Introduction

Welcome to Prism ("we," "our," or "us"). Prism is an AI-powered Amazon advertising management platform operated by Calibrated Intelligence Inc, a company registered in Delaware with registration number 10420624, having its registered office at 151 Summer St, Morrison, CO 80465, USA.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, applications, and related services (collectively, the "Service"). We are committed to protecting your privacy and handling your data in an open and transparent manner.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

1. Information We Collect

We collect information in the following categories:

1.1 Account Information

When you create an account with Prism, we collect:

Email address - Used for account authentication, communications, and notifications
Full name - Used for account identification and personalization
Password - Stored in encrypted form using industry-standard hashing (via AWS Cognito)
Company/organization name - Used for team identification
Team information - Organization name and team membership for multi-tenant access
Role and permissions - Your role within your team for access control purposes

1.2 Amazon Advertising Data

When you connect your Amazon Advertising account to Prism via the Amazon Ads API, we access and store:

Campaign Data:

Campaign names, IDs, and configurations
Campaign budgets, bid amounts, and targeting settings
Campaign status (active, paused, archived)
Ad groups and their configurations
Product targeting settings
Sponsored Products, Sponsored Brands, and Sponsored Display campaigns

Keyword Data:

Keywords and keyword targeting configurations
Match types (broad, phrase, exact)
Negative keywords and negative targeting
Keyword bid amounts and bid adjustments
Search term reports

Performance Metrics:

Impressions, clicks, and click-through rates (CTR)
Advertising Cost of Sales (ACOS)
Return on Advertising Spend (ROAS)
Spend amounts and daily/lifetime budgets
Conversion data and attributed sales
Cost-per-click (CPC) metrics
New-to-brand metrics
Orders and units sold

Product Information:

ASINs (Amazon Standard Identification Numbers)
Product titles and categories
Product performance within advertising campaigns
Product eligibility status

Account Information:

Amazon Advertising profile IDs
Marketplace identifiers (US, UK, DE, FR, IT, ES, CA, MX, JP, AU, etc.)
Account-level settings and preferences
Seller account type

1.3 Usage Data and Analytics

We automatically collect certain information when you use our Service:

Log data - IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, time spent on pages
Device information - Device type, unique device identifiers, screen resolution
Feature usage - Which features you use, frequency of use, actions taken within the platform
AI interaction data - Queries submitted to our AI-powered chat features, recommendations generated, recommendations approved or rejected
Session information - Session duration, navigation patterns, error logs
Guardrail alerts - Budget exhaustion notifications, ACOS spike detections, and your responses to these alerts

1.4 Payment Information

We use Stripe as our payment processor. When you subscribe to a paid plan:

Stripe collects directly: Credit card numbers, bank account details, billing address
We receive from Stripe: Last four digits of your card, card type, expiration date, billing address, payment status, transaction history, subscription status
Fraud and dispute records we may create or receive: Billing identity details, payment-risk signals, refund or reversal history, dispute status, dispute evidence, and related communications with Stripe or payment counterparties
We do not store: Full credit card numbers or complete bank account details on our servers

1.5 Communications

When you contact us or we contact you:

Support tickets and correspondence
Feedback and survey responses
Email communication history
In-app chat communications

1.6 Referral Attribution, Fraud Review, and Dispute Response

If you use a referral link or participate in the referral program, we may collect and process:

The referral code contained in the URL and the code stored in your browser for attribution
Team identifiers and referral relationship data needed to determine eligibility and rewards
Referral milestone and reward status data needed to manage pending, approved, forfeited, and paid states
Fraud-review signals and abuse investigation records related to suspicious or disallowed referrals
Billing identity data, IP addresses, session or device signals, legal-acceptance records, billing history, support communications, and product-usage records for fraud review and dispute response
Stripe-related billing data to investigate refunds, reversals, and charge disputes

When you click a referral link, we store the referral code in first-party browser storage for up to 30 days so your signup can be attributed if you return later. If you use referral payout onboarding, Stripe may collect identity, tax, and bank-account information directly for Stripe Connect; we receive onboarding status and payout-account status so we can administer rewards.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Maintaining the Service

Authenticating your identity and managing your account
Connecting to and synchronizing with your Amazon Advertising accounts
Displaying your advertising campaigns, performance data, and analytics
Processing your requests and transactions
Managing your subscription and billing

2.2 AI-Powered Recommendations and Insights

Prism uses artificial intelligence and machine learning to:

Analyze your Amazon advertising performance data to identify optimization opportunities
Generate bid recommendations for keywords and targets
Suggest budget adjustments based on performance patterns
Detect anomalies such as budget exhaustion or ACOS spikes in real-time
Provide automated insights and alerts via our guardrails system
Suggest new keywords and targeting opportunities
Power conversational AI features for campaign analysis and assistance

Important: Our AI features process your Amazon advertising data to provide personalized recommendations. This analysis is performed using AWS Bedrock and related AI services.

