daily backups with geographic redundancy.
15.2 NIS2 Compliance. We implement cybersecurity risk management measures in accordance with the Network and Information Security Directive 2 (EU 2022/2555) and report significant incidents to relevant authorities within required timescales.
15.3 No Absolute Guarantee. While We implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of Your data. You use the Service at Your own risk in this regard.
16. Data Breach Notification
16.1 Supervisory Authority. In the event of a Personal Data breach, We shall notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach (GDPR Art. 33).
16.2 User Notification. Where a breach is likely to result in a high risk to Your rights and freedoms, We shall notify You directly without undue delay (GDPR Art. 34), including: the nature of the breach, the categories of data affected, approximate number of individuals concerned, likely consequences, and the measures taken to mitigate the breach.
16.3 Records. We maintain a register of all Personal Data breaches, including facts, effects, and remedial actions, regardless of whether notification was required.
17. Impact Assessments
17.1 DPIAs. We conduct Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35 where processing operations involving AI, automated decision-making, or large-scale processing are likely to result in a high risk to rights and freedoms.
17.2 Transfer Impact Assessments. We conduct Transfer Impact Assessments (TIAs) for all international data transfers to countries without adequacy decisions, in line with EDPB recommendations.
17.3 DPIA/TIA summaries are available upon request. Contact Luke@mcconversions.uk.
18. Automated Decision-Making
18.1 We do not use Your Personal Data for decisions based solely on automated processing that produce legal effects or similarly significant effects on You (GDPR Art. 22).
18.2 Where AI features are used to generate Output, this constitutes a tool for Your use and does not constitute automated decision-making about You.
18.3 If at any point We introduce automated decision-making with significant effects, We shall: (a) inform You in advance; (b) provide meaningful information about the logic involved; (c) implement the right to human intervention; and (d) enable You to express Your point of view and contest the decision.
19. Changes to This Policy
19.1 We may update this Policy from time to time. Material changes shall be notified via: (a) email to Your registered address; and/or (b) a prominent notice on the Service, at least thirty (30) days before taking effect.
19.2 The "Last Reviewed" date at the top of this Policy indicates the date of the most recent revision.
19.3 Continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy.
Security Commitments
We implement and maintain the following security measures:
Encryption: TLS 1.2+ in transit; AES-256 at rest
Access Controls: Role-based access (RBAC); MFA for admin access
Infrastructure: Google Cloud Platform (SOC 2 Type II, ISO 27001 certified)
Monitoring: Real-time security monitoring and automated alerting
Backups: Automated daily backups with point-in-time recovery
Penetration Testing: We commit to annual penetration testing by a certified third party
Cyber Essentials: We are committed to achieving Cyber Essentials Plus certification
Incident Response: Documented incident response plan with 48-hour notification SLA
20. Contact & Complaints
20.1 Data Controller Contact:
MC Conversions Ltd
Pantycrai, Adfa, Newtown, Powys, SY16 3BX, United Kingdom
Email: Luke@mcconversions.uk
Company No. 14019497
20.2 Supervisory Authority. If You believe Our processing of Your Personal Data infringes data protection law, You have the right to lodge a complaint with:
UK: Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
ico.org.uk/make-a-complaint
EU: Your local Data Protection Authority
20.3 We encourage You to contact Us first at Luke@mcconversions.uk before making a formal complaint, as We will endeavour to resolve any concerns promptly.
MC Conversions Ltd | Company No. 14019497 | Registered in England and Wales
Pantycrai, Adfa, Newtown, Powys, SY16 3BX, United Kingdom
📝 Change Log
| v3.0 — Mar 2026 | Enterprise rewrite. 20 sections. Full GDPR Art. 13/14, CCPA/CPRA, COPPA, PECR, NIS2, DPIA/TIA, breach notification. |
| v2.0 — Jan 2026 | Added sub-processor table, data retention schedule. |
| v1.0 — Dec 2025 | Initial release. |