The Prompt Academy Profiles

1. Scope and Applicability

This Privacy Policy describes how The Prompt Academy LLC ("TPA," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information in connection with all TPA services, including:

• TPA Profiles (thepromptacademy.com) — public AI portfolio and project showcase platform
• TPA Learn (learn.thepromptacademy.com) — online courses and AI certification programs
• TPA Jobs — AI job portal and career opportunities
• TPA News (news.thepromptacademy.com) — AI industry news and newsletter
• Related websites, applications, tools, and communications

We encourage you to read this Privacy Policy in full. If you have questions about our data practices, please contact us at privacy@thepromptacademy.com before using our Services.

2. Information We Collect

We collect the following categories of personal information:

• Account and profile information: name, email address, phone number, username, professional title, biographical summary, GitHub username, LinkedIn URL, Twitter/X handle, website URL, and profile picture.
• Project and portfolio content: project titles, descriptions, tools and technologies used, demo links, GitHub links, video content, and other content you choose to publish.
• Educational and certification data: course enrollment, progress, assessment responses, certification status, and related learning records.
• Authentication and security data: one-time passcodes (OTPs), session identifiers, login timestamps, device and browser information, IP addresses (processed and hashed for security purposes), and fraud-prevention signals.
• Usage and analytics data: page views, profile view counts, feature interactions, referral sources, approximate geographic location derived from IP address, browser type, operating system, and behavioral events.
• Communications: messages and inquiries sent to us, support requests, legal notices, and records of our correspondence.
• Newsletter and marketing preferences: subscription status, email engagement data (opens, clicks, unsubscribes), and marketing communication preferences.
• Cookies and similar technologies: session cookies, security cookies, preference data, and tracking technologies used to authenticate users and understand platform usage (see Section 7).

3. How We Use Information

We use the information we collect to:

• Create, maintain, secure, and operate your account and profile
• Deliver and continuously improve the Services
• Authenticate users via one-time passcode (OTP) and session management
• Host and display public profile and portfolio content
• Enroll users in courses, issue certifications, and track educational progress
• Connect users with relevant job opportunities and career resources
• Send transactional emails (account verification, security notices, purchase receipts) via Postmark
• Send marketing newsletters, promotional offers, partner recommendations, and product updates via Brevo
• Measure platform performance, troubleshoot errors, and analyze user behavior via Appizer
• Deliver and serve media and profile images via Bunny.net CDN
• Process payments through Stripe (TPA does not store payment card data)
• Prevent fraud, abuse, spam, and security incidents
• Comply with legal obligations and enforce our agreements
• Respond to your requests, inquiries, and support needs

4. Public Profile Information

TPA Profiles is a public-facing platform. By default, your public profile — including your name, username, biography, professional title, project portfolio, skills, social media links, and profile picture — is visible to anyone with access to the internet, including employers, recruiters, search engines, and the general public. Please exercise care when deciding what personal information to publish on your profile. You may update or remove your public content at any time from your dashboard settings.

5. Newsletter and Email Communications; Consent

We operate two consent flows for newsletter and marketing communications:

Profile account holders: During registration on The Prompt Academy (thepromptacademy.com), you are given a separate, optional checkbox to consent to receive marketing communications from The Prompt Academy — including AI industry news, product updates, educational content, and career opportunity alerts. Marketing communications are only sent to users who have explicitly opted in, and are delivered via Brevo. This consent is separate from accepting our Terms of Use and is not a condition of creating an account.

News subscribers: By submitting your email address at news.thepromptacademy.com, you consent to receive TPA's news digest and newsletter delivered via Brevo.

Opt-out: You may withdraw consent to marketing communications at any time by clicking "Unsubscribe" in any marketing email or by contacting privacy@thepromptacademy.com. Opting out of marketing does not affect transactional emails (verification codes, security alerts, billing confirmations, and material policy notices), which are delivered via Postmark and may continue for as long as your account remains active.

6. How We Disclose Information; Named Service Providers

We may disclose personal information to the following categories of recipients:

Named technology service providers:

• Appizer — product analytics, user engagement measurement, and in-app feature delivery. Appizer receives behavioral and usage data to help us understand how users interact with the platform.
• Brevo (Sendinblue SAS) — email marketing and marketing automation. Brevo receives subscriber names, email addresses, and engagement data to deliver newsletters and marketing communications.
• Postmark (Wildbit, LLC) — transactional email delivery. Postmark receives recipient email addresses and message content necessary to deliver account-related and security emails.
• BunnyWay d.o.o. (operating as Bunny.net) — content delivery network (CDN) and media hosting. Bunny.net stores and delivers profile images and other media uploaded through TPA services.
• Stripe, Inc. — payment processing. Stripe handles all payment card data directly; TPA does not store or process payment card information.

