Privacy Policy

Last updated: April 28, 2026

Prepros AB ("prepros", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our production management platform at prepros.co (the "Service").

Prepros AB is the data controller for the purposes of the General Data Protection Regulation (GDPR) for personal data we process for our own purposes. If you have questions about this policy or your data, contact us at hello@prepros.co.

1. Beta Notice

The Service is currently in a closed beta phase. During the beta, we may iterate quickly on features, infrastructure, and data handling. We will notify you of material changes to this Privacy Policy as described in Section 14. The protections and rights described in this Privacy Policy apply during the beta period.

2. Our Role: Controller and Processor

Depending on how you interact with the Service, our role with respect to personal data may differ.

We act as a controller when we process personal data to operate our business and provide the Service to you. This includes account information, billing data, security and login data, and your interactions with our website and Service.

We act as a processor on behalf of the users who own teams and productions when they upload content that includes personal information about other people — for example, crew member contact details, vendor information, model details, or invitee email addresses. In those cases, the team or production owner determines the purposes and means of processing, and we process the data on their behalf to provide the Service. See Section 3 for details and Section 13 for the Data Processing Addendum that governs this processing.

3. Information About Other People

The Service allows you to add information about other people to your productions — for example, crew members, vendors, models, location contacts, or invited collaborators. This information may include their name, email address, phone number, fee, role, and other contact or professional details.

When you add information about another person to the Service, you are the controller of that information and you are responsible for:

  • having a lawful basis to collect, share, and process their personal information under applicable law (such as their consent or your legitimate interest in operating your production);
  • informing them, where required, that you are using the Service to manage their information and how to exercise their rights;
  • keeping their information accurate and up to date, and removing it when it is no longer needed for your production.

We act as a processor for this information on your behalf. If a person whose information you have added to the Service contacts us directly to exercise their data protection rights (such as access, correction, or deletion), we will generally direct them to you as the controller, and we will assist you in responding to their request where reasonably possible. We may also act independently to delete or restrict processing of personal information where we believe it is necessary to comply with applicable law.

If you are an individual whose information has been added to the Service by a prepros user (rather than because you created your own account) and you wish to exercise your rights, please contact the prepros user who added your information. If you are unable to reach them or need our assistance, you can contact us at hello@prepros.co and we will help where we can.

4. Data We Collect

4.1 Account Information

When you register, we collect your name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords). You may optionally provide a display name, profile image, first name, last name, and website.

4.2 Team and Production Data

Content you create within the Service, including productions, moodboards, shotlists, storyboards, locations, crew information, documents, calendar events, budgets, tasks, styling/looks, timelines, call sheets, and presentations. This also includes any images, files, or documents you upload.

When you invite collaborators or add crew members, you provide us with their email addresses and other information. You confirm that you have the right to share that information with us, as described in Section 3.

4.3 Billing Information

When you subscribe to a paid plan, payment processing is handled entirely by Stripe, which acts as a separate data controller for payment information under its own privacy policy. We do not store your credit card number, bank account details, or other payment credentials. We receive and store your Stripe customer ID, subscription status, plan tier, invoice history, and payment amounts for account management.

4.4 Usage and Analytics Data

With your consent, we collect aggregated usage data through Vercel Analytics and Vercel Speed Insights to understand how the Service is used and to improve performance. This may include pages visited, time on page, and performance metrics. The data is collected in a form that does not directly identify individual users.

4.5 Security and Log Data

To protect your account and detect unauthorized access, we collect:

  • IP address of each authentication attempt and significant account action
  • User-agent string (the browser, operating system, and version your device reports)
  • Timestamps of login attempts, password changes, and other security-relevant events
  • Approximate geographic location (country, region, and city where available), derived from your IP address by our hosting provider, Vercel, as part of routing your request at the network edge. We do not send your IP address to a separate third-party geolocation service.

We use this data for account security, fraud prevention, and abuse detection — including login anomaly detection, impossible-travel checks, and rate limiting. Login history is retained for the period described in Section 7. Some of this data also appears in audit logs of security-relevant actions, retained as described in Section 7.

4.6 Communication Data

Comments, feedback submissions, notifications, and messages you send through the Service, including @mentions and notification preferences. Comments and mentions are visible to other users with access to the same resource. When you @mention someone, that person receives a notification including your name and the context of the mention.

4.7 Sharing Data

The Service lets you create share links that make individual resources (moodboards, locations, shotlists, looks, presentations, and similar) accessible to people inside or outside your team. Share links come in four access levels:

  • Public — accessible to anyone with the URL until revoked
  • Password-protected — accessible to anyone with the URL who can also enter the correct password
  • Specific users — accessible only to email addresses you list when creating the link
  • Team only — accessible only to authenticated members of the production's team

When you create a share link, we record the link's configuration (access level, expiry date, view limit, password hash if set, allowed email addresses if any, and the UI state of the resource at the time of sharing — including the sort order, filters, and search terms that were active).

When someone accesses a share link — whether the access is granted or denied — we record:

  • The link being accessed
  • The accessing user's account ID, if they are signed in to prepros
  • The IP address and user-agent string of the request
  • Whether access was granted, and if denied, the reason (expired link, view limit reached, wrong password, email not in allowlist, and similar)

This data is used to enforce access controls (view limits, expiry, allowlists), to detect abuse of share links, and to surface aggregate access counts to the link creator. Access records are retained while the share link is active. When a share link is revoked or expires, its access records are retained for up to 90 days for audit and abuse-investigation purposes, then deleted.

If you receive a share link from a prepros user, please be aware that opening it causes us to record the data described above. We act as a processor on behalf of the prepros user who created the link; if you have questions about why a link was shared with you or want to exercise data protection rights regarding the access record, please contact the person who shared the link with you. You can also contact us at hello@prepros.co for assistance.
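The access decision and access record described above, written out as an added example in TypeScript; this is not prepros code. The four access levels and the deny reasons named in the policy (expired, view limit reached, wrong password, email not in allowlist) are taken from the text; the field names, the scrypt "salt:hash" password format, the in-memory log, and the extra reasons sign_in_required and not_team_member are assumptions of the example.

```typescript
// Added example, not prepros code. Field names, the scrypt "salt:hash"
// password format and the sign_in_required / not_team_member reasons are
// assumptions; the four access levels and the other deny reasons follow
// Section 4.7 of the policy.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

type AccessLevel = "public" | "password" | "specific_users" | "team_only";
type DenyReason =
  | "revoked" | "expired" | "view_limit_reached" | "wrong_password"
  | "email_not_in_allowlist" | "sign_in_required" | "not_team_member";

interface ShareLink {
  id: string;
  teamId: string;
  level: AccessLevel;
  viewCount: number;
  viewLimit?: number;
  expiresAt?: number;      // epoch ms
  revokedAt?: number;      // epoch ms, set when the creator revokes the link
  passwordHash?: string;   // "saltHex:hashHex" (assumed scrypt format)
  allowedEmails?: string[];
}

interface ShareRequest {
  ip: string;
  userAgent: string;
  userId?: string;         // only when signed in to prepros
  email?: string;          // the signed-in account's verified email
  teamIds?: string[];      // teams the signed-in user belongs to
  password?: string;       // entered for password-protected links
}

interface AccessRecord {
  linkId: string; userId: string | null; ip: string; userAgent: string;
  granted: boolean; reason: DenyReason | null; at: number;
}

function hashSharePassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`;
}

function verifySharePassword(password: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);   // constant-time compare
}

// Link-wide conditions first (revocation, expiry, view limit), then the rule
// for the link's access level. Returns null when access is granted.
function decide(link: ShareLink, req: ShareRequest, now: number): DenyReason | null {
  if (link.revokedAt !== undefined && now >= link.revokedAt) return "revoked";
  if (link.expiresAt !== undefined && now >= link.expiresAt) return "expired";
  if (link.viewLimit !== undefined && link.viewCount >= link.viewLimit) return "view_limit_reached";
  if (link.level === "public") return null;
  if (link.level === "password") {
    if (!link.passwordHash || !req.password) return "wrong_password";
    return verifySharePassword(req.password, link.passwordHash) ? null : "wrong_password";
  }
  if (link.level === "specific_users") {
    // Only an email bound to an authenticated session counts; a visitor
    // cannot simply claim to be an allowlisted address.
    if (!req.userId || !req.email) return "sign_in_required";
    const allowed = (link.allowedEmails ?? []).map((e) => e.trim().toLowerCase());
    return allowed.includes(req.email.trim().toLowerCase()) ? null : "email_not_in_allowlist";
  }
  if (!req.userId) return "sign_in_required";                       // team_only
  return (req.teamIds ?? []).includes(link.teamId) ? null : "not_team_member";
}

// Every attempt is recorded, granted or denied; a view is counted only on grant.
function accessShareLink(link: ShareLink, req: ShareRequest, log: AccessRecord[], now: number): AccessRecord {
  const reason = decide(link, req, now);
  const record: AccessRecord = {
    linkId: link.id, userId: req.userId ?? null, ip: req.ip, userAgent: req.userAgent,
    granted: reason === null, reason, at: now,
  };
  if (record.granted) link.viewCount += 1;
  log.push(record);
  return record;
}

// Retention rule: records for active links are kept; once a link is revoked
// or expired, its records are kept for 90 days from that moment, then dropped.
function purgeAccessRecords(links: ShareLink[], log: AccessRecord[], now: number): AccessRecord[] {
  const ninetyDays = 90 * 24 * 60 * 60 * 1000;
  const byId = new Map(links.map((l) => [l.id, l] as const));
  return log.filter((r) => {
    const link = byId.get(r.linkId);
    if (!link) return now - r.at < ninetyDays;   // link gone: age the record itself
    const ends = [link.revokedAt, link.expiresAt].filter((t): t is number => t !== undefined && t <= now);
    const inactiveSince = ends.length ? Math.min(...ends) : null;  // null = still active, keep
    return inactiveSince === null || now - inactiveSince < ninetyDays;
  });
}
```

Two choices worth noting: the allowlist check only trusts an email that comes from an authenticated session, because an unauthenticated visitor could otherwise present any address, and a denied attempt (wrong password, exhausted view limit) is logged exactly like a granted one, which is what makes the abuse-detection use described above possible.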

4.8 Beta Waitlist Data

If you sign up for the beta waitlist, we collect:

  • The email address you submit
  • The IP address of the request, used briefly for rate-limiting and abuse prevention
  • The timestamp of your signup

We use double opt-in: when you submit the form, we send a verification email to the address you provided (delivered via Resend, our transactional email provider). Until you click the verification link, we keep your record in a pending state and do not add you to any marketing audience.

If you do not verify within seven days, we automatically delete your pending entry.

Once verified, we add your email to our marketing audience hosted by Resend, tagged for beta-launch communications. We may contact you about beta access, product updates, and the eventual public launch. You can withdraw at any time using the unsubscribe link in any email we send, or by emailing us at hello@prepros.co. When you create an account by accepting a beta invitation, your waitlist record is replaced by your user account, and waitlist-specific records are removed.

The waitlist signup form includes honeypot fields that are hidden from human visitors; submissions that fill in these fields are discarded as automated abuse and are not stored.

4.9 Consent Records

When you give or withdraw consent — including consent to non-essential cookies and analytics, consent to marketing communications, and acceptance of this Privacy Policy or our Terms of Service — we record:

  • The consent decision (what you accepted or declined)
  • The version of the policy or category in effect at the time
  • The timestamp of your decision

We retain consent records to demonstrate compliance with applicable law (including GDPR Articles 7 and 30) and to know when to ask you to re-confirm consent after material policy changes. Consent records are retained for the period described in Section 7.

5. How We Use Your Data

Purpose | Lawful basis (GDPR Art. 6)
Providing and maintaining the Service | Performance of contract (Art. 6(1)(b))
Account authentication and security | Performance of contract; legitimate interest (Art. 6(1)(b), (f))
Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b))
Sending transactional emails (verification, password reset, invoices) | Performance of contract (Art. 6(1)(b))
Analytics and performance monitoring | Consent (Art. 6(1)(a))
Security monitoring, fraud and abuse prevention | Legitimate interest (Art. 6(1)(f))
Product updates and feature announcements | Consent (Art. 6(1)(a))
Responding to support requests and feedback | Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c))

5.1 Aggregated and De-identified Data

We may aggregate or de-identify data so it can no longer reasonably identify you. We may use such data for analytics, product improvement, business insights, and benchmarking. De-identified data is not subject to the restrictions in this Privacy Policy.

5.2 No Solely Automated Decisions

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing without human involvement. Our anomaly-detection systems may flag suspicious login attempts and trigger temporary account lockouts, but you can contact us to review such decisions and we maintain human oversight of consequential security actions.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following third-party processors who act on our behalf under data processing agreements (DPAs). For transfers of personal data outside the European Economic Area (EEA), we rely on the EU–US Data Privacy Framework (DPF) where the processor is certified, and on Standard Contractual Clauses (SCCs) approved by the European Commission in all other cases.

Processor | Purpose | Data shared | Location | Transfer mechanism
Vercel (hosting, edge, storage) | Hosting, edge network, edge-derived geolocation for security, file and image storage | All Service data; uploaded files; IP addresses | USA | DPF
Vercel (analytics) | Aggregated usage and performance analytics (Vercel Analytics, Speed Insights) | Aggregated usage data; performance metrics | USA | DPF
Railway | PostgreSQL database hosting, including automated database backups | All stored Service data | USA | DPF
Stripe | Payment processing (acting as separate controller for payment data) | Email, name, billing address, payment details | USA | DPF
Resend | Transactional email delivery; storage of beta-launch and product-update marketing audience | Email address, name, email content | USA | DPF
Sentry | Error monitoring and alerting | Error logs and stack traces (with PII automatically redacted before transmission) | USA | DPF
Inngest | Background job processing (email sending, image processing, data exports, scheduled cleanup) | Job payloads (which may include user data relevant to the job) | USA | SCCs
Upstash | Rate limiting, session caching, idempotency cache | IP addresses, email addresses, and user IDs as cache key components, retained for short windows (typically minutes) | USA | DPF

We may also disclose personal data: (a) where required by law, regulation, or legal process; (b) to enforce our Terms or investigate suspected violations; (c) to protect the rights, property, or safety of prepros, our users, or others; and (d) in connection with a merger, acquisition, financing, or sale of assets, in which case we will notify you by email or through the Service.

7. Data Retention

Data | Retention period
Account and production data (active accounts) | Until you delete your account
Soft-deleted accounts | 30-day grace period during which you can restore the account, after which the account record is anonymized; anonymized records may be retained indefinitely to preserve audit-trail integrity for actions previously taken
Login history and security events | Up to 12 months on active accounts; deleted on anonymization
Approximate location data (derived from IP at edge) | Stored as part of login history; same retention
Audit logs | Up to 24 months; when an account is deleted or anonymized, personally identifying values in audit log records (such as email addresses and names) are scrubbed, while the underlying audit trail is preserved for integrity
Notifications | Up to 12 months or until you delete them
Comments and @mentions | Persist for the lifetime of the resource they are attached to. When a user is deleted, their name is replaced with "[Deleted User]" in any @mentions in existing comments
Beta waitlist data | Pending entries deleted automatically after 7 days if unverified; verified entries retained until you create an account, ask us to remove the entry, or unsubscribe
Share-link configuration | Until the link is revoked or expires
Share-link access records | While the link is active; up to 90 days after the link is revoked or expires
Invoices and payment records | As required by Swedish and EU tax law (currently 7 years)
Cookie and consent records | Until consent is withdrawn, or up to 24 months
Data export files | Available for download for 7 days after generation, then deleted
Database backups | Operated by our hosting provider Railway. Daily snapshots are retained for 6 days; weekly snapshots for one month; monthly snapshots for three months. Data deleted from the live database remains in existing snapshots until those snapshots expire under this schedule

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right | How to exercise
Access — obtain a copy of your data | Settings → Account → Export Data
Rectification — correct inaccurate data | Settings → Profile, or contact us
Erasure — delete your account and data | Settings → Account → Delete Account
Portability — receive your data in a portable format | Settings → Account → Export Data (JSON format)
Restriction — limit how we process your data | Contact hello@prepros.co
Objection — object to processing based on legitimate interest | Contact hello@prepros.co
Withdraw consent — for analytics and marketing | Cookie Settings (footer) or contact us

Data exports are generated asynchronously and delivered via email when ready. Exports include your account information, productions you own, and content you have created, in JSON format. Exports do not include data owned by other users (such as productions you are a member of but do not own).

When you delete your account, you may need to transfer ownership of teams or productions to another member before deletion. Content you have shared with others, comments you have posted, and similar activity that other users have a legitimate interest in may persist after your account is deleted, in anonymized form where appropriate.

We aim to respond to rights requests within 30 days. We may extend this period by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons within the first 30 days. We may need to verify your identity before responding. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Sweden, that authority is the Swedish Authority for Privacy Protection (IMY).

9. Cookies and Email Communications

9.1 Cookies

The Service uses cookies and similar storage mechanisms (such as localStorage) for the purposes described below.

Category | Purpose | Examples | Consent required
Essential | Required for the Service to function: authentication session, CSRF protection, cookie consent state | NextAuth session token, CSRF token, c15t consent state | No (strictly necessary)
Analytics | Aggregated performance and usage data via Vercel Analytics and Speed Insights, to help us improve the Service | Vercel Analytics, Vercel Speed Insights | Yes

Vercel Analytics and Speed Insights are cookieless by default — they use rotating hashes of request metadata (such as IP address and user-agent) to count unique visitors, without setting tracking cookies and without persistently identifying you. Even so, they only collect data after you have given your consent.

No non-essential cookies, pixels, or tracking technologies are set before you give consent. We do not use cookies or pixels for advertising, retargeting, cross-site tracking, or marketing measurement, and we do not share any cookie-derived data with advertising platforms.

You can manage your cookie preferences at any time using the Cookie Settings link in the footer of any page. Withdrawing consent stops new analytics events from being collected; previously collected aggregated data is anonymous and is not associated with your identity.

9.2 Email Communications

The Service sends two kinds of emails:

Transactional emails are required for the Service to function or to deliver information you are legally entitled to. These include account verification, password reset, magic-link sign-in, security alerts, billing receipts, payment-failure and dunning notifications, subscription cancellation confirmations, and waitlist verification. Transactional emails are sent on the basis of contract performance (GDPR Art. 6(1)(b)) or legal obligation (Art. 6(1)(c)) and continue regardless of your marketing preferences.

Optional emails are split into three categories you can manage independently:

  • Product updates — occasional emails about new features, announcements, and tips
  • Billing notices — reminders about renewals, trial endings, and plan changes (you will still receive receipts and payment-failure alerts as transactional emails)
  • Invitations — invitations to join teams, productions, or the beta from other users or our team

Optional emails are sent on the basis of your consent (GDPR Art. 6(1)(a)) or legitimate interest where applicable (Art. 6(1)(f)). You can withdraw consent or change your preferences at any time by:

  • Clicking the unsubscribe link at the bottom of any optional email
  • Using your email client's one-click unsubscribe button — our optional emails carry the List-Unsubscribe and List-Unsubscribe-Post headers defined by RFC 8058, which Gmail, Apple Mail, and Outlook surface as a built-in unsubscribe action
  • Updating your preferences in Settings → Notifications
  • Emailing us at hello@prepros.co

We retain a record of when consent was given or withdrawn so we can demonstrate compliance with GDPR Art. 7(1).

10. Data Security

We apply technical and organizational measures appropriate to the risks of processing personal data, including:

  • Passwords hashed with bcrypt before storage; we never store plaintext passwords
  • Two-factor authentication (TOTP-based) with backup codes, available to all users in account security settings
  • CSRF protection on all state-changing requests
  • Rate limiting on authentication, password-reset, magic-link, and abuse-prone endpoints
  • Account lockout with progressive backoff after repeated failed login attempts
  • Login anomaly detection including impossible-travel checks and IP-based threat monitoring
  • Session invalidation on password change, account deletion, and other security-relevant events, including across browser tabs
  • Encryption in transit (TLS) for all connections to the Service
  • Encryption at rest for stored data, provided by our hosting and database providers
  • PII redaction in application logs, error reports sent to Sentry, and audit details on account deletion
  • Continuous security monitoring via Sentry, with alerting on critical events

No system is completely secure. In the event of a personal data breach, we will notify the relevant supervisory authority and affected users as required by applicable law, including the timelines set out in the GDPR (notification to the supervisory authority within 72 hours of becoming aware of the breach where feasible).

11. Access by prepros Personnel

The prepros team is small. Authorized personnel — currently the founders and any employees or contractors we engage — may access user data on a need-to-know basis for the following purposes:

  • Customer support — investigating issues you have reported to us, with the minimum access needed to reproduce or resolve the issue
  • Security and abuse investigation — looking into suspected violations of our Terms, account compromise, or security incidents
  • Operating, maintaining, and troubleshooting the Service — for example, diagnosing a production bug, recovering data after an incident, or migrating data between systems
  • Account administration — actions taken through our internal admin tools, including suspending accounts that violate our Terms, transferring team or production ownership at the request of authorized parties, processing manual deletion or data-export requests, sending beta invitations, and managing feature flags
  • Billing and fraud prevention — investigating payment failures, chargebacks, or suspected fraudulent activity
  • Legal obligations — responding to lawful requests from authorities, court orders, or other legal processes

Access to admin tools is restricted to personnel with the SUPER_ADMIN role. Sensitive admin actions — including suspending or reactivating accounts, transferring ownership, hard-deleting productions, sending bulk communications, and accessing the audit log — are themselves recorded in an internal admin audit log. We do not currently have a customer-facing access log, but you can request a record of admin actions affecting your account by contacting us at hello@prepros.co.

Personnel with access to user data are required to maintain confidentiality. We do not access the content of your productions for purposes unrelated to operating the Service or as otherwise described in this Privacy Policy. We do not use your production content to train machine-learning models or for any commercial purpose other than providing the Service to you.

12. Children's Privacy

The Service is intended for professional and business use. We do not direct the Service to children, and we require all users to be at least 16 years of age regardless of whether their local jurisdiction sets a lower digital-consent threshold.

We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, contact us at hello@prepros.co and we will delete the relevant data promptly. If we discover that we have inadvertently collected data from a user under 16, we will delete the account and associated data without further request.

Some jurisdictions provide additional protections for minors (for example, the U.S. Children's Online Privacy Protection Act applies to children under 13). Where such protections apply and we discover applicable data has been collected, we will handle it in accordance with the relevant law.

13. Data Processing Addendum (B2B Customers)

When you use prepros to manage a production that involves the personal data of other people — for example, crew contact details, vendor information, or invitee email addresses — you are the controller of that personal data and prepros acts as a processor on your behalf, as described in Section 2.

If you require a written Data Processing Addendum (DPA) under Article 28 of the GDPR or equivalent law, our standard DPA — which incorporates the European Commission's Standard Contractual Clauses (SCCs) for international transfers — is available at /dpa. By accepting our Terms of Service and using the Service to process personal data of third parties, you accept that DPA as it applies to your use of the Service.

If your organization requires a signed counterpart of the DPA, or has additional requirements (for example, custom audit rights or specific subprocessor approval workflows), contact us at hello@prepros.co. We will work with reasonable requests during the beta period.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting an announcement in the Service or sending an email to the address associated with your account at least 30 days before the changes take effect. Non-material changes (clarifications, reorganization, contact updates) may be made without advance notice; we will update the "Last updated" date in either case. Your continued use of the Service after the changes take effect constitutes acceptance of the updated policy.

15. Contact

For any questions about this Privacy Policy or to exercise your data protection rights, please contact:

Prepros AB
Email: hello@prepros.co


Appendix A — United States Information Notice

This appendix provides supplemental information for individuals located in the United States, including residents of California. It supplements, and should be read together with, the main Privacy Policy above. Except as expressly stated here, all information about how we collect, use, and disclose personal data is described in the main Privacy Policy.

Categories of Personal Information We Collect

In the preceding twelve months, we have collected the following categories of personal information, as defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Identifiers: name, email address, IP address, account identifiers.
  • Customer records: billing information, profile information, contact details.
  • Commercial information: subscription history, invoices, transaction details.
  • Internet or other electronic activity: browsing and usage data, interactions with the Service.
  • Geolocation data: approximate location derived from IP address (city, region, country) for security purposes.
  • Inferences: none drawn for profiling purposes.
  • User-generated content: content you upload to or create within the Service.

We collect this information for the purposes described in the main Privacy Policy. We retain each category for the periods described in the retention table.

Sale and Sharing of Personal Information

We do not sell personal information in exchange for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes that would require us to offer a right to limit its use under California law.

California Privacy Rights

If you are a California resident, you have the following rights under the CCPA/CPRA, in addition to the rights described in Section 8 of the main Privacy Policy:

  • Right to know — request information about the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to correct — request that we correct inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so this right does not currently apply, but you may still submit a request and we will confirm.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that would require this right to be available, but you may still submit a request.
  • Right to non-discrimination — we will not deny, charge different prices for, or provide a different level of quality of the Service because you exercised your privacy rights.

To exercise any of these rights, contact us at hello@prepros.co. We may need to verify your identity before responding. You may designate an authorized agent to make a request on your behalf, in which case we may require proof of authorization and verification of your identity.

We aim to respond to verifiable consumer requests within 45 days, with a possible 45-day extension if reasonably necessary. We will notify you if we need additional time.

Other US State Privacy Laws

Residents of other US states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and Montana) may have similar rights to access, correct, delete, or port their personal information, and to opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects. To exercise any such rights, contact us at hello@prepros.co. We do not engage in targeted advertising, sale, or significant-effect profiling.

Shine the Light (California)

California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for those parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.


Appendix B — Canadian Information Notice

This appendix provides supplemental information for individuals located in Canada. It supplements the main Privacy Policy.

PIPEDA

We process personal information about Canadian residents in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. The rights described in Section 8 of the main Privacy Policy apply, including the right to access and correct your personal information.

Quebec (Law 25)

If you are a resident of Quebec, you have additional rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25), including the right to data portability and the right to be informed about automated decision making. As described in Section 5.2 above, we do not make consequential decisions about you based solely on automated processing.

The person responsible for the protection of personal information at prepros can be reached at hello@prepros.co.

Cross-Border Transfers

As described in the main Privacy Policy, your personal information may be processed and stored in countries outside Canada, including Sweden, the European Union, and the United States. Laws in those countries may differ from Canadian privacy laws. We take contractual and technical measures to protect personal information when it is transferred internationally.

You may file a complaint about our handling of personal information with the Office of the Privacy Commissioner of Canada or, in Quebec, with the Commission d'accès à l'information.