Prism Scan

Privacy Policy

Last updated: April 30, 2026

Who we are

This privacy policy explains how Prism Scan handles personal data for the Prism website, browser extension, backend services, contact form, and issue reporting tools.

The controller is sole trader Adriano Barbet. You can contact us via the form on this website.

Prism is built for manual product checks. It is not designed to collect account profiles, payment details, advertising identifiers, or analytics data.

Website and contact form

When you use the website contact form, Prism Scan collects the name, email address, and message you submit so we can read, route, and respond to your request. If you submit uninstall feedback, Prism Scan collects the selected uninstall reasons, optional feedback text, creation time, client label, and user-agent header.

The website sends contact submissions and uninstall feedback to the Prism backend from the server side. The backend stores contact messages in the reports collection and uninstall feedback in the uninstalls collection. Backend API keys and provider secrets are not exposed to the browser.

The website does not currently set non-essential cookies, use advertising pixels, or run product analytics. Standard hosting and security logs may still be created by infrastructure providers when you visit the site.

Extension data

The extension reads product-page content only to provide its user-facing product lookup features. This can include product title, brand, barcode or other product identifiers, ASIN, ingredients, category, image URL, quantity, source URL, and other visible product evidence needed to identify and score the product.

Prism stores preferences locally in Chrome storage on your device. Preferences can include diet choices, allergen flags, religious preference flags, skin profile, household safety choices, cosmetic avoidance choices, risk tolerance, price sensitivity, production-standard preferences, and custom notes.

The extension also stores local product history, saved products, product score caches, AI result caches, ingredient and additive hydration caches, and ASIN-to-barcode mappings. Score and AI caches are designed around time-limited local entries, with the main score cache using a 7-day default lifetime.

Content scripts do not call external APIs directly. They ask the extension background service worker to perform lookups, cache reads and writes, backend calls, and Open Facts requests.

Backend, AI, and reports

When you request backend hydration, additive lookup, evidence lookup, issue reporting, or AI analysis, the extension may send relevant product evidence and reduced preference context to the Prism backend. This can include product identity, ingredient or additive names, Open Facts scores, source URL, and selected preference signals.

Some preference categories may reveal sensitive information, such as allergies, religious dietary choices, health-related skin concerns, or other information you place in custom notes. Prism uses these fields only when you choose to save preferences and request features that need them. Do not enter sensitive information that is not needed for product analysis.

Issue reports submitted from the extension can include an optional email address and the message you write. Website contact messages and extension reports are stored in the backend reports collection so Prism Scan can respond, debug problems, improve safety, and maintain the service.

Server-side AI analysis is provided through DeepSeek. Prism sends the minimum product and preference context needed for the requested analysis and validates the returned structure before showing it in the extension.

Legal bases

Prism Scan processes contact messages, reports, product evidence, and preference context where it is necessary to provide the requested service, respond to you, operate the extension, protect the service, and improve product reliability.

Prism Scan processes uninstall feedback where it is necessary to understand why users leave Prism and improve product reliability, compatibility, privacy communication, and performance.

For GDPR purposes, the usual legal bases are performance of a requested service or pre-contract steps, legitimate interests in operating and securing Prism, compliance with legal obligations, and consent where you choose to provide sensitive preference information for personalized analysis.

You can remove local extension data by clearing Prism extension storage, uninstalling the extension, or using any cache and preference controls available in the extension.

Third parties

Prism uses Vercel to host the public website, Google Cloud Run to host backend services, and Google Firestore for backend data storage. The Firestore database is configured in the europe-west2 region.

The extension uses Open Food Facts for food product data and Open Beauty Facts for cosmetic product data. These projects are third-party open-data services, and their data may be incomplete, community-edited, delayed, or unavailable.

Prism may interact with Google and the Chrome Web Store for extension listing, installation, updates, browser storage, and browser extension platform services. Ecommerce websites you visit remain separate third parties and are not controlled by Prism Scan.

The use of information received through the Chrome extension complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. Prism does not sell extension user data, use it for advertising, or transfer it for unrelated purposes.

Retention

Local extension preferences and saved products remain on your device until you change them, clear extension storage, or uninstall the extension. Local cache entries are generally time-limited, with score and AI caches designed for short product-lookup reuse.

Website contact submissions, uninstall feedback, and extension issue reports are normally kept for up to 24 months, unless a longer period is needed to resolve a request, handle a security issue, comply with law, or establish, exercise, or defend legal claims.

The current backend stores report and uninstall feedback records in Firestore. Prism Scan will need a backend cleanup policy or deletion workflow to enforce the 24-month retention target consistently.

Your rights

If GDPR applies to you, you may have rights to request access, correction, deletion, restriction, portability, or objection to the processing of your personal data. Where processing is based on consent, you may withdraw consent at any time without affecting earlier lawful processing.

Because Prism does not use accounts, Prism Scan may need enough information to identify the relevant contact message, report, or backend record before acting on a request.

You also have the right to lodge a complaint with a supervisory authority. In Ireland, the relevant authority is the Data Protection Commission.

Security and transfers

Prism Scan uses technical and organisational measures intended to protect personal data, including server-side handling of backend secrets, API authentication for backend routes, limited data flows, and browser-local storage for anonymous preferences where possible.

No internet service can be guaranteed to be fully secure. Data may be processed by providers outside your country, including infrastructure, browser platform, open-data, and AI providers. Where required, Prism Scan relies on appropriate safeguards or provider terms for those transfers.

Children and updates

Prism is not directed to children under 16. Do not use the contact form, issue report form, or personalized analysis features if you are under 16 without appropriate permission from a parent or guardian.

Prism Scan may update this policy as the website, extension, backend, providers, or legal requirements change. The date at the top shows when this policy was last updated.