Marketing and business partners: We may share limited personal information (such as name, email address, and professional interests) with vetted marketing partners and co-marketing collaborators for the purpose of presenting relevant offers, promotions, job opportunities, and educational resources to users. These partners are contractually restricted from using your information for any purpose other than those described in this Privacy Policy. Under certain U.S. state privacy laws, this sharing may constitute a "sale" or "sharing for cross-context behavioral advertising" — see Section 9 for your opt-out rights.

Legal and safety purposes: We may disclose information when required by law, court order, or governmental authority; when reasonably necessary to investigate or prevent fraud, abuse, security threats, or violations of our Terms; to enforce our agreements; or to protect the rights, safety, or property of TPA, its users, or the public.

Corporate transactions: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of TPA's assets, your information may be transferred to or shared with a successor entity, subject to the terms of this Privacy Policy.

With your direction: When you request or authorize specific disclosure, we will share information accordingly.

7. Cookies and Tracking Technologies

We use cookies and similar technologies as described in the table below. When you first visit our platform, a cookie consent banner will ask for your permission before we activate any non-essential cookies.

You can change your cookie preferences at any time by clearing the tpa_consent cookie from your browser settings, which will cause the consent banner to reappear on your next visit. Disabling essential cookies may impair functionality, including your ability to stay logged in.

8. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Privacy Policy or as required by applicable law. The following retention periods apply:

Upon verified account deletion, we will remove your publicly visible content and personal data from active systems within 30 days. Aggregated or anonymized data that cannot reasonably be used to identify you may be retained beyond these periods.

9. No Sale of Personal Information; Do Not Share My Personal Information

We do not sell your personal information for money. However, we engage in marketing partnerships and co-marketing activities that may involve sharing limited personal information with vetted partners for promotional purposes. Under certain U.S. state privacy laws — including the California Consumer Privacy Act (CCPA/CPRA) and the Texas Data Privacy and Security Act (TDPSA) — this type of sharing may be classified as a "sale" or "sharing for targeted advertising purposes."

You have the right to opt out of this type of sharing at any time. To exercise this right, send an email to privacy@thepromptacademy.com with the subject line "Do Not Share My Personal Information" and include the name and email address associated with your account. We will process your request within 15 business days and confirm by reply email.

10. Your Rights and Choices

All Users:

• Access and correction: You may request a copy of the personal information we hold about you or ask us to correct inaccurate data.
• Deletion: You may request deletion of your account and personal data (see Section 11).
• Marketing opt-out: You may unsubscribe from marketing communications at any time (see Section 5).
• Do Not Share: You may opt out of personal information sharing for marketing partner purposes (see Section 9).

Texas Residents — Texas Data Privacy and Security Act (TDPSA):

If you are a Texas resident, you have the right to: (1) confirm whether TPA processes your personal data; (2) access a copy of the personal data we hold about you; (3) correct inaccuracies in your personal data; (4) delete personal data you have provided to or that we have collected about you; (5) obtain a portable copy of your personal data in a machine-readable format; and (6) opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects. To submit a request, email privacy@thepromptacademy.com. We will respond within 45 days of receipt, with one possible extension of an additional 45 days if we provide prior notice. If we decline your request, you have the right to appeal by emailing legal@thepromptacademy.com. If your appeal is denied, you may contact the Office of the Texas Attorney General.

California Residents — CCPA/CPRA:

If you are a California resident, you have the right to: (1) know what categories and specific pieces of personal information we collect, use, disclose, and sell; (2) access the personal information we hold about you; (3) request deletion of your personal information (subject to certain exceptions); (4) correct inaccurate personal information; (5) opt out of the sale or sharing of your personal information; (6) limit the use and disclosure of sensitive personal information (not currently applicable to our Services); and (7) not be discriminated against for exercising any of these rights. To submit a CCPA request, email privacy@thepromptacademy.com with sufficient information to verify your identity. We will respond within 45 calendar days.

Other U.S. Residents: We extend reasonable privacy rights — including access, correction, deletion, and marketing opt-out — to all U.S. residents to the extent practicable and as required by applicable law. Contact privacy@thepromptacademy.com to submit a request.

11. Rights of EU, EEA, and UK Residents (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation applies to our processing of your personal data. This section sets out your rights and our obligations under that framework.

Lawful bases for processing: We process your personal data under the following lawful bases as applicable:

• Contract performance (Article 6(1)(b)): Processing necessary to provide the Services you have signed up for, including account management, profile hosting, OTP authentication, and course delivery.
• Legitimate interests (Article 6(1)(f)): Fraud prevention, platform security, abuse detection, operational analytics, and activity logging, where our interests are not overridden by your rights.
• Consent (Article 6(1)(a)): Marketing emails and analytics cookies (Appizer), where you have given explicit, separate consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable law.

