GDPR Compliance

Last updated: February 2026

Our Commitment to GDPR

The EU General Data Protection Regulation (GDPR) is the most comprehensive data privacy framework in Europe, in effect since 25 May 2018. Prospecco is fully committed to complying with the GDPR and applies its principles across every aspect of our platform. As a B2B data enrichment service, we recognise the particular importance of responsible and transparent handling of business contact data.

This page explains how we comply with the GDPR, the roles we play in data processing, the rights available to data subjects, and how to exercise those rights.

Does This Affect You?

The GDPR applies to the personal data of EU and EEA residents, regardless of where the data controller or processor is located. If you use Prospecco to enrich or manage data that includes individuals based in the EU or EEA, the regulation applies to that processing. In practice, most businesses using B2B data enrichment services need to consider the GDPR.

Data Controller and Data Processor Roles

Under the GDPR, the data controller is the entity that determines the purposes and means of processing personal data. The data processor is an entity that processes personal data on behalf of a controller.

Prospecco operates in both capacities depending on the context:

Prospecco as Data Controller

Prospecco acts as a data controller for the following processing activities:

  • Customer account data: Information you provide when creating and managing your Prospecco account, including your name, email address, company details, and billing information
  • Platform usage data: Information about how you interact with our platform, used to improve our services, analyse usage patterns, and prevent fraud
  • Marketing and communications: Data processed to send you service updates, product announcements, and marketing communications where you have opted in
  • Compliance and legal obligations: Data we process to comply with applicable tax, accounting, and regulatory requirements

Prospecco as Data Processor

Prospecco acts as a data processor when enriching, verifying, or managing data on your behalf. This includes:

  • Dataset management: Contact and company records you upload or create within Prospecco datasets
  • Email finding and verification: Personal data processed when we find or verify email addresses for contacts in your datasets
  • Company data enrichment: Business records enriched with additional firmographic data such as company size, industry classification, and registered information
  • LinkedIn profile enrichment: Professional profile data retrieved and associated with contacts in your datasets
  • Web scraping enrichment: Data gathered from publicly available web sources to enrich your records

As a Prospecco customer, you are the data controller for the data you import, create, or enrich through our platform. This means you are responsible for determining the purpose and establishing the legal basis for processing that data. Prospecco processes it strictly in accordance with your instructions and our Data Processing Agreement.

Data Processing Agreement

Under Article 28 of the GDPR, data controllers must have a Data Processing Agreement (DPA) in place with their processors. Prospecco provides a DPA as part of our terms of service. If you require a separately signed copy, please contact dpo@prospecco.com.

Data Location

Prospecco is committed to processing data within secure, well-regulated jurisdictions. Our infrastructure is hosted as follows:

  • Application backend: Our backend services run on Convex, which provides real-time data storage and serverless compute
  • Web application hosting: Our web application is deployed on Cloudflare Workers, a globally distributed edge computing platform with data centres across the EU and worldwide
  • Payment processing: All billing and subscription data is handled by Stripe, which is certified under the EU-US Data Privacy Framework
  • Authentication: User authentication is managed through Better Auth with data stored in our primary backend infrastructure

Where data is processed outside the EEA, we ensure appropriate safeguards are in place as described in the International Transfers section below.

Purposes of Processing

We process personal data for specific, defined purposes depending on the service being used. Below is a breakdown by service type:

Email Finding

When you use our email finding service, we process the contact name and company domain you provide to locate a valid business email address. This involves querying third-party data providers and publicly available sources. The resulting email address is stored in your dataset and associated with the contact record.

Email Verification

Our email verification service processes email addresses to confirm their deliverability and validity. This includes checking syntax, domain MX records, and mailbox existence. Verification results are stored against the contact record in your dataset.

Company Data Enrichment

Company enrichment processes business identifiers (such as company name or registration number) to retrieve publicly available firmographic data including company size, industry classification, registered address, and filing history. This data is sourced from official registries and third-party business data providers.

LinkedIn Profile Enrichment

LinkedIn enrichment processes professional profile data to associate job titles, employment history, and professional details with contacts in your datasets. This data is sourced from publicly available professional profiles.

Web Scraping Enrichment

Web scraping enrichment processes publicly available web data to supplement contact and company records with additional information found on company websites and other public sources.

AI-Powered Analysis

Prospecco uses Google Generative AI to analyse and enhance data quality. AI processing is used to categorise, deduplicate, and standardise enriched data. AI-processed data is not used to train third-party models.

