Privacy Policy
Last updated: June 14, 2026
Document version: 1.2 · Effective: June 14, 2026 · Added: transactional SMS consent, TCPA compliance, SMS opt-out
Prospectr Marketing Inc (DBA Prospectr Digital), a Minnesota corporation founded in 2006. Address: 3508 W 22nd St, Minneapolis, MN 55416, USA. Phone: (612) 293-0179. Email: info@prospectrdigital.com. Tagline: Every Channel. One Team. Engineered for Performance.
Download the full Privacy Policy (v1.1, PDF).
Entity. Prospectr Marketing Inc (DBA Prospectr Digital), a Minnesota corporation (“Prospectr,” “we,” “us”).
This Privacy Policy explains how we collect, use, share, retain, and protect personal information in connection with the Sovereign and Steward services (collectively, the “Services”) and our marketing websites at sovereign.prospectrdigital.com, steward.prospectrdigital.com, and b2bprospectrleads.com. It is incorporated by reference into both the Terms of Service and the Master Services Agreement (MSA) executed with paying customers.
It applies to (i) website visitors, (ii) Customers and Authorized Users, and (iii) prospects who engage with our sales and marketing.
For our handling of personal data about end-individuals processed through the Services on behalf of a Customer (e.g., the leads or contacts a Customer manages in a Steward skill), we act as a data processor and our obligations are governed by the Data Processing Agreement, not this Privacy Policy.
1. What we collect
1.1. Information you give us
- Identity & contact data: name, work email, company, role, phone, billing address, tax ID (where required).
- Account credentials: username and a salted, hashed password; MFA device data; SSO identifiers.
- Order & payment data: subscription tier, order history. Payment cards are processed by Stripe; we receive a tokenized reference and metadata (brand, last four, expiration, billing zip) and never see or store full card numbers.
- Communications: the content of emails, support tickets, chat sessions, voice notes, or call recordings.
- Marketing data: information submitted through forms (intake wizard, contact, newsletter, demo request).
1.2. Information collected automatically
- Usage telemetry: pages viewed, features used, clicks, time on page, referrer, device type, browser, IP (truncated for analytics where supported).
- Service telemetry: login events, skill runs, error events, audit-log events, cost-meter readings. Collected on a legitimate-interest basis under GDPR Art. 6(1)(f) and the analogous CCPA business-purpose category.
- Cookies: essential cookies for session management and CSRF protection plus a strict minimum of analytics cookies. No advertising cookies or trackers. See Section 9.
1.3. Information from third parties
- Enrichment providers: we may verify or enrich your record from B2B firmographic providers (company name, headcount, industry) to help route your account.
- SSO providers: if you sign in with Google, Microsoft, or another OIDC provider, we receive your name, email, and unique identifier.
- Stripe: payment status and metadata (not card numbers).
1.4. Customer Input and Output (Services context)
For Steward, Inputs and Outputs are stored on Prospectr-managed infrastructure under the DPA. For Sovereign, they are stored in Customer’s own cloud account; we do not have routine access. We do not use Inputs or Outputs to train any AI model without Customer’s express opt-in.
2. Why we collect it
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Services and websites | Contract (Art. 6(1)(b)) |
| Process payments and bill subscriptions | Contract; legal obligation |
| Provide support | Contract; legitimate interest |
| Send transactional emails (receipts, security alerts, service notices) | Contract; legitimate interest |
| Send transactional SMS (account alerts, lead notifications, billing confirmations) | Contract; consent (TCPA) |
| Send marketing SMS (promotional offers, new features) | Consent (TCPA — separate opt-in required) |
| Marketing to existing customers about related products | Legitimate interest; opt-out in every message |
| Marketing to new prospects who opt in | Consent |
| Fraud, abuse, and security incident response | Legitimate interest; legal obligation |
| Compliance and legal process | Legal obligation; legitimate interest |
| Improve the Services through aggregated, anonymized analytics | Legitimate interest |
| Train AI models on raw Inputs/Outputs | Only with prior written consent |
| De-identified aggregated data for Platform improvement (per MSA §7.4) | Legitimate interest; customer opt-out available |
3. Where it is stored
- Primary region: AWS us-east-1 (Northern Virginia).
