Privacy Policy

Last updated: May 13, 2026

This Privacy Policy describes how Prospex (“Prospex”, “we”, “us” or “our”) collects, uses, stores, and protects information from users (“you”) of the Prospex application (the “Service”), available at tryprospex.com and app.tryprospex.com.

About Prospex: Prospex is an autonomous AI outbound sales platform that sends cold email campaigns on your behalf, detects inbound replies to pause sequences and surface them in your inbox, and books meetings with qualified leads via Calendly.

1. Information we collect

• Account information: name and email address you provide at sign-up.
• Usage data: access logs, actions performed in the Service, and technical metadata (IP address, browser, operating system).
• User content: prospecting data, contacts, message templates, and configurations you create or import.
• Email credentials: SMTP/IMAP credentials (host, port, app password) for the mailboxes you connect, encrypted at rest. We do not use Google OAuth or any Gmail API restricted scopes.
• Lead data imported by you: names, business emails, companies, job titles, and any custom fields you add for campaign execution. You are the controller of this data and are responsible for ensuring a valid legal basis to process it.
• Scheduling data: when a prospect books a meeting through your Calendly link, the booking metadata returned by Calendly (name, email, scheduled time) is associated with the corresponding lead.

2. How we use information

• Operate, maintain, and improve the Service.
• Authenticate access and protect the security of your account.
• Send outbound email campaigns through your connected mailbox and detect inbound replies via IMAP so we can pause sequences and surface them in your inbox.
• Generate and refine campaign copy with AI: when you ask the Service to draft, rewrite, or score messages, the relevant inputs (campaign context, prospect fields, and your prompt) are sent to a third-party large language model provider for processing. Outputs are returned to you for review and editing. Inputs and outputs are not used by us or by the provider to train their models.
• Communicate updates, security alerts, and provide technical support.
• Comply with legal obligations and prevent fraud.

3. Storage and security

The Service is hosted on cloud infrastructure located in the United States. SMTP/IMAP credentials are encrypted at rest (AES-GCM 256-bit), isolated per organization (workspace), and never exposed to other tenants or shipped to the browser. All communication between your browser, Prospex servers, and your mail provider occurs exclusively over TLS. We apply access controls, internal multi-factor authentication, and continuous monitoring. While we follow industry best practices, no system can be guaranteed 100% secure. In the event of a confirmed security incident affecting your personal data, we will notify you and the appropriate authorities as required by applicable law.

4. Sharing and sub-processors

Your email credentials and message content are not shared with third parties, are not used to train AI models, and are not sold. To operate the Service we rely on the following categories of sub-processors, each bound by contractual confidentiality and data protection obligations:

• Cloud hosting and database: compute, storage, and managed Postgres for application data and encrypted credentials.
• Transactional email: delivery of product notifications (sign-in links, alerts) sent by Prospex itself — separate from outbound campaigns, which always leave through your own mailbox.
• AI model providers: processing of campaign context and prompts for message drafting and scoring features. No training on your data.
• Scheduling: Calendly, when a prospect books a meeting via your Calendly link. Calendly receives the prospect's name, email, and answers to their booking form, governed by Calendly's own policies.
• Analytics and error monitoring: aggregate usage metrics and crash diagnostics to keep the Service reliable.

We may also disclose data to comply with legal obligations, court orders, or the regular exercise of rights.

5. Retention and deletion

We retain your data while your account is active. Your mailbox credentials and any cached message content are deleted when you:

• Disconnect the mailbox inside Prospex (Settings → Integrations → Disconnect);
• Delete your Prospex workspace; or
• Email cleber@esfera.studio and request deletion.

Upon any of the events above, we remove the corresponding data within 30 days, except where retention is required by law. You can also revoke the app password Prospex uses at any time from your mail provider's settings (for Gmail and Workspace accounts, that's myaccount.google.com/apppasswords).

6. Your rights

You may request, at any time: confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. Contact cleber@esfera.studio.

7. Cookies

We use essential cookies for authentication and Service operation, plus analytics cookies to understand aggregate usage. You can configure your browser to refuse cookies, but doing so may limit functionality.

8. Children

The Service is not intended for users under 18 years of age.

9. Changes to this Policy

We may update this Policy periodically. The “Last updated” date at the top will be revised, and material changes will be communicated by email or in-Service notice.

10. Contact

Privacy and data protection questions: cleber@esfera.studio
General support: cleber@esfera.studio