PROMPTFOO PRIVACY NOTICE

Last Updated: March 13, 2026

This Privacy Notice describes how Promptfoo, Inc. (“we”, “us,” “our”, “Promptfoo”) collects, uses and discloses personal information about consumers who use our website (https://www.promptfoo.dev/) applications, products and services, tools and features, or otherwise interact with us for their personal, family or household purposes (collectively, the “Services”).

Please note that this Privacy Notice does not apply to:

• Business Customers. Personal information that we process as a processor or service provider for our business customers. When we serve as a processor or service provider, we process personal information at the direction of our business customers, and our business customers determine how they will use Promptfoo’s Services, including what (if any) personal information Promptfoo’s Services may process. If you have any questions about our business customers’ use of Promptfoo’s Services, please direct your question to the relevant business customer.
• Business Representatives. Personal information of individuals representing businesses is not covered by this Privacy Notice.
• Employees and Job Applicants. Personal information collected from our employees and individuals applying for employment with Promptfoo is not covered by this Privacy Notice.

Please read this Privacy Notice carefully. By using any of the Services, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Notice. If you do not agree to this Privacy Notice, please do not use or access the Services.

CHANGES TO THIS PRIVACY NOTICE​

We may modify this Privacy Notice from time to time, in which case we will update the “Last Updated” date at the top of this Privacy Notice. If we make material changes to the way in which we use or disclose personal information we collect, we will use reasonable efforts to notify you (such as by emailing you at the last email address you provided us or by posting notice of such changes on the Services) and will take additional steps as required by applicable law. If you do not agree to any updates to this Privacy Notice, please do not continue using or accessing the Services.

COLLECTION AND USE OF YOUR PERSONAL INFORMATION​

When you use or access the Services, we collect certain categories of personal information about you from a variety of sources.

Information You Provide to Us​

Some features of the Services may require you to directly provide us with certain personal information about yourself. You may elect not to provide this personal information, but doing so may prevent you from using or accessing these features. Personal information that you directly submit through our Services includes:

• Basic contact information, such as name, address, phone number, and email. We use this information to create and maintain your account and provide the Services, and to communicate with you (including to tell you about products or services that may be of interest to you).
• Account information, such as username and password, which we collect when you create an account and log in to use our Services. We use this information to provide the Services and to maintain and secure your account with us. If you choose to register an account, you are responsible for keeping your account credentials safe. We recommend you do not share your access details with anyone else. If you believe your account has been compromised, please contact us immediately.
• Communications information, such as any other personal information you choose to include in communications with us, for example, when sending a message through the Services.
• Other personal information not specifically listed here, which we will use as described in this Privacy Notice or as otherwise disclosed at the time of collection.

When you use the Promptfoo Command Line Interface (CLI) and library locally, the source code is executed on your machine, and any call to Language Model (LLM) APIs (OpenAI, Anthropic, etc.) are sent directly to the LLM provider. We do not have access to these requests or responses unless you provide us with access.

Information We Collect Automatically​

We also automatically collect certain information about your interaction with the Services (“Usage Data”). To do this, we may use cookies, javascript, local storage technologies, web beacons/clear gifs, and other tracking technologies (“Tracking Technologies”). Usage Data includes:

• Device information, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
• Location information, such as approximate location based on IP address.
• Online activity data, such as pages or screens you viewed, search history, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
• Telemetry data, which helps us decide how to spend time on development. Unless you change the settings, an event is recorded when a command is run (such as init, eval, view) or an assertion is used. Telemetry data includes the assertion type (for example, is-json, similar, llm-rubric).

If you opt-in, some features (called SimulatedUser and red team) send prompts to Promptfoo’s servers to generate responses, unless you change the settings. However, the AI model you are testing or evaluating always runs on your own system, not on Promptfoo’s servers.

We use Usage Data to provide our services, protect against fraud or abuse, for analytics, and to better understand user interaction with the Services. For more information on how we use Tracking Technologies and your choices, see the section below, Cookies and Other Tracking Technologies.

Information Collected From Other Sources​

We may obtain personal information about you from outside sources, including personal information that we collect directly from third parties and personal information from third parties that you choose to share with us.

Any personal information we receive from outside sources will be treated in accordance with this Privacy Notice and as permitted by applicable law. We are not responsible for the accuracy of the personal information provided to us by third parties and are not responsible for any third party’s policies or practices. For more information, see the section below, Third Party Websites and Links.

