Privacy Policy
Last updated: 6 June 2026
Introduction
Graded Prompts Ltd ("we," "us," or "our"), a company registered in England and Wales (company number 17080335), operates the Graded Prompts platform at gradedprompts.com, including the seller portal at portal.gradedprompts.com (together, the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Platform as a buyer, as a seller, or as a visitor. We do not sell your personal data and we do not run advertising on the Platform. This policy explains how we process your data and the lawful bases we rely on, which are set out in Section 3. We rely on consent only where specifically stated (for example, optional marketing emails and any future non-essential cookies). If you disagree with how we handle your data, you can contact us at privacy@gradedprompts.com or discontinue use of the Platform.
1. Who This Policy Applies To
The Platform serves two main user groups, and parts of this policy apply differently to each:
- Buyers — visitors who browse and purchase prompts.
- Sellers — users who list prompts for sale and receive payouts.
A single account may act as both. Where a section applies to only one group, we say so.
Graded Prompts Ltd is the merchant of record for all purchases on the Platform: when you buy a prompt, you purchase it from Graded Prompts, not directly from the seller. Sellers are independent suppliers who license their prompts to us, and we sublicense those prompts to buyers under our Buyer Terms. We process payments, issue receipts, provide support, and handle refunds, chargebacks, and disputes in our own right as principal — not as the seller's agent. This role is described in full in our Buyer Terms and Seller Agreement.
Graded Prompts Ltd is the data controller for the buyer and seller personal data processed through the Platform. Sellers receive only order-level and aggregated information about sales of their own prompts (such as order ID, country, and amounts), any messages a buyer chooses to send them through Platform messaging, and a buyer's public display name and reviews — not buyers' email or contact details or payment information.
2. Information We Collect
2.1 Information You Provide (All Users)
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, username, password, profile picture | Account creation and personalisation |
| Content | Prompts, descriptions, examples, reviews, ratings | Platform functionality |
| Communications | Support requests, feedback, survey responses | Customer service |
| On-Platform Messages | Messages exchanged with other users via Platform messaging or order discussions | Service delivery, dispute resolution, fraud prevention |
2.2 Buyer-Specific Information
| Data Type | Examples | Purpose |
|---|---|---|
| Payment Information | Card details (processed by Stripe — we do not store full card numbers), billing address, billing country | Processing transactions, tax determination, fraud prevention |
| Purchase History | Prompts purchased, order amounts, download history | Order fulfilment, support, accounting |
2.3 Seller-Specific Information
| Data Type | Examples | Purpose |
|---|---|---|
| Payout Account Details | Payout destination details (for example, bank or card details) collected and verified directly by our payout provider (currently Stripe) as part of its Stripe Connect onboarding | Paying you for the Prompt Licences you supply |
| Identity Verification (KYC) | Government ID, proof of address, date of birth, and — where you are an entity — beneficial-owner details. These are collected directly by Stripe as part of Stripe Connect onboarding; Stripe carries out the identity and anti-money-laundering checks under its own legal obligations and as an independent controller. We receive the verification outcome and limited records confirming a check was completed, not the underlying documents (see Sections 2.6 and 4.2) | Verifying payout eligibility, fraud prevention, sanctions compliance, and enforcing our Seller Agreement (including the seller warranties and indemnity) |
| Tax Information | Tax residency, VAT number (where applicable), tax forms where required | Tax reporting and withholding obligations |
| Earnings and Sales Records | Margin calculations, payout history, sales analytics for your listings | Seller dashboards, accounting, statutory record-keeping |
| Public Seller Profile | Display name, avatar, bio, prompt listings, ratings received, optionally a sales count and verification/badges | Platform listings and buyer trust signals |
You control which optional profile information you publish (e.g. bio, links). Display name, avatar, and listings are necessarily public for the platform to function.
2.4 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Data | Pages viewed, features used, search queries, time spent | Platform improvement |
| Device Information | Browser type, operating system, device identifiers | Security and optimisation |
| Log Data | IP address, access times, referring URLs | Security and fraud prevention |
| General Location | Country and region inferred from IP address | Compliance, tax determination, localisation |
We do not use third-party analytics or advertising trackers at this time.
2.5 Cookies
We use only strictly necessary cookies required to operate the Platform. Specifically:
- Authentication cookie — keeps you signed in.
- Anonymous cart cookie — preserves your basket before you sign in.
