1) Who we are

This Privacy Policy explains how Defastra Tech Inc. (doing business as “Prospeo”) collects, uses, shares, and protects personal data across our web app, API, Chrome extension, and CSV enrichment tools (the “Services”).

Address: 1102-20 Eglinton Ave W, Toronto, ON M4R 1K8, Canada

Privacy: privacy@prospeo.io • Security: security@prospeo.io

Notices are provided in English.

B2B focus: Our Services are designed for professional/business use (B2B), not household use.

2) What this policy covers

This Policy applies to personal data we process through our Services and data we process to build, verify, and maintain Prospeo’s B2B dataset.

3) Our roles (controller vs. processor)

• Controller: Prospeo is a controller for our own dataset and for site/app telemetry.
• Processor: For Customer Uploads (e.g., lists you submit for enrichment), we act as a processor under our Data Processing Agreement (DPA).

4) What we collect

4.1 Business/dataset data: Professional, business‑context information such as name, job title, employer, business contact details, public professional profiles, and company attributes. We do not intentionally collect special‑category data or data about minors.

4.2 Customer Uploads (lists/CSV/CRM): You own your uploads. You grant Prospeo the rights needed to operate/improve the Service and to help grow, enrich, and verify our dataset (without publicly associating you as the source of specific records). Individuals’ legal rights always prevail.

4.3 Product & site telemetry: Limited technical data (device, app/browser, usage events) necessary to secure and improve the Services.

5) Where we get data (sources)

Public web content, licensed partners, and customer/crowdsourced contributions. We do not list vendor names publicly.

6) How we use data

To provide and improve the Services; verify and maintain our B2B dataset; support accounts and billing; communicate about the Services; ensure security and prevent abuse; comply with law; and conduct B2B marketing to professionals.

Customer outreach: When customers use Prospeo to contact prospects, they act as independent controllers and must provide their own notices and opt‑outs.

7) Lawful bases (GDPR/UK GDPR)

• Legitimate interests: building/maintaining our B2B dataset; B2B marketing to professionals; securing our systems.
• Contract: providing customer accounts, billing, and subscribed features.
• Legal obligation: complying with applicable laws (e.g., responding to valid requests).

8) Information for individuals whose data we obtained indirectly (GDPR Art. 14)

We collect professional contact data from public sources, licensed partners, and customer contributions. For those individuals, this Policy sets out the controller identity/contact, purposes and legal basis (legitimate interests), categories of data, categories of recipients, international transfers and safeguards, and retention criteria. Because contacting every individual would involve disproportionate effort, we rely on Art. 14(5)(b) and publish this information here, while honoring your rights (including Art. 21 right to object) and offering an opt‑out/deletion workflow.

9) Your privacy rights

Subject to local law, you may request: access, erasure, restriction, portability, and (where applicable) rectification.

Verification: We typically verify via a professional/business email and may request additional information to confirm identity.

Timelines: We aim to respond within 1 month (extendable where allowed for complex requests).

Opt‑out / deletion from Prospeo’s dataset: Use our opt‑out form or email privacy@prospeo.io; after verification we remove your profile from our active dataset.

Suppression list: If you opt out, we maintain a suppression record (e.g., business email/phone) solely to honor your request and prevent re‑addition.

9.1 Right to object (GDPR Art. 21)

If we process your personal data based on legitimate interests, you may object at any time on grounds relating to your situation. If you object, we will stop unless we demonstrate compelling legitimate grounds. You may object to direct marketing at any time, and we will stop immediately. You can exercise this via our opt‑out form or by emailing privacy@prospeo.io.

9.2 Complaints to supervisory authorities

You have the right to lodge a complaint with your local data‑protection authority. A list of EU supervisory authorities is available via the European Data Protection Board (EDPB).

10) U.S. state privacy (e.g., CA/CO/CT/VA/UT)

Sale/Share & Targeted Advertising: Licensing certain Output Data may be deemed a sale, sharing, or targeted advertising. We provide a “Your Privacy Choices (Do Not Sell/Share)” link and honor Global Privacy Control (GPC) signals.

Sensitive Personal Information (CPRA): We do not collect/use “Sensitive Personal Information” (e.g., government IDs, account logins with credentials, precise geolocation, health, union membership) in a way that triggers a “Limit the Use of My Sensitive Personal Information” link. Typical fields we handle (name, business role, business contact, city‑level location) are not SPI. If this changes, we will update this Policy and provide the required link.

Authorized Agents: We accept authorized‑agent requests as provided by applicable law.

Appeals: If we deny your request, you may appeal by emailing privacy@prospeo.io within 45 days. We will review and respond within 45 days with our decision and rationale.

10.1 CPRA “Notice at Collection” (summary)

We collect the following categories of personal information for the purposes stated below. Retention is based on the criteria described (e.g., dataset refresh cycles, account lifecycle, legal requirements).

