Privacy Policy
Prime OS Lab, Inc. ("Prime Foundation", "we", "our", or "us") operates a service that aligns each customer's emotional, cognitive, linguistic, and behavioral patterns to design and deliver a personalized self-operating system (OS). Our offerings include self-reflection surveys and reports (for example, Reality Pattern Scan) and one-to-one alignment sessions with bespoke deliverables (for example, the START / SIGNATURE / MASTER OS product lines). This Privacy Policy explains how we collect, use, store, and protect your personal information.
Contact for all data and privacy matters: info@prime-foundation.com
Registered address: Prime OS Lab, Inc., 169 Madison Ave STE 16560, New York, NY 10016, USA
This policy is effective April 14, 2026.
1. Processing Purposes
We process your personal information only for the following purposes:
- Service delivery — creating and managing your account, providing surveys and reports, conducting one-to-one alignment sessions, and designing and delivering bespoke deliverables.
- Account management — authentication, session management, and account security.
- Payment processing — verifying that a completed purchase is associated with your account so that access to the product or service is granted.
- Report and deliverable generation — analyzing survey responses and information shared during one-to-one sessions to generate personalized reports and deliverables (alignment sheet, GPT promptbook, routine map, brand language chart, and similar outputs).
- Session operations — scheduling, conducting, and following up on one-to-one alignment sessions.
- Customer support — responding to inquiries, troubleshooting issues, and communicating service-related notices.
- Service improvement — understanding aggregate usage patterns (using only non-personal, aggregated data) to improve the product.
- Legal compliance — meeting our obligations under applicable law, including responding to lawful legal process.
2. Personal Information We Collect
Required information (collected with your consent)
The following data is provided by you and collected with your consent at the time of registration, purchase, survey, one-to-one session, or deliverable creation:
| Category | Items |
|---|
| Account / authentication | Email address, hashed authentication credentials (managed via Supabase Auth) |
| Purchase records | Stripe session ID, payment status (paid / not paid) |
| Survey responses | Your answers to self-reflection surveys |
| One-to-one session information | Session scheduling, attendance dates, and operational notes on content you share verbally or in writing during sessions |
| Deliverable content | Personalized outputs designed and produced from your information (alignment sheet, GPT promptbook, routine map, brand language chart, and similar outputs) |
| Contact information | Contact channel details (such as email) used for session scheduling and deliverable delivery |
Automatically collected information
The following technical data is collected automatically when you use the service:
- IP address — used for security and abuse prevention.
- Browser User-Agent — used for compatibility and security logging.
- Essential cookies — see Section 9 (Cookies) for details.
- Access logs — server-side request logs for security and operational purposes.
Payment data
We do NOT store card numbers or any other payment details.
Stripe, Inc. processes all payment information directly in its PCI-DSS compliant environment. We only store the Stripe session ID and payment status in our database. No card data ever reaches or is stored on Prime Foundation's systems.
3. Retention Periods
| Data category | Retention period | Basis |
|---|
| Account information (email, auth credentials) | Until account deletion | User consent / service contract |
| Purchase records | 5 years from transaction date | Act on Consumer Protection in Electronic Commerce (Korea) — records of payment and delivery |
| Survey responses | Until user requests deletion; maximum 2 years if no deletion request | User consent |
| One-to-one session operational notes | Until user requests deletion; maximum 2 years if no deletion request | User consent / service contract |
| Deliverable content | Until user requests deletion | User consent / service contract |
| Access logs | 3 months | Protection of Communications Secrets Act (Korea) — mandatory log retention |
When the applicable retention period ends, data is destroyed as described in Section 8.
4. Disclosure to Third Parties
We do not sell, rent, or share your personal information with third parties, except in the following limited circumstances:
- Legal process — when required by a valid court order, subpoena, or other lawful legal process issued by a competent authority.
- Protection of rights and safety — when disclosure is necessary to protect the rights, safety, or property of our users, our company, or the public, to the extent permitted by applicable law.
We do not share personal information for marketing, advertising, or any commercial purpose.
