Privacy Policy
Cardamom Labs LLC (“Prismara,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect information that relates to an identified or identifiable natural person (“Personal Data”). It also describes your rights and choices regarding your Personal Data and how you may contact us.
1. Personal Data We Collect
For purposes of this Policy, Personal Data means any information that relates to an identified or identifiable individual. We collect Personal Data in three main ways:
1.1 Information you choose to provide
Category | Examples | Why we need it |
---|---|---|
Account credentials | Email address, password (hashed), optional display name, birth year (to confirm you are 18+) | Create and secure your Prismara account |
Calendar Events | Event title, description, start/end time, location, attendees, attachments, reminders, recurrence rules, time-zone metadata | Provide core scheduling and timeline-generation features |
Communications | Email messages, support tickets, in-app chat transcripts, feedback surveys, any files you attach | Respond to inquiries, troubleshoot issues, improve the Service |
Billing details | Billing contact, postal address, plan tier, last 4 digits of card, subscription status | Process payments, send invoices, detect fraud |
Sensitive data notice: Calendar Events may incidentally reveal sensitive information about your health, religion, or other protected categories. Please avoid storing any data you do not want Prismara (or anyone with access to your account) to process.
1.2 Information collected automatically
Category | Examples |
---|---|
Usage & device data | IP address, browser type, OS version, device identifiers, referring URL, pages visited, buttons clicked, session duration, time-zone, error logs |
Cookies & local storage | First-party cookies to keep you logged in, remember preferences, and prevent fraud; analytics cookies (e.g., PostHog) to measure feature adoption. We do not set advertising or retargeting cookies. |
You can adjust cookie preferences at any time via the “Cookie Settings” link in the site footer.
1.3 Information from third parties
- Single Sign-On (SSO). If you sign in with Google or another identity provider, we receive your verified email address and a provider-specific user ID.
- Payment processor. Stripe collects your full payment credentials; we receive transaction metadata only.
- Referral & marketing partners. If you arrive via an affiliate link, we store a referral code so we can credit the partner.
- Public sources. We may enrich business email addresses with publicly available company information (e.g., domain → company name) to personalize onboarding.
Failure to provide certain Personal Data. You are not obliged to share information with us, but if you decline to provide data that is necessary for key features (for example, an email address for account creation), you may be unable to use some or all of the Services.
2. Why and On What Basis We Process Personal Data
We only handle Personal Data when we have a lawful reason to do so. Those reasons, and the corresponding purposes, are set out in the table below. Some purposes rely on more than one legal basis—when that’s the case we list each basis that may apply.
Purpose | What we do | Primary legal basis* |
---|---|---|
Operate the Service | Authenticate you, sync and store Calendar Events, keep back-ups, route notifications, and generally deliver the features you sign up for. | Contract necessity; Legitimate interest |
Personalize your experience | Suggest time-blocks, templates, and analytics tailored to your usage patterns. | Contract necessity; Consent |
Customer support | Respond to tickets, debug issues, and monitor error logs. | Contract necessity; Legitimate interest |
Security & fraud prevention | Detect suspicious log-ins, enforce rate limits, and protect Prismara, our users, and the public from malicious activity. | Legitimate interest; Legal obligation |
Product analytics & development | Aggregate usage metrics, run A/B tests, and build new features. Analytics is performed in a privacy-enhancing way wherever feasible (e.g., IP truncation, event sampling). | Legitimate interest; Consent (for optional analytics cookies) |
Marketing & communications | Send product updates, newsletters, or surveys you have opted in to receive. You can unsubscribe at any time. | Consent; Legitimate interest |
Billing & account administration | Issue invoices, process payments via Stripe, detect payment failures, and email you about renewal dates. | Contract necessity; Legitimate interest |
Legal & regulatory compliance | Keep records required by tax or accounting law, respond to lawful requests, and enforce our Terms. | Legal obligation; Legitimate interest |
Research & statistics (de-identified) | Create aggregated or anonymized statistics that no longer identify any individual; we may use or disclose these reports for any lawful purpose. | Legitimate interest |
* Legal bases explained (GDPR/CPA/CPRA terminology)
Contract necessity – processing needed to fulfil our agreement with you.
