This Privacy Policy explains how Prosper EX Pty Ltd (Prosper, we, us, our) collects, uses, discloses, and protects personal information in connection with our employee experience platform, Prosper (the Platform), and our website at prosperex.com.au.
We respect your privacy and we take our obligations seriously. This policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the New Zealand Privacy Act 2020, and, where applicable, the EU General Data Protection Regulation (GDPR) and UK GDPR.
If anything in this policy is unclear, please contact us — details at the end of this document.
1. Who we are and how this policy applies
Prosper is an Australian software company based in Queensland. We provide the Prosper platform to organisations (our Customers) who use it to support their workforce — for example, through engagement surveys, recognition, performance reviews, and team communications.
There are two main ways your personal information may flow through Prosper:
- As a website visitor or marketing contact — when you visit prosperex.com.au, request a demo, or contact us, we act as the controller of your personal information and this policy applies directly.
- As an end user of the Platform — if you use Prosper because your employer (or a similar organisation) has subscribed to it, your employer is the controller of your personal information and decides what data is loaded into Prosper, who can access it, and how long it is kept. We act as a processor on their behalf. You should also read your employer's own privacy policy.
We will only handle end-user personal information in accordance with our agreement with the relevant Customer and applicable law.
2. The personal information we collect
The categories of personal information we may collect include:
- Identity and contact data — name, work email, work phone, job title, employer, manager, team. Provided by your employer or by you directly.
- Account and authentication data — user ID, hashed password, MFA settings, login timestamps, IP address, device and browser information. Generated when you use Prosper.
- Employment data — role, location, start date, employment type, training and certification records, performance review content. Provided by your employer.
- Survey and engagement data — responses to engagement, pulse and feedback surveys; recognition and comment content. Provided by you when you use Prosper.
- Usage data — pages visited, features used, actions taken, error logs, performance telemetry. Generated automatically when you use Prosper.
- Communications data — messages you send to our support team, feedback, and survey responses about Prosper itself. Provided by you.
- Marketing data (website only) — name, email, company, role, IP address, cookie identifiers. Provided by you or via cookies on prosperex.com.au.
Sensitive information
We do not seek to collect sensitive information (such as health, payroll, racial or ethnic origin, or religious beliefs) as part of the standard Prosper service. If a customer chooses to use Prosper to collect sensitive information — for example, through a custom survey — we will only process it on their instructions and in accordance with applicable law. Sensitive information is only collected with consent except where law permits otherwise.
Children
Prosper is a workplace product and is not directed at children. We do not knowingly collect personal information from anyone under 16.
3. How we collect personal information
We collect personal information in the following ways:
- Directly from you — when you fill in a form on our website, request a demo, sign up for marketing, contact our support team, or submit responses, comments, or content within Prosper.
- From your employer — when your employer subscribes to Prosper, they typically provide us with employee data (such as name, work email, role, manager) so the Platform can be set up and used.
- Automatically — when you use Prosper or our website, we automatically collect technical data such as IP address, device information, log data, and usage information through cookies and similar technologies.
- From third-party services — for example, identity providers (such as Microsoft Entra ID or Google Workspace) when single sign-on is used, and integrated HR systems where the Customer has chosen to integrate them.
4. How we use personal information
We use personal information for the following purposes:
- Providing the Platform — operating Prosper, authenticating users, delivering surveys and reports, enabling recognition and feedback, and providing technical and customer support.
- Improving the Platform — analysing usage patterns, fixing bugs, and developing new features. Where we use personal information for product improvement, we do so in aggregated or de-identified form wherever practical.
- Communicating with you — responding to enquiries, sending service-related notices (such as security alerts, billing notices, and changes to terms), and, where you have opted in, sending marketing communications.
- Security and integrity — detecting and preventing fraud, abuse, and security incidents, and protecting our rights and the rights of our customers and their employees.
- Legal and compliance — meeting our legal, regulatory, audit, and contractual obligations.
Lawful basis (for individuals in the EU/UK)
Where the GDPR or UK GDPR applies, we rely on the following lawful bases: performance of a contract, legitimate interests (balanced against your privacy interests), consent (for marketing emails, optional cookies, and where consent is otherwise required), and legal obligation. You can withdraw consent at any time where we rely on consent.
5. Automated decision-making and AI
Prosper does not use personal information to make decisions that produce legal or similarly significant effects on individuals without human involvement. Some Platform features may use automation or machine learning to summarise survey results, surface themes, or suggest content to managers — these are tools to support human decision-makers, not to replace them.
We do not use Customer Data or end-user personal information to train third-party generative AI models.
6. How we share personal information
We do not sell personal information. We share it only as described below.
With your employer (for end users of Prosper)
Personal information loaded into Prosper by your employer, and content you submit through Prosper, is accessible to your employer in accordance with the access controls and configuration they choose. Your employer is responsible for who within their organisation can see what.
With our service providers (sub-processors)
We engage a limited number of trusted service providers to help us run the Platform. They are bound by contractual obligations to protect personal information and only use it on our instructions. Our key sub-processors are:
- Microsoft Azure — cloud hosting and infrastructure, Australian regions only.
- Twilio SendGrid — transactional email delivery.
- Other operational tools — for example, customer support, error monitoring, analytics, and payment processing.
