PromptBeat

Privacy Policy

Last updated: March 1, 2026

1. Introduction

PromptBeat ("we," "our," or "us") provides a cloud-based mobile permission control and remote AI chat system for AI coding agents. This Privacy Policy explains how we collect, use, store, and protect your information when you use the PromptBeat mobile app, cloud platform, hook scripts, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication and account recovery
  • Display name — shown within the app to identify your account
  • Password — stored as a bcrypt hash (we never store plaintext passwords)

2.2 Permission Request Data

When your AI agent requests permission to execute a tool, the following data is transmitted to our cloud servers:

  • Tool name — the type of action requested (e.g., Bash, Read, Write, Edit)
  • Tool input — the command or file path the agent wants to execute
  • Session ID — identifies the AI agent session
  • Context — optional reasoning text from the AI agent (last 5 lines)
  • Timestamps — when the request was created, responded to, or expired

When end-to-end encryption is enabled, tool input is encrypted on your development machine before transmission. Our servers store only the encrypted payload and cannot read the contents.

2.3 AI Chat Data

When you use the Remote AI Chat feature to run AI tool sessions (Claude Code, Aider, Codex, Goose, or Gemini) from your mobile device or web dashboard, the following data is transmitted:

  • Chat messages — prompts you send and AI responses received
  • Session metadata — session ID, tool type, working directory path, session name
  • Streaming data — AI responses are streamed in real-time via WebSocket connections

Chat messages and AI responses are stored in our database for session continuity. Chat sessions can be deleted by the user at any time.

2.4 Device Information

  • Device name — for identifying connected devices in the app
  • FCM token — Firebase Cloud Messaging token for push notifications
  • Platform — iOS, Android, watchOS, or Wear OS

2.5 Biometric Data

PromptBeat uses Face ID, Touch ID, or device biometrics for authentication before approving or denying permission requests. Biometric data is processed entirely on your device by the operating system. We never receive, transmit, or store biometric data.

2.6 Usage Analytics

We collect aggregated usage statistics including:

  • Approval/denial rates and response times
  • Tool usage breakdowns (which tools are requested most often)
  • Active session counts

This data is stored on our servers and used to power the analytics dashboard within your account.

3. How We Use Your Information

We use the information collected to:

  • Deliver permission requests from your AI agent to your mobile device
  • Send push notifications when new permission requests arrive
  • Authenticate your identity before allowing approve/deny actions
  • Enforce auto-approve and auto-deny rules you configure
  • Enable Remote AI Chat sessions with Claude Code, Aider, Codex, Goose, and Gemini from your mobile device or web dashboard
  • Stream AI agent responses in real-time via WebSocket connections
  • Generate audit logs for compliance and security review
  • Provide analytics dashboards showing tool usage patterns

4. Data Storage and Retention

All data is stored on servers we operate in secure data centers. Data is retained as follows:

  • Pending requests — automatically expired after 2 minutes if not responded to
  • Completed requests — deleted after 24 hours by default
  • Chat sessions — retained until deleted by user or account deletion
  • Audit logs — retained for 90 days
  • Account data — retained until you delete your account

We perform daily encrypted backups to ensure data durability and disaster recovery.

4.1 Encryption

PromptBeat supports end-to-end encryption of tool input data using an HMAC-CTR stream cipher with PBKDF2 key derivation (100,000 iterations, SHA-256). When encryption is enabled:

  • Tool input is encrypted on your development machine before it leaves that machine
  • The server stores only the encrypted ciphertext
  • Decryption happens only on your mobile device
  • We cannot read encrypted tool input

5. Third-Party Services

5.1 Firebase Cloud Messaging (FCM)

We use Google Firebase Cloud Messaging to deliver push notifications to your device. Firebase receives your device's FCM token and notification metadata (title and body text). Google's privacy policy applies to this data: https://policies.google.com/privacy

5.2 No Other Third Parties

We do not sell, share, or transmit your data to any other third parties. We do not use advertising networks, analytics SDKs, or tracking services.

6. Data Security

We implement the following security measures:

  • Passwords hashed with bcrypt (12 rounds)
  • JWT tokens for session authentication with configurable expiration
  • HTTPS enforced for all connections
  • Optional end-to-end encryption for sensitive tool input data
  • Biometric authentication required before approve/deny actions
  • API keys with scoped permissions and revocation
  • Rate limiting on authentication endpoints (5 attempts per 15 minutes)
  • Account lockout after repeated failed login attempts
  • HSTS headers in production mode
  • CSP headers restricting content sources

7. Your Rights

You have the right to:

  • Access your data — view all permission requests, audit logs, and account information through the app and API
  • Export your data — download audit logs in JSON or CSV format via the app or API
  • Delete your data — delete your account, which removes all associated permission records, rules, API keys, and device registrations
  • Revoke devices — remove any connected device from your account at any time
  • Revoke API keys — disable any API key immediately
  • Disable notifications — opt out of push notifications through your device settings

8. Children's Privacy

PromptBeat is a developer tool not intended for use by individuals under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children.

9. International Data Transfers

Your data may be processed in the United States or European Union. We apply appropriate safeguards for international transfers in compliance with applicable data protection laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the app or sending an email to your registered address. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

  • Email: support@promptbeat.online