PROSIGHTS PRIVACY POLICY

Last updated: October 18, 2025

This privacy notice for Prosights Labs, Inc. (doing business as "Prosights," "we," "us," or "our") describes how we collect, use, disclose, retain, protect, and dispose of personal information related to our websites, applications, and services (collectively, the "Services").

Enterprise scope: This notice does not apply to Enterprise Customer Data processed under a separate enterprise agreement and data processing addendum.

We maintain a security and privacy program aligned with industry standards, including SOC 2 controls. We completed a SOC 2 Type II report on May 20, 2025.

Contact: support@prosights.co

1) DEFINITIONS

  • Personal Information (PI): Information that identifies, relates to, describes, or can reasonably be linked to an individual or household.
  • Sensitive Personal Information (SPI): Categories defined by applicable law (e.g., account credentials).
  • De-Identified, Aggregated, or Derived Data: Data that cannot reasonably be used to identify a person, including statistics, usage metrics, embeddings/vectors, and content transformed to remove direct and reasonably linkable identifiers. We maintain de-identification and contractually prohibit re-identification.

2) INFORMATION WE COLLECT

A. You provide directly

Account/profile data (name, email, username, password, role/title, organization if provided); content you submit (e.g., text, files, prompts, feedback, support tickets); communication preferences; and marketing sign-ups where applicable.

SPI (limited): account login credentials (email/username + password).

Payments: handled by Stripe; we do not store full card numbers (we may store tokens/last-4/expiration for billing).

B. Automatically collected

Log/usage data (feature use, timestamps, IP, device identifiers, error logs); device/network data (OS, browser, app version, ISP/mobile carrier). We may infer approximate location from IP for security and localization. We do not collect precise geolocation.

C. From service providers/partners

Identity, hosting, analytics, security, customer support, compute/inference, and payments providers may supply limited information needed to operate, secure, and support the Services. We do not purchase personal information from data brokers.

Google APIs notice. Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including Limited Use; Google Workspace APIs are not used to develop, improve, or train generalized AI/ML models.

3) OUR USE OF SERVICE PROVIDERS AND TECHNOLOGY PARTNERS

We engage service providers and technology partners for infrastructure, compute/inference, analytics, security, support, and related operations.

  • Feature delivery. To provide requested functionality, certain inputs may be processed under written agreements that restrict use to providing services to us, require appropriate security, and prohibit unauthorized secondary use.
  • Free Users — de-identified/aggregated/derived data. From time to time, and where permitted by law, we may use and disclose de-identified, aggregated, and derived data related to Free User interactions for evaluation and improvement of features, research, safety and abuse prevention, quality assurance, reliability/performance analysis, and other business operations. Such data is not personal information; we maintain de-identification and prohibit re-identification by contract.
  • No sale / no cross-context behavioral advertising. We do not sell personal information or share it for cross-context behavioral advertising.
  • Subprocessor list. Our subprocessor information is available upon request in our Data Processing Agreement (DPA).

4) HOW WE USE PERSONAL INFORMATION

We use PI to:

  • Provide and maintain the Services (authentication, account administration, feature functionality).
  • Secure the Services (fraud/abuse detection, integrity, incident response).
  • Support and communicate (troubleshooting, notices, product updates, and marketing where permitted). You may opt out of marketing communications at any time by using the unsubscribe links in our emails or by contacting support@prosights.co.
  • Evaluate and improve features, safety, performance, and user experience; conduct analytics, quality assurance, and research.
  • Comply with law and enforce terms; protect rights, safety, and property.

Where required (e.g., EEA/UK), legal bases include contract necessity, legitimate interests, consent (where applicable), and legal obligations.

5) SOURCES OF PERSONAL INFORMATION

  • Directly from you;
  • Automatically from your devices and use of the Services;
  • From service providers/partners supporting identity, hosting, analytics, security, payments, support, and compute/inference.

6) DISCLOSURE OF PERSONAL INFORMATION

We disclose PI to:

  • Service providers and subprocessors under written agreements that restrict use to providing services to us and require appropriate security;
  • Successors/assignees in connection with mergers, acquisitions, financings, or similar transactions;
  • Authorities or other parties where required to comply with law, enforce terms, or protect rights/safety; and
  • Others as directed or authorized by you.

De-identified/aggregated/derived data may be used and disclosed as described in Section 3. We maintain measures to prevent re-identification and prohibit it contractually.

We do not sell personal information or share it for cross-context behavioral advertising.

7) INTERNATIONAL DATA TRANSFERS

We may transfer PI to jurisdictions with different data protection laws. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses and UK Addendum) and conduct transfer risk assessments. Our primary hosting region is the United States.

8) RETENTION & DISPOSITION

We retain PI only as long as necessary for the purposes described, to satisfy legal, accounting, or reporting requirements, and for security/fraud prevention. When PI is no longer needed, it is deleted or de-identified. If immediate deletion is not possible (e.g., backups), PI is segregated and access-restricted until deletion.

Retention criteria. We determine retention periods based on factors such as the amount, nature, and sensitivity of the data; potential risk from unauthorized use or disclosure; the purposes for which we process it and whether those purposes can be achieved through other means; applicable legal, regulatory, tax, accounting, or reporting requirements; and our security, fraud-prevention, resilience (RTO/RPO), and business continuity needs.

9) ANALYTICS & TELEMETRY (NO COOKIES)

We do not rely on browser cookies to operate the Services and do not use third-party advertising cookies. We collect usage telemetry to improve the Services, including via PostHog (feature use, performance metrics, error events). Contact support@prosights.co with questions about analytics settings.

