Privacy Policy

This document is the PromptAndWear Privacy Policy. It applies from the effective date shown above until replaced, and the “Last Updated” line marks the most recent substantive change.

We write in plain language to align with Law 1581 of 2012, Decree 1377 of 2013, Superintendencia de Industria y Comercio guidance, Law 1480 of 2011, the GDPR, and the CPRA.

PromptAndWear S.A.S., located at Cra 71 94 111 in Medellín, designs and runs AI-assisted creation tools, asset storage, print-on-demand fulfillment, checkout, order tracking, notifications, optional WhatsApp/Instagram chat support, and analytics for visitors, creators, collaborators, and recipients.

This policy covers promptandwear.com, related subdomains, official mobile experiences, Meta/WhatsApp Business channels, and marketing programs where we act as controller; enterprise agreements or event notices supplement it when extra terms are needed.

Account and contact data. When you create an account, sign in with social login, or redeem a collaboration invite, we collect your name, username, contact details, language preferences, profile photo, authentication identifiers, two-factor tokens, and billing or shipping addresses.

Content and creative assets. We store prompts, reference imagery, design files, color palettes, collections, and print-ready exports plus metadata about version history, collaborators, and moderation status so you can recover and audit your creative work.

Order, shipment, and fulfillment data. Checkout flows capture cart contents, size and customization choices, recipient contact details, delivery addresses, tracking numbers, logistics milestones, and issue resolution notes so we can fulfill consumer obligations under Law 1480 of 2011.

Payment metadata. Card information is handled directly by trusted processors such as Wompi or Stripe. We receive only the tokenized payment confirmation, partial BIN data, fraud risk signals, and internal references needed to reconcile payouts and prevent abuse.

Device, usage, and analytics data. We log device type, browser version, operating system, referral URLs, language, approximate location derived from IP, session duration, feature usage, and crash diagnostics. Cookies or local storage help us remember preferences and maintain sessions.

Communications and support records. Emails, WhatsApp/Instagram chat transcripts, recorded calls, community posts, surveys, and in-product feedback help us respond and improve services, and may include proof of consent, opt-in status, or documents you voluntarily upload (such as tax IDs or design clearances).

We use personal data to operate PromptAndWear: authenticate you, render the AI editor, process orders, coordinate fulfillment, and keep you informed about status, shipping, and delivery.

We personalize experiences by suggesting templates, surfacing palettes, recommending products, and tailoring education. We also send transactional notices, beta invitations, or policy updates; answer support tickets; moderate content; and investigate fraud, counterfeiting, chargebacks, or platform abuse required by Colombian commerce regulations.

We rely on aggregated, de-identified insights to understand performance, and any significant automated decisions—such as fraud detection—can be escalated for human review.

Our processing relies on the legal grounds recognized by Habeas Data rules, the GDPR, and similar frameworks. Depending on the context we rely on:

Consent. We request explicit consent before sending marketing messages, ingesting your assets for community showcases, enabling social login data sharing, or connecting WhatsApp chat histories. You may withdraw consent at any time.

Contract performance. We process data to register you, run the AI editor, fulfill orders, deliver goods, provide warranties, or honor service-level agreements.

Legitimate interests. We analyze usage to improve features, secure our systems, and prevent misuse, always balancing our interests with your rights and offering opt-outs when feasible.

Legal obligations. We retain invoices, respond to authorities, and document consents when laws such as Law 1581 of 2012, Law 1480 of 2011, AML rules, tax regulations, or court orders require it.

PromptAndWear uses first-party cookies and similar technologies to keep you signed in, remember language preferences, secure forms, and store items in your cart. Optional cookies support personalization and limited marketing attribution.

Our analytics stack favors privacy-friendly tools that aggregate events, truncate IP addresses, and avoid cross-site profiling. When we rely on trusted partners, we configure them to respect “Do Not Track” when technically feasible and to honor consent banners.

You can control cookies through browser settings or in-product toggles. Essential cookies cannot be disabled because the site would not function. Detailed descriptions of each category, retention period, and opt-out mechanism appear in our Cookie Policy.

Our AI-assisted editor processes prompts, uploads, typography, and color palettes so you can preview apparel in real time, storing intermediate renders and final assets for collaboration, versioning, and re-orders.

Unless you opt in, we do not use your proprietary designs to train foundation models. We may use anonymized interaction data (such as prompt lengths or tool selections) to calibrate our algorithms, evaluate fairness, and improve safety filters. Where we rely on third-party AI providers, we bind them by contract to process your content solely to deliver the requested outputs.

Moderation teams may review flagged content to prevent hate, counterfeit goods, or IP abuse. Reviews are logged, access is restricted, and your creative rights remain yours under our Terms. You can delete assets at any time, subject to brief retention of backup copies for audit and fraud prevention.

We do not sell personal information. We share it with carefully vetted processors under written agreements that require confidentiality, data minimization, and alignment with this policy.

