PROSPELLO PRIVACY POLICY
Effective Date: January 18, 2024
Entity: Prospello, LLC ("Prospello," "we," "us," "our")
Address: 5038 N Marble Fox Way, Lehi, UT 84048
Contact: privacy@prospello.ai (legal@prospello.ai for legal notices)
This Privacy Policy explains how Prospello collects, uses, discloses, and protects information when you use our websites, applications, APIs, and AI sales platform (the "Service"). Capitalized terms not defined here have the meanings in our Terms of Service.
If you do not agree with this Policy, do not access or use the Service.
1. Scope & Roles
This Policy applies to information we process as a controller (e.g., account, billing, marketing, site analytics) and as a processor when we process Customer Content and personal data on behalf of a business customer through the Service (e.g., contact records, emails, calendar events). Role allocations are governed by contract (including our DPA) consistent with GDPR guidance.
2. Data We Collect
- Account & Billing Data (name, email, company, seat/plan, billing and transaction data).
- Service Usage & Logs (device, IP, identifiers, timestamps, feature interactions, diagnostics, crash reports).
- Integration Data (OAuth tokens and metadata necessary to connect Google/Microsoft email and calendar; CRM connectors; import/export wizard metadata).
- Customer Content (data you submit to or through the Service: prompts, contacts/companies/deals, emails, calendar details, notes, uploaded docs).
- Support & Communications (tickets, chat, feedback).
- Marketing & Website Data (cookies/SDKs, referral URLs, campaign tags).
- Usage Data for Credits (Prospello Credits consumption, feature usage, and related telemetry to enforce plan limits, provide usage analytics, ensure fair use, and maintain platform stability).
- Enrichment Data (contact/company information enhanced using publicly available sources and licensed business databases; enriched results become part of Outputs/Service Data subject to our IP rights).
We may derive De-identified/Aggregated Data from the above; it cannot reasonably identify a person and is used for analytics and service improvement.
3. Sources
- Directly from you (sign-up, profile, in-product actions).
- From your organization/administrator (when your seat is provisioned).
- From connected services you authorize (Google/Microsoft mail and calendar; CRM integrations as released).
- From our website and product telemetry.
- From service providers (payment, analytics, security/fraud).
- From publicly available sources and licensed data vendors for enrichment (see above).
4. How We Use Data (Purposes)
- Provide and secure the Service (authenticate users, run agents, send emails/replies, book meetings, maintain CRM, detect abuse).
AI Processing Disclosure. Our Service uses multiple AI agents to perform automated sales tasks including prospecting, enrichment, outreach, lead scoring, and CRM management. These agents process your data within our secure infrastructure and do not share your data with third-party AI providers unless explicitly disclosed and enabled by you.
- Integrations you enable (send/receive emails and calendar invites from your accounts via OAuth according to provider policies).
- Customer support and communications (service messages, notices).
- Improvement & analytics (troubleshooting, performance, feature development; using de-identified/aggregated data).
- Legal, compliance, and safety (enforce terms, respond to lawful requests, protect rights).
When we access Google user data (e.g., Gmail/Calendar) through Google API Services, we comply with Google's API Services User Data Policy, including the Limited Use requirements.
5. Legal Bases (EEA/UK/Swiss)
Where GDPR/UK GDPR applies, our bases include: performance of contract (to provide the Service), legitimate interests (security, product improvement, limited analytics balanced against your rights), consent (where required, e.g., certain marketing), and legal obligation.
6. Automated Decision-Making & Profiling
The Service uses automated processing for lead scoring, qualification, and deal value estimation. Where GDPR applies, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to request human review of such decisions, subject to statutory exceptions (e.g., necessity for contract).
7. Email Sending Practices
When sending emails on your behalf, we: (a) use your authenticated email accounts via OAuth; (b) maintain sending-reputation monitoring and throttles; (c) comply with applicable anti-spam laws (e.g., CAN-SPAM) including accurate headers, non-deceptive subject lines, a valid physical address, and functional opt-outs; and (d) never store your email credentials directly.
8. Data Sharing & Disclosures
We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under California law. If this changes, we will update this Policy and provide required opt-out mechanisms (including honoring Global Privacy Control (GPC) signals).
We disclose data to:
- Service providers/sub-processors (infrastructure, email delivery, analytics, payments, support) under contract and confidentiality. We maintain a current sub-processor list at /subprocessors.
- Integration providers you enable (e.g., Google/Microsoft; HubSpot/Salesforce when released) per your configuration and their terms.
- Corporate transactions (merger, acquisition, financing, or asset sale).
- Legal/safety (to comply with law or protect rights, security, or safety).
