Privacy Policy

Table of Contents

01 Introduction
02 Information We Collect
03 How We Use Information
04 Data Retention
05 Data Sharing
06 International Transfers
07 Your Rights
08 Cookies
09 Security
10 Changes to This Policy
11 Contact Us

01. Introduction

Prynt, Inc. ("Prynt," "we," "us," or "our") operates a device intelligence platform that enables businesses to identify devices, detect fraud, and protect their applications from malicious actors. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at prynt.io, use our dashboard at app.prynt.io, or interact with our API and SDKs (collectively, the "Service").

We are committed to protecting the privacy of both our customers and the end users whose device data flows through our platform. This policy applies to all data processed by Prynt, whether collected directly from you or provided to us through the use of our device intelligence services.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our Service immediately.

02. Information We Collect

Account Information

When you register for a Prynt account, we collect personal information that you voluntarily provide to us, including your name, email address, company name, and billing information. This data is necessary to create and maintain your account, process payments, and provide customer support.

Device Intelligence Data

When our SDK or API is deployed by a customer, we collect technical signals from the end user's device for the purpose of generating a persistent device identifier and risk assessment. This data includes, but is not limited to:

Browser attributes: user agent string, installed plugins, language settings, timezone, screen resolution, color depth, and WebGL renderer information
Network attributes: IP address, connection type, and derived geolocation data (city, region, country level)
Device attributes: operating system, device model, available hardware characteristics, and platform-specific identifiers
Behavioral signals: canvas fingerprint hashes, AudioContext signatures, font enumeration results, and other technical parameters used for device identification
Anomaly indicators: VPN or proxy detection flags, bot behavior markers, browser tampering indicators, and incognito mode detection results

Important: By default, Prynt does not collect or store any personally identifiable information (PII) such as names, email addresses, physical addresses, or financial information from end users. All device signals are technical in nature and are processed to generate probabilistic device identifiers.

Usage Data

We automatically collect certain information when you use our dashboard or API, including access timestamps, API endpoints called, request volume, response codes, and performance metrics. We use this data to monitor service health, investigate issues, and improve our platform.

03. How We Use Information

We use the information we collect for the following purposes:

Fraud detection and prevention: Generating device identifiers, computing risk scores, evaluating signals, and delivering real-time verdicts (allow, challenge, or block) to our customers
Service delivery: Providing, maintaining, and operating the Prynt platform, including the API, SDKs, dashboard, and rules engine
Service improvement: Analyzing aggregate usage patterns to improve identification accuracy, reduce latency, and develop new detection capabilities
Account management: Managing your account, processing billing, communicating important service updates, and providing technical support
Security: Detecting and preventing unauthorized access, abuse, or attacks against our infrastructure and our customers' implementations
Legal compliance: Meeting applicable legal and regulatory obligations, responding to valid legal process, and enforcing our Terms of Service

04. Data Retention

Prynt retains device intelligence data for a configurable period determined by each customer's account settings. The default retention period is 90 days from the date of collection. After this period, device data is automatically and permanently deleted from our active systems.

Customers on Pro and Enterprise plans may customize their retention period between 30 days and 365 days, depending on their regulatory and business requirements. Aggregate, anonymized analytics data may be retained beyond the configured retention period for the purpose of improving our models and reporting.

Account information is retained for as long as your account remains active. Upon account termination, we will delete your account data within 30 days, except where retention is required by applicable law or to resolve disputes.

Backup copies of data may exist in our disaster recovery systems for up to an additional 30 days beyond the primary deletion date.

Prynt is built on a foundational principle: we do not sell your data. We do not sell, rent, trade, or otherwise share personal information or device intelligence data with third parties for their own marketing or commercial purposes.

We may share data in the following limited circumstances:

With the customer who owns the data: Device intelligence data collected through a customer's implementation is shared only with that specific customer. Each customer's data is logically isolated and never shared across customer accounts.
Service providers: We engage a limited number of trusted service providers (e.g., cloud hosting, payment processing, customer support tools) who process data on our behalf under strict contractual obligations and data processing agreements.
Legal obligations: We may disclose information when required by law, court order, subpoena, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.
Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, data may be transferred as part of the transaction. We will notify affected customers prior to any such transfer.