- Backup / DR: AWS us-west-2 (Oregon).
- Sovereign deployments: Customer Input, Output, and Customer Data remain in Customer’s own cloud account (AWS, GCP, or Azure) in the region Customer selects.
- Operational metadata: logs, audit events, and billing data for both tiers are stored in the primary and DR regions above.
3.1. International transfers
For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses Module Two and any successor mechanism, as incorporated into the DPA.
4. Who has access
4.1. Prospectr personnel
Engineering and operations, customer success, finance, and security personnel access personal information on a least-privilege basis, with logging, MFA, and written confidentiality obligations.
4.2. Sub-processors
The following sub-processors may process personal data on our behalf, each under a written data-processing agreement no less protective than this Privacy Policy and the DPA:
- Amazon Web Services, Inc. — Hosting, storage, transactional email (SES)
- Anthropic, PBC — Claude AI model inference
- OpenAI, LLC — GPT model inference (where selected)
- Google LLC — Google Workspace, Google Analytics, optional Gemini inference
- Microsoft Corporation — Azure infrastructure (optional, customer-selected)
- Stripe, Inc. — Payment processing
- Cloudflare, Inc. — DNS, edge security, WAF
- Mailgun Technologies, Inc. — Transactional email delivery (where applicable)
- Resend, Inc. / AWS SES — Transactional email delivery (primary)
- Documenso, Inc. — E-signature and agreement workflow
- ElevenLabs Inc. — Text-to-speech (where Customer enables voice features)
- GoHighLevel (LeadConnector) — CRM (where applicable)
- Bright Data Ltd. — SERP enrichment (where applicable)
We will give Customers at least thirty (30) days’ written notice before adding a new sub-processor, and Customer may object during that period (see DPA §4).
4.3. Other recipients
- Legal, accounting, and financial advisors under confidentiality.
- Acquirers in a merger or sale of substantially all our assets, subject to the same privacy commitments.
- Government authorities, regulators, and courts in response to valid legal process.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising (CCPA/CPRA). We do not provide personal information to data brokers.
5. Retention
| Category | Retention period |
|---|---|
| Operational logs and audit logs | 90 days rolling, then deletion or aggregation |
| Service telemetry | 90 days at fidelity; aggregated indefinitely |
| Customer account record | Duration of relationship + tax-law period |
| Customer Input and Output (Steward) | Per Customer configuration; default 90 days |
| Customer Input and Output (Sovereign) | Stored in Customer’s own cloud — Customer controls |
| Billing and payment records | Seven (7) years (U.S. tax) |
| Marketing analytics and website logs | Up to 26 months |
| Support communications | 3 years after case closure |
| Backups | 35-day rotation cycle |
Customer may request earlier deletion at any time, subject to the legal and contractual retention obligations.
6. Security
We maintain technical and organizational measures including:
- TLS 1.2+ in transit; AES-256 at rest in primary stores and backups, with keys managed in AWS KMS and Secrets Manager;
- Role-based access controls, least-privilege IAM, mandatory MFA on internal accounts;
- Vulnerability management and dependency scanning;
- Audit logging of administrative actions;
- Documented incident response plan and breach notification SLA (see DPA §6);
- Annual security review and a third-party SOC 2 Type II audit, targeted within the first twelve (12) months of Steward general availability (Customer Trust Center will publish progress).
7. Your rights
Depending on where you live, you may have rights to: access, correction, deletion, portability, restriction, objection, withdrawing consent, opt-out of sale or sharing, and non-discrimination.
To exercise a right, email privacy@prospectrdigital.com. We will acknowledge within five (5) business days and respond within thirty (30) days (or such period as law allows). You also have the right to lodge a complaint with a supervisory authority.
8. Children
The Services are not directed to children under thirteen (13) and we do not knowingly collect personal information from them. For individuals between 13 and 18, we require parental or guardian consent, expressed via the Customer’s authorized representative.
9. Cookies and tracking
- Strictly necessary — authentication, session, CSRF protection.
- Analytics — Google Analytics on marketing sites with IP truncation and 26-month retention. Opt out via browser controls or the GA opt-out add-on.