Legitimate interest – processing that is useful to Prismara or its users and does not override your privacy rights.
Consent – you have expressly agreed (e.g., by ticking a box or enabling cookies).
Legal obligation – processing required by applicable law or court order.
Automated decision-making: Prismara does not engage in automated processing that produces legal or similarly significant effects on you (CPA § 6-1-1303(1)(a)).
Sensitive data: If Calendar Events reveal sensitive details (health appointments, religious meetings, etc.) we process that data solely to deliver the Service you request and never for targeted advertising.
3. How and When We Share Personal Data
We do not sell your Personal Data for money. We only disclose it under the circumstances listed below:
Recipient category | Typical examples | Reason for disclosure |
---|---|---|
Service & infrastructure partners | Cloud hosting (e.g., Vercel), database back-ups, payment processor (Stripe), email provider (Loops), error logging, product analytics (Statsig) | Run, secure, and troubleshoot the Prismara platform |
Product integrations | Google Calendar, Outlook, Slack, Notion, or any service you choose to connect | Sync events or push notifications at your direction |
Professional advisers | Lawyers, accountants, auditors, insurers | Obtain business, tax, or legal advice; manage risk |
Affiliates & future corporate family | Any parent company, subsidiaries, or entities under common control | Internal administration; unified customer experience |
Business-transfer counterparties | Buyers, advisors, and their agents during a merger, acquisition, financing, or asset sale | Allow due diligence and complete the transaction |
Legal & compliance recipients | Courts, regulators, law-enforcement agencies, or other third parties with lawful authority | Satisfy legal obligations, enforce our Terms, or protect Prismara, our users, or the public |
Other users (only with your action) | People you invite to an event, public links you generate, or content you deliberately share | Provide collaboration features you request |
Aggregated / de-identified data recipients | Industry researchers, analytics partners, marketing audiences | Insights and benchmarks that cannot reasonably identify you |
International transfers: Some recipients are located outside your state or country (including the United States). We rely on reasonable safeguards—such as Standard Contractual Clauses or equivalent mechanisms—when local law requires them. Details are provided in Section 9 (Cross-Border Transfers).
4. Data Retention & Deletion
We keep Personal Data only for as long as it serves a legitimate purpose. When that purpose ends, we either delete the data or irreversibly de-identify it.
Data category | Typical examples | Standard retention window | What happens at the end of the window |
---|---|---|---|
Account & profile | Email, hashed password, SSO ID, display name | While the account is active + 30 days after you initiate closure | Secure deletion from primary databases and back-ups during the next purge cycle (≤ 35 days) |
Calendar Events | Titles, descriptions, times, locations, attachments, attendee lists | Until you delete the event or close the account | Hard delete from production clusters within 24 hours |
Billing records | Stripe customer ID, invoice PDFs, payment status | 7 years (tax & accounting requirement) | Archived to encrypted cold storage; destroyed after statutory period lapses |
Support communications | Help-desk tickets, chat logs, call recordings | 2 years after ticket closure | Anonymized for training or permanently erased |
Analytics & log data | IP address, device fingerprints, page views, error traces | 18 months rolling window | Aggregated & de-identified; raw logs deleted |
Marketing consents | Mailing-list opt-ins, cookie preferences | Until you withdraw consent or delete your account | Records of consent stored for 4 years to demonstrate compliance, then purged |
Legal holds & exceptions
If we receive a preservation order, are litigating a dispute, or must comply with audit obligations, we may retain relevant data beyond the standard windows. We will delete it as soon as the hold is lifted and no other lawful basis applies.
Your right to accelerate deletion
You can:
- Delete individual events in the app (propagates within 24 hours).
- Close your account by emailing privacy@prismara.app.
- Request early erasure of any remaining Personal Data via privacy@prismara.app; we will honor the request within 45 days unless a legal hold applies.
We use secure wipe commands or encryption-key destruction to ensure data is unrecoverable.
