This policy describes how Prospectra processes personal data of its Users (account holders) within the meaning of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR") and French law no. 78-17 of 6 January 1978, as amended, on data processing, files and freedoms.
Processing of Prospect data imported by Users (B2B contacts who receive the campaigns) is covered by a separate policy.
1. Controller
The controller is:
(to be configured by the operator)
Contact: —
2. GDPR contact point
For any question regarding the processing of your personal data, or to exercise your rights, please contact:
Prospectra is not required, under current regulations, to designate a data protection officer (DPO) within the meaning of article 37 of the GDPR. A GDPR contact point has nevertheless been designated to respond to data subjects' requests.
3. Data collected
The following categories of data are collected and processed:
3.1 Registration and account data
- professional email address;
- password (stored only as a strong cryptographic hash, bcrypt);
- company name and display name (optional);
- locale and display preferences.
3.2 Billing data (for paid plans)
- corporate name, billing address, intra-EU VAT number;
- payment means (card details are processed and stored exclusively by the payment provider, never by Prospectra);
- invoice history.
3.3 Technical data and logs
- IP address (anonymised by truncation before long-term storage);
- user agent (browser, operating system);
- timestamps of logins and sensitive actions (creation, deletion, exports);
- error traces and application logs needed for diagnosis.
3.4 Service usage data
- saved message templates, prompts, campaign parameters;
- sending history and aggregated statistics;
- notification preferences.
3.5 Support data
- content of exchanges with the support team (tickets, messages, screenshots you send us).
4. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Creation and management of the User account | Performance of contract (art. 6.1.b) |
| Provision of the subscribed Service | Performance of contract (art. 6.1.b) |
| Billing and collection | Performance of contract (art. 6.1.b) + legal obligation (art. 6.1.c) for accounting retention |
| Operational communications (alerts, Terms change notifications) | Performance of contract (art. 6.1.b) |
| Commercial communications about similar services | Legitimate interest (art. 6.1.f) with simple right to object |
| Security, fraud and abuse prevention, logging | Legitimate interest (art. 6.1.f) — Service security |
| Production of aggregated and anonymous usage statistics | Legitimate interest (art. 6.1.f) |
| Responding to requests from competent authorities | Legal obligation (art. 6.1.c) |
5. Recipients
The data collected is accessible, within the limits of their duties, to:
- authorised persons within (to be configured by the operator) (support, administration);
- other Users of the same client account (team members), for data shared within that workspace;
- technical processors of Prospectra listed in paragraph 7.
No data is sold or transferred to third parties for commercial purposes.
6. Transfers outside the European Union
The Service is hosted within the European Union (see legal notice for the host's identity).
Some technical processors (notably AI model providers) may process data outside the European Economic Area. In such cases, the transfer is framed either by an adequacy decision of the European Commission, or by the standard contractual clauses adopted by the Commission, or by any other appropriate guarantee provided for in chapter V of the GDPR. The list of processors and the countries concerned are specified in paragraph 7 below.
7. Processors
The main processors of Prospectra are listed below. The up-to-date list is available on request at .
| Processor | Purpose | Processing location | Safeguards |
|---|---|---|---|
| (to be configured by the operator) | Infrastructure hosting | See legal notice | Data processing agreement in accordance with art. 28 GDPR |
| AI model providers (OpenAI, Anthropic, Mistral AI, Groq depending on the Client's configuration) | AI-assisted content generation, suggestions | European Union or United States depending on the provider | EC standard contractual clauses — API data not used for retraining (per contract) |
| SMTP relay providers (configured by the Client) | Delivery of outgoing messages | Variable depending on the Client's configuration | Under the Client's responsibility, as the Client configures their own provider |
| Payment provider (if applicable) | Subscription processing | European Union | PCI-DSS certified |
8. Retention periods
| Data | Period |
|---|---|
| Active account data | For the duration of the contract |
| Account data after termination | Thirty (30) days to allow reactivation and export, then deletion. Backups purged within ninety (90) days |
| Billing data | Ten (10) years from the close of the relevant accounting year (article L.123-22 of the French Commercial Code) |
| Security logs (logins, audit) | Thirteen (13) months, in line with French CNIL doctrine |
| Support tickets | Three (3) years after closure of the ticket |
| Prospecting data (for Prospectra communications) | Three (3) years from the last contact, in line with French CNIL deliberation no. 2016-264 |
Beyond these periods, data is deleted or irreversibly anonymised.
9. Your rights
In accordance with articles 15 to 22 of the GDPR, you have the following rights regarding your data:
- Right of access (art. 15): obtain confirmation that your data is being processed and receive a copy;
- Right to rectification (art. 16): obtain correction of inaccurate or incomplete data;
- Right to erasure (art. 17): obtain deletion of your data in cases provided for by the GDPR;
- Right to restriction of processing (art. 18);
- Right to portability (art. 20): receive your data in a structured, machine-readable format;
- Right to object (art. 21): object to the processing of your data on grounds relating to your particular situation, or at any time for commercial prospecting purposes;
- Right to define directives for the retention, deletion and communication of your data after your death (article 85 of the French Data Protection Act);
- Right to withdraw consent at any time, where processing is based on consent.
How to exercise your rights
To exercise your rights, you may:
- use the export and deletion features integrated into your personal area ();
- send an email to the GDPR contact point: ;
- send postal mail to the address of (to be configured by the operator) indicated in the legal notice.
A response will be provided within one month of receipt of your request, extendable by two months in case of particular complexity.
A copy of your ID may be requested in case of reasonable doubt about your identity. Such a copy will only be retained for the strict time necessary for verification.
Lodging a complaint with the supervisory authority
If, after contacting us, you consider that your rights have not been respected, you may lodge a complaint with the French data protection authority (CNIL):
- 3 Place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07 — France
- Phone: +33 1 53 73 22 22
- Online: www.cnil.fr/plaintes
You may also lodge a complaint with the supervisory authority of your habitual residence within the European Union.
10. Security
Prospectra implements technical and organisational measures to preserve the confidentiality, integrity and availability of your data, including:
- encryption of communications in transit (TLS);
- strong cryptographic hashing of passwords (bcrypt);
- role-based access control, logging of sensitive actions;
- regular encrypted backups;
- internal secret management policies and security reviews.
As no system is infallible, these measures are deployed as a best-efforts obligation. In the event of a data breach posing a risk to your rights and freedoms, you will be informed in accordance with article 34 of the GDPR.
11. Cookies
The Service uses only strictly necessary cookies (session, CSRF protection). No advertising or invasive analytics cookies are set. See the cookie policy.
12. Changes
This policy may be updated to reflect legislative or technical developments. Substantial changes are notified to Users in advance and, where applicable, are subject to a new acceptance request in accordance with the Terms.
The version history is available at the bottom of this page.