Privacy Policy

Updated: 20 March 2026

Why And You Prosper Oy (Business ID 3505416-4) (“Prospr”, “we”) operates the Prospr platform at prosprapp.com. We are committed to processing personal data lawfully, transparently, and securely in accordance with the EU General Data Protection Regulation (GDPR, 2016/679) and applicable national data protection legislation.

This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you use our website, platform, and services.

1. Data Controller

Why And You Prosper Oy
Business ID: 3505416-4
Asemakatu 4, 76100 Pieksämäki, Finland
Email: hello@prosprapp.com

Why And You Prosper Oy is the data controller for all processing of personal data described in this policy, unless otherwise stated. If you have any questions about the processing of your personal data, please contact us at the email address above.

2. Definition of Personal Data

Personal data means any information relating to an identified or identifiable natural person. Such data includes, for example, name, email address, IP address, payment details, identifiers, and online behaviour.

3. Personal Data Collected

We collect different categories of personal data depending on how you use Prospr.

3.1 Website Use

We automatically collect technical data to ensure the functioning and security of the website:

IP address
Date and time of visit
Pages visited
Browser type and version
Operating system
Language and approximate location
Referring website

Legal basis for processing: Legitimate interest (website security, functionality, and visitor statistics — GDPR Article 6(1)(f)).

3.2 Account Creation and Platform Use

When brands, influencers, or affiliates register and use the platform, we may collect the following data:

Name
Email address
Phone number
Company or brand name
Social media profiles
Billing and payment details
IP address and device information

If you link your social media accounts to your profile, we load data about you and your posts from those accounts: for example, your follower count, number of posts, view counts, and your most recent posts. This data is used when presenting you to companies, matching you to suitable programmes, and in certain cases for calculating commissions. Data loaded from a social media account is deleted when you remove the link to your social media account, or when you delete your account from Prospr.

Legal basis for processing: Performance of a contract (GDPR Article 6(1)(b)) and legitimate interest (GDPR Article 6(1)(f)).

3.3 Contact Enquiries

When you contact us by email, chat, or via forms, we collect the following data:

Name
Email address
Phone number
Message content

Legal basis for processing: Legitimate interest (customer service and communications — GDPR Article 6(1)(f)).

Data is retained for a maximum of 24 months, unless legislation requires a longer retention period.

3.4 Job Applications

In the recruitment process, we process:

CV and cover letter
Contact details
Employment and educational history

Legal basis for processing: Legitimate interest (recruitment — GDPR Article 6(1)(f)).

Data is retained for 24 months, unless the applicant requests earlier deletion.

3.5 Newsletter Subscription

When subscribing to the newsletter, we collect:

Name
Email address

We send marketing communications and product updates. Legal basis for processing: Consent (GDPR Article 6(1)(a)). You may cancel your subscription at any time via the link in the newsletter.

3.6 Affiliate Link Tracking

3.6.1 When you click on an affiliate link enabled by the Prospr platform as a web user

When influencers promote companies through the Prospr platform, Prospr receives information about web users who have clicked on influencers’