We do not use advertising cookies, third-party cross-context trackers, or social-media re-targeting pixels on the Services consoles. We honor Global Privacy Control (GPC) signals as a request to opt out of analytics, where required.
10. Marketing communications
Transactional emails are not marketing emails. Marketing emails are sent only to opt-in recipients or to existing customers about related products, with an opt-out link in every message. All marketing emails comply with CAN-SPAM, GDPR, CASL, and the AUP §1.4.
10a. SMS / Text message communications
Transactional SMS
By providing your mobile phone number and purchasing or activating a Prospectr service, you expressly consent to receive transactional SMS messages from Prospectr Marketing Inc. (short code or 10-digit long code, depending on deployment) related to:
- Account sign-up confirmations and onboarding steps;
- Service status alerts (campaign live, deployment complete, deliverability warnings);
- Security notifications (new login, password reset, MFA codes);
- Billing confirmations, payment receipts, and renewal reminders;
- Lead delivery notifications (new qualified lead received in your Autopilot or Steward account);
- Support follow-up when you have an open ticket.
Message frequency: Transactional messages are event-driven. You may receive up to 10 transactional messages per month depending on account activity. During active campaign periods, delivery notifications may be more frequent.
Message and data rates may apply depending on your carrier plan.
Marketing SMS
We will only send promotional or marketing SMS messages if you separately opt in at the time of sign-up or via your account portal. Marketing SMS is not required to receive the Services. You will always be given a clear opportunity to opt in or decline at the point of collection.
How to opt out of SMS
You may opt out of SMS messages at any time by replying STOP to any message we send. You will receive one confirmation message and no further messages unless you re-subscribe. To opt out of transactional SMS, email privacy@prospectrdigital.com with your mobile number and request.
For help, reply HELP to any message or email info@prospectrdigital.com.
TCPA compliance
Our SMS program complies with the Telephone Consumer Protection Act (TCPA), CTIA Messaging Principles and Best Practices, and applicable A2P 10DLC carrier requirements. We do not send SMS to numbers on the National Do Not Call Registry for marketing purposes. Consent to receive SMS is not a condition of purchasing any product or service.
Carrier and SMS sub-processors
SMS delivery is routed through one or more of the following carriers/sub-processors, each bound by appropriate data-processing terms:
- Twilio Inc. or equivalent A2P 10DLC-registered messaging provider
- GoHighLevel (LeadConnector) — where SMS is sent through RevEngine workflows
11. Do Not Track
We do not respond to browser Do Not Track signals because the industry standard is inconsistent. We do honor Global Privacy Control as described in Section 9.
12. California-specific disclosures
Categories of personal information collected in the preceding twelve months: identifiers (name, email, IP), customer records, commercial information (purchase history), internet activity (telemetry), approximate geolocation (from IP), professional/employment information, and inferences for routing and support.
Categories disclosed for business purposes: identifiers and account information to the sub-processors in Section 4.2.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than as permitted by CCPA/CPRA §7027.
13. EEA, UK, and Switzerland
- Controller: Prospectr Marketing Inc, 3508 W 22nd St, Minneapolis, MN 55416, USA, for personal data about Visitors and Authorized Users.
- EU/UK representative: to be appointed and disclosed prior to EEA/UK launch.
- Legal bases: Section 2.
- Transfers: Section 3.1 and the DPA.
- Rights: Section 7 and the right to complain to your supervisory authority.
14. SOC 2 and audit status
We maintain a documented information-security program aligned with SOC 2 Type II criteria. A third-party SOC 2 Type II audit is targeted within the first twelve (12) months of Steward general availability. Audit progress and any resulting report will be available under NDA via the Customer Trust Center.
15. Contact
Privacy questions, rights requests, complaints: privacy@prospectrdigital.com
General contact: info@prospectrdigital.com · (612) 293-0179
Prospectr Marketing Inc (DBA Prospectr Digital)
Attn: Privacy Officer
3508 W 22nd St · Minneapolis, MN 55416 · USA
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days in advance by email and in-product notice. Non-material clarifications may be made on the page with an updated “Last updated” date.