Privacy Policy
Last updated: May 29, 2026
This Privacy Policy explains how Height Labs collects, uses, shares, and protects personal data when you visit our website or use Pineprompt, our AI search visibility platform. It also explains the rights you have over your personal data under the EU General Data Protection Regulation (GDPR) and how to exercise them.
We have tried to keep this policy plain and honest. Pineprompt is a young product, and we collect only what we need to run it. If anything here is unclear, contact us at [email protected].
1. Who we are
Pineprompt is operated by Height Labs, a general partnership (vennootschap onder firma) established in the Netherlands. For the purposes of the GDPR, Height Labs is the data controller for the personal data described in this policy.
Our details are as follows:
- Controller: Height Labs (vennootschap onder firma)
- Contact for privacy matters: [email protected]
We have not appointed a Data Protection Officer, as we are not required to under the GDPR. Privacy questions and requests reach us directly at the address above.
2. Scope of this policy
This policy covers the Pineprompt marketing website, the Pineprompt web application, and the Pineprompt REST API and MCP server. It applies to the people whose personal data we process: visitors to our site, the individuals who hold a Pineprompt account, and the members invited into an organization.
When you use Pineprompt to monitor a brand, you decide which prompts to run, which brands to track, and which members to invite. We process the content you create on your behalf, and only to provide the service to you. This is set out in more detail in our Terms of Service.
3. The personal data we collect
We collect the following categories of personal data.
Account data
When you create an account we store your email address and, if you choose to provide it, your name. Pineprompt does not use passwords. You sign in either with a one-time magic link sent to your email or with a Google or Microsoft account.
Authentication data
To sign you in we store a short-lived magic-link token tied to your email. If you connect a Google or Microsoft account, we store the identifier that provider returns so that we can recognize you on your next sign-in. We do not receive or store your Google or Microsoft password.
Organization and membership data
Pineprompt is organized around organizations. We store the organization name, the members who belong to it, each member's role, and the email addresses used to send and accept invitations.
Billing data
Payments are handled by Stripe. We do not see or store your full card number. We store the customer and subscription references Stripe returns, your plan, and your billing status so that we can give your organization access to the features it has paid for. The billing details you enter, such as your card and billing address, are held by Stripe under their own privacy policy.
Content you create
When you use Pineprompt you create projects, monitors, prompts, brands, tags, and similar records. A prompt is the exact query you ask us to run, so it may contain whatever you type into it. The AI answers we capture in response, along with the citations, brand mentions, and sentiment we extract, are stored against your project. This content is usually not personal data, but it may contain personal data if you choose to put it there.
Communications
When you email us or use a contact form, we keep your message and our reply so that we can support you and keep a record of the conversation.
Technical and usage data
Like most web services, our servers and infrastructure providers generate logs that may include your IP address, browser type, the pages you request, and timestamps. We use this data to operate the service, keep it secure, and diagnose problems. We do not build advertising profiles from it.
4. How and why we use your data
Under the GDPR we must have a lawful basis for each use of your personal data. The table below sets out what we do and the basis we rely on.
| What we do | Lawful basis (GDPR Article 6) |
|---|---|
| Create and maintain your account and sign you in. | Performance of our contract with you. |
| Run your monitors and store the results so you can use the product. | Performance of our contract with you. |
| Take payment and manage subscriptions. | Performance of our contract with you; compliance with our legal obligations, such as tax and accounting. |
| Provide support and respond to your messages. | Performance of our contract with you; our legitimate interest in helping our customers. |
| Keep the service secure, prevent abuse, and diagnose problems. | Our legitimate interest in running a safe and reliable service. |
| Send service emails, such as sign-in links, billing notices, and important changes. | Performance of our contract with you. |
| Send product and marketing emails about Pineprompt. | Your consent, or our legitimate interest where the law allows. You may opt out at any time. |
| Comply with the law and respond to lawful requests. | Compliance with our legal obligations. |
Where we rely on consent, you may withdraw it at any time without affecting processing that took place before you withdrew it. Where we rely on legitimate interests, you may object, and we will stop unless we have compelling grounds to continue.
5. AI answer engines and the prompts you run
Pineprompt works by sending the prompts you configure to third-party AI answer engines and capturing what they reply. To provide the service we send each prompt, together with the country and language you set, to the engines you enable on a monitor. These include ChatGPT, Google Gemini, Perplexity, Claude, Google AI Overview, Google AI Mode, Grok, and Microsoft Copilot, reached either directly or through model-routing providers.
We also use AI models to analyze the answers we capture, for example to detect brand mentions and score sentiment. You should treat any prompt you create as content that will be sent to these third parties. You should not put personal data or confidential information into a prompt unless you have a clear reason to and the right to do so.
We do not control how these third-party engines behave or what they return. Their handling of the data we send is governed by their own terms and privacy policies.
