Privacy Notice

Last updated: 2026-05-06 · This notice tells you how Prospera collects, uses and protects personal data.

Plain-English summary. Prospera is a UK B2B prospecting platform. We collect business contact details (mostly company directors) from publicly-available sources like Companies House and the open web, plus account data about people who sign up. We use this for B2B prospecting under the legitimate interests lawful basis. You have a full set of rights under UK GDPR — the most important is that you can ask us to delete or stop using your data at any time. The detail below explains exactly what we collect, where it comes from, who sees it, and how to exercise your rights.

Who we are
Who this notice covers
What personal data we process
Where the data comes from
Why we process it (purposes)
Lawful bases (UK GDPR Article 6)
Who we share data with
International data transfers
How long we keep it
Your rights
Direct marketing & PECR
Automated decision-making and AI
Security measures
Data breach notification
Children
Changes to this notice
How to contact us & complain to the ICO

1. Who we are

"Prospera" (the "Service", "we", "our", "us") is a trading name of Paul Smith, operating as a sole trader in England & Wales. The proprietor (Paul Smith) is the data controller for personal data processed for our own purposes (running the Service, billing, security, marketing). For data you (as a paying customer) upload or save inside your tenant — we are the data processor and you are the data controller; our roles in that case are governed by our Data Processing Agreement.

Business address: Merchant House, 12 Merchant Court, NE31 2EX, United Kingdom.
Email: [email protected]

ICO registration: we are in the process of registering with the UK Information Commissioner's Office as a data controller. The registration number will be added here on completion. If you need our reference before then, email [email protected].

Note on legal entity: Prospera is currently operated by Paul Smith as a sole trader. If the business incorporates as a UK limited company, this page will be updated with the company's registered office and registration number, and we will give 14 days' notice of the change here. Your rights under this notice do not change with the operating entity.

2. Who this notice covers

This notice covers four groups of people:

Account holders — anyone who signs up for, logs into, or uses Prospera.
Demo visitors — people who try the public demo on the homepage.
Prospects — UK company directors and other business contacts whose details appear inside the Service because they were collected from publicly-available sources. Per UK GDPR Article 14 (data not collected directly from the data subject), we explain below where this data comes from and how to opt out.
Visitors — anyone visiting our website who hasn't signed up.

3. What personal data we process

3.1 Account holders

Category	Examples
Identity & contact	Name, business email, company name, role.
Authentication	Hashed password, login timestamps, IP address used to sign in.
Billing	Subscription plan, payment history, last 4 digits of card and card brand (full card details are held by Stripe, not by us). Billing address.
Service usage	Searches you run, leads you save, notifications, settings, API key activity, error logs.
Communications	Support emails, in-app messages, marketing preferences.
Cookies & analytics	See Cookie Policy.

3.2 Demo visitors

Email address you enter on the demo form.
The criterion text you submitted.
IP address and browser user-agent (for rate limiting and abuse prevention).
Whether you opted in to marketing updates (optional — opting out does not block the demo).

3.3 Prospects (UK company directors and contacts)

Where Prospera surfaces information about UK companies and their directors, the personal data we hold may include:

From Companies House (public statutory register): full name, year of birth, nationality, country of residence, role, dates of appointment / resignation, occupation, partial address (town only, not full residential), correspondence address, persons-with-significant-control flags.
From the company's own website: published email addresses (e.g. [email protected], [email protected]), phone numbers, social-media links, publicly-listed staff names & roles where the company chose to publish them.
From the open web (search-engine results): the company's LinkedIn page URL, public news mentions, accreditations (ISO 9001 etc.), VAT number, tagline.
Derived via pattern detection (e.g. predicting firstname.lastname@ from a confirmed pattern), classification labels, AI-generated summaries / scores.

We do not systematically scrape LinkedIn or any other site that prohibits automated access in its terms. Where we hold a LinkedIn page URL, it is identified via search-engine results and stored as a link, not as a data extraction. See Data sources & attribution for the full source list.

3.4 Visitors

IP address, user-agent, pages visited, referrer URL.
Cookies as described in our Cookie Policy.

4. Where the data comes from

For account holders, we collect data directly from you when you sign up, use the Service, or contact us.

