prapi.dev

Privacy Policy

Effective May 2, 2026 (revised)

This Privacy Policy describes how StartVest LLC (“StartVest”, “we”, “our”) collects, uses, and protects personal information when you use PRAPI (the “Service”) at prapi.dev and app.prapi.dev.

1. Information we collect

Information you provide

  • Account information. When you sign in via Google, GitHub, Microsoft, or a one-time email link, we receive your email address and (where the provider supplies it) your display name and profile photo.
  • Brand context you author. Brand bios, voice rules, banned phrases, channel limits, submission assets, and other content you enter through the dashboard or via our API.
  • Content forwarded to your address. Each PRAPI account gets a unique u_<token>@prapi.dev forwarding address. Emails you forward (typically journalist source-requests from HARO, Featured, Help a B2B Writer, and similar) are received, parsed, and scored against your brand context.
  • Drafts and outputs. Pitches and scores generated by the Service on your behalf, plus your edits and approvals.

Information collected automatically

  • Authentication cookies. Used to keep you signed in across page loads. Set as HttpOnly and Secure with the __Host- prefix where supported.
  • Server logs. IP address, user agent, and request paths for security, abuse prevention, and operational diagnostics. Logs are retained for up to 30 days unless required for an active security investigation.

Note on third-party data. Queries you forward to your PRAPI address typically include personal information about journalists (their name, work email, outlet, story angle, deadline). PRAPI receives and processes this content on your behalf to score, draft, and route. You are the data controller for that information; PRAPI is the processor.You are responsible for any legal basis required (legitimate interest, contract, consent, etc.) under applicable law for handling journalists’ contact details in your pitch workflow.

Information from third parties

  • OAuth providers (Google, GitHub, Microsoft Entra) confirm your identity and supply the email + display name described above. We do not request additional scopes beyond openid email profile.
  • Stripe processes payments. We receive only the customer ID, plan, and status from Stripe — never your full card number.
  • Outlet diligence sources (Domain authority APIs, archive lookups). We send only the publicly known domain or URL of a journalist’s outlet — never your account information.

2. How we use information

  • To authenticate you and operate the Service.
  • To draft pitches in your authored voice and score inbound queries. AI generation uses Anthropic’s Claude API; the brand context you provide is sent as part of the prompt.
  • To bill you (via Stripe) and provide customer support.
  • To monitor for abuse, fraud, and unauthorized access. We may aggregate de-identified usage data to improve the Service.

We do not sell your personal information. We do not train AI models on your private content; the Anthropic API is invoked per-request and is governed by Anthropic’s zero-retention agreement with us.

3. How we share information

We share information only with the service providers required to run PRAPI:

  • Microsoft Azure — hosting (App Service, SQL Database, Blob Storage, Communication Services).
  • Anthropic — large-language-model inference for draft generation and scoring.
  • Stripe — payment processing and subscription management.
  • Cloudflare — DNS, CDN, and edge security for prapi.dev and app.prapi.dev.
  • OAuth providers — authentication only.

We may also disclose information if required by law, to protect rights and safety, or in connection with a sale or transfer of all or part of our business, in which case the acquirer will be bound by terms at least as protective as those described here.

Subprocessor changes. The list above is the full set of subprocessors as of the effective date. We will notify active customers by email at least 30 days before adding a new subprocessor that materially changes how we process your data.

4. Data retention

  • Account data — retained while your account is active and for up to 90 days after closure for backup and dispute resolution.
  • Forwarded emails — retained while the linked query is active in your inbox view, then archived for up to 12 months.
  • Drafts and scores — retained as long as the related brand exists; deleted with the brand.

5. Your rights

Subject to applicable law (GDPR, CCPA, and similar), you have the right to access, correct, export, and delete your personal information. To exercise any of these rights, email tom@startvest.ai from the address on your account.

Data Processing Agreement. If you process personal data of EU, UK, or other jurisdictions that require a Data Processing Agreement (DPA), email tom@startvest.ai and we will execute one with you.

6. International transfers

We are based in the United States and our infrastructure runs in U.S. Microsoft Azure regions. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

7. Children

PRAPI is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

8. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active customers at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

9. Contact

StartVest LLC — Newark, DE (an SDVOSB)
Email: tom@startvest.ai