Typical partners include payment processors (such as Wompi, Stripe, or another PCI-DSS provider), fulfillment networks that manufacture and ship garments, cloud hosting such as Vercel, Firebase, or AWS, authentication and social login providers, Meta’s WhatsApp Business API for chat support, analytics tools, and email or SMS platforms for transactional communications.

We also share data with professional advisors, auditors, legal counsel, authorized marketing partners, and public authorities when required. If ownership changes, we will ensure any successor honors our commitments or obtain new consent.

Although headquartered in Colombia, some infrastructure and processors operate in the United States, the European Union, or other jurisdictions, so cross-border flows follow Habeas Data requirements and GDPR Chapter V safeguards.

We rely on the European Commission’s Standard Contractual Clauses (2021/914/EU) or equivalent mechanisms, along with encryption in transit and strict access controls. You may request a summary of the relevant safeguards or an executed copy via jdlopez@promptandwear.com or by referencing our data transfer overview at promptandwear.com/legal/scc.

Where partners offer Binding Corporate Rules or similar certifications, we review them annually and pause transfers until additional safeguards exist if laws require it.

We retain personal information only as long as needed for business purposes, lawful requirements, or dispute resolution. When data is no longer required, we securely delete or irreversibly anonymize it.

Account and consent records. Profiles and proof of authorization stay while the account is active and up to three years after inactivity so you can recover history unless you request earlier deletion.

Orders and billing. Transactional files, invoices, and warranty references stay for up to ten years to satisfy tax, customs, and consumer statutes.

Creative assets. Designs remain until you delete them or 24 months after your subscription lapses, with encrypted backups overwriting within about 90 days.

Communications. Chats, tickets, and recordings are stored for roughly 24 months unless a dispute requires more time.

Analytics. Aggregated metrics may be kept indefinitely, while raw logs rotate every 24 months.

Law 1581 of 2012, Decree 1377 of 2013, and SIC guidance grant you control over your personal data, and we respond within 10 business days for consultations and 15 for complaints unless a request is manifestly unfounded.

Access and proof. You may ask whether we process your data, obtain copies, and receive evidence of any authorization granted.

Update or rectify. If information is inaccurate or incomplete, request corrections via the dashboard or support.

Deletion or cancellation. Request deletion when processing is excessive or the purpose expired; we will retain only what laws still require.

Revocation and complaints. Withdraw consent for optional processing or escalate unresolved issues to the Superintendencia de Industria y Comercio at sic.gov.co.

How to exercise your rights. Use the privacy tab in your account, email jdlopez@promptandwear.com, call +57 323 871 3138, or mail Cra 71 94 111, Medellín with your name, identification number, contact details, requested right, and (if applicable) proof you are authorized to act for someone else.

Sample email template. Feel free to adapt the text below:

Subject: Habeas Data Request - [Your Full Name] Hello PromptAndWear Privacy Team, I am exercising my Habeas Data rights under Law 1581 of 2012. I request [access/update/deletion/proof of authorization] for the personal data associated with my account ([email/phone]). Identification number: [ID number] Please confirm receipt. Thank you, [Name]

We will acknowledge receipt, validate identity, and respond within the legal timeframe. Complex cases may require an extension, which we will explain in writing.

Security is embedded in our development lifecycle. We use encryption in transit and at rest, enforce role-based access, separate production and staging environments, monitor for anomalies, and run regular penetration tests. We maintain incident response playbooks aligned with SIC and GDPR notification requirements.

No system is perfect, so we also empower you: enable multi-factor authentication, rotate credentials, review active sessions, and notify us immediately at jdlopez@promptandwear.com if you suspect unauthorized access.

PromptAndWear is designed for users who are at least 13 years old. Minors between 13 and 18 should only use the service with permission from a parent or legal guardian. We do not knowingly collect data from children under 13, and if we learn that we have inadvertently done so, we will delete the information and terminate the account.

We may update this Privacy Policy to reflect new features, legal requirements, or operational changes. If changes are material, we will notify you via email, dashboard banner, or in-product modal at least 15 days before the effective date when required by Colombian law. Continued use of the services after the update becomes effective constitutes acceptance of the revised policy.

You can reach our Data Protection Officer at jdlopez@promptandwear.com by calling +57 323 871 3138, or by mailing Cra 71 94 111, Medellín, Antioquia, Colombia. Please include “Privacy Request” in the subject line so we can route your inquiry quickly.

References: Colombian Law 1581 of 2012, Decree 1377 of 2013, Law 1480 of 2011 (Consumer Statute), SIC circulars on Habeas Data, EU GDPR (Regulation (EU) 2016/679), and California CCPA as amended by the CPRA. These citations are provided for transparency only and are not legal advice.

This Privacy Policy is for informational purposes only and does not constitute legal advice; you should consult your own counsel for guidance specific to your situation.