5. Your Privacy Choices & Rights
We recognise that different privacy laws grant different entitlements. The table below summarises every right you may have, explains how to exercise it, and notes which laws trigger it.
Right | What it lets you do | Where it applies* | How to exercise | Standard response time |
---|---|---|---|---|
Access / Know | Obtain a copy of—or key facts about—the Personal Data we hold about you. | GDPR Art 15; CPA § 6-1-1306; CPRA § 1798.110 | email privacy@prismara.app | 30 days (extendable to 60) |
Correction / Rectification | Fix inaccurate or incomplete data. | GDPR Art 16; CPA; CPRA | Same as above | 30 days |
Deletion / Erasure | Ask us to permanently delete your Personal Data. | GDPR Art 17; CPA; CPRA; CTDPA; VCDPA; UCPA | Same as above | 45 days |
Opt-out of • targeted advertising • sale of Personal Data • profiling with legal effects | Stop certain cookies/SDKs, prevent downstream “sale,” and halt automated decisions that materially affect you. | CPA; CPRA; CTDPA; VCDPA; UCPA | Toggle in Cookie Settings or send request | Immediate for cookies; 15 days for backend services |
Withdraw consent | Revoke consent for marketing emails or optional analytics. | GDPR Art 7(3); all state laws | Click Unsubscribe in email footer | Immediate |
Restrict processing | Pause all non-essential processing while we investigate an objection. | GDPR Art 18 | Email request | 30 days |
Appeal a denial | Ask us to reconsider if we refuse your CPA/CTDPA/VCDPA request. | CPA; CTDPA; VCDPA | Email privacy@prismara.app within 30 days of our decision | 45 days |
Lodge a complaint | Raise concerns with a regulator. | GDPR Art 77; CPA; CPRA | See contact list below | Regulator-specific |
What we need from you
- Verification. To protect your account, we verify requests using your login session, a confirmation email, or (for sensitive actions) a one-time code.
- Authorized agents. You may appoint an agent; we require written permission and may ask you to confirm directly.
Regulator contact points
Region | Supervisory authority | Web |
---|---|---|
Colorado | Colorado Attorney General, Consumer Protection Section | https://coag.gov/privacy |
California | California Privacy Protection Agency | https://cppa.ca.gov |
European Economic Area | See list of Data Protection Authorities | https://edpb.europa.eu/about-edpb/board/members_en |
United Kingdom | Information Commissioner’s Office (ICO) | https://ico.org.uk |
6. Third-Party Sites, Services, and Integrations
The Prismara platform contains links to, or makes use of, software, content, and services that are not operated by Prismara. We provide the information below so that you understand where our responsibility ends and yours begins.
6.1 External websites
From time to time you may click a hyperlink that takes you to another company’s website (for example, a help-article reference, a partner blog post, or a Stripe-hosted checkout page). Those destinations have their own privacy policies and data-handling practices, which may differ from ours. We do not control, endorse, or monitor the privacy or security of such third-party websites, and this Policy no longer applies once you leave the Prismara domain. Please review the applicable privacy notice of every site you visit before submitting Personal Data.
6.2 Embedded content & widgets
Our application may embed third-party components—such as a Google Maps address picker, a YouTube tutorial, or a “Sign in with Google” button. Even though these elements appear inside the Prismara interface, the content is served directly from the third party and is subject to that party’s own terms and privacy rules. Your interactions with the widget (e.g., pressing play on a video, authenticating via OAuth) are governed exclusively by the provider of that widget.
6.3 Integrations you authorise
If you choose to connect an external calendar, communication tool, or cloud-storage account, you instruct Prismara to send and receive data to and from that provider on your behalf. The data exchanged, and the provider’s subsequent use of that data, are dictated by the integration’s permission scope and the third party’s policy. Disconnecting the integration in your Prismara settings stops future data flow but does not automatically delete data already held by the third party; you must contact them directly for that.
6.4 Social-media pages
Prismara maintains profiles on platforms such as LinkedIn or X (Twitter). Any information you post on those pages is governed by the platform’s privacy policy, not this one. We may receive aggregated engagement metrics from the platform, but we do not have control over how the platform itself processes your personal information.
6.5 No endorsement or liability
Links and integrations are provided for convenience or functionality only; they do not constitute an endorsement, sponsorship, or recommendation. Prismara disclaims all responsibility and liability for the privacy, security, content, or accuracy of third-party offerings and for any damages or losses that may result from your use of them.
7. Security
We take protecting your Personal Data seriously and apply widely accepted security measures. However, any transfer or storage of information online carries some risk, and no system can be made completely impenetrable. Therefore, despite our best efforts, absolute security cannot be guaranteed.
8. Children's Privacy
We do not intentionally gather or keep Personal Data from anyone under 18, and the Service is not designed for minors. If you become aware that a person under 18 has shared Personal Data with us, please let us know right away via the contact information listed at the end of this Policy so we can remove it.
9. Cross-Border Data Movement
Prismara's servers sit in the United States. By using the Service from another country, you understand that your Personal Data will travel to—and be stored or processed in—the United States, where privacy laws may be different from those in your home jurisdiction.
If you reside in the European Economic Area, the United Kingdom, or Switzerland (collectively "Europe"), we transfer your Personal Data only when a lawful mechanism is in place—such as: (i) an adequacy decision issued by the relevant authority, (ii) the EU/UK Standard Contractual Clauses or Swiss-approved equivalents, or (iii) another transfer method recognised by applicable data-protection law. You can request a copy of the specific safeguards we rely on by contacting us at the email address listed at the end of this Policy.
10. Colorado Resident Privacy Rights
If you reside in Colorado, the Colorado Privacy Act (“CPA”) grants you specific rights regarding your Personal Data. Prismara honors those rights as follows:
Your right | What it means | How to exercise it |
---|---|---|
Access / Know | Obtain a copy of the Personal Data we hold about you. | Submit a request via privacy@prismara.app |
Correction | Ask us to correct inaccurate Personal Data. | Same channels as above. |
Deletion | Request deletion of Personal Data we collected from or about you. | Same channels as above. |
Opt-out of • targeted advertising • sale of Personal Data • profiling in furtherance of decisions that produce legal or similarly significant effects | • We do not sell your Personal Data for monetary consideration. • We do use limited first-party and third-party cookies/SDKs for analytics and (optionally) personalized product tips. You may opt out at any time through the “Cookie Settings” link at the footer or by emailing us. • We do not engage in automated decision-making that produces legal or similarly significant effects. | Toggle the setting in “Cookie Settings,” or send an email. |
How we verify and fulfill your request
- We will respond within 45 days of receipt. If we need more time (up to an additional 45 days), we will tell you why and when you can expect a response.
- To protect your information, we verify requests by matching the email address on file and (for sensitive requests) asking for a second factor such as a verification code sent to your registered email.
- You may designate an authorized agent to make a request on your behalf. The agent must present signed written authorization or power of attorney, and we may still require you to confirm the request directly.
Appeals
If we deny your request, you may appeal by emailing privacy@prismara.app within 30 days of our decision. We will respond in writing within 45 days. If your appeal is unsuccessful, you may contact the Colorado Attorney General at https://coag.gov/privacy.
