Security
Cloud Creator LLC · preprompt.studio
This page describes the security practices, data protection measures, and third-party processors used by PrePrompt Studio (Cloud Creator LLC).
1. Infrastructure Security
Transport Encryption
All connections to preprompt.studio and app.preprompt.studio use TLS 1.2 or higher. Cloudflare provides automatic HTTPS for all traffic with HSTS headers enforced.
Hosting
The application is served via Cloudflare Pages. API requests are handled by a Cloudflare Worker. Both benefit from Cloudflare's DDoS protection, WAF (Web Application Firewall), and global CDN. Beyond Cloudflare Workers KV and R2 storage, data is not stored in third-party compute instances.
Authentication
User authentication is handled by Firebase Authentication (Google). We use Google Sign-In and email/password authentication. All auth tokens are short-lived (1-hour) Firebase ID tokens validated by the Cloudflare Worker on every API request. Passwords are never stored by PrePrompt — Firebase handles credential storage.
API Keys
PrePrompt's AI provider API keys (Anthropic, xAI, Blockade Labs, World Labs) are stored as Worker secrets — environment variables that are never exposed in logs or client responses. BYOK keys provided by users are encrypted in transit and not persisted to storage.
2. Data Storage
User project data (scripts, generation metadata, project configurations) is stored in Firebase Firestore, scoped to each user's UID with server-side security rules. Generated assets (images, character sheets) are stored in Cloudflare R2 with access mediated through the Cloudflare Worker — direct public R2 URLs are not issued.
3. Rate Limiting
The API Worker enforces rate limits per IP address (60 requests/minute) and per generation operation type (30 generation requests/minute) using Cloudflare's native rate limiting. This protects both the service and users from abuse and runaway credit consumption.
4. Sub-Processors
The following third-party processors handle data on behalf of PrePrompt Studio:
- Google Firebase — Authentication, Firestore database. Google Privacy Policy applies.
- Cloudflare — CDN, Workers, KV, R2, DDoS protection. Cloudflare Privacy Policy applies.
- Stripe — Payment processing. Stripe Privacy Policy applies. PrePrompt never sees raw card data.
- Anthropic — Claude API for Eden AI assistant and script analysis. Anthropic Privacy Policy applies. Inputs are not used for training.
- xAI — Grok API for image and text generation. xAI Privacy Policy applies.
- Blockade Labs — Skybox AI for 360° environment generation. Blockade Labs Privacy Policy applies.
- World Labs — Marble API for Gaussian splat generation. World Labs Privacy Policy applies.
5. Vulnerability Disclosure
If you discover a security vulnerability in PrePrompt Studio, please report it responsibly to support@preprompt.studio with "SECURITY" in the subject line. We will acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.
Please do not publicly disclose vulnerabilities before we have had the opportunity to investigate and remediate them.
6. Contact
Security concerns: support@preprompt.studio
Cloud Creator LLC, c/o Northwest Registered Agent, 30 N Gould St Ste R, Sheridan, WY 82801