We do not use your data to train general-purpose AI foundation models.
We do not share your data with third parties for their model training.
Aggregated, de-identified data may be used to improve Prism's own recommendations.
Our infrastructure providers (AWS Bedrock) process data solely to deliver the Service and do not retain your prompts or responses for their own training.
Your data is not shared with other Prism customers.

2.3 Analytics and Service Improvement

Understanding how users interact with our Service
Identifying usage trends and patterns
Improving and optimizing the Service
Developing new features and functionality
Conducting research and analysis
Measuring the effectiveness of AI recommendations

2.4 Communication

Sending transactional emails (account verification, password resets, subscription confirmations)
Providing customer support
Sending service-related announcements (maintenance windows, security alerts, policy changes)
Sending performance alerts (budget warnings, ACOS spikes, campaign issues)
Sending marketing communications (with your consent, where required)

2.5 Security and Fraud Prevention

Detecting and preventing unauthorized access
Identifying and addressing security vulnerabilities
Investigating suspicious activity
Reviewing payment, refund, reversal, and chargeback risk
Preparing, using, and preserving account, billing, support, and product-usage evidence to respond to disputes
Enforcing our Terms of Service
Protecting your Amazon advertising accounts from unauthorized changes

2.6 Legal Compliance

Complying with applicable laws and regulations
Responding to legal requests and court orders
Protecting our legal rights and interests
Complying with Amazon API Terms of Service

3. Data Sharing and Disclosure

We do not sell your personal information. We share your information only in the following circumstances:

3.1 Amazon Ads API Integration

Your Amazon advertising data is accessed through the Amazon Ads API. This requires:

Sharing authentication tokens with Amazon to maintain your connection
Transmitting campaign changes and optimizations back to Amazon when you approve them
Compliance with Amazon's API Terms of Service and data handling requirements

Amazon may receive information about your use of the Prism platform as part of API access logging.

3.2 Infrastructure and Service Providers

We use the following categories of service providers:

Amazon Web Services (AWS):

Cloud hosting and infrastructure
Database services (RDS PostgreSQL, DynamoDB)
Authentication services (AWS Cognito)
Authorization services (AWS Verified Permissions)
AI/ML services (AWS Bedrock)
Caching and performance (ElastiCache Redis)
Message queuing (SQS, Kinesis)
Security and encryption services
Monitoring and logging (CloudWatch)

Stripe:

Payment processing
Subscription management
Billing and invoicing
Stripe Connect onboarding and payout-account status for referral rewards
Fraud monitoring, payment-risk review, and dispute-response operations

We may also share relevant billing, account, support, and usage evidence with payment processors, acquiring banks, card networks, fraud-prevention vendors, professional advisors, and law enforcement where required or reasonably necessary for fraud prevention, payment operations, legal compliance, or dispute defense.

Analytics and Monitoring Providers:

Service usage analytics
Error monitoring and logging
Performance monitoring

3.3 Within Your Team

If you are part of a team on Prism, other team members with appropriate permissions may be able to see:

Your name and email address
Actions you take on shared accounts
Recommendations you approve or reject
Comments and notes you add

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

Valid legal process (subpoenas, court orders, government requests)
Protecting our rights, privacy, safety, or property
Enforcing our Terms of Service
Responding to claims that content violates third-party rights
Protecting the safety of any person

3.5 Business Transfers

If Prism is involved in a merger, acquisition, financing, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information.