In addition, our bot-protection provider (Cloudflare Turnstile) may set a short-lived verification token on sign-up, login, and other public-facing forms. This token is used solely to confirm you are not an automated bot and is necessary for the security of a service you actively requested. Because these cookies and tokens are essential to delivering a service you actively requested, no consent banner is required under UK PECR. We do not use cookies for analytics, advertising, or cross-site tracking. If we add any non-essential cookies in future, we will request consent before setting them and update this policy. You can clear or block cookies through your browser, but doing so will prevent you from signing in or completing a purchase.
2.6 Information We Receive From Others
Some information about you reaches us from the providers we work with rather than directly from you. We use it for the purposes already described in this policy — chiefly payment processing, identity verification, fraud prevention, and account security — and we treat it under this Privacy Policy from the point we receive it. From Stripe, we receive the outcome and status of identity and payout-account verification (Stripe Connect), fraud and risk signals, and limited payment metadata such as the card brand, the last four digits, and the issuing country; we do not receive full card numbers. From our bot-protection provider Cloudflare (Turnstile), we receive bot and abuse-risk signals generated when you complete our sign-up, login, or other protected forms.
2.7 Whether You Must Provide Information
Providing the account and payment information described in Sections 2.1 and 2.2 is necessary to create an account and to buy or sell on the Platform: without it, we cannot enter into or perform our contract with you, and you will not be able to complete a purchase. Where identity, tax, or sanctions-screening information is required by law (for example, to make seller payouts or to meet our reporting obligations), providing it is a legal requirement, and we cannot make payouts to you without it. Other information is optional, and not providing it will not affect your ability to use the core features of the Platform.
3. How We Use Your Information and Our Legal Bases (UK GDPR)
Under UK GDPR and the Data Protection Act 2018, we must rely on a lawful basis for each processing activity. Ours are:
| Purpose | Lawful Basis |
|---|---|
| Creating and operating your account; processing your purchases; paying sellers | Contract — necessary to perform our agreement with you |
| Customer support and handling disputes | Contract / Legitimate interest in resolving issues |
| Fraud detection, abuse prevention, account security | Legitimate interest in protecting the Platform and its users |
| Improving the Platform and its features | Legitimate interest in running and improving our service |
| Verifying seller identity and payout-account eligibility (carried out by Stripe through Stripe Connect onboarding) | Contract — necessary to pay you for the Prompt Licences you supply — together with our Legitimate interest in preventing fraud and confirming eligibility. The underlying identity and anti-money-laundering checks are performed by Stripe under its own legal obligations, as an independent controller |
| Screening against the UK Sanctions List (UKSL) maintained by the FCDO | Legal obligation under UK financial sanctions law |
| Screening against non-UK sanctions lists (US OFAC SDN, EU consolidated list, UN consolidated list), including screening carried out by our payment partners as part of their own compliance obligations | Legitimate interest in preventing unlawful use of the Platform, and to enable our payment partners to meet their legal obligations |
| Tax, accounting, and statutory record-keeping | Legal obligation under UK Companies Act 2006, HMRC requirements, and equivalent rules in other jurisdictions |
| Due diligence on sellers and, to the extent these obligations apply to us, reporting of seller identity and income information to HMRC under the UK Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023 (and equivalent rules in other jurisdictions) | Legal obligation |
| Establishing, exercising or defending legal claims, and enforcing our Buyer Terms and Seller Agreement (including the seller warranties and indemnity) | Legitimate interest in protecting our legal position / Legal obligation where applicable |
| Sending optional marketing emails (if any) | Consent — you can withdraw at any time |
| Responding to law-enforcement or regulatory requests | Legal obligation |
We do not:
- Sell personal data to third parties.
- Build advertising profiles.
- Use your data for purposes unrelated to operating the Platform.
Service communications are separate from marketing. Messages we send to operate your account and your transactions — for example email or phone verification, password resets, security alerts, order and download confirmations, payout notices, and notices about changes to our Terms or this policy — are not marketing. We send them on the Contract or Legal obligation bases set out above, and you cannot opt out of them while you hold an account. Opting out of optional marketing emails does not stop these service communications.
4. How We Share Your Information
4.1 Service Providers (Processors Acting on Our Behalf)
We share data with trusted third parties who process personal data on our behalf to help us operate the Platform. They are contractually bound (Data Processing Agreements where required) to protect your data and use it only for the purposes we instruct.