For prospects (Article 14 disclosure), the data is collected from:

Companies House (developer.company-information.service.gov.uk) — used under the Open Government Licence v3.0. Companies House is the statutory UK company register and the data is public by Act of Parliament.
The company's own publicly-accessible website — pages such as /about, /contact, /team that the company has chosen to publish.
Search-engine results via SerpAPI — used to identify the company's website, LinkedIn page URL, and recent news mentions. SerpAPI returns Google's index of public web pages.
Hunter.io — third-party email-pattern provider that aggregates publicly-listed addresses to detect a company's email format.
DNS records — public MX records to identify the company's email infrastructure.

5. Why we process it (purposes)

Purpose	Lawful basis
Provide the Service to account holders	Contract (UK GDPR Art 6(1)(b))
Process payments and tax	Contract (Art 6(1)(b)) and legal obligation (Art 6(1)(c))
Surface UK company & director data for B2B prospecting	Legitimate interests (Art 6(1)(f))
Verify deliverability of business email addresses (Hunter)	Legitimate interests (Art 6(1)(f))
Operate the demo, prevent abuse / fraud, secure the platform	Legitimate interests (Art 6(1)(f))
Send service emails (password resets, billing, security)	Contract (Art 6(1)(b))
Send marketing emails to account holders	Soft opt-in under PECR + legitimate interests; opt-out at any time
Send marketing emails to demo visitors who ticked the optional opt-in box	Consent (Art 6(1)(a)); withdraw any time
Comply with law enforcement / regulatory requests	Legal obligation (Art 6(1)(c))

6. Legitimate-interests assessment (LIA)

Where we rely on legitimate interests for processing prospect data, we have considered the three-part test required by the ICO:

Purpose test: our legitimate interest is to provide a UK B2B prospecting service. Account holders' legitimate interest is finding qualified business prospects. Prospects' employer companies have an interest in being discoverable for legitimate B2B opportunities (which is precisely why the company has published its directors and contact details).
Necessity test: the processing is necessary for the purpose. We could not provide a B2B prospecting service without aggregating company and director information. We use the minimum data needed.
Balancing test: we balance our interest against the rights of data subjects. Mitigations: (a) we use only publicly-available sources; (b) directors are public-by-statute; (c) we do not collect special-category or sensitive data; (d) we honour all opt-out / erasure requests promptly; (e) account holders are bound by terms requiring lawful PECR / GDPR-compliant outreach; (f) we hold a global suppression list so a one-time opt-out applies across all future processing.

Conclusion: legitimate interests is an appropriate lawful basis for processing UK company-director data for B2B prospecting. We document this assessment internally and review it annually.

We use the following sub-processors. Full details — purposes, location, transfer safeguards — are on the Sub-processors page.

Stripe — payment processing.
OpenAI — AI-generated summaries / "why-now" rationales.
Hunter.io — email-pattern lookup.
SerpAPI — search-engine result aggregation.
Resend / similar transactional email provider — service emails (password reset, billing).
Hosting infrastructure provider — running the Service.
Companies House — public-data API consumer (one-way; we read, they don't receive personal data).

We do not sell personal data to third parties. We do not share data with advertising networks. We may disclose data when legally required (court order, regulatory request, or to protect the safety / rights of users or the public).

8. International data transfers

Some of our sub-processors are located outside the UK (notably the United States). When personal data is transferred internationally, we rely on the following safeguards as required by UK GDPR Articles 44-49:

The UK Government's adequacy decision for the EU/EEA where applicable.
The UK-US Data Bridge (Data Privacy Framework) for transfers to certified US providers.
Standard Contractual Clauses (UK Addendum) for transfers where DPF certification is not in place.
Sub-processors' own technical and organisational measures.

The current locations are listed on the Sub-processors page.

9. How long we keep it

Data category	Retention
Account-holder profile + login history	Whilst the account is active, plus 6 years after closure for tax / accounting / legal-defence purposes.
Billing records	6 years from the date of payment (UK statutory tax record-keeping requirement).
Demo capture (email + IP)	24 months from submission, or until the user requests deletion.
Prospect data inside a customer's tenant	Whilst the customer's account is active. On account closure, deleted within 90 days unless the customer asks for a final export first.
Aggregated cache data (CH, web pages)	Up to 90 days for the cache itself; refreshed on demand.
Suppression / opt-out / "do-not-contact" list	Indefinitely — this is the legally-correct way to stop processing your data without losing the record that you asked us to stop.
Web-server logs	Up to 90 days.