Lawful Basis for Processing

We rely on the following lawful bases for processing personal data:

  • Contractual necessity (Article 6(1)(b)): Processing account data and enrichment requests necessary to perform our contract with you. This covers account creation, service delivery, billing, and customer support
  • Legitimate interests (Article 6(1)(f)): Processing B2B contact data for the purpose of business-to-business data enrichment. We process only data that is already publicly available online for informational purposes. Our users have a legitimate interest in having easier access to publicly available business data and in connecting with other businesses. We have conducted a Legitimate Interest Assessment confirming that this interest does not override the fundamental rights of data subjects, considering the reasonable expectations of B2B contacts, the limited and professional nature of the data processed, and the safeguards we apply
  • Consent (Article 6(1)(a)): Where applicable, we obtain explicit consent for specific processing activities such as marketing communications
  • Legal obligation (Article 6(1)(c)): Processing required to comply with tax, accounting, and other regulatory requirements

Data Subject Rights

Under the GDPR, data subjects have the following rights, which we fully support:

  • Right of access (Article 15): Request a copy of the personal data we hold about you
  • Right to rectification (Article 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Article 17): Request deletion of personal data where there is no compelling reason for continued processing
  • Right to restrict processing (Article 18): Request that we limit processing of your data in certain circumstances
  • Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format
  • Right to object (Article 21): Object to processing based on legitimate interests, including profiling and direct marketing

To exercise any of these rights, please email support@prospecco.com. We will respond within 30 days. For requests relating to data we process on behalf of our customers (where we act as processor), we will refer the request to the relevant customer (as the data controller) and assist in fulfilling it.

Right of Erasure

Data subjects have the right to request deletion of their personal data under Article 17 of the GDPR. When we receive an erasure request, we will:

  • Delete the personal data from our own systems and databases within 30 days
  • Remove the data from any enrichment results and suppress it from future enrichment queries
  • Notify any sub-processors who have received the data to delete their copies
  • Confirm the deletion to the data subject in writing

Where we act as a data processor, we will forward the erasure request to the relevant data controller (our customer) and assist them in fulfilling it. We will also delete the data from our processing systems unless retention is required by law.

Opt-Out and Data Removal

If you are a data subject whose information appears in enrichment results provided through the Prospecco platform, you have the right to opt out and request removal of your data, even if you are not a Prospecco customer.

You can:

  • Request data removal: Have your personal data removed from our enrichment databases so it will no longer be returned in enrichment results
  • Opt out of future enrichment: We will add your details to our suppression list to ensure your data is excluded from all future enrichment queries
  • Request a data copy: Obtain a copy of any personal data we hold about you in our enrichment systems

To submit an opt-out or data removal request, please email support@prospecco.com with the subject line "Data Opt-Out Request". Include your full name and the email address(es) you wish to have removed. We will process your request within 30 days and confirm the action taken.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are as follows:

  • Customer account data: Retained for the duration of your active subscription and for up to 12 months after account closure, unless longer retention is required by law
  • Enrichment results: Stored in your datasets for as long as you maintain them. When you delete a dataset or individual records, the data is permanently removed within 30 days
  • Email finding and verification logs: Retained for 90 days after the enrichment request, then automatically purged
  • General service logs: Retained for 30 days for the purposes of monitoring, debugging, and fraud prevention, then automatically destroyed
  • Billing records: Retained for the period required by applicable tax and accounting regulations (typically 6 years in the UK)
  • Suppression list entries: Opt-out records are retained indefinitely to ensure continued compliance with data removal requests

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. You can contact our DPO at:

Sub-processors

We use a limited number of sub-processors to help deliver our services. All sub-processors are contractually bound to process data in accordance with the GDPR and our Data Processing Agreements. Our current sub-processors include:

  • Convex: Real-time backend infrastructure providing database storage, serverless compute, and data synchronisation
  • Cloudflare: Web application hosting, content delivery, and edge computing via Cloudflare Workers
  • Stripe: Payment processing for billing and subscription management
  • Google (Generative AI): AI-powered data analysis and enrichment quality enhancement
  • Third-party data providers: Specialised data sources used to fulfil email finding, company enrichment, and verification requests

We maintain an up-to-date list of sub-processors and will notify customers of any material changes. Customers may object to new sub-processors in accordance with our Data Processing Agreement.

International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards in accordance with GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs with all sub-processors located outside the EEA
  • Adequacy decisions: Where available, we rely on adequacy decisions recognising countries as providing adequate data protection, including the EU-US Data Privacy Framework
  • Supplementary measures: We implement additional technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), to protect data during international transfers

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects
  • Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Notify our customers (as data controllers) without undue delay when a breach involves data we process on their behalf
  • Document all breaches, including the facts, effects, and remedial actions taken, in our internal breach register

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when introducing new processing activities that are likely to result in a high risk to data subjects. Our DPIA process includes:

  • Systematic assessment of the necessity and proportionality of the processing
  • Evaluation of risks to the rights and freedoms of data subjects
  • Identification and implementation of measures to mitigate identified risks
  • Consultation with our DPO and, where required, the supervisory authority

Technical and Organisational Measures

Prospecco implements appropriate technical and organisational measures to ensure the security of personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Role-based access controls applied on the principle of least privilege
  • Regular security assessments and vulnerability monitoring
  • Secure authentication with support for single sign-on (SSO)
  • Automated data deletion in accordance with our retention schedules
  • Incident response procedures with defined escalation paths

Contact

For any questions about our GDPR compliance practices, please contact us:

You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, you may contact your national Data Protection Authority.