3.6 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

4. Data Security

We implement robust security measures to protect your information:

4.1 Encryption

In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
At Rest: All stored data is encrypted using AES-256 encryption
Secrets Management: API keys, tokens, and credentials are stored in AWS Secrets Manager with encryption
Database Encryption: PostgreSQL and DynamoDB data encrypted at rest using AWS-managed keys

4.2 Access Controls

Role-based access control (RBAC) for internal systems
Multi-factor authentication for administrative access
Team-based isolation ensuring you can only access your team's data
Regular access reviews and principle of least privilege
AWS Verified Permissions for fine-grained authorization

4.3 Infrastructure Security

AWS-managed infrastructure with SOC 2, ISO 27001, and other compliance certifications
Network isolation using Virtual Private Clouds (VPCs)
Web Application Firewall (WAF) protection
Regular security patching and updates
Private subnets for sensitive services

4.4 Monitoring and Incident Response

Continuous security monitoring and logging
Automated anomaly detection
Documented incident response procedures
Regular security assessments
CloudWatch alerting for security events

4.5 Application Security

Input validation and sanitization
Protection against common web vulnerabilities (OWASP Top 10)
Secure session management
Regular dependency updates and vulnerability scanning

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5. Data Retention

5.1 Active Accounts

While your account is active, we retain:

Account information: For the duration of your account
Amazon advertising data: Synchronized data is retained to provide historical analytics, trend analysis, and performance tracking. Default retention is per tier:

Tier	Retention
Free	30 days
Explorer	90 days
Starter	90 days
Growth	180 days
Pro	1 yr
Enterprise	Unlimited

Usage data: Retained for up to 24 months for analytics purposes
AI interaction logs: Retained for up to 12 months to improve recommendations
Payment records: Retained as required for tax and accounting purposes (typically 7 years)

5.2 Account Termination

When you delete your account or your account is terminated:

Personal information: Deleted or anonymized within 30 days
Amazon advertising data: Deleted within 30 days, except where retention is required for legal compliance
Team data: If you are the last member of a team, all team data is deleted
Backups: Purged from backup systems within 90 days
Aggregate/anonymized data: May be retained indefinitely for analytics and service improvement
Billing, dispute, and fraud-review records: May be retained after account closure for accounting, legal, compliance, fraud-prevention, and dispute-defense purposes even when ordinary product data is deleted

5.3 Legal Acceptance Records

Records of your acceptance of our Terms of Service and Privacy Policy are retained indefinitely for legal compliance and audit purposes, even after account deletion. These records include:

Document type and version accepted
Timestamp of acceptance
IP address at time of acceptance
User agent information

These legal-acceptance records may also be retained and used alongside billing and usage evidence when Prism investigates fraud or defends a refund, reversal, or charge dispute.

5.4 Legal Holds

We may retain information longer if required by law, legal proceedings, regulatory requirements, fraud reviews, payment operations, or dispute defense obligations.

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

6.1 Right to Access

You have the right to request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format (such as JSON or CSV) within 30 days of a verified request.

6.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through your account settings. For other corrections, contact us using the information provided below.

6.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal information, subject to certain exceptions:

Legal compliance requirements
Exercising or defending legal claims
Legitimate business purposes where deletion would be unreasonably difficult
Tax and accounting record retention requirements

6.4 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit that data to another controller. This includes:

Your account information
Your Amazon advertising data and performance history
Your AI recommendation history

6.5 Right to Restrict Processing

You have the right to request restriction of processing of your personal information in certain circumstances, such as:

When you contest the accuracy of the data
When processing is unlawful but you oppose erasure
When we no longer need the data but you need it for legal claims

6.6 Right to Object

You have the right to object to processing of your personal information for:

Direct marketing purposes (you can opt out at any time)
Processing based on legitimate interests
Research or statistical purposes

6.7 Right to Withdraw Consent

Where we process your information based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

6.9 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: support@calibratedintelligence.com
Mail: 151 Summer St, Morrison, CO 80465, USA.

We will respond to your request within 30 days. We may need to verify your identity before processing your request. If we cannot fulfill your request, we will explain why.

6.10 Automated Decision-Making

In accordance with GDPR Article 22 and similar regulations, we provide the following disclosures about automated decision-making:

AI-Powered Recommendations: Prism uses AI and machine learning to analyze your advertising data and generate recommendations for campaign optimization. These recommendations include bid adjustments, keyword suggestions, and budget allocations.

No Solely Automated Decisions with Legal Effects: Prism does not make decisions solely based on automated processing that produce legal effects or similarly significantly affect you. All AI recommendations are presented for your review and require your approval before implementation.