In addition to the specific uses described above, we may use your personal information for the below purposes or as otherwise described at the time of collection. We may use your personal information to:

Service delivery and operations​

• provide and improve the Services;
• maintain our business relationship, including by enhancing the safety and security of our Services (e.g., troubleshooting, data analysis, testing, system maintenance, and reporting), and fraud prevention;
• personalize the service, including remembering the devices from which you have previously logged in and remembering your selections and preferences as you navigate the Service;
• establish and maintain your user profile on the Service;
• provide customer support for the Service, and respond to your requests, questions and feedback;
• send service and other non-marketing communications, including by sending Service-related announcements, updates, security alerts, user-to-user communications, and support and administrative messages;
• monitor and analyzing trends;
• conduct internal research and development;
• comply with applicable legal obligations;
• enforce any applicable terms of service; and
• protect the Services, our rights, and the rights of our employees, users, or other individuals.

Compliance and protection​

• comply with applicable laws, lawful requests, and legal processes, such as to respond to subpoenas, court orders, investigations or requests from government authorities;
• protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
• audit our internal processes for compliance with legal and contractual requirements or our internal policies;
• enforce the terms and conditions that govern the Service; and
• prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

With your consent​

• In some cases, we may specifically ask for your consent to collect, use, or share your personal information for further purposes, for example, if those purposes are not compatible with the initial purpose for which that personal information was collected.

Finally, we may deidentify or anonymize your personal information such that it cannot reasonably be used to infer personal information about you or otherwise be linked to you (“deidentified information”) (or we may collect personal information that has already been deidentified/anonymized), and we may use such deidentified information for any purpose. To the extent we possess or process any deidentified information, we will maintain and use such information in deidentified form and not attempt to re-identify the information, except for the purpose of determining whether our deidentification process satisfies legal requirements.

COOKIES AND OTHER TRACKING TECHNOLOGIES​

As described above, we and third parties use Tracking Technologies to collect certain information about your interactions with the Services. Most browsers accept cookies automatically, but you may be able to control the way in which your devices permit the use of Tracking Technologies. If you so choose, you may block or delete our cookies from your browser; however, blocking or deleting cookies may cause some of the Services, including certain features and general functionality, to work incorrectly. If you have questions regarding the specific information about you that we process or retain, as well as your choices regarding our collection and use practices, please contact us using the information listed below. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit http://www.allaboutcookies.org.

Your browser settings may allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, our website is not designed to respond to such signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

DISCLOSURE OF YOUR PERSONAL INFORMATION​

We may disclose your personal information to third parties subject to this Privacy Notice, including the following categories of third parties:

• Our affiliates or others in our corporate group.
• Vendors or other service providers (such as CloudFlare) who help us provide the Services, including for system administration, artificial intelligence platforms, cloud storage, security, customer relationship management, communications (including marketing communications), and web analytics.
• Third parties in connection with or anticipation of an asset sale, merger, reorganization, bankruptcy, or other business transaction, including to counterparties in the diligence process and to the successor or affiliate as part of the transaction.
• Third parties designated by you with whom we may share your personal information where you have instructed us or provided your consent to do so. For example, if you use the “Share” command in the Service, you may share relevant results with us or other users of your choosing. If you share your inputs and outputs, this information will be stored at the shared location for two weeks.
• We may also disclose your information as needed to comply with applicable law or any obligations thereunder or to cooperate with law enforcement, judicial orders, and regulatory inquiries, to enforce any applicable terms of service, to exercise or defend legal claims, and for security reasons such as to detect and prevent against fraudulent or illegal activity, and to ensure the safety and security of our business, employees, and users. We do not sell to, or trade data with, outside parties.

THIRD PARTY WEBSITES AND LINKS​

We may provide links to third-party websites or platforms. If you follow links to sites or platforms that we do not control and are not affiliated with us, you should review the applicable privacy notice, policies and other terms. We are not responsible for the privacy or security of, or information found on, these sites or platforms. Information you provide on public or semi-public venues, such as third-party social networking platforms, may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators.

DATA SECURITY​

We have implemented security measures designed to protect your personal information from unauthorized access, use or disclosure. However, despite our efforts to protect your information, no security measures are impenetrable, and we cannot guarantee “perfect security.” Any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit or while in storage. We recommend that you do not use unsecure channels to send us sensitive or confidential information.

INTERNATIONAL DATA TRANSFER​

We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.

HOW TO CONTACT US​

Should you have any questions about our privacy practices or this Privacy Notice, please email us at inquiries@promptfoo.dev.