Privacy Policy
Effective date: April 16, 2026 · Last updated: April 16, 2026
1. Who we are
Prsona is operated by Open Venture Group, LLC, a Delaware limited liability company (“Prsona,” “we,” “us”). Our principal place of business is the United States.
This Privacy Policy applies to the Prsona website (prsona.io), dashboard, and Chrome extension (together, the “Service”). It describes what data we collect, why we collect it, how we use and share it, and the rights you have over your data.
If you have questions or want to exercise any of the rights described below, contact us at info@prsona.io.
2. The short version
- We collect the minimum data needed to run the Service: your email, name, workspace details, and the prospect content you explicitly ask our AI to analyze.
- We never sell your data.
- We use a small list of sub-processors (Supabase, Anthropic, Upstash, Sentry, PostHog, Resend, Stripe, Vercel) — all named in Section 8.
- You can export your data, delete your account, or ask us what we have about you at any time — see Section 9.
- We comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
3. What we collect
3.1 Account data
- Email address (used as your login)
- Full name
- Password (hashed — we never see or store your plaintext password)
- Organization name (the workspace you create or are invited into)
- Your role within your organization (owner, admin, or member)
- Date/time of account creation and last sign-in
3.2 Usage data
- Number of AI analyses and email drafts you run each billing period
- Which AI model was used for each analysis (for audit purposes — see Section 6)
- Your plan (free, starter, growth, or enterprise) and billing state
- IP address and browser user-agent when you sign in (for security lockouts)
- Product analytics events (button clicks, feature usage) via PostHog
- Error and performance traces via Sentry (may include IP address and technical metadata)
3.3 Prospect content (data you send us)
When you click “Analyze” on the Prsona Chrome extension, the visible text of the webpage you are currently viewing is sent to our servers and then to our AI provider (Anthropic) for analysis. This may include:
- Public information about the person or company on that page (name, role, company, bio, public posts)
- The URL you were viewing
- The result of the analysis (extracted contact details, conversation hooks, score)
You control this.The extension only captures content when you explicitly click Analyze. We do not observe your browsing otherwise. We never access tabs you haven't analyzed.
3.4 Brand voice settings (optional)
If you are on a paid plan, you may enter tone, product context, ICP, and custom rules in the Brand Voice settings. This text is used to personalize AI-generated drafts and is stored in our database.
3.5 Billing data
When you subscribe to a paid plan, Stripe collects and processes your payment information (credit card number, billing address). We never see or store your card details. Stripe sends us only your subscription status and plan.
3.6 Data we do NOT collect
- We do not read emails from your inbox.
- We do not watch tabs you have not explicitly analyzed.
- We do not collect biometric data.
- We do not collect data from or about children under 16.
- We do not use facial recognition.
4. Why we collect it (purposes + legal bases)
Under the GDPR, we must have a “lawful basis” for every use of your data. Here is what we use your data for and the lawful basis under Article 6 of the GDPR:
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service (accounts, analyses, drafts) | Account, prospect, usage data | Performance of a contract (Art. 6(1)(b)) |
| Bill you for paid plans | Billing data, plan | Contract (Art. 6(1)(b)) |
| Security (brute-force, abuse detection) | IP, user-agent, login attempts | Legitimate interests (Art. 6(1)(f)) |
| Billing gate integrity monitoring | Plan, usage, model audit | Legitimate interests (Art. 6(1)(f)) |
| Product analytics (PostHog) | Feature clicks, funnel events | Consent via onboarding / Legitimate interest (Art. 6(1)(a)/(f)) |
| Error monitoring (Sentry) | Exception traces, technical metadata | Legitimate interests (Art. 6(1)(f)) |
| Transactional email (invites, receipts) | Email, name | Contract (Art. 6(1)(b)) |
| Marketing email (only if you opt in) | Email, name | Consent (Art. 6(1)(a)) |
| Legal/tax compliance | Billing records | Legal obligation (Art. 6(1)(c)) |
[REVIEW] If you start tracking conversion pixels or adtech, you will need to add consent-based legal bases here and surface a cookie banner in the EU.
5. How long we keep it
- Account data: for as long as your account is active, plus 30 days after deletion to complete any pending billing.
- Prospect content (analyses, drafts): for as long as you keep them in your workspace. Deleting them is immediate and permanent (after a 30-day database backup retention window).
- Brand voice settings: for as long as your account is active.
- Usage metrics: aggregated indefinitely; tied to your account for 12 months.
- Billing records: 7 years to comply with US tax regulations.
- Security logs (IP, user-agent): 90 days.
- Analytics events (PostHog): 12 months.
- Error traces (Sentry): 90 days.
When you delete your account (Section 9), we remove all data associated with your personal identity within 30 days, except billing records we are legally required to retain.
