Privacy Policy - Priority Prospect

Effective date: 6 February 2026

Priority Prospect OÜ ("Priority Prospect", "we", "us", "our") respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws, including Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR").

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our websites, create an account, or use our services.

1. Who we are

Controller:
Priority Prospect OÜ
Registry ID: 14059959
VAT ID: EE101884183
Vandu tee 6-2, Hulja
Lääne-Viru County, Estonia, 45203

Data Protection Officer (DPO):
Priority Prospect has appointed an internal Data Protection Officer responsible for overseeing data protection compliance and handling data protection-related requests.

Contact details:
General support: support@priorityprospect.com
Data Protection Officer: data-protection@priorityprospect.com

2. Scope of this Privacy Policy

This Privacy Policy applies to:

Visitors of our websites
Users of our customer panel
Customers using our hosting, IP address, and related services
Individuals contacting us via support, email, or other communication channels

3. Roles under GDPR

3.1 When we act as a data controller

We act as a data controller when we determine the purposes and means of processing personal data, including:

Account registration and management
Billing and invoicing
Customer support
Security, fraud prevention, and abuse monitoring
Marketing and service related communications
Website analytics and advertising

3.2 When we act as a data processor

We act as a data processor when processing personal data on behalf of our customers, including:

Customer hosted website files and databases
Hosting backups
Malware scanning of hosting accounts
Technical support actions performed at the customer’s request

In these cases, our customers are the data controllers.

Where we act as a data processor, our processing of personal data is governed by our Data Processing Agreement (DPA), which forms part of and is incorporated into our Terms of Service.

Access to customer-hosted data is limited to automated security scanning and technical support activities, and only where necessary.

4. Age requirement

Our services are intended for adults only. You must be at least 18 years old to use our services.

We do not knowingly collect or process personal data of individuals under the age of 18. If we become aware that personal data of an individual under 18 has been collected, we will take steps to delete such data without undue delay.

5. Personal data we collect

5.1 Account and customer data

When you create an account or use our services, we may collect:

Full name
Company name
Email address
Physical address, city, postal code, country, and region
Account credentials
Service configuration data

We may request proof of address where required for verification, fraud prevention, or compliance purposes.

Proof of address documents are used solely for verification and are deleted no later than 30 days after the verification process is completed, unless a longer retention period is required by applicable law. Access to these documents is strictly limited to authorized personnel. Proof of address documents are stored in encrypted form where appropriate.

We request only the minimum information necessary for verification purposes.

5.2 Billing and payment data

Payments are processed by third-party payment providers, including PayPal, Nomupay, Cryptomus, and Binance Pay.

We do not store credit card numbers or banking credentials. We store only payment tokens and transaction references provided by payment processors.

5.3 Support communications

When you contact us, we process:
Support tickets
Live chat messages
Email communications
Attachments and information you choose to provide

5.4 Technical, log, and security data

For security, operational integrity, and audit purposes, we collect and process:

IP addresses
Browser user agent
Login timestamps
API usage logs
Action and audit logs
Error logs
Web server access logs

For active accounts, logs are retained on a rolling basis for up to 12 months.

After account closure, logs and security data are retained for up to 1 year.

5.5 Hosting, security scanning, and fraud prevention

We periodically scan hosting accounts using antivirus and security tools to detect malware and protect infrastructure, customers, and third parties.

In certain situations, we may perform risk-based checks or request additional information, such as proof of address, to prevent fraud, reduce abuse, and protect the integrity of our services. All such assessments are subject to human review. We do not use automated decision making with legal or similarly significant effects. Automated security tools, such as malware scanning, are used solely for detection and prevention purposes and do not produce legal or similarly significant effects on users.

We collect and process only the personal data that is necessary for the purposes described in this Privacy Policy.

6. Cookies and tracking technologies

We use cookies and similar technologies on our websites and panels.

6.1 Types of cookies

Essential cookies required for functionality
Analytics cookies (PostHog, Google Analytics)
Advertising and retargeting cookies (Google Ads, Reddit Ads, LinkedIn Ads, Facebook Ads)
Affiliate tracking cookies and UTM parameters

6.2 Cookie management

We use CookieYes as our consent management platform. You can manage or withdraw your consent at any time via our cookie banner or settings.

7. Purposes and legal bases for processing

We process personal data based on the following legal grounds:

Contract. Account creation, service delivery, billing, and customer support.
Legal obligation. Accounting, invoicing, tax compliance, and regulatory requirements.
Legitimate interests. We process personal data where necessary to operate, secure, and improve our services. This includes preventing fraud and abuse, ensuring infrastructure security, maintaining logs for audits and incident investigation, and improving service reliability. We balance these interests against your rights and freedoms.
Consent. Marketing communications and non-essential cookies, where required.