9. International Transfers
We may transfer, store, and process information in countries other than where it was collected. Where required for transfers from the EEA/UK/Switzerland, we rely on the European Commission's 2021 Standard Contractual Clauses (SCCs) and, where applicable, the UK addendum, along with supplementary measures.
10. Data Minimization
We practice data minimization, collecting only information necessary to provide and improve the Service. You, or your organization's admin, may request deletion of unnecessary data at any time, subject to applicable law and this Policy.
11. Retention
We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods are:
- Active account data: Subscription duration + 90 days
- Logs and analytics: 12 months
- Billing records: 7 years (or longer if legally required)
- Customer Content: Deleted within 30 days of verified account termination request (subject to lawful retention, backups, and dispute holds)
12. Your Rights
EEA/UK/Swiss Residents
Subject to law, you may request access, rectification, erasure, restriction, portability, and objection to certain processing (including direct marketing); you may also withdraw consent at any time without affecting prior processing. You may lodge a complaint with your local supervisory authority. Requests can be made at privacy@prospello.ai.
U.S. Residents (e.g., CA, CO, CT, VA, UT, TX)
Depending on your state, you may have rights to know/access, delete, correct, port, and opt out of targeted advertising, sale, or profiling for significant automated decisions. We honor Global Privacy Control (GPC) signals as an opt-out of sale/share where required (e.g., California), and recognize Colorado's universal opt-out mechanism designation for GPC effective July 1, 2024. Submit requests at privacy@prospello.ai or via our in-app Privacy Center; we will verify your identity as required.
We do not discriminate for exercising rights.
13. Google & Microsoft Integrations
When you connect Gmail/Google Calendar, our use of Google user data complies with the Google API Services User Data Policy (Limited Use). We access and use data only to provide user-facing features you enable (e.g., draft/send emails, manage replies, create calendar events), and we do not transfer Google data except as allowed by that policy and your configuration. You can revoke access in your Google account permissions.
When you connect Microsoft 365 (Outlook/Calendar), access and permissions follow your tenant's consent and Microsoft policies; admins can review and revoke OAuth grants at any time.
14. Security & Incident Notification
We implement administrative, technical, and organizational safeguards appropriate to the risk (access controls, encryption in transit, environment segregation, logging/monitoring). No system is 100% secure. If we become aware of a security incident affecting personal data, we will act consistent with applicable law and our contractual commitments, and notify affected customers without undue delay and, where feasible, within 72 hours for GDPR-covered data.
You must promptly notify us of any actual or suspected unauthorized access to the Service or to your accounts or credentials. You remain responsible for activity under your accounts until we receive such notice and have reasonable time to act.
15. Automated Communications & Anti-Spam
We support compliance with applicable anti-spam laws. Commercial messages sent via the Service must include accurate headers, non-deceptive subject lines, a valid physical address, and a working opt-out. Opt-out requests must be honored as required by law.
16. Competitive Research Boundaries
Market and competitor research performed by our AI agents uses publicly available information and licensed business datasets. We do not use unauthorized access to competitor systems or confidential information.
17. Cookies & Tracking
We use cookies and similar technologies for authentication, preferences, analytics, and performance. See our Cookie Policy for details and controls.
18. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us and we will take appropriate steps under COPPA.
19. Model Training & Opt-Out Choices
Customer Content is not used to train our core AI models without your explicit consent.
You may opt out of contributing de-identified data to model improvements in account settings (where available) or by contacting privacy@prospello.ai.
20. Data Subject/Consumer Requests
To exercise applicable rights or make privacy inquiries:
- Email: privacy@prospello.ai (or legal@prospello.ai)
- Postal: Privacy Request, Prospello, LLC, 5038 N Marble Fox Way, Lehi, UT 84048
Provide sufficient information for us to verify your identity (or your authority as an agent) and describe your request in detail.
21. Retention, Deletion & Backups
Upon account closure or request from your organization's admin, we will delete or return Customer Content within commercially reasonable timeframes, subject to lawful retention, dispute resolution, and backup restoration windows. Certain logs may be retained for security, audit, or legal purposes.
22. Third-Party Links & Services
Our Service may link to third-party sites or services. Their privacy practices are governed by their own policies; review them before use.
23. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice (e.g., in-app or email). The "Effective Date" above reflects the latest version. For California-specific presentation and availability requirements, see applicable regulations.
24. Contact Us
Questions or complaints about this Policy or our data practices: privacy@prospello.ai or legal@prospello.ai. EEA/UK/Swiss residents may also contact or complain to their supervisory authority.
Last updated: January 18, 2024
If you have any questions about this Privacy Policy, please contact us at privacy@prospello.ai