6. AI processing and automated decisions
Prsona uses third-party AI models from Anthropic (Claude) to analyze prospect content and generate email drafts. When you click Analyze:
- The page content you send is transmitted to Anthropic over TLS.
- Anthropic processes it per their Privacy Policy.
- Anthropic does not use content sent via their commercial API to train their models.
- We store the AI's output in our database under your workspace.
Prsona does notmake automated decisions that have legal or similarly significant effects on you (GDPR Article 22). The AI generates recommendations (a “score” and a draft email) that a human on your team decides whether to act on.
7. Who we share data with
We do not sell your data. We share data only with the sub-processors listed in Section 8, and only to the extent needed to run the Service.
We may disclose your data if required by law (subpoena, court order, etc.) — and will notify you unless legally prohibited.
8. Sub-processors
The following service providers process your data on our behalf. All have signed standard data-processing agreements with us or operate under their public DPAs.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | US-East |
| Anthropic | AI model for prospect analysis and draft generation | US |
| Upstash | Rate limiting + analysis caching (Redis) | US |
| Sentry | Error monitoring and alerting | US |
| PostHog | Product analytics | US |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing | US / global |
| Vercel | Website and dashboard hosting | US |
We will update this list when we add or remove sub-processors. Material changes are announced 30 days in advance by email.
9. Your rights
9.1 Everyone (US + EU)
- Access — ask us for a copy of the personal data we hold about you
- Correct — fix inaccurate data via your account settings or by emailing us
- Delete — remove your account and all associated data (see Section 9.3)
- Export — download your workspace contacts, drafts, and settings in CSV / JSON format
- Opt out of marketing — unsubscribe link in every marketing email
9.2 EU / UK residents (GDPR)
You also have the right to:
- Restriction of processing — ask us to pause certain uses of your data (GDPR Art. 18)
- Object — object to processing based on legitimate interests (Art. 21)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Withdraw consent — for any processing based on your consent (Art. 7(3))
- Lodge a complaint — with your local data protection authority. A list is available at EDPB members.
9.3 California residents (CCPA/CPRA)
In addition to the rights above, California residents may:
- Request the categories and specific pieces of personal information we have collected about you
- Request deletion of personal information (with some exceptions for legal retention)
- Opt out of any “sale” or “sharing” of personal information — we do neither, so there is nothing to opt out of today
- Not receive discriminatory treatment for exercising these rights
9.4 How to exercise your rights
Email info@prsona.iowith “Data Rights Request” in the subject line. We will verify your identity (usually by confirming the email associated with your account) and respond within 30 days — faster where required by law.
To delete your account directly, go to Settings → Delete Account in the dashboard. [REVIEW] Delete-account flow is on the roadmap; see Section 14.
10. International data transfers
Prsona is operated from the United States. If you are in the EU, UK, Switzerland, or another country with data-transfer restrictions, your data will be transferred to the US and processed by our US-based sub-processors.
We rely on the European Commission's Standard Contractual Clauses (2021/914) for transfers of EU personal data to our US sub-processors. Where applicable, we also rely on the UK International Data Transfer Addendum and the Swiss-US Data Privacy Framework. [REVIEW] If you sign an enterprise customer with specific DTIA requirements, review with counsel.
11. Security
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256, provided by Supabase).
- Passwords are hashed with bcrypt; we never store plaintext.
- Database-level Row-Level Security isolates every organization's data; no cross-tenant access is possible.
- Billing state and subscription changes are locked to our Stripe webhook pathway; no user-facing action can elevate a plan without payment.
- We run automated integrity checks every 15 minutes against our billing and access controls, with alerts paging us immediately on any deviation.
- Account sessions use HttpOnly, Secure, SameSite cookies.
[REVIEW] Remove any specific measure that becomes inaccurate (e.g., if we change Supabase for another provider). Over-promising here is a reputational risk.
12. Cookies and tracking
Prsona uses a small number of cookies, all strictly necessary or for first-party analytics:
- Authentication cookies (HttpOnly) — keep you signed in
- CSRF protection cookies — security
- PostHog analytics cookie — anonymous product usage measurement. You may disable this in your browser; the Service still works fully.
We do not use third-party advertising cookies or retargeting pixels.
13. Changes to this policy
We may update this policy as our Service evolves. Material changes will be announced by email to active users at least 14 days before the new version takes effect. Minor clarifications take effect on publication. The “Last updated” date at the top of this page always reflects the current version.
14. Contact
Questions, complaints, or data-rights requests:
Email: info@prsona.io
Subject line:“Privacy” or “Data Rights Request”
Postal address:
Open Venture Group, LLC
c/o United States Corporation Agents, Inc. (Registered Agent)
131 Continental Drive, Suite 305
Newark, DE 19713
United States
Note: the postal address above is our registered agent for service of process. For faster responses to privacy or data-rights requests, please email us first at info@prsona.io.