06. International Transfers

Prynt operates globally and may process data in jurisdictions outside of your country of residence. Our primary data processing infrastructure is located in the United States (AWS us-east-1 and us-west-2 regions), with additional processing nodes in the European Union (eu-west-1) and Asia-Pacific (ap-southeast-1) for latency optimization.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Prynt relies on the EU-US Data Privacy Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework, as applicable. Prynt has certified its compliance with these frameworks to the U.S. Department of Commerce.

Where the Data Privacy Framework does not apply, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for cross-border data transfers. Copies of these clauses are available upon request.

Customers with strict data residency requirements may contact us about our EU-only processing option, available on Enterprise plans.

07. Your Rights

GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request correction of inaccurate or incomplete personal data.
Right to Erasure: You may request deletion of your personal data, subject to certain legal exceptions.
Right to Restrict Processing: You may request that we limit how we process your personal data under certain circumstances.
Right to Data Portability: You may request a machine-readable copy of personal data you have provided to us.
Right to Object: You may object to the processing of your personal data for certain purposes, including direct marketing.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@prynt.io. We will respond to verified requests within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

CCPA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share data.
Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of your personal information. Note: Prynt does not sell personal information as defined by the CCPA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, email privacy@prynt.io or write to us at the address listed in Section 11.

08. Cookies

Prynt uses a minimal set of cookies on our website and dashboard, strictly limited to those necessary for core functionality. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

The cookies we use fall into the following categories:

Essential cookies: Session cookies required for authentication, security (CSRF protection), and maintaining your preferences. These cookies are strictly necessary and cannot be disabled.
Functional cookies: Cookies that remember your dashboard settings, selected timezone, and interface preferences to provide a better user experience.

Our SDK, deployed on customer websites, does not set cookies on end users' browsers. Device identification is performed entirely through client-side signal collection and server-side processing, without relying on cookie-based tracking.

09. Security

Prynt implements comprehensive security measures to protect the data we process. Our security program includes, but is not limited to:

SOC 2 Type II Certification: Prynt has completed a SOC 2 Type II audit conducted by an independent third-party auditor, verifying the effectiveness of our security controls over an extended observation period. Audit reports are available to customers under NDA.
Encryption at rest: All data stored in our databases and object stores is encrypted using AES-256 encryption.
Encryption in transit: All data transmitted between our clients, API endpoints, and internal services is encrypted using TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) and support only modern cipher suites.
Access controls: We implement role-based access control (RBAC) with the principle of least privilege across all internal systems. Access to production data is strictly limited, logged, and subject to periodic review.
Infrastructure security: Our infrastructure is hosted on AWS with network-level isolation, automated vulnerability scanning, intrusion detection, and 24/7 security monitoring.
Incident response: We maintain a documented incident response plan with defined escalation procedures. In the event of a data breach, we will notify affected customers within 72 hours as required by applicable law.

While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. We encourage customers to use strong authentication, rotate API keys regularly, and follow the security best practices outlined in our documentation.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you through one or more of the following methods:

A prominent notice on our website
An email notification to the primary email address associated with your account
An in-dashboard notification banner

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Service after a revised policy becomes effective constitutes your acceptance of the updated terms.

For material changes that significantly affect how we process personal data, we will provide at least 30 days advance notice before the changes take effect.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or need to report a privacy concern, please contact us through the following channels:

Email: privacy@prynt.io
Data Protection Officer: dpo@prynt.io
Mailing address: Prynt, Inc., 548 Market Street, Suite 46382, San Francisco, CA 94104, United States

For EU-specific inquiries, you may also contact our EU representative: Prynt EU B.V., Herengracht 420, 1017 BZ Amsterdam, Netherlands.

We aim to respond to all privacy-related inquiries within 5 business days and to fulfill data subject requests within 30 days of receipt of a verified request.