6. Who we share data with
We do not sell your personal data. We share it only in the following situations.
- With service providers (sub-processors) who process data on our behalf to run Pineprompt, listed in the next section.
- Within your organization. Other members of your organization can see the organization's projects, the content in them, and the membership list, according to their role.
- For legal reasons, where we must comply with a law, regulation, or valid legal request, or to protect our rights, our users, or the public.
- In a business transfer, if Height Labs is involved in a merger, acquisition, or sale of assets, in which case we will tell you before your data becomes subject to a different privacy policy.
7. Sub-processors
We use a small set of trusted providers to deliver Pineprompt. Each processes personal data only as needed for the purpose below, under a contract that requires them to protect it. The principal categories are as follows.
| Provider | Purpose |
|---|---|
| Cloud hosting and infrastructure | Running the application, the database, and storage. |
| Stripe | Payment processing and subscription billing. |
| Google and Microsoft | Optional sign-in with a Google or Microsoft account. |
| Google Analytics and Google Fonts | Understanding how the web application is used, and delivering the web fonts on our website. |
| Email delivery provider | Sending sign-in links, billing notices, and other service email. |
| Product and lifecycle email provider | Sending product and onboarding email, where you have not opted out. |
| AI answer engines and model-routing providers | Running your prompts and analyzing the answers, as described in section 5. |
| Web crawling and search providers | Fetching and processing the web pages and sources cited in AI answers. |
If you would like the current list of named sub-processors, contact us at [email protected] and we will provide it.
8. International data transfers
Some of our providers, in particular the AI answer engines, our payment processor, and Google (which provides analytics in the web application and the web fonts on our website), are based outside the European Economic Area, most often in the United States. When we transfer personal data to a country that the European Commission has not found to provide an adequate level of protection, we rely on appropriate safeguards, typically the European Commission's Standard Contractual Clauses, to protect that data.
You may ask us for more information about the safeguards we use for a particular transfer by contacting us at [email protected].
9. How long we keep data
We keep personal data for as long as it is needed for the purpose we collected it.
- Account and organization data is kept for as long as your account or organization is active.
- Content you create, including monitors, prompts, and captured results, is kept while your organization is active so that you can analyze trends over time. Pineprompt does not back-fill historical results, so your history begins when a monitor is created.
- Billing records are kept for as long as the law requires us to retain them, which for tax and accounting purposes in the Netherlands is generally seven years.
- Support messages are kept for as long as needed to handle and document the conversation.
When you delete your account or close an organization, we delete or anonymize the associated personal data within a reasonable period, except where we must keep it to meet a legal obligation or to resolve a dispute.
10. Your rights
Under the GDPR you have the following rights over your personal data.
- Access. You may ask for a copy of the personal data we hold about you.
- Rectification. You may ask us to correct data that is wrong or incomplete.
- Erasure. You may ask us to delete your personal data in certain circumstances.
- Restriction. You may ask us to limit how we use your data while a concern is resolved.
- Portability. You may ask us to provide certain data in a structured, machine-readable format, or to send it to another provider.
- Objection. You may object to processing we carry out on the basis of legitimate interests, and to the use of your data for direct marketing.
- Withdraw consent. Where we rely on your consent, you may withdraw it at any time.
To exercise any of these rights, email us at [email protected]. We will respond within the time the GDPR allows, normally within one month. We may need to verify your identity first.
If you believe we have not handled your personal data correctly, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in your country of residence. We would, of course, appreciate the chance to address your concern first.
11. How we protect data
We take reasonable technical and organizational measures to protect personal data against loss, misuse, and unauthorized access. These include encryption of data in transit, access controls that limit who on our side can reach production data, and the use of reputable infrastructure providers. No online service can promise perfect security, but we work to keep your data safe and to keep our measures current.
If a personal data breach occurs that is likely to present a risk to your rights, we will notify the relevant supervisory authority, and you where required, within the timeframes the GDPR sets.
12. Cookies
Pineprompt uses cookies that are strictly necessary to run the service, such as the cookie that keeps you signed in and the cookie that protects forms against cross-site request forgery. These are required for the application to work.
In the Pineprompt web application we also use Google Analytics to understand how the product is used and to improve it. Google Analytics sets cookies and shares usage data, including your IP address, with Google acting as our analytics provider. This is not a strictly necessary use. You may prevent these cookies through your browser settings or Google's opt-out tools, and you may ask us not to track you by contacting [email protected].
We do not use cookies for advertising. If we add other non-essential cookies in the future, we will update this policy.
13. Children
Pineprompt is a business product and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time as the product and the law change. When we make a material change, we will update the date at the top of this page and, where appropriate, tell you by email or in the app. Your continued use of Pineprompt after a change means you accept the updated policy.
15. How to contact us
For any question about this policy or your personal data, email us at [email protected].