5. Third-Party Processors (Sub-processors)
We engage the following service providers, who process personal data on our behalf under contractual data-processing obligations:
| Processor | Country | Purpose |
|---|
| Stripe, Inc. | USA | Payment processing (PCI-DSS compliant) |
| Supabase, Inc. | USA / Singapore | Database, user authentication, file storage |
| Netlify, Inc. | USA | Web hosting and content delivery |
| Zoom Video Communications, Inc. (or similar video conferencing service) | USA | One-to-one alignment sessions (audio / video calls) |
These processors are permitted to process your personal data only as directed by us and in accordance with this policy.
6. International Data Transfers
Prime Foundation is headquartered in the United States. Your personal data is processed on servers located in the United States (Netlify hosting; Supabase US region) and potentially Singapore (Supabase Singapore region), operated by the processors listed in Section 5.
Items transferred: all personal data categories described in Section 2.
Recipients: Supabase, Inc. (database and auth), Netlify, Inc. (hosting), Stripe, Inc. (payment processing), Zoom Video Communications, Inc. or similar video conferencing service (one-to-one sessions).
Purpose of transfer: provision of the Prime Foundation service.
Retention: as described in Section 3.
Your right to object: You may withdraw consent to international transfer at any time by requesting account deletion at info@prime-foundation.com. Note that withdrawal will result in termination of your service access, because the service cannot be provided without these processors.
7. Your Rights
You have the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data (subject to retention obligations under law).
- Restriction — request that we restrict processing in certain circumstances.
- Withdrawal of consent — withdraw consent at any time, where processing is based on consent.
- Data portability — receive your data in a structured, machine-readable format.
- Objection — object to certain types of processing.
How to exercise your rights: Send your request by email to info@prime-foundation.com. We will respond within a reasonable time — typically within 10 business days for requests from Korean users under PIPA.
8. Data Destruction Procedure
When the retention period ends, or when you request deletion, we destroy your personal data irrecoverably using the following methods:
- Database records — rows are hard-deleted from our Supabase database (not soft-deleted or anonymized).
- File storage — any stored files or objects are permanently deleted from Supabase Storage.
- Backups — residual copies in database backups are purged in accordance with the standard backup rotation cycle (typically within 30 days of the deletion event).
Destruction is permanent and irreversible. We do not retain any personally identifiable information after destruction is complete.
9. Cookies
Prime Foundation uses essential cookies only. We do not use analytics, advertising, or third-party tracking cookies.
| Cookie | Purpose | Required? |
|---|
| Supabase authentication session | Maintains your authenticated session so you remain logged in | Yes |
| CSRF token | Prevents cross-site request forgery attacks on forms | Yes |
No analytics cookies. No advertising or marketing cookies. No third-party tracking cookies.
You may disable cookies in your browser settings. However, doing so will prevent sign-in and the service will not function correctly without the essential authentication cookie.
10. Minors
Where a minor uses our service, we ask that they do so with the awareness or consent of a parent or legal guardian. Minors and their guardians may at any time request access, correction, or deletion of personal information by contacting info@prime-foundation.com.
11. Privacy Officer / Data Protection Contact
Privacy Officer (DPO): Operations Team, Prime OS Lab, Inc.
Contact: info@prime-foundation.com
Mailing address: Prime OS Lab, Inc., 169 Madison Ave STE 16560, New York, NY 10016, USA
All data subject requests, privacy inquiries, and data breach notifications should be directed to the above contact.
12. California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- (a) Right to know — the right to know what personal information we have collected about you, including the categories, sources, purposes, and specific pieces of information.
- (b) Right to delete — the right to request deletion of personal information we have collected, subject to certain exceptions.
- (c) Right to correct — the right to request correction of inaccurate personal information.
- (d) Right to opt out of sale or sharing — Prime Foundation does not sell personal information and does not share personal information for cross-context behavioral advertising.
- (e) Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.
To submit a CCPA/CPRA request: Email info@prime-foundation.com. We will respond within 45 calendar days (with a possible 45-day extension where reasonably necessary, with notice).
13. Amendment History
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Publish the new version on this page with an updated effective date.
- Send an email notice to registered users.
- Display an in-service banner notifying users of the change.
Material changes will be announced at least 7 days before the new version takes effect.
Previous versions of this Privacy Policy are archived and available at /legal/privacy/history.
14. Effective Date
This Privacy Policy is effective April 14, 2026.
If you have any questions about this policy, please contact us at info@prime-foundation.com.