11. California Resident Privacy Rights
If you reside in California, the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), grant you specific rights regarding your Personal Data. Prismara honors those rights as follows:
Your Rights Under CCPA/CPRA
Your right | What it means | How to exercise it |
---|---|---|
Right to Know About Personal Information Collected, Disclosed, or Sold | You can request that we disclose: (1) categories of Personal Data we've collected about you; (2) categories of sources from which we collected it; (3) our business purpose for collecting or selling it; (4) categories of third parties with whom we share it; and (5) specific pieces of Personal Data we've collected about you. | Submit a request via privacy@prismara.app |
Right to Delete Personal Information | You can request deletion of Personal Data we collected from you, subject to certain exceptions (e.g., completing transactions, security, legal obligations). | Same as above |
Right to Correct Inaccurate Personal Information | You can request that we correct any inaccurate Personal Data we maintain about you. | Same as above |
Right to Opt-Out of Sale or Sharing of Personal Information | You have the right to opt-out of the "sale" or "sharing" of your Personal Data. Note: Prismara does not sell your Personal Data for monetary consideration. We do share limited data with service providers and analytics partners in ways that might constitute "sharing" under CPRA. | Same as above |
Right to Limit Use and Disclosure of Sensitive Personal Information | You can limit our use of sensitive Personal Data to what's necessary to provide the Services. | Email privacy@prismara.app with your specific limitation request |
Right to Non-Discrimination | We cannot discriminate against you for exercising any of your CCPA rights (e.g., by denying services, charging different prices, or providing a different quality of service). | This right is automatic |
Information We Collect (Last 12 Months)
Category | Examples | Collected? | Business Purpose | Sold? | Shared? |
---|---|---|---|---|---|
Identifiers | Email, name, account ID, IP address | ✓ | Account creation, security, support | ✗ | ✓ (service providers) |
Personal Information (Cal. Civ. Code § 1798.80(e)) | Password (hashed), billing address, payment method (last 4 digits) | ✓ | Authentication, billing | ✗ | ✓ (payment processor) |
Commercial Information | Subscription type, billing history, feature usage | ✓ | Service delivery, improvements | ✗ | ✗ |
Internet/Network Activity | Browser type, device info, page views, click data | ✓ | Analytics, debugging, security | ✗ | ✓ (analytics providers) |
Geolocation Data | IP-based location (city level), timezone | ✓ | Localization, fraud prevention | ✗ | ✗ |
Professional Information | Calendar events, meeting details, work patterns | ✓ | Core service functionality | ✗ | ✗ |
Inferences | Usage patterns, feature preferences, suggested time blocks | ✓ | Personalization, recommendations | ✗ | ✗ |
Sensitive Personal Information | May be revealed in calendar content (health, religion, etc.) | ✓ (incidental) | Service delivery only | ✗ | ✗ |
How We Handle Your Requests
- Response Time: We will acknowledge receipt within 10 business days and respond substantively within 45 days. If we need more time (up to 90 days total), we'll explain why.
- Verification: We verify your identity by matching your email address and may send a confirmation code. For requests to know specific pieces of information or delete particularly sensitive data, we may ask for additional verification.
- Frequency: You may make a verifiable request twice within a 12-month period.
- Format: We'll deliver responses electronically in a portable and readily useable format (typically JSON or CSV).
- No Fee: We don't charge for up to two requests per year. Excessive or manifestly unfounded requests may incur a reasonable fee or be declined.
Authorized Agents
You may designate an authorized agent to make requests on your behalf. Your agent must:
- Provide written proof of authorization (e.g., power of attorney)
- Verify their own identity
You may still need to verify your identity directly with us or confirm you provided the agent permission.
Appeals
If we deny your request, you may appeal by emailing privacy@prismara.app within 30 days. Include:
- Your original request reference number
- Why you believe our decision was incorrect
- Any additional information that supports your appeal
We'll respond within 45 days. If your internal appeal is denied, you may submit a complaint to the California Privacy Protection Agency at https://cppa.ca.gov/.
Contact for California Privacy Rights
For any CCPA/CPRA requests or questions:
Email: privacy@prismara.app
12. Policy Changes
We review and revise this Privacy Policy whenever our data-handling practices evolve. Each new version will carry an updated "Last updated" date at the top. If a revision significantly alters how we use or share Personal Data we've already collected, we'll give you advance notice—through an in-app banner, email, or another clear channel—before the change takes effect.
13. Contact
Cardamom Labs LLC is the "data controller" for all Personal Data described in this Policy. For questions, concerns, or to exercise any privacy rights, please contact us at privacy@prismara.app. For any questions about this Privacy Policy or our handling of Personal Data, reach out to us using the email address listed above or by writing to us at Cardamom Labs LLC, 1500 North Grant Street, Suite N, Denver, CO, 80203, USA.