10) SECURITY MEASURES (TECHNICAL, ORGANIZATIONAL & PHYSICAL)

We employ layered safeguards, including:

  • Encryption in transit and at rest (e.g., TLS 1.2+, AES-256);
  • Access controls (least privilege, role-based access, SSO/MFA, privileged access management, secrets management);
  • Secure development (code review, CI/CD gates, dependency scanning);
  • Monitoring (centralized logging/SIEM, anomaly detection, vulnerability scanning);
  • Annual penetration tests by qualified professionals;
  • Personnel security (confidentiality agreements, background checks, and annual security & privacy training for employees and contractors);
  • Event logs retained for three months;
  • Quarterly access recertification across systems holding confidential or personal information.

No method is 100% secure. See Section 11 for incident response.

Resilience targets: RTO 4 hours for critical services (AI systems included); RPO 1 hour via frequent backups and resilient storage. Targets are non-contractual; any binding service levels are set out in applicable customer agreements.

11) SECURITY INCIDENTS & BREACH NOTIFICATIONS

We maintain an Incident Response Plan (detection, containment, eradication, recovery, post-incident review, and notifications). If a breach results in unauthorized access to PI, we will investigate, mitigate, and notify affected parties without undue delay and within applicable legal timelines.

Recipients may include affected individuals, regulators/authorities, and law enforcement where appropriate. We may defer notice at the request of law enforcement if disclosure would impede an investigation. See Annex B.

12) YOUR PRIVACY RIGHTS, EU/UK REPRESENTATIVE & HOW TO EXERCISE RIGHTS

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to certain processing, and to withdraw consent where consent applies.

  • Submit requests or questions to support@prosights.co.
  • We will verify your identity and respond within required timeframes (for example, generally within 45 days for certain U.S. state laws).
  • Authorized agent requests are honored as permitted by law.
  • Appeals: If we decline a request, you may appeal via support@prosights.co. If your appeal is denied, you may contact your applicable regulator.

EEA/UK users. You also have the right to lodge a complaint with your local supervisory authority. Where required, our EU/UK representative is:

Justin Wu
Email: Justin@ProSights.co

13) US STATE-SPECIFIC DISCLOSURES

We do not sell personal information or share it for cross-context behavioral advertising.

Categories collected in the last 12 months (California definitions):

Category                    | Examples                                            | Collected
----------------------------|-----------------------------------------------------|----------------------------------------------------
A. Identifiers              | name, email, IP, account ID                         | YES
B. Customer Records         | contact info; billing tokens/last-4 if applicable   | YES (limited)
C. Protected Classes        | gender, etc.                                        | NO (unless voluntarily provided in recruiting/research)
D. Commercial Info          | purchases, transaction history                      | YES (if paid plans)
E. Biometric                | fingerprints, voiceprints                           | NO
F. Internet/Network         | usage metrics, interactions with our site/app       | YES
G. Geolocation              | approximate location from IP                        | YES (approximate only)
H. Audio/Visual             | support call recordings; uploaded files             | YES (situational)
I. Professional/Employment  | business contact details for provisioning           | YES (B2B)
J. Education                | student records                                     | NO
K. Inferences               | feature usage patterns, preferences                 | YES
L. Sensitive PI             | account login + password                            | YES (restricted use)

California "Shine the Light." We do not disclose personal information for third-party direct marketing.

14) GOVERNANCE & ACCOUNTABILITY

  • Authority. The Chief Technology Officer (CTO) is authorized by the Board to implement and enforce privacy and security programs.
  • Management reporting. The team issues quarterly reports to executive leadership covering audit results, incidents, risk assessments, and remediation status.
  • Monitoring & audits. We conduct annual penetration tests, routine vulnerability scanning, centralized logging/SIEM, and track findings to closure.
  • Requests & referrals. All requests for personal information (from individuals, law enforcement, media, or others) are referred to trained personnel via support@prosights.co; employees and contractors complete annual security & privacy training.
  • Suspicious attempts. Employees must report attempted social engineering or unauthorized PI requests to support@prosights.co immediately; events are logged for three months.
  • Identity & access governance. Role-based access, MFA, least privilege, quarterly access reviews, segregation of duties, and centralized logging.

15) CONTACT US

Prosights Labs, Inc.

236 W 30th St, Floor 12, New York, NY 10001, United States

Email: support@prosights.co

16) CHANGES TO THIS NOTICE

We may update this notice periodically. We will post the updated version with a new "Last updated" date and, where appropriate, provide prominent notice or direct communication for material changes.

ANNEX A — SECURITY CONTROLS OVERVIEW

  • Physical security (hosting providers). Facilities employ 24×7 professional security, CCTV, badge access, and visitor logging.
  • Asset & media controls. Devices are inventoried and encrypted; media is sanitized consistent with NIST 800-88 upon decommissioning.
  • Identity & access. SSO + MFA, least privilege, quarterly access reviews, privileged session logging, and emergency break-glass procedures with approval and post-use review. Identity and access practices align to NIST 800-53 control families.
  • Network & application security. Segmentation, WAF, rate limiting, secure configuration baselines, dependency monitoring, and security headers.
  • Monitoring & response targets (non-contractual). Centralized logging/SIEM, alerting, and vulnerability management with target response objectives: P1 (critical) initial response ≤ 1 hour; containment ≤ 4 hours. P2 (high) initial response ≤ 4 hours. P3 (moderate/low) initial response next business day.
  • Resilience. RTO 4 hours for critical services (AI systems included). RPO 1 hour via frequent backups and resilient storage.

ANNEX B — BREACH NOTIFICATION: RECIPIENTS & TIMELINES

Recipients (as applicable): affected individuals; regulators/authorities; law enforcement where appropriate; and internal leadership per escalation procedures.

Notice content typically includes: nature of incident, categories of PI affected, approximate number of individuals, likely consequences, measures taken/proposed, and contact points. We may reasonably delay notification when requested by law enforcement if notice would impede an investigation.