A current list of sub-processors is available on request.
With professional advisers and authorities
We may disclose personal information to our legal, accounting, audit, and insurance advisers under confidentiality obligations, and to regulators, courts, or law enforcement where we are required or permitted by law.
In connection with a corporate transaction
If we are involved in a merger, acquisition, financing, restructure, or sale of assets, personal information may be transferred to the relevant party, subject to appropriate confidentiality protections and continued application of this policy or an equivalent.
7. International data transfers
Prosper EX is an Australian company and we host all Customer Data in Microsoft Azure regions located in Australia (primary: Australia East / Sydney; backups: Australia Southeast / Melbourne). Customer Data does not leave Australia in the normal course of providing the Platform.
Some of our operational service providers (for example, support and analytics tools) may be located overseas, including in the United States and the United Kingdom. Where this involves a transfer of personal information outside Australia, New Zealand, the EU, or the UK, we take reasonable steps to ensure the recipient handles the personal information in a manner consistent with applicable law, including selecting providers with recognised security and privacy practices, putting appropriate contractual protections in place (such as Standard Contractual Clauses), and restricting access to what is needed for the relevant service.
8. How we protect personal information
We take reasonable and appropriate technical and organisational measures to protect personal information from loss, misuse, unauthorised access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Role-based access control and the principle of least privilege
- Multi-factor authentication for all Prosper EX personnel accessing internal systems and production environments
- Network security, vulnerability scanning, and dependency monitoring within our build and deployment pipelines
- Logging and monitoring of administrative actions
- A documented incident response process
- Hosting on Microsoft Azure infrastructure that is independently certified to ISO/IEC 27001 and IRAP-assessed
No system is completely secure. While we work hard to protect personal information, we cannot guarantee its absolute security.
9. Data breach notification
If we become aware of a confirmed or suspected data breach affecting personal information, we will assess and respond in line with our internal incident response process. Where a breach is likely to result in serious harm to affected individuals, we will notify the relevant Customer (where Customer Data is involved) and, where required, the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, the Office of the Privacy Commissioner of New Zealand, and supervisory authorities under the GDPR or UK GDPR.
We will notify Customers without undue delay and, in any case, within 24 hours of becoming aware of a breach affecting their data.
10. How long we keep personal information
We keep personal information only for as long as we need it for the purposes described in this policy, or as required by law.
- Customer Data within the Platform — kept for the duration of our agreement with the Customer and deleted or returned in accordance with that agreement on termination (typically within 30 days, subject to limited backup retention).
- Marketing data — kept until you unsubscribe or ask us to delete it, and then removed from active marketing systems within a reasonable period.
- Support and communications — kept for as long as needed to resolve the matter and for a reasonable period afterwards for record-keeping and dispute purposes.
- Financial and legal records — kept for the period required by Australian tax, corporations, and other applicable law (generally up to 7 years).
11. Your privacy rights
Rights available to all individuals (Australia, NZ, EU, UK)
- Access — to ask for a copy of the personal information we hold about you.
- Correction — to ask us to correct information that is inaccurate, out of date, incomplete, or misleading.
- Complaint — to make a complaint about how we have handled your personal information.
Additional rights under the GDPR and UK GDPR
- Erasure — to ask us to delete your personal information in certain circumstances.
- Restriction — to ask us to restrict our processing of your personal information.
- Portability — to receive your personal information in a structured, machine-readable format.
- Objection — to object to our processing where we rely on legitimate interests, including for direct marketing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Lodge a complaint with a supervisory authority in your country.
How to make a request
If you want to exercise any of these rights, please contact us at support@prosperex.com.au. We will respond within the timeframes required by applicable law (in Australia, normally within 30 days).
If you are an end user of Prosper because your employer subscribes to it, your employer controls most of your personal information in the Platform. Please direct access, correction, deletion, and similar requests to them in the first instance — we will support them in giving effect to your rights.
12. Cookies and similar technologies
Our website uses cookies and similar technologies to make the site work, remember your preferences, understand how the site is used, and (where you have consented) measure the performance of marketing activity.
You can manage cookies through your browser settings, and where required by law we will ask for your consent before using non-essential cookies. The Prosper application uses only the cookies and storage strictly necessary for authentication and to operate the service.
13. Marketing communications
Where you have provided your details through our website or signed up to receive updates, we may send you marketing communications about Prosper. You can opt out at any time by clicking the unsubscribe link in the email or contacting us. Service-related communications (such as security alerts and billing notices) are not marketing and will continue while your account is active.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will update the version and effective date at the top of this policy and, where appropriate, provide additional notice (for example, via the Platform or by email).
15. Contact us
If you have questions, concerns, or requests about this Privacy Policy or how we handle personal information, please contact us:
Privacy contact: support@prosperex.com.au
Postal address: Prosper EX Pty Ltd, 2/23 Foster Street, Surry Hills, New South Wales 2010
ABN: 36 646 927 531
If you are not satisfied with our response
If you have raised a privacy concern with us and are not satisfied with our response, you can contact:
- Australia — Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
- New Zealand — Office of the Privacy Commissioner at privacy.org.nz
- EU — your local data protection supervisory authority (a list is available at edpb.europa.eu)
- UK — Information Commissioner's Office (ICO) at ico.org.uk