Privacy Policy
1. Who we are
ProspeQ is a business-to-business sales-intelligence service operated by NovaSQ Pty Ltd (ABN 34 693 165 114, ACN 693 165 114) ("NovaSQ", "we", "us", "our"). "ProspeQ" is a business name of NovaSQ Pty Ltd.
- Registered office: Office 3959, Ground Floor, 470 St Kilda Road, Melbourne VIC 3004, Australia
- Privacy enquiries and complaints: info@prospeq.com.au
This policy explains what personal information we handle, how and why, who else handles it, and the rights available to you under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). ProspeQ is offered to customers in Australia.
2. The two kinds of people this policy covers
ProspeQ handles personal information about two distinct groups, and your rights differ slightly between them:
- (a) Customers and users - the people at businesses that subscribe to ProspeQ and log in to use it (account holders and their team members).
- (b) Prospects - individuals at other organisations (typically business contacts such as a named manager, engineer or buyer) whose work-related information our customers research using ProspeQ. If you believe your information appears in ProspeQ, you are in this group - see section 9 for how to access, correct or remove it.
3. What we collect
From customers and users (group a):
- Account information: work email, display name, organisation name, role, and a time-based one-time-password (TOTP) multi-factor-authentication secret. Multi-factor authentication is required for accounts created on or after 10 June 2026 and is set up at first sign-in; older accounts may enable it, and an organisation administrator can require it for all members.
- Content you create in your workspace: companies, contacts, leads, notes, attachments, ideal customer profile (ICP) settings, voice and tone settings, and outreach drafts.
- Usage and security telemetry: login times, requests served, AI jobs run and their outcomes, errors, and an audit log of data-modifying actions (who, what, when, source IP and user agent).
- Billing metadata: subscription tier, billing dates and invoice references. Card details are handled entirely by our payment processor (Stripe) and never reach NovaSQ's servers.
About prospects (group b):
- Business-context personal information sourced from public and customer-supplied sources - for example name, job title, employer, professional profile links, publicly listed business contact details, and publicly available company/role signals.
- Information we infer using AI - for example an estimated fit score, role-based priorities, and suggested talking points. This inferred information is generated by ProspeQ and is an opinion or hypothesis, not a verified fact (see section 6).
We do not seek to collect or infer sensitive information (such as health, racial, political or religious information) about prospects. Because outputs are AI-generated we cannot guarantee a sensitive inference will never appear; if you are a prospect and one does, tell us and we will remove it (section 9).
4. How we collect it
- From you directly (account sign-up, content you enter, support requests).
- From your organisation's other authorised users.
- For prospects: from publicly available sources and from data your organisation imports (for example a LinkedIn export or an exhibitor list), processed on your organisation's behalf. ProspeQ ingests only information that is publicly available or that your organisation is lawfully entitled to supply; it does not scrape login-gated or access-controlled platforms.
- From a CRM you choose to connect (for example HubSpot or Pipedrive): if you link your own CRM account, ProspeQ imports the contact and company records you select into your workspace. The flow is one-way inbound - we collect from your CRM at your direction and do not push your ProspeQ data out to it. These connections are optional and can be disconnected at any time.
- Automatically through your use of the service (telemetry; essential cookies and local storage - see section 11).
5. Why we handle it (APPs)
We handle personal information only where it is reasonably necessary for our functions, collected by lawful and fair means (APP 3), for these purposes (APP 6):
- To provide the service you or your organisation subscribed to.
- Prospect research and enrichment - collecting and collating publicly available business-context information about prospects so our customers can prepare for legitimate B2B sales engagement.
- Service communications - billing, security and maintenance notices.
- Security, fraud and abuse investigation, and aggregated, de-identified product analytics.
- Legal compliance, including retaining billing records for the period required by Australian tax law (currently seven years).
- Direct marketing of our own service - only with consent and always with a working opt-out (see section 10).
We do not sell or rent personal information, and we do not use customer workspace content to train AI models.
6. Automated processing and AI-generated profiles
ProspeQ uses artificial intelligence to research, score and profile companies and individual prospects - for example generating an ICP fit score and a stakeholder profile (inferred priorities, likely concerns and suggested approach) about a named individual.
Automated decision-making disclosure. ProspeQ uses automated processing to: (a) generate research summaries about companies and prospects from source material; (b) calculate an ICP fit score that ranks how well a prospect matches your criteria; and (c) generate stakeholder profiles and suggested approaches about named individuals. These automated outputs draw on the business-context personal information in section 3, together with customer-supplied inputs and settings. They are decision-support for our customers - a human decides what (if anything) to do with them, and we label them in-product as inferences, not verified facts. We make this disclosure consistent with the automated-decision-making transparency requirements introduced by the Privacy and Other Legislation Amendment Act 2024 (which APP entities must reflect in their privacy policies by 11 December 2026).
