Privacy Policy
Last Updated: 01 June 2026
Introduction
Graded Prompts Ltd ("we," "us," or "our"), a company registered in England and Wales (company number 17080335), operates the Graded Prompts marketplace at gradedprompts.com (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Platform as a buyer, as a seller, or as a visitor.
We do not sell your personal data and we do not run advertising on the Platform.
This policy explains how we process your data and the lawful bases we rely on, which are set out in Section 3. We rely on consent only where specifically stated (for example, optional marketing emails and any future non-essential cookies). If you disagree with how we handle your data, you can contact us at privacy@gradedprompts.com or discontinue use of the Platform.
1. Who This Policy Applies To
The Platform serves two main user groups, and parts of this policy apply differently to each:
- Buyers — visitors who browse and purchase prompts.
- Sellers — users who list prompts for sale and receive payouts.
A single account may act as both. Where a section applies to only one group, we say so.
Graded Prompts acts as the seller's disclosed agent: when you buy a prompt, your purchase contract for that prompt is with the seller, who licenses it to you directly. We operate the Platform and provide payment-facilitation, support, and dispute-handling services on the seller's behalf, and we may appear as merchant of record on the payment for operational and card-scheme purposes. This role is described in full in our Buyer Terms and Seller Terms.
Graded Prompts Ltd is the data controller for the buyer and seller personal data processed through the Platform. Sellers receive only order-level and aggregated information about sales of their own prompts (such as order ID, country, and amounts) — not buyers' contact details or payment information.
2. Information We Collect
2.1 Information You Provide (All Users)
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, username, password, profile picture | Account creation and personalisation |
| Content | Prompts, descriptions, examples, reviews, ratings | Platform functionality |
| Communications | Support requests, feedback, survey responses | Customer service |
| On-Platform Messages | Messages exchanged with other users via Platform messaging or order discussions | Service delivery, dispute resolution, fraud prevention |
2.2 Buyer-Specific Information
| Data Type | Examples | Purpose |
|---|---|---|
| Payment Information | Card details (processed by Stripe — we do not store full card numbers), billing address, billing country | Processing transactions, tax determination, fraud prevention |
| Purchase History | Prompts purchased, order amounts, download history | Order fulfilment, support, accounting |
2.3 Seller-Specific Information
| Data Type | Examples | Purpose |
|---|---|---|
| Payout Account Details | Stripe payout account details, collected and verified by Stripe during its Connect onboarding | Paying you for licensed prompt sales |
| Identity Verification (KYC) | Government ID, proof of address, date of birth — collected and verified by Stripe through its Connect onboarding when verification is required; we do not collect these documents directly | Anti-money-laundering, sanctions compliance, payout eligibility, and enforcing our Seller Terms (including the seller warranties and indemnity) |
| Tax Information | Tax residency, VAT number (where applicable), tax forms where required | Tax reporting and withholding obligations |
| Earnings and Sales Records | Commission calculations, payout history, sales analytics for your listings | Seller dashboards, accounting, statutory record-keeping |
| Public Seller Profile | Display name, avatar, bio, prompt listings, ratings received, optionally a sales count and verification/badges | Marketplace listings and buyer trust signals |
You control which optional profile information you publish (e.g. bio, links). Display name, avatar, and listings are necessarily public for the marketplace to function.
2.4 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Data | Pages viewed, features used, search queries, time spent | Platform improvement |
| Device Information | Browser type, operating system, device identifiers | Security and optimisation |
| Log Data | IP address, access times, referring URLs | Security and fraud prevention |
| General Location | Country and region inferred from IP address | Compliance, tax determination, localisation |
We do not use third-party analytics or advertising trackers at this time.
2.5 Cookies
We use only strictly necessary cookies required to operate the Platform. Specifically:
- Authentication cookie — keeps you signed in.
- Anonymous cart cookie — preserves your basket before you sign in.
In addition, our bot-protection provider (Cloudflare Turnstile) may set a short-lived verification token on sign-up, login, and other public-facing forms. This token is used solely to confirm you are not an automated bot and is necessary for the security of a service you actively requested.
Because these cookies and tokens are essential to delivering a service you actively requested, no consent banner is required under UK PECR. We do not use cookies for analytics, advertising, or cross-site tracking. If we add any non-essential cookies in future, we will request consent before setting them and update this policy.
You can clear or block cookies through your browser, but doing so will prevent you from signing in or completing a purchase.