• Identifiers (business name, business email/phone) — Sources: public sources; licensed partners; customer contributions. Business purposes: provide/enhance Services; maintain B2B dataset; customer support; security. Sharing/disclosure: customers via Output Data; service providers (e.g., hosting). Retention: dataset schedule (refresh ≤24 months); remove stale within ~12 months; suppression retained to honor opt‑outs.
• Professional/Employment information (title, employer, department) — Sources: public sources; licensed partners; customer contributions. Business purposes: provide/enhance Services; maintain B2B dataset; analytics. Sharing/disclosure: customers via Output Data; service providers. Retention: same as above.
• Internet/Technical data (limited telemetry, truncated IP, device/app) — Sources: your device/browser; our applications. Business purposes: security, fraud prevention, reliability, diagnostics. Sharing/disclosure: service providers (security/ops); not sold/shared for advertising. Retention: account lifecycle + security logs per policy (typically ≤12–24 months).

We do not knowingly collect Sensitive Personal Information as defined by CPRA, nor do we use or disclose it to infer characteristics.

11) Customer Uploads & contribution license (Model C)

Customer Uploads & Contribution License

You retain ownership of the files and records you upload to Prospeo (for example, contact lists, CRM exports, or CSV files). When you submit these uploads, you grant Prospeo a perpetual, worldwide, royalty‑free license to ingest, use, and retain the contained data to operate, maintain, improve, and expand Prospeo’s B2B dataset.

This means Prospeo may permanently keep and reuse the business‑contact information and related signals derived from your uploads to verify and enrich its dataset, even after your account is closed.

Your individual account data (for example, the uploaded file itself and its association with your account) will be deleted from active systems within 90 days after account closure, with backups rolling off on a 90‑day cycle. However, the underlying professional data and aggregated verification signals contributed to Prospeo’s dataset will continue to be stored and processed in accordance with this Policy and applicable data‑protection laws.

Prospeo will never publicly attribute you as the source of specific records, and individuals’ legal rights (such as the right to erasure or objection) always prevail.

12) Aggregated and de‑identified data

We may create and use aggregated or de‑identified data for analytics, reporting, and to improve the Services. We commit not to attempt to re‑identify such data, and we require service providers to do the same.

13) Retention (dataset & backups)

Prospeo master dataset: refresh/re‑verify within ~24 months; delete stale/unreachable entries within ~12 months after being flagged. Backups: rolling 90 days.

14) International transfers & hosting

Primary hosting is in the USA (AWS us‑east‑1). For EU→Canada we rely on the EU adequacy decision for Canada’s PIPEDA. For EU/UK→US we use Standard Contractual Clauses (and, where relevant, the UK Addendum). AWS participates in the EU‑U.S. Data Privacy Framework; we reference this in our transfer assessments.

15) Sub‑processors & change notices

We don’t publish a public list. Customers can subscribe for change notices by emailing privacy@prospeo.io; we will email subscribed addresses ≥30 days before changes and allow objections within that window (as mirrored in our DPA).

16) Cookies

In the EU/UK/Quebec, we geo‑block non‑essential cookies (analytics/ads/session replay). Elsewhere, you can manage preferences and use Your Privacy Choices; we honor Global Privacy Control (GPC). See the Cookie Policy.

17) Security

We use industry‑standard measures including encryption in transit and at rest, role‑based access with least privilege, SSO/MFA where supported, regular security reviews, and annual third‑party penetration testing.

Security incidents & breach notification: If a personal data breach occurs that is likely to result in risk to individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Art. 33), and notify affected individuals when required. For Canada (PIPEDA), where there is a real risk of significant harm, we will notify affected individuals as soon as feasible, report where required, and maintain a breach log for 24 months.

18) Representatives in the EU & UK (GDPR Art. 27)

EU Representative: Kevin Viotti — 20 Rue de Belleville, 75020 Paris, France — gdpr-rep@prospeo.io

UK Representative: Sales Upskill LTD — 20 Wenlock Road, London, N1 7GU, UK — gdpr-rep@prospeo.io

19) Data Protection Officer

Prospeo has not appointed a GDPR Data Protection Officer (DPO) because we do not currently meet the criteria in GDPR Article 37.

Privacy Officer (Quebec Law 25 / public contact): Hugo Fredon — privacy@prospeo.io.

20) Children

Our Services are not intended for children. We do not knowingly process minors’ data in our dataset design.

21) Payments

Payments are processed by our payment partner (e.g., Stripe). We do not store full payment card details on Prospeo systems.

22) Google/Microsoft integrations (Limited Use)

Where you choose to connect Google or Microsoft accounts, our use of data obtained via their APIs complies with the Google API Services User Data Policy (including the Limited Use requirements) and the applicable Microsoft API terms. These connections are optional and controlled by you.

23) AI/automated processing & profiling

We may use algorithmic and automated processes to verify, score, and maintain data quality in our B2B dataset and to operate the Services. We do not engage in solely automated decision‑making that produces legal or similarly significant effects concerning individuals. Where our processing is based on legitimate interests, you have the right to object.

24) Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. Material changes will be notified (e.g., email/in‑app or site notice) and become effective on the stated date.

25) Privacy Center & self‑service

For quick actions—including access/export, deletion, opt‑out, Your Privacy Choices, and unsubscribe—visit our Privacy Center or contact privacy@prospeo.io.