Human Review: You always have the right to:

Review AI recommendations before they are applied.
Request human review of any automated analysis or recommendation.
Understand the logic involved in automated recommendations (contact support for explanations).
Override or reject any AI-generated suggestion.

Your Controls: You control whether to apply AI recommendations. Campaign changes are only made when you explicitly approve them or configure automated rules with your specified parameters.

7. Jurisdiction-Specific Rights

7.1 European Union (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

Legal Basis for Processing:

Processing Purpose	Legal Basis
Account management	Contract performance
Amazon data synchronization	Contract performance
AI recommendations	Contract performance
Analytics	Legitimate interest
Security monitoring	Legitimate interest
Marketing communications	Consent
Legal compliance	Legal obligation

Data Protection Contact: Dean Hart

Supervisory Authority: You may contact your local data protection authority to lodge a complaint.

7.2 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to Know:

Categories of personal information collected (see Section 1)
Sources of personal information (directly from you, Amazon Ads API, automatic collection)
Business purposes for collection (see Section 2)
Categories of third parties with whom we share information (see Section 3)

Right to Delete: Request deletion of your personal information, subject to legal exceptions.

Right to Correct: Request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Financial Incentives: We do not offer financial incentives for personal information.

Authorized Agent: You may designate an authorized agent to make requests on your behalf with proper verification.

Categories of Personal Information Disclosed for Business Purposes:

Identifiers (to AWS, Stripe)
Commercial information (to AWS, Stripe)
Internet activity (to AWS)

7.3 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados:

Confirmation of the existence of processing
Access to your data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Data portability to another service provider
Deletion of data processed with consent
Information about public and private entities with which your data has been shared
Information about the possibility of denying consent and the consequences
Revocation of consent

Data Protection Contact: support@calibratedintelligence.com

7.4 Canada (PIPEDA)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act:

Access to your personal information
Challenge the accuracy and completeness of your information and have it amended
Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)

7.5 US State Privacy Laws

Residents of Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have similar rights to California residents, including:

Right to Access: Request a copy of personal data we hold about you.
Right to Correct: Request correction of inaccurate personal data.
Right to Delete: Request deletion of personal data, subject to legal exceptions.
Right to Opt Out: Opt out of targeted advertising and the sale of personal data.
Right to Appeal: Appeal denied requests within a reasonable timeframe.

To exercise these rights, contact support@calibratedintelligence.com. We will respond within the timeframe required by your state's law (typically 45 days). We do not sell personal information or use it for targeted advertising.

8. International Data Transfers

8.1 Transfer Locations

Your information may be transferred to and processed in:

United States: Primary data processing location
AWS Regions: Data may be processed in various AWS regions (us-east-1, eu-west-1, etc.) to optimize performance and comply with data residency requirements

8.2 Transfer Safeguards

We rely on appropriate transfer mechanisms as applicable, including:

Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA): We use EU-approved Standard Contractual Clauses and the UK IDTA for international transfers.
EU-US Data Privacy Framework: Where certified and applicable.
AWS Compliance: AWS maintains certifications including participation in the EU-US Data Privacy Framework.
Supplementary Measures: Additional technical and organizational measures as appropriate, including encryption in transit and at rest.
Other mechanisms: Recognized under applicable law as transfer safeguards evolve.

Transfer mechanisms may change as legal frameworks evolve; we will update this policy accordingly.

8.3 Data Localization

If you require data to be stored in a specific region for compliance purposes, please contact us to discuss available options and any applicable additional terms.

9. Browser Storage and Tracking Technologies

Prism uses a mix of in-memory browser state, browser storage, and essential cookies. This section explains the main categories of data involved in authentication, referral attribution, and product functionality.

9.1 In-Memory Session State

Some authentication state is kept only in memory while the app is open and is not persisted to browser storage:

Data	Purpose	Category
`accessToken`	JWT token for API authentication	Essential
`idToken`	Identity claims returned at sign-in time	Essential

9.2 Local Storage (Persistent)

Data stored in localStorage persists until you explicitly clear your browser data or Prism removes it:

Storage Key	Purpose	Category
`csrfToken`	CSRF token mirrored for authenticated browser requests	Essential
`prism-team-id`	Your selected team identifier	Essential
`prism-active-context`	Selected account and marketplace	Essential
`prism-ui-theme`	Your theme preference (light/dark)	Preference
`prism_referral_code`	Referral attribution code retained for signup/checkout	Essential
`pre-oauth-route`	Temporary return route during Amazon account connection	Essential