You may withdraw consent at any time where processing is based on consent.

8. Marketing communications and opt-out

We may send marketing or product update emails to users who have created an account.

You can opt out at any time by:

clicking the unsubscribe link in the email, or
changing your communication preferences in the customer panel, or
contacting our support team

Where permitted by applicable law, we may send marketing or product update emails to existing customers based on our legitimate interests in promoting and improving our services. You have the right to object to such marketing at any time.

Service-related communications, such as billing notices, security alerts, and important service updates, are not marketing communications and cannot be opted out of while you maintain an active account.

9. Voluntary nature of data provision

Providing personal data is not a statutory requirement. However, certain personal data is necessary to create an account, enter into a contract, and use our services. If required data is not provided, we may be unable to offer certain services.

10. Data sharing and recipients

We share personal data only when necessary and with appropriate safeguards.

Categories of recipients include hosting and infrastructure providers, payment processors, email and communication service providers, analytics and monitoring providers, and security and abuse prevention service providers.

Where we act as a data processor, we may engage carefully selected sub-processors to support the provision of our services, including infrastructure, network routing, backup, security, and monitoring providers. These sub-processors are subject to contractual confidentiality, data protection, and security obligations.

Further information about sub-processors may be provided upon request, where required by applicable law.

We do not sell personal data.

11. International data transfers

11.1 Data locations

Customer panel: Germany
Support tickets system: Germany
Live chat systems: Netherlands
Hosting servers and hosting backups: United States

Some analytics and advertising partners may process personal data outside the EU or EEA depending on your cookie choices and our configuration.

11.2 Transfer safeguards

Where personal data is transferred to the United States, we rely on the EU-U.S. Data Privacy Framework adequacy decision where our service providers are certified. For all other transfers, we utilize European Commission-approved Standard Contractual Clauses (SCCs).

You may request additional information about these safeguards by contacting our Data Protection Officer.

Some infrastructure and network service providers may be located outside the European Union. Where applicable, transfers are protected through adequacy decisions, Standard Contractual Clauses, and additional technical and organizational measures.

12. Data retention

Account data: up to 1 year after account closure
Billing and accounting records: up to 7 years
Support tickets: retained for the duration of the customer account and for up to five (5) years after account closure for support continuity and legal defense. Support tickets may be deleted or anonymized earlier upon request, where feasible and legally permissible.
Logs and security data: rolling 12 months for active accounts, up to 1 year after account closure
Hosting backups: up to 30 days
Customer panel backups: up to 12 months, depending on backup type and operational requirements

Where personal data cannot be deleted due to legal retention obligations, we will restrict processing and, where feasible, anonymize the data so it can no longer be associated with an identifiable individual.

We review our data retention periods periodically to ensure that personal data is not kept longer than necessary.

13. Your rights under GDPR

You have the right to access, rectify, erase, restrict processing, object to processing, receive a copy of your data, and lodge a complaint with a supervisory authority. Data will be provided in a commonly used, machine-readable format where technically feasible.

To protect your data, we may request additional information to verify your identity before processing a request.

Requests can be submitted via our support tickets system or by contacting our Data Protection Officer. We respond within one month and do not charge fees.

In the event of a personal data breach, we will comply with applicable notification obligations under the GDPR.

Where required, we notify supervisory authorities without undue delay and in accordance with GDPR timelines.

14. Supervisory authority complaints

You have the right to lodge a complaint with a data protection supervisory authority.

Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

We encourage you to contact our Data Protection Officer first so we can address concerns directly.

15. Automated decision making

We do not use automated decision making or profiling that produces legal or similarly significant effects.

16. Security measures

We implement appropriate technical and organizational measures, including access controls, network firewalls, logging and monitoring, encryption where appropriate, and malware and abuse detection systems.

Access to personal data is limited to authorized personnel who are subject to confidentiality obligations.

Where appropriate, we use encryption to protect personal data both in transit and at rest.

Backups are protected using access controls and encryption where appropriate, and access is limited to authorized personnel.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version will always be available on our website. Continued use of our services after the effective date indicates acknowledgement of the updated policy.

18. Contact

Data Protection Officer:

Email: data-protection@priorityprospect.com

Address: Vandu tee 6-2, Hulja
Lääne-Viru County, Estonia, 45203