10. Your rights

Under UK GDPR you have the following rights, all of which we honour without charge in the vast majority of cases. Statutory deadline: one calendar month from a complete request.

Access (Art 15) — a copy of the personal data we hold about you.
Rectification (Art 16) — correction of inaccurate data.
Erasure / "right to be forgotten" (Art 17) — deletion, except where retention is required by law (e.g. tax records).
Restriction of processing (Art 18) — pause processing while a dispute is resolved.
Data portability (Art 20) — receive your data in a structured machine-readable format.
Object to processing (Art 21) — including a specific right to object to direct marketing and to processing under legitimate interests.
Not be subject to automated decision-making (Art 22) — see section 12 below.
Withdraw consent at any time, where consent is the lawful basis used.

To exercise any right, email [email protected]. We may need to verify your identity before responding.

10.1 The "remove me from your database" path for prospects

If you are a UK company director and you don't want your details surfaced inside Prospera, email [email protected] with the company name and your name. We will:

Within 7 days: confirm receipt and remove your record from active surfacing.
Within 30 days: complete the erasure across our database.
Add your details to our permanent suppression list so re-import never re-creates the record.

Note: information such as your name and director appointments will still appear on the Companies House public register itself. We can only control what's in our copy.

11. Direct marketing & PECR

The Privacy and Electronic Communications Regulations (PECR) layer extra rules on top of GDPR for marketing emails, calls and texts. Our position:

Marketing emails to account holders: we rely on PECR's "soft opt-in" for our own customers (Reg 22(3)) and on legitimate interests under GDPR. Every marketing email contains a one-click unsubscribe.
Marketing emails to demo visitors: we rely on consent — only sent if you ticked the optional opt-in box at demo time.
Marketing calls: we do not perform phone outreach to data subjects ourselves. Any phone outreach by an account holder using data they obtained from Prospera is the account holder's responsibility, including TPS / CTPS screening and consent / soft-opt-in checks where applicable.
Marketing texts: we do not send marketing texts.

12. Automated decision-making and AI

Prospera uses AI (large-language models) to:

Generate plain-English summaries of company financials and "why-now" outreach rationales.
Score lead suitability based on the data we have collected.
Translate user-typed search criteria into structured filter sets.

These are advisory outputs shown alongside source data; they do not constitute solely-automated decision-making producing legal or similarly significant effects on a data subject (UK GDPR Art 22). Account holders are required by our Terms to verify any AI-derived information against the underlying source before acting on it. AI outputs may be plausible-sounding but factually inaccurate; we explicitly do not warrant accuracy.

The Business Health Indicator and any score we surface are not credit ratings and are not regulated financial products. We are not a Credit Reference Agency.

13. Security measures

We apply the following technical and organisational measures (UK GDPR Art 32):

HTTPS / TLS for all traffic in transit.
Encryption at rest for the database and backups.
Per-tenant data isolation enforced at the application layer (TenantScopedQuery pattern).
Hashed passwords (bcrypt or equivalent); never stored in plaintext.
Per-tenant API keys hashed at rest; never logged.
Stripe holds card details under PCI-DSS Level 1 — we never see or store the card number.
Role-based access control on the application; super-admin actions audit-logged.
Backups taken at least daily, retained for at least 7 days, encrypted.
Vulnerability monitoring of dependencies; security patches applied promptly.
Sub-processor due-diligence — listed on Sub-processors page.

14. Data breach notification

In the event of a personal-data breach that poses a risk to data subjects, we will notify the ICO within 72 hours of becoming aware (UK GDPR Art 33). Where the breach is likely to result in a high risk to data subjects, we will also notify affected individuals without undue delay (Art 34).

15. Children

Prospera is a B2B service for adult business users. We do not knowingly collect data from anyone under 16. Contact us if you believe we hold data on a minor and we will delete it promptly.

16. Changes to this notice

We may update this notice. Material changes will be notified by email to account holders at least 14 days before they take effect. The "last updated" date at the top of the page reflects the most recent revision.

17. How to contact us & complain to the ICO

Email: [email protected] for any privacy or data-protection question.

You also have the right to complain to the UK Information Commissioner's Office (ICO):

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would prefer to address concerns directly first — please contact us before raising a complaint.