Your rights under GDPR: You have the right to:

• Access (Article 15): Request a copy of the personal data we hold about you.
• Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Erasure (Article 17): Request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful.
• Restriction of processing (Article 18): Request that we restrict processing of your data (e.g., while you contest its accuracy, or while an objection is being assessed).
• Data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
• Object to processing (Article 21): Object to processing based on legitimate interests, or to processing for direct marketing purposes (including profiling), at any time.
• Rights related to automated decision-making (Article 22): The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently engage in solely automated decision-making of this kind.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time by unsubscribing from marketing emails or adjusting your cookie preferences.

How to exercise your rights: Submit a request to privacy@thepromptacademy.com. We will respond within 30 days of receipt (extendable by a further two months for complex requests, with prior notice). We may ask you to verify your identity before processing your request.

Right to lodge a complaint: If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority — for example, the UK Information Commissioner's Office (ICO) at ico.org.uk, or the relevant national DPA in your EU member state. A list of EU DPAs is available at edpb.europa.eu.

EU/EEA representative: The Prompt Academy LLC is based in the United States. EU/EEA residents may direct all privacy inquiries and rights requests to privacy@thepromptacademy.com. TPA is committed to maintaining compliance with applicable EU/EEA data protection requirements, including GDPR Article 27.

12. How to Delete Your Profile and Data

You may request full deletion of your TPA account and associated personal data at any time through either of the following methods:

• In-app: Navigate to your account settings or dashboard and follow the profile deletion flow.
• By email: Send a deletion request to privacy@thepromptacademy.com from the email address associated with your account, with the subject line "Delete My Profile" and your username in the body.

Upon receipt of a verified deletion request, we will: (a) remove your public profile and all associated content from the platform; (b) delete your personal data from our active databases; (c) instruct relevant service providers (Brevo, Postmark, Appizer, Bunny.net) to delete your data consistent with our data processing agreements; and (d) confirm completion by email within 30 business days. Certain data may be retained beyond this period where required by law or for legitimate business purposes (such as tax records, fraud-prevention logs, or data subject to a legal hold). Aggregated or de-identified data derived from your use of the Services may be retained and used in accordance with this Privacy Policy.

13. Security

We implement reasonable administrative, technical, and organizational security measures — including password hashing, encrypted sessions (HTTPS), access controls, and periodic security reviews — designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. However, no security measure is completely infallible, and we cannot guarantee absolute security or uninterrupted protection.

Data breach notification: In the event of a personal data breach, we will assess the risk to affected individuals without undue delay. Where required by applicable law — including, for EU/EEA residents, within 72 hours of becoming aware of the breach under GDPR Article 33 — we will notify the relevant supervisory authority. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly as required by GDPR Article 34 and equivalent applicable laws. We maintain internal breach response procedures to support timely assessment and notification.

14. Children

TPA Services are not directed to individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a person under 18, contact us immediately at privacy@thepromptacademy.com and we will investigate and promptly delete such information.

15. Cross-Border Data Processing

The Prompt Academy is based in the United States. Your personal information may be processed in the United States and, through our third-party service providers, in other jurisdictions. Data protection laws in those jurisdictions may differ from those in your home country.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following mechanisms to lawfully transfer personal data outside those regions:

• Standard Contractual Clauses (SCCs): Where our service providers do not participate in an adequacy framework, we enter into Standard Contractual Clauses approved by the European Commission (or equivalent) with those providers, including Postmark (Wildbit LLC), Appizer, and Stripe, Inc.
• Adequacy decisions and frameworks: BunnyWay d.o.o. (Bunny.net) is based in Slovenia, an EU member state, and processes data within the EU/EEA. Where applicable, we rely on adequacy decisions issued by the European Commission for data transfers to recognized adequate countries.

You may request a copy of the relevant Standard Contractual Clauses by contacting us at privacy@thepromptacademy.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The current version will always be available at thepromptacademy.com/privacy with the applicable effective date. We will make reasonable efforts to notify you of material changes — for example, by updating the effective date, posting a prominent notice within the Services, or sending an email to the address associated with your account. Your continued use of the Services following the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with a material change, your remedy is to cease using the Services and request deletion of your account.

17. Contact Us

For privacy questions, rights requests, deletion requests, "Do Not Share" requests, and general privacy concerns:

• Privacy Team — The Prompt Academy LLC
• 14425 Falcon Head Blvd Bldg E Suite 100, Austin TX 78738
• privacy@thepromptacademy.com

For legal notices and formal correspondence:

• legal@thepromptacademy.com
• (512) 601-5001