Privacy Policy

Effective date: 10 June 2026 · Last updated: 10 June 2026

1. Who we are

ProspeQ is a business-to-business sales-intelligence service operated by NovaSQ Pty Ltd (ABN 34 693 165 114, ACN 693 165 114) ("NovaSQ", "we", "us", "our"). "ProspeQ" is a business name of NovaSQ Pty Ltd.

This policy explains what personal information we handle, how and why, who else handles it, and the rights available to you under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). ProspeQ is offered to customers in Australia.

2. The two kinds of people this policy covers

ProspeQ handles personal information about two distinct groups, and your rights differ slightly between them:

3. What we collect

From customers and users (group a):

About prospects (group b):

We do not seek to collect or infer sensitive information (such as health, racial, political or religious information) about prospects. Because outputs are AI-generated we cannot guarantee a sensitive inference will never appear; if you are a prospect and one does, tell us and we will remove it (section 9).

4. How we collect it

5. Why we handle it (APPs)

We handle personal information only where it is reasonably necessary for our functions, collected by lawful and fair means (APP 3), for these purposes (APP 6):

We do not sell or rent personal information, and we do not use customer workspace content to train AI models.

6. Automated processing and AI-generated profiles

ProspeQ uses artificial intelligence to research, score and profile companies and individual prospects - for example generating an ICP fit score and a stakeholder profile (inferred priorities, likely concerns and suggested approach) about a named individual.

Automated decision-making disclosure. ProspeQ uses automated processing to: (a) generate research summaries about companies and prospects from source material; (b) calculate an ICP fit score that ranks how well a prospect matches your criteria; and (c) generate stakeholder profiles and suggested approaches about named individuals. These automated outputs draw on the business-context personal information in section 3, together with customer-supplied inputs and settings. They are decision-support for our customers - a human decides what (if anything) to do with them, and we label them in-product as inferences, not verified facts. We make this disclosure consistent with the automated-decision-making transparency requirements introduced by the Privacy and Other Legislation Amendment Act 2024 (which APP entities must reflect in their privacy policies by 11 December 2026).

If you are a prospect and believe an inference about you is inaccurate, you may ask us to correct or remove it (section 9).

7. AI providers, sub-processors and overseas handling

To deliver the service we share limited personal information with third parties that process it on our behalf. The current list - who they are, what they receive, where they hold it, and their security posture - is published at /subprocessors and kept current. We will give customers at least 30 days' notice (by email and on that page) before adding a new sub-processor that handles customer or prospect personal information.

AI processing. By default, AI research, scoring and drafting use a ProspeQ-managed key with OpenAI, over an encrypted connection (which can include prospect business-context information in the prompt). A customer may instead bring their own provider key (BYOK) to use OpenAI, Anthropic (Claude) or Google (Gemini) under their own provider account. We use providers' no-training / no-retention settings where available, and we do not use your content to train models.

Overseas disclosure (APP 8). Your information is stored on Australian servers - a primary server in Melbourne and an encrypted offsite replica, both located in Australia - and our backups are also held in Australia. Some processing necessarily involves recipients outside Australia - the AI providers above (United States), our web-search provider (Serper), our payment processor (Stripe), and our CDN/edge provider (Cloudflare). (A CRM you connect, such as HubSpot or Pipedrive, is a source we collect from at your direction, not a recipient we disclose your data to - see section 4.) We take reasonable steps to ensure overseas recipients handle the information consistently with the APPs, including by contract. We do not claim that all processing happens in Australia - where your information is processed overseas, that is disclosed here and on the sub-processors page.

8. Who else we disclose to

We do not otherwise disclose personal information to third parties for their own purposes.

9. Your rights - including if you are a prospect

If you are a customer or user (group a):

If you are a prospect (group b) - your dedicated channel:

You can ask us, without needing an account, to tell you whether we hold information about you and provide access to it, correct it, or remove your information from ProspeQ. Use the request form at /privacy-request or email info@prospeq.com.au with the subject "Prospect privacy request". We verify your identity before acting - typically by confirming you control the email address or identifiers in the record (a double opt-in confirmation) and matching that against the information we hold; we may ask for reasonable additional proof. We action genuine requests within a reasonable time and confirm the outcome. Removal is a service we offer voluntarily - Australian law has no general "right to erasure" - and we can remove our copy and suppress future re-collection, but cannot remove information from the original public sources, which are controlled by others.

10. Direct marketing

We only send you marketing about our own services if you have opted in, and every marketing message contains a working unsubscribe (Spam Act 2003 (Cth)). This is separate from service communications (billing, security, maintenance), which all customers receive.

11. Cookies and local storage

ProspeQ uses only strictly-necessary cookies - a single secure, httpOnly cookie that carries your sign-in / SSO state during login - together with your browser's local storage to keep you signed in and remember preferences. We do not use analytics, advertising or third-party tracking cookies, and there is no separate cookie-consent banner: Australian law does not require consent for strictly-necessary cookies.

12. Data security and retention

We protect personal information with measures including encrypted transport (TLS), encryption at rest (data held on an AES-256 encrypted volume), hashed passwords, multi-factor authentication (required for new accounts), per-tenant logical isolation enforced at the database layer (row-level security), access logging, and an incident-response process. Our current security posture is described on our Security page.

We keep personal information only as long as needed: active-account data while your subscription is active; deleted-account content soft-deleted for 30 days then purged; encrypted backups (daily snapshots, held in Australia) cycle out within 30 days (an additional offsite copy in Australia is being added); audit logs for 12 months; billing records 7 years (tax law); and prospect records reviewed and purged on a defined schedule or on a valid removal request.

13. Complaints

If you think we have mishandled your information, contact us first at info@prospeq.com.au and we will investigate. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

14. Changes to this policy

We will notify active customers by email at least 30 days before any substantive change. The "Last updated" date above reflects every change.

15. Contact

NovaSQ Pty Ltd (ABN 34 693 165 114) trading as ProspeQ
Office 3959, Ground Floor, 470 St Kilda Road, Melbourne VIC 3004, Australia
Privacy enquiries and complaints: info@prospeq.com.au