Overview
Prism is an independently operated tool for comparing physical climate risk data across providers. It is not operated by, endorsed by, or affiliated with any climate risk provider, financial institution, insurer, reinsurer, data vendor, or consultancy.
This policy explains what Prism collects, why it collects it, how it is used, where it is stored, and how long it is retained. The aim is to be clear and specific.
No analytics or behavioural tracking
Prism does not use Google Analytics, Mixpanel, Amplitude, Hotjar, Segment, Plausible, Fathom, Meta Pixel, LinkedIn Insight Tag, or similar analytics or tracking tools.
Prism does not use advertising pixels, session recording, heatmaps, fingerprinting, or cross-site tracking technologies. Prism is not built to profile users for marketing, advertising, or sale to third parties.
What data Prism collects
Prism is designed to collect only the data needed to operate the service.
Account data
Prism collects your email address when you create or access an account. This is used for authentication, account access, and service-related communication such as sign-in links or essential notices about your account.
Documents you upload
Prism stores documents you choose to upload, such as methodology PDFs, RFP responses, CSV portfolio files, and similar materials submitted for analysis. These files are stored in private storage and associated with your account or organisation context, depending on the relevant product area.
Analysis conversations
Prism stores the questions you submit and the responses generated so that your session and conversation history can function as intended. These records are used to provide the service to you, maintain continuity within the product, and support core operational and security needs.
Server and security logs
Prism retains standard server and security logs, which may include IP address, timestamp, request path, HTTP method, and response status. These logs are used for security, reliability, abuse prevention, and incident investigation. They are retained for up to 7 days unless a longer retention period is required to investigate misuse, fraud, or a security incident.
What Prism does not intentionally collect
Prism does not ask you to provide your phone number, postal address, payment card details, date of birth, or demographic information in order to use the service. Prism does not use adtech, third-party behavioural analytics, or social media integrations for tracking.
Prism also does not seek to collect device fingerprints, browsing activity across other websites, or precise location data. Standard network information may still appear in server and infrastructure logs as part of normal web operations.
Data isolation and access controls
Prism is designed so that user data is logically separated by account and product context. Users are not able to browse, search, or retrieve another user's private uploads or conversations through the product interface.
For providers using the Provider Portal, provider-submitted materials are scoped to the relevant provider organisation. Providers are not given access to user-uploaded files, user conversations, or another provider's private materials through the product.
Administrative access is restricted to operational needs such as infrastructure maintenance, abuse prevention, security review, and corpus management. Prism is intended to minimise operator access to private user content wherever reasonably possible, but access may occur where necessary for security, legal compliance, investigating abuse, resolving platform issues, or maintaining the service.
Independence and conflicts of interest
Prism is an independent project. It was created to support comparison of climate risk data and methodologies without relying on any single vendor's framing.
No provider can pay to be listed more prominently, ranked more favourably, or excluded from comparison. Where Prism offers analysis, it is intended to reflect the underlying source material, documented methodologies, and Prism's own editorial and product standards.
Data residency and international processing
Prism stores its primary application data in the European Union, including account records, uploaded files, and conversation history, using infrastructure configured for the EU region.
Prism currently uses Supabase for database and storage services in the EU region. Prism also uses Anthropic to process AI analysis requests. To provide that analysis, document content, prompts, and related inputs may be transmitted to Anthropic for processing.
Some processing by third-party providers may take place outside the European Union. Where that happens, Prism relies on the provider's contractual and legal safeguards that apply to those transfers.
Encryption and security
Prism uses HTTPS to encrypt data in transit. Data stored in managed infrastructure is protected using encryption at rest provided by the relevant infrastructure providers. Database connections are secured, and authentication tokens are generated securely, single-use where applicable, and time-limited.
Session cookies are set with the HttpOnly and Secure attributes and are intended to be inaccessible to client-side JavaScript.
Deletion and retention
You can permanently delete your account at any time from your user settings. When you do, Prism will make your account data, uploaded files, and conversations inaccessible in the product and schedule them for deletion from active systems.
Prism aims to permanently purge deleted data from active systems within 7 days. Backup copies and disaster recovery systems may retain data for a limited additional period until they rotate out in the normal course of operations.
Prism does not keep deleted user content indefinitely for product analytics or marketing purposes. Where retention is required for security investigations, fraud prevention, or legal compliance, Prism may retain limited data for longer where necessary.
If you experience any problem deleting your account or need help with a deletion request, contact the address listed at the bottom of this page.
Third-party services
Prism currently uses the following third-party services:
Supabase (database and file storage)
Supabase provides the hosted PostgreSQL database and file storage used by Prism. Prism configures these services for the EU region.
Anthropic (AI analysis)
Anthropic processes prompts, uploaded content, and related inputs required to generate AI responses within Prism. Prism uses Anthropic as a processor for analysis functionality, subject to Anthropic's applicable commercial and data processing terms.
Resend (email delivery)
Resend is used to deliver authentication emails and other essential service messages. This means your email address is shared with Resend for delivery purposes.
Cloudflare (DNS, network, and security services)
Cloudflare may process IP address, request metadata, and related network information as part of DNS resolution, traffic routing, SSL, caching, and security protection. Prism has enabled Cloudflare Analytics for traffic monitoring only, to ensure that Prism can adequately service demand.
Prism does not use advertising networks, customer data platforms, retargeting pixels, or social media tracking integrations.
GDPR and your rights
If you are in the UK or EEA, data protection law may give you rights including the right to access, correct, delete, restrict, or object to certain processing of your personal data, and in some cases the right to data portability.
Prism processes personal data primarily because it is necessary to provide the service you requested. This includes account access, authentication, document handling, AI analysis, and storage of your conversation history within the product. Prism may also process limited personal data where required to comply with legal obligations and protect the platform from abuse or security threats.
To exercise your rights, contact the address below. Prism aims to respond within 30 days, subject to legal extensions or where additional verification is reasonably required.
Children
Prism is intended for professional use and is not directed at children under 18. Prism does not knowingly collect personal data from children.
Changes to this policy
Prism may update this policy from time to time. If that happens, the updated version will be posted on this page with a revised effective date or last updated date.
If Prism makes a material change to how personal data is handled, Prism will aim to provide reasonable notice through the service or by email where appropriate.
Contact
For privacy questions, data access requests, or help with account deletion (you can do this from your user dashboard), contact: