Law Enforcement Response Policy

What we do when a government asks for user data.

Last updated:

In one paragraph

Prism is a UAE-based company operating a consumer journaling service that processes deeply personal information — mental state, mood, behavioural patterns. When a government or law-enforcement agency asks for user data, we default to protecting the user. We require valid legal process, we challenge overbroad requests, we notify the affected user unless we are legally prohibited from doing so, and we publish aggregate statistics about the requests we receive.

What we require before producing user data

We will not disclose user data in response to an informal request, however polite, however high-ranking the requester. Disclosure requires valid legal process issued to Prism under a law that applies to us:

· A court order, subpoena, or equivalent issued by a court of competent jurisdiction in the United Arab Emirates.

· An order from a UAE regulatory or law-enforcement authority with statutory authority to compel production.

· A mutual legal assistance treaty (MLAT) request or equivalent inter-governmental request properly executed under UAE law.

· For emergency disclosure: a good-faith belief, documented, that disclosure is necessary to prevent imminent death or serious bodily harm (and then only the minimum data necessary).

Foreign law-enforcement agencies (US, UK, EU, or others) must route requests through UAE authorities. We will not respond directly to a subpoena issued by a foreign court.

What we'll challenge

· Overbroad requests — requests that cover more users or more data than the investigating purpose justifies.

· Gag orders without a stated expiry — we will ask for a specific expiry date.

· Requests unsupported by the stated legal basis — we will ask for written authority.

· Requests that violate the user’s constitutional or statutory privacy rights.

· Requests that seek content we cannot lawfully produce under UAE data protection law (PDPL, Federal Decree-Law No. 45 of 2021).

What we'll provide (if the request is valid)

Subject to the scope of the legal process:

· Basic account data — email address, signup date, subscription status, last login — in response to a UAE court order or regulator.

· Server logs for the specified time window.

· Entry content, Mirrors, behavioural-model records — only on a more specific order that demonstrates particular necessity and proportionality, given the sensitive-personal-data nature of this content under PDPL.

· Real-time interception — we do not provide this capability. Prism is not a telecommunications or surveillance provider.

User notification

We will notify the affected user of a government request for their data, unless we are legally prohibited from doing so (e.g. by a valid gag order, or during an ongoing investigation where notification would cause evidence destruction).

When we’re legally prohibited, we will notify the user as soon as the prohibition expires.

Emergency disclosure

In an emergency involving risk of imminent death or serious physical harm, we may disclose the minimum information necessary to law enforcement without waiting for formal legal process. Any such disclosure is documented in our internal law-enforcement log and, where lawful, reported to the affected user afterwards.

Data we cannot provide

· Journal-entry audio. Audio is streamed to OpenAI Whisper for transcription and immediately discarded; we never have a copy.

· AI model outputs from deleted entries. If the entry and the derived signals have been deleted, they are gone from our primary database; backup copies roll off on our standard cycle.

· Decrypted data without the user’s credentials. Prism does not hold user passwords in plaintext; if asked to produce a decrypted export of entries, we will produce what is decryptable on our infrastructure and explain what isn’t.

Transparency report

Starting from the first full year of operations, Prism will publish an annual transparency report containing, at minimum:

· The number of government requests received, broken down by requesting country / authority.

· The number of users affected by those requests.

· The number of requests complied with, partially complied with, and rejected.

· The number of requests for which we challenged scope or legality.

· The number of emergency disclosures.

Where publication of any category is prohibited by law, we will state that in the report.

Contact

· Legal process: legal@prismlens.net

· General privacy questions: privacy@prismlens.net

· DPO: dpo@prismlens.net