9.3 Session Storage (Temporary)

Data stored in sessionStorage is automatically cleared when you close your browser tab:

Storage Key	Purpose	Category
`apiKey`	AWS API Gateway access key for your active session	Essential
`pendingApiKey`	Temporary API key awaiting propagation	Essential
`prism_terms_accepted`	Terms acceptance state during signup	Essential
`prism_terms_version`	Version of Terms accepted	Essential
`prism_privacy_version`	Version of Privacy Policy accepted	Essential
`prism_checkout_tier_token`	Selected subscription tier during signup	Essential
`prism_signup_first_name`	First name for team creation	Essential

9.4 Essential Cookies

Prism also uses essential cookies for authentication and referral attribution:

Cookie	Purpose	Category
`refresh_token`	HttpOnly refresh token used to renew authenticated sessions	Essential
`csrf_token`	HttpOnly CSRF token paired with authenticated API requests	Essential
`prism_ref`	30-day referral attribution cookie used during signup	Essential

Security Mitigations: We implement multiple security controls including Content Security Policy (CSP), in-memory access-token handling, HttpOnly authentication cookies, CSRF protections, short-lived token rotation, and server-side session validation. Users should ensure their devices remain secure and avoid using Prism on shared or untrusted computers.

9.5 Server-Side Security Tokens

For security-critical operations, we use server-side tokens stored in Redis (not in your browser):

CSRF tokens: Generated server-side for OAuth flows to prevent cross-site request forgery
Rate limiting data: Request counts to prevent abuse

9.4 Managing Browser Storage

You can control browser storage through:

Logging out: Clears authentication tokens from localStorage
Browser settings: Clear site data via browser settings or developer tools
Private/Incognito mode: Storage is automatically cleared when the window closes

Note that clearing essential storage items will log you out and may reset your preferences.

9.5 Referral Attribution Cookie

Prism uses a first-party cookie named prism_ref to preserve referral attribution for up to 30 days. This cookie is used for functional attribution and referral administration, not for third-party advertising or cross-site tracking.

9.6 Third-Party Cookies

We do not use third-party advertising or tracking cookies. Our analytics are collected server-side.

9.7 Do Not Track

Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activities tracked. We currently do not respond to "Do Not Track" browser signals, as there is no consistent industry standard for handling these signals.

10. Children's Privacy

The Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at support@calibratedintelligence.com.

If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information promptly.

11. Third-Party Links and Services

Our Service may contain links to third-party websites or services that are not operated by us, including:

Amazon Seller Central and Advertising Console
Payment processor portals
Help documentation hosted externally

If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you of changes:

Material Changes: We will notify you by email to your registered email address and/or by prominent notice within the Service at least 30 days before the changes take effect
Minor Changes: Updates will be posted on this page with an updated "Last Updated" date

We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page unless otherwise stated.

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Service and may request deletion of your account.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries: Email: support@calibratedintelligence.com

Data Protection Contact: Email: support@calibratedintelligence.com

Mailing Address: Calibrated Intelligence Inc Attn: Privacy Team 151 Summer St Morrison, CO 80465 USA

Response Time: We aim to respond to all privacy inquiries within 5 business days and to fulfill data subject requests within 30 days.

14. Additional Information

14.1 Data Processing Agreement

If you require a Data Processing Agreement (DPA) for compliance purposes, please contact us at support@calibratedintelligence.com to request one. We provide standard DPAs that comply with GDPR and other applicable regulations.

14.2 Sub-Processors

A current list of our sub-processors is available upon request. We may change sub-processors and infrastructure providers from time to time. Material changes will be reflected in this policy. Enterprise customers with Data Processing Agreements may receive advance notice per their agreement terms.

Current primary sub-processors include:

Amazon Web Services, Inc. (infrastructure, AI services)
Stripe, Inc. (payment processing)

14.3 Security Certifications

Our infrastructure provider (AWS) maintains the following certifications:

SOC 1, SOC 2, SOC 3
ISO 27001, ISO 27017, ISO 27018
PCI DSS Level 1
HIPAA eligible services

14.4 Compliance Documentation

For enterprise customers requiring additional compliance documentation, we can provide:

Security questionnaire responses
Data Processing Agreements
Sub-processor lists
Technical and organizational measures documentation

Contact support@calibratedintelligence.com for these requests.