If you are a prospect and believe an inference about you is inaccurate, you may ask us to correct or remove it (section 9).
7. AI providers, sub-processors and overseas handling
To deliver the service we share limited personal information with third parties that process it on our behalf. The current list - who they are, what they receive, where they hold it, and their security posture - is published at /subprocessors and kept current. We will give customers at least 30 days' notice (by email and on that page) before adding a new sub-processor that handles customer or prospect personal information.
AI processing. By default, AI research, scoring and drafting use a ProspeQ-managed key with OpenAI, over an encrypted connection (which can include prospect business-context information in the prompt). A customer may instead bring their own provider key (BYOK) to use OpenAI, Anthropic (Claude) or Google (Gemini) under their own provider account. We use providers' no-training / no-retention settings where available, and we do not use your content to train models.
Overseas disclosure (APP 8). Your information is stored on Australian servers - a primary server in Melbourne and an encrypted offsite replica, both located in Australia - and our backups are also held in Australia. Some processing necessarily involves recipients outside Australia - the AI providers above (United States), our web-search provider (Serper), our payment processor (Stripe), and our CDN/edge provider (Cloudflare). (A CRM you connect, such as HubSpot or Pipedrive, is a source we collect from at your direction, not a recipient we disclose your data to - see section 4.) We take reasonable steps to ensure overseas recipients handle the information consistently with the APPs, including by contract. We do not claim that all processing happens in Australia - where your information is processed overseas, that is disclosed here and on the sub-processors page.
8. Who else we disclose to
- Service providers / sub-processors (section 7), under contract.
- Our payment processor, for billing.
- Authorities or third parties where required or permitted by law, or to protect our rights or safety.
- A successor entity in connection with a sale or restructure of the business (subject to this policy).
We do not otherwise disclose personal information to third parties for their own purposes.
9. Your rights - including if you are a prospect
If you are a customer or user (group a):
- Access (APP 12): request a copy of the personal information we hold about you - via the "My data" area in Settings, or by emailing info@prospeq.com.au. We respond within a reasonable time.
- Correction (APP 13): most fields are editable in-app; otherwise email us.
- Deletion: delete your account in Settings, or ask us; we confirm in writing.
If you are a prospect (group b) - your dedicated channel:
You can ask us, without needing an account, to tell you whether we hold information about you and provide access to it, correct it, or remove your information from ProspeQ. Use the request form at /privacy-request or email info@prospeq.com.au with the subject "Prospect privacy request". We verify your identity before acting - typically by confirming you control the email address or identifiers in the record (a double opt-in confirmation) and matching that against the information we hold; we may ask for reasonable additional proof. We action genuine requests within a reasonable time and confirm the outcome. Removal is a service we offer voluntarily - Australian law has no general "right to erasure" - and we can remove our copy and suppress future re-collection, but cannot remove information from the original public sources, which are controlled by others.
10. Direct marketing
We only send you marketing about our own services if you have opted in, and every marketing message contains a working unsubscribe (Spam Act 2003 (Cth)). This is separate from service communications (billing, security, maintenance), which all customers receive.
11. Cookies and local storage
ProspeQ uses only strictly-necessary cookies - a single secure, httpOnly cookie that carries your sign-in / SSO state during login - together with your browser's local storage to keep you signed in and remember preferences. We do not use analytics, advertising or third-party tracking cookies, and there is no separate cookie-consent banner: Australian law does not require consent for strictly-necessary cookies.
12. Data security and retention
We protect personal information with measures including encrypted transport (TLS), encryption at rest (data held on an AES-256 encrypted volume), hashed passwords, multi-factor authentication (required for new accounts), per-tenant logical isolation enforced at the database layer (row-level security), access logging, and an incident-response process. Our current security posture is described on our Security page.
We keep personal information only as long as needed: active-account data while your subscription is active; deleted-account content soft-deleted for 30 days then purged; encrypted backups (daily snapshots, held in Australia) cycle out within 30 days (an additional offsite copy in Australia is being added); audit logs for 12 months; billing records 7 years (tax law); and prospect records reviewed and purged on a defined schedule or on a valid removal request.
13. Complaints
If you think we have mishandled your information, contact us first at info@prospeq.com.au and we will investigate. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
14. Changes to this policy
We will notify active customers by email at least 30 days before any substantive change. The "Last updated" date above reflects every change.
15. Contact
NovaSQ Pty Ltd (ABN 34 693 165 114) trading as ProspeQ
Office 3959, Ground Floor, 470 St Kilda Road, Melbourne VIC 3004, Australia
Privacy enquiries and complaints: info@prospeq.com.au