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, infrastructure, and internal admin tooling used by Graded Prompts staff | All Platform data, hosted in us-east-1 (Virginia, USA) |
| Amazon CloudFront (AWS) | Content delivery network and edge caching in front of the Platform | IP addresses, request metadata, cached static assets |
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection on sign-up, login, and other public-facing forms | IP address, browser/device signals, interaction data |
| Postmark (operated by ActiveCampaign, LLC) | Transactional emails (password resets, OTPs, order confirmations) | Email address, message content |
4.2 Payment Providers and Banking (Independent Controllers)
The following parties receive personal data in connection with payments, payouts, and settlement. Because they have their own legal obligations (under PSD2, anti-money-laundering rules, card-network rules, and similar), they generally act as independent data controllers for the data they process, not as our processors. Their own privacy policies govern how they handle that data, and we encourage you to review them.
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe (Stripe Payments Europe Ltd / Stripe Inc.) | Processing buyer card payments for Graded Prompts as merchant of record; seller payout-account onboarding, identity verification, and payouts (Stripe Connect) | Payment and payout details, billing and identity data for KYC where required |
| Wise Business (Wise Payments Limited) | Our operating bank — receives settlements paid to Graded Prompts Ltd | Aggregate settlement data; not individual buyer or seller personal data on our behalf |
A current and complete list of subprocessors and independent controllers is published at gradedprompts.com/legal/subprocessors and updated as we add or change providers.
4.3 Between Buyers and Sellers
- Sellers see aggregated and order-level information about their sales (for example, order ID, country, and amounts), and — where a buyer contacts them through Platform messaging — the buyer's public display name and message content. Sellers do not receive buyers' email or contact details or any payment information. When a seller receives your display name and message content in this way, the seller acts as an independent controller of that limited information and is required, under our Seller Agreement, to use it only to respond to you and to handle it in line with data protection law.
- Buyers see sellers' public profile information.
- On-platform messages may be reviewed by us where necessary for fraud prevention, dispute resolution, or enforcing our Terms (including our prohibition on moving Platform transactions off-platform).
4.4 Other Disclosures
We may disclose your information when:
- Required by law — responding to court orders, subpoenas, regulatory requests, or sanctions enforcement.
- Tax reporting — where these obligations apply to us, reporting seller identity and income information to HMRC (and equivalent tax authorities) under the UK Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023 and similar rules.
- Handling complaints and disputes — where reasonably necessary to handle a buyer complaint, dispute, refund, or chargeback, including disclosing a seller's identifying information to a buyer, a card scheme, our payment provider, or a competent authority, as set out in our Buyer Terms and Seller Agreement.
- Protecting rights — enforcing our Terms or protecting users' safety.
- Business transfers — in connection with a merger, acquisition, or asset sale, with notice to you.
- With your consent — when you explicitly authorise sharing.
4.5 Public Information
Information you choose to publish (seller profile, listings, public reviews you write as a buyer) is visible to other users and may appear in search-engine results.
5. Data Security
We implement reasonable security measures, including:
- Encryption — all data is transmitted via TLS; sensitive data is encrypted at rest.
- Access controls — restricted access to personal data on a need-to-know basis.
- Payment security — card data is processed by PCI-DSS compliant providers (Stripe). We never store full card numbers.
- Monitoring — security reviews and vulnerability monitoring on our infrastructure.
No system is completely secure. We take reasonable measures but cannot guarantee absolute security.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | While your account is active |
| Deleted account data | Up to 30 days after deletion request (recovery window), then permanently deleted or anonymised |
| Transaction and accounting records | At least 6 years from end of the accounting period (UK Companies Act 2006 / HMRC requirements) |
| Seller payout and tax records | At least 6 years (or longer where required by law) |
| Sanctions screening records | Minimum 5 years from the date of the relevant transaction |
| Support communications | 3 years after resolution |
| On-platform messages | While account is active; retained for dispute or investigation where relevant |
Publicly shared content (listings, reviews) may remain visible after account deletion in anonymised or attributed form where necessary for buyer protection and platform integrity.
