Privacy Policy
Last updated: April 30, 2026
This policy describes how Prospector AI collects, uses, retains and protects personal data in the course of operating its B2B prospecting service. It complies with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the amended French Loi Informatique et Libertés (French Data Protection Act).
Language notice. This English translation is provided for convenience only. In the event of any discrepancy or conflict of interpretation, the French version prevails.
1. Nature of the data collected
1.1 Company data (our users’ prospects)
Prospector AI uses exclusively public business data, aggregated from several third-party sources and updated regularly: company name, business address, business phone number, business website, business email where it is publicly displayed, average rating, number of reviews, opening hours.
This data is voluntarily published by companies on public directories and platforms, accessible without authentication, and is B2B in nature.
1.2 Data about our users (account holders)
When you create an account, we collect:
- Business email address (login identifier)
- Password (stored only as a bcrypt hash)
- Preferred language (for transactional emails)
- Login IP address (server logs, 30 days)
- Billing data (handled by Stripe — see §6)
- Notification preferences
1.3 Technical usage data
Search logs (industry, city, date), token transactions, logs of AI-generated emails (subject line, sending status). No fine-grained behavioral data, no advertising tracking.
2. Legal basis for processing
The legal basis for collecting and using public company data for B2B prospecting is legitimate interest (art. 6.1.f GDPR). This use is expressly recognized as legitimate by the CNIL (the French data protection authority) for B2B commercial prospecting based on public business data.
The legal basis for processing our users’ data is the performance of the contract (art. 6.1.b GDPR) — the contract formed by acceptance of the ToS and payment of the subscription.
3. Purposes of processing
- Providing the company-scanning and AI email generation service
- Managing user accounts and billing
- Ensuring the security of the service (fraud detection, anti-abuse)
- Sending strictly necessary transactional emails
- Improving service quality (aggregated and anonymized metrics)
No data is resold, shared with third parties for advertising purposes, or used for automated profiling producing legal effects.
4. Rights of data subjects
4.1 Rights of companies appearing in our data
Any company (or its executive) may request the deletion of its data from our cache by sending an email to contact@prospector-ai.fr with the subject line « Suppression données B2B » (B2B data deletion) together with the company name and address concerned.
The request will be processed within 30 days at most, with an email confirmation once the deletion is effective.
4.2 Rights of users (account holders)
In accordance with the GDPR, you have the following rights:
- Right of access to your data (art. 15)
- Right to rectification (art. 16)
- Right to erasure (“right to be forgotten”, art. 17)
- Right to restriction of processing (art. 18)
- Right to data portability (art. 20)
- Right to object (art. 21)
- Right to set post-mortem directives
To exercise these rights, write to contact@prospector-ai.fr or use your account area. Response within 30 days at most.
In the event of disagreement, you may lodge a complaint with the CNIL (the French data protection authority).
5. Data retention
| Category | Retention period | Notes |
|---|---|---|
| User account (email, profile) | Duration of the contract + 30 days after termination | Withdrawal period and possible restoration |
| Billing data (Stripe invoices) | 5 years | Legal accounting obligation |
| SearchRequest (scan logs) | Rolling 12 months | Anonymization (user_id → NULL) beyond that |
| TokenTransaction (token transactions) | 5 years | Accounting obligation |
| EmailLog (AI email logs) | 12 months | Anonymization beyond that |
| HTTP server logs (access, IP) | 30 days | Automatic deletion |
| Area cache (company data) | 90 days per area | Renewed at the next scan |
6. Subprocessors and recipients
To provide the service, Prospector AI relies on the following providers, all selected for their GDPR compliance:
- Hosting (EU): Railway / Render — PostgreSQL database, Redis, FastAPI
- Payments: Stripe Inc. — payment data processed in PCI-DSS compliance
- Transactional emails: Resend / Brevo — sending of notification emails
- Third-party APIs used: providers of public B2B data (collection of aggregated and updated company information), Anthropic Claude (AI email generation — prompts are anonymized on Anthropic’s side)
All subprocessors have signed a data processing agreement (DPA) guaranteeing GDPR compliance. Transfers outside the EU are governed by the European Commission’s standard contractual clauses.
7. Security
- Encryption in transit: HTTPS / TLS 1.3
- Encryption at rest: PostgreSQL with disk encryption, encrypted Redis
- Passwords: bcrypt hash (never stored in plain text)
- OAuth tokens (Gmail/Outlook): encrypted in the database with a KMS key
- Authentication: signed JWT, revocable, short-lived
- Regular internal audit of access and logs
8. Cookies
Prospector AI uses a limited number of cookies:
pai_token: JWT session cookie (24-hour lifetime, SameSite=Strict) — strictly necessary for the service to workpai_ref: affiliate cookie (30-day lifetime, SameSite=Lax) — set only when you arrive via a referral link/ref/CODE
No advertising cookie or third-party tracking cookie (Google Analytics, Meta Pixel, etc.) is set. No prior consent is therefore required for strictly necessary functional cookies.
9. Account deletion
You can request the closure of your account from your account area or by email to contact@prospector-ai.fr.
- Timeframe: 30 days before effective deletion. You can cancel the request during this period.
- Personal data: deleted in full (account, email, scan history, EmailLog).
- Area cache: retained (it contains no personal data relating to you).
- Accounting data: retained for 5 years (legal obligation).
10. Changes to this policy
Prospector AI may amend this policy to reflect technical, regulatory or organizational changes. Any substantial change will be notified by email 30 days before it takes effect. You may cancel free of charge during this period.
11. DPO contact
For any question relating to the processing of your data or the exercise of your rights: contact@prospector-ai.fr