3. How We Use Your Information and Our Legal Bases (UK GDPR)
Under UK GDPR and the Data Protection Act 2018, we must rely on a lawful basis for each processing activity. Ours are:
| Purpose | Lawful Basis |
|---|---|
| Creating and operating your account; processing your purchases; paying sellers | Contract — necessary to perform our agreement with you |
| Customer support and handling disputes | Contract / Legitimate interest in resolving issues |
| Fraud detection, abuse prevention, account security | Legitimate interest in protecting the Platform and its users |
| Improving the Platform and its features | Legitimate interest in running and improving our service |
| Screening against the UK Sanctions List (UKSL) maintained by the FCDO | Legal obligation under UK financial sanctions law |
| Screening against non-UK sanctions lists (US OFAC SDN, EU consolidated list, UN consolidated list), including screening carried out by our payment partners as part of their own compliance obligations | Legitimate interest in preventing unlawful use of the Platform, and to enable our payment partners to meet their legal obligations |
| Tax, accounting, and statutory record-keeping | Legal obligation under UK Companies Act 2006, HMRC requirements, and equivalent rules in other jurisdictions |
| Due diligence on sellers and reporting of seller identity and sales information to HMRC under the UK Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023 (and equivalent rules) | Legal obligation |
| Establishing, exercising or defending legal claims, and enforcing our Buyer Terms and Seller Terms (including the seller warranties and indemnity) | Legitimate interest in protecting our legal position / Legal obligation where applicable |
| Sending optional marketing emails (if any) | Consent — you can withdraw at any time |
| Responding to law-enforcement or regulatory requests | Legal obligation |
We do not:
- Sell personal data to third parties.
- Build advertising profiles.
- Use your data for purposes unrelated to operating the Platform.
4. How We Share Your Information
4.1 Service Providers (Processors Acting on Our Behalf)
We share data with trusted third parties who process personal data on our behalf to help us operate the Platform. They are contractually bound (Data Processing Agreements where required) to protect your data and use it only for the purposes we instruct.
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, infrastructure, and internal admin tooling used by Graded Prompts staff | All Platform data, hosted in us-east-1 (Virginia, USA) |
| Amazon CloudFront (AWS) | Content delivery network and edge caching in front of the Platform | IP addresses, request metadata, cached static assets |
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection on sign-up, login, and other public-facing forms | IP address, browser/device signals, interaction data |
| Postmark (operated by ActiveCampaign, LLC) | Transactional emails (password resets, OTPs, order confirmations) | Email address, message content |
4.2 Payment Providers and Banking (Independent Controllers)
The following parties receive personal data in connection with payments, payouts, and settlement. Because they have their own legal obligations (under PSD2, anti-money-laundering rules, card-network rules, and similar), they generally act as independent data controllers for the data they process, not as our processors. Their own privacy policies govern how they handle that data, and we encourage you to review them.
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe (Stripe Payments Europe Ltd / Stripe Inc.) | Buyer payment processing, seller onboarding and identity verification (Stripe Connect), and seller payouts | Payment and payout details, billing/identity data for KYC where required |
| Wise Business (Wise Payments Limited) | Our operating bank — receives settlements paid to Graded Prompts Ltd | Aggregate settlement data; not individual buyer or seller personal data on our behalf |
A current and complete list of subprocessors and independent controllers is published at gradedprompts.com/legal/subprocessors and updated as we add or change providers.
4.3 Between Buyers and Sellers
- Sellers see only aggregated and order-level information about their sales (e.g. order ID, country, amounts) — not buyer payment details.
- Buyers see sellers' public profile information.
- On-platform messages may be reviewed by us where necessary for fraud prevention, dispute resolution, or enforcing our Terms (including our prohibition on moving communications off-platform once escrow is live).
4.4 Other Disclosures
We may disclose your information when:
- Required by law — responding to court orders, subpoenas, regulatory requests, or sanctions enforcement.
- Tax reporting — reporting seller identity and sales information to HMRC (and equivalent tax authorities) under the UK Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023 and similar rules.
- Handling complaints and disputes — where reasonably necessary to handle a buyer complaint, dispute, refund, or chargeback, including disclosing a seller's identifying information to a buyer, a card scheme, our payment provider, or a competent authority, as set out in our Buyer Terms and Seller Terms.
- Protecting rights — enforcing our Terms or protecting users' safety.
- Business transfers — in connection with a merger, acquisition, or asset sale, with notice to you.
- With your consent — when you explicitly authorise sharing.
4.5 Public Information
Information you choose to publish (seller profile, listings, public reviews you write as a buyer) is visible to other users and may appear in search-engine results.