7. Your Rights
Depending on your location, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Correction | Update inaccurate or incomplete information |
| Deletion | Request erasure of your data (subject to legal retention obligations above) |
| Portability | Receive your data in a machine-readable format |
| Restriction | Limit how we process your data |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Revoke previously given consent for any consent-based processing |
| Automated Decisions | Where a decision producing legal or similarly significant effects is taken solely by automated means, the right to be informed about it, to make representations, to obtain human intervention, and to contest the decision |
To exercise any right, email privacy@gradedprompts.com. We will respond within one month (extendable by two further months for complex requests, as permitted by UK GDPR).
8. Regional Privacy Rights
8.1 United Kingdom
UK GDPR and the Data Protection Act 2018 apply. Graded Prompts Ltd is the data controller. You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
8.2 European Economic Area
Where the EU GDPR applies, you have equivalent rights and may lodge a complaint with your local supervisory authority. You can also contact us directly at privacy@gradedprompts.com on any data protection matter.
8.3 California (CCPA/CPRA)
We do not believe Graded Prompts Ltd currently meets the thresholds that make the CCPA/CPRA mandatory. As a courtesy, we extend the following rights to California residents regardless:
- Right to know the categories and specific pieces of data collected.
- Right to delete personal information (subject to legal exemptions).
- Right to opt-out of sale or sharing — we do not sell or share personal information as defined under CCPA.
- Non-discrimination for exercising your rights.
Submit requests to privacy@gradedprompts.com.
8.4 Other Jurisdictions
We aim to comply with applicable privacy laws wherever our users are located. Contact us for region-specific inquiries.
9. International Data Transfers
Graded Prompts Ltd is registered in the UK. Our primary platform infrastructure is hosted in the United States (AWS, us-east-1), and several of our service providers and payment partners are located in or transfer data to the United States. The United States benefits from UK "data bridge" adequacy regulations (the UK Extension to the EU–US Data Privacy Framework, or "DPF") only for organisations that hold an active certification under it. Where we transfer personal data to a US provider that holds an active UK Extension certification — currently Amazon Web Services, Cloudflare, and ActiveCampaign (Postmark) — we rely on the UK–US data bridge as the transfer mechanism. Our payment provider, Stripe, is also DPF-certified and acts as an independent controller, handling its own transfers (see Section 4.2). For any transfer to a country without a UK adequacy decision, or to a US provider not covered by the data bridge, we rely on appropriate safeguards, including:
- The UK International Data Transfer Agreement (IDTA), or
- The UK Addendum to the EU Standard Contractual Clauses, or
- Other valid transfer mechanisms approved by the ICO, together with a transfer risk assessment and supplementary measures (such as encryption) where appropriate.
We also keep these safeguards in place as a fallback should a provider's DPF certification lapse. Copies of the relevant safeguards are available on request.
10. Sanctions and Compliance Screening
As a UK-registered company processing payments and payouts internationally, we are required to screen accounts and transactions against the UK Sanctions List (UKSL) maintained by the FCDO. In addition, we and our payment partners screen against the US OFAC Specially Designated Nationals (SDN) List, the EU consolidated list of persons, groups and entities subject to financial sanctions, the UN Security Council Consolidated List, and other applicable sanctions lists used by our payment providers. We may refuse service, freeze funds, or report transactions where required by law. Limited identity and transaction data is processed for this purpose.
Automated decision-making and human review. Parts of the fraud-prevention and sanctions screening described above are automated, including risk checks carried out by our payment partners. In limited cases an automated check may, on its own, lead to a decision that significantly affects you — for example declining a transaction, suspending an account, or holding or freezing a payout pending review. Where that happens, you can ask us to review the decision: a member of our team will reconsider it, you can put your point of view to us, and you can contest the outcome. To request a review, email privacy@gradedprompts.com. Some sanctions-related steps are required by law, and in those cases our ability to change the outcome may be limited by our legal obligations.
11. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover we have collected information from a minor, we will promptly delete it. If you believe a minor has provided us data, contact us immediately at privacy@gradedprompts.com.
12. Third-Party Links
The Platform may contain links to third-party websites (for example, sample outputs hosted on AI provider sites). We are not responsible for their privacy practices and encourage you to review their policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top.
- We will notify you by email or via a prominent Platform notice.
- Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For questions, concerns, or to exercise your privacy rights:
- Email: privacy@gradedprompts.com
- Company details and registered office: gradedprompts.com/legal/company-information
We aim to respond to all inquiries within one month.
This Privacy Policy was last reviewed and updated on 3 June 2026.
