Privacy Policy
Last updated: February 25, 2026
tl;dr
flompt collects minimal, anonymized analytics to understand how the tool is used. Your prompts are processed to generate structured output but are never stored after the job completes. No account required. No tracking profile. No selling your data.
1. Who we are
flompt (available at flompt.dev) is an open-source visual prompt engineering tool developed and maintained by Nyrok, an independent developer. This policy applies to the flompt.dev website and the flompt browser extension.
For any questions or data-related requests, contact us at contact@flompt.dev or open an issue on GitHub.
2. What we collect and why
Usage analytics
We use PostHog (EU region, hosted on eu.i.posthog.com) to collect anonymized usage data — pages visited, features used, and session duration. This helps us understand what's working and prioritize improvements. No personal identifiers are intentionally captured.
Legal basis: Legitimate interest in improving the product.
Prompt decomposition requests
When you use the AI-powered decomposition feature, your prompt is sent to our backend API, which forwards it to an AI provider (Anthropic or OpenAI) to process and return a structured result. We do not store your prompt content once the job is complete. The result is held temporarily in memory to deliver the response, then discarded.
Legal basis: Performance of the service you're explicitly requesting.
What we don't collect
No email address. No name. No user account. No payment information. No browsing history beyond anonymized analytics on flompt.dev. We don't build a profile on you, and we don't serve ads.
3. Third-party services
We work with a small number of services to operate flompt. Here's what each of them does:
| Service | Purpose | Location | Privacy policy |
|---|---|---|---|
| PostHog | Usage analytics | EU (Frankfurt) | posthog.com/privacy |
| Anthropic | AI decomposition | United States | anthropic.com/privacy |
| OpenAI | AI decomposition (fallback) | United States | openai.com/privacy |
When you trigger AI decomposition, your prompt is forwarded to the relevant provider. Anthropic and OpenAI are based outside the EEA; transfers rely on standard contractual clauses (SCCs) as a safeguard under GDPR Article 46.
4. The browser extension
The flompt extension injects a sidebar panel on ChatGPT, Claude, and Gemini. It does not read your conversations, message history, or any personal information on those platforms. It interacts exclusively with the chat input field, and only when you explicitly click "Send to AI."
The extension uses Chrome's storage.local API to save your sidebar preferences (open or closed state) between sessions. This data stays on your device and is never transmitted to our servers.
5. Cookies
We don't use advertising or third-party tracking cookies. PostHog may set a session cookie to maintain continuity for analytics purposes. You can clear or block these at any time through your browser settings without affecting the core functionality of flompt.
If your browser has Do Not Track (DNT) enabled, PostHog respects it. You can also use a content blocker (uBlock Origin, etc.) to block the PostHog script entirely.
6. Data retention
- Analytics data — retained by PostHog according to their default policy (currently 1 year). You can request deletion by contacting us.
- Prompt content — not retained after the API job completes, typically within a few seconds.
- Extension preferences — stored locally on your device. Deleted when you uninstall the extension or clear browser data.
7. Your rights under GDPR
If you're located in the EU or EEA, you have the following rights regarding your personal data:
Given that we collect very little identifiable data, exercising most of these rights means requesting deletion of PostHog analytics data. Reach out to contact@flompt.dev and we'll take care of it promptly.
You also have the right to lodge a complaint with your national data protection authority. In France, that's the CNIL.
8. Security
All traffic to flompt.dev is served over HTTPS with HSTS enabled. The API runs behind a reverse proxy with standard security headers (CSP, X-Frame-Options, etc.). We keep things simple, which also means fewer attack surfaces.
No system is completely immune to incidents. If you discover a security vulnerability, please report it responsibly via GitHub Issues rather than exploiting it.
9. Changes to this policy
If we make meaningful changes to this policy, the "last updated" date at the top will change. For significant changes, we'll note them in the GitHub changelog. Continuing to use flompt after changes are published means you accept the updated policy.
10. Contact
Questions, data requests, or anything else: contact@flompt.dev
Or open an issue at github.com/Nyrok/flompt.