5. Data Security
We implement reasonable security measures, including:
- Encryption — all data is transmitted via TLS; sensitive data is encrypted at rest.
- Access controls — restricted access to personal data on a need-to-know basis.
- Payment security — card data is processed by PCI-DSS compliant providers (Stripe). We never store full card numbers.
- Monitoring — security reviews and vulnerability monitoring on our infrastructure.
No system is completely secure. We take reasonable measures but cannot guarantee absolute security.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | While your account is active |
| Deleted account data | Up to 30 days after deletion request (recovery window), then permanently deleted or anonymised |
| Transaction and accounting records | At least 6 years from end of the accounting period (UK Companies Act 2006 / HMRC requirements) |
| Seller payout and tax records | At least 6 years (or longer where required by law) |
| Sanctions screening records | Minimum 5 years from the date of the relevant transaction |
| Support communications | 3 years after resolution |
| On-platform messages | While account is active; retained for dispute or investigation where relevant |
Publicly shared content (listings, reviews) may remain visible after account deletion in anonymised or attributed form where necessary for buyer protection and platform integrity.
7. Your Rights
Depending on your location, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Correction | Update inaccurate or incomplete information |
| Deletion | Request erasure of your data (subject to legal retention obligations above) |
| Portability | Receive your data in a machine-readable format |
| Restriction | Limit how we process your data |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Revoke previously given consent for any consent-based processing |
To exercise any right, email privacy@gradedprompts.com. We will respond within one month (extendable by two further months for complex requests, as permitted by UK GDPR).
8. Regional Privacy Rights
8.1 United Kingdom
UK GDPR and the Data Protection Act 2018 apply. Graded Prompts Ltd is the data controller. You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
8.2 European Economic Area
Where the EU GDPR applies, you have equivalent rights and may lodge a complaint with your local supervisory authority. You can also contact us directly at privacy@gradedprompts.com on any data protection matter.
8.3 California (CCPA/CPRA)
We do not believe Graded Prompts Ltd currently meets the thresholds that make the CCPA/CPRA mandatory. As a courtesy, we extend the following rights to California residents regardless:
- Right to know the categories and specific pieces of data collected.
- Right to delete personal information (subject to legal exemptions).
- Right to opt out of sale or sharing — we do not sell or share personal information as defined under CCPA.
- Non-discrimination for exercising your rights.
Submit requests to privacy@gradedprompts.com.
8.4 Other Jurisdictions
We aim to comply with applicable privacy laws wherever our users are located. Contact us for region-specific inquiries.
9. International Data Transfers
Graded Prompts Ltd is registered in the UK. Our primary platform infrastructure is hosted in the United States (AWS, us-east-1), and several of our service providers and payment partners are located in or transfer data to the United States, which does not benefit from a UK adequacy decision.
When personal data is transferred outside the UK or EEA to a country without an adequacy decision, we rely on appropriate safeguards, including:
- The UK International Data Transfer Agreement (IDTA), or
- The UK Addendum to the EU Standard Contractual Clauses, or
- Other valid transfer mechanisms approved by the ICO,
together with a transfer risk assessment and supplementary measures (such as encryption) where appropriate.
Copies of the relevant safeguards are available on request.
10. Sanctions and Compliance Screening
As a UK-registered company processing payments and payouts internationally, we are required to screen accounts and transactions against the UK Sanctions List (UKSL) maintained by the FCDO. In addition, we and our payment partners screen against the US OFAC Specially Designated Nationals (SDN) List, the EU consolidated list of persons, groups and entities subject to financial sanctions, the UN Security Council Consolidated List, and other applicable sanctions lists used by our payment providers. We may refuse service, freeze funds, or report transactions where required by law. Limited identity and transaction data is processed for this purpose.
11. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover we have collected information from a minor, we will promptly delete it. If you believe a minor has provided us data, contact us immediately at privacy@gradedprompts.com.
12. Third-Party Links
The Platform may contain links to third-party websites (for example, sample outputs hosted on AI provider sites). We are not responsible for their privacy practices and encourage you to review their policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top.
- We will notify you by email or via a prominent Platform notice.
- Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For questions, concerns, or to exercise your privacy rights:
Email: privacy@gradedprompts.com
Registered Office: Graded Prompts Ltd, 128 City Road, London, EC1V 2NX, United Kingdom
Company Number: 17080335
We aim to respond to all inquiries within one month.
This Privacy Policy was last reviewed and updated on 01 June 2026.
