Privacy Policy

1. Data Controller

Prospect is the data controller responsible for your personal data. For questions about data processing or to exercise your rights, contact us at:

• Email: privacy@prospect.trade
• Data Protection Officer (DPO): dpo@prospect.trade

2. What Data We Collect

We collect the following categories of personal data:

• Account information: Name, email address, company name, and password (hashed)
• Simulation data: Trade simulation parameters you enter (HS codes, product values, origin/destination countries, shipping methods)
• Usage analytics: Pages visited, features used, session duration, and interaction patterns
• Payment information: Processed by Stripe; we do not store full credit card numbers
• Technical data: IP address, browser type, device information, and cookies

3. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7(V)): To provide the Service, manage your account, and process subscriptions
• Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)): To improve our Service, conduct analytics, and ensure security
• Consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)): For optional analytics cookies and marketing communications
• Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7(II)): To comply with applicable legal and regulatory requirements

4. How We Use Your Data

• To provide and maintain the Service
• To process your trade simulations and tariff lookups
• To manage your account and subscription
• To send transactional emails (account confirmations, invoices)
• To improve the Service through aggregated, anonymized analytics
• To detect and prevent fraud or unauthorized access
• To comply with legal obligations

5. Third-Party Processors

We share your data with the following third-party processors, each bound by data processing agreements:

• Stripe (USA):Payment processing. Stripe's privacy policy applies to payment data.
• OVH (France, EU): Database hosting (PostgreSQL). Data stored within the EU.

6. Data Retention

• Account data: Retained for the duration of your account plus 30 days after deletion request
• Simulation data: Retained for the duration of your account; deleted within 30 days of account closure
• Usage analytics: Aggregated and anonymized data retained indefinitely; identifiable data deleted after 24 months
• Payment records: Retained for 7 years to comply with financial reporting obligations
• Server logs: Retained for 90 days

7. Your Rights (GDPR & LGPD)

Under GDPR and LGPD, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your personal data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interest
• Right to restrict processing: Request limitation of data processing
• Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@prospect.trade. We will respond within 30 days (or 15 days under LGPD for simplified requests).

8. Cookie Usage

We use cookies and similar technologies to operate the Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

9. International Data Transfers

Your data is primarily stored on servers located in France (EU) hosted by OVH. When data is transferred to processors outside the EU/EEA (such as Stripe in the USA), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission or Brazilian ANPD where applicable

For transfers involving Brazilian personal data, we comply with LGPD requirements for international data transfers as set out in Articles 33 to 36.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
• Notify the Brazilian ANPD and affected data subjects within a reasonable timeframe (LGPD Art. 48)
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms

11. LGPD-Specific Provisions

For users located in Brazil, the following additional provisions apply under the LGPD:

• Data Protection Officer (Encarregado): We have appointed a DPO who can be reached at dpo@prospect.trade
• Legal bases under LGPD: We process your data under the legal bases outlined in Article 7 of the LGPD, including consent, contract performance, legitimate interest, and legal obligation
• Right to review automated decisions: You may request review of decisions made solely based on automated processing of your personal data
• Right to information about sharing: You may request information about the public and private entities with which we share your data

12. Contact for Data Requests

For any data-related requests or concerns:

• General privacy inquiries: privacy@prospect.trade
• Data Protection Officer: dpo@prospect.trade

You also have the right to lodge a complaint with a supervisory authority in the EU or with the ANPD in Brazil.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a notice on the Service. The "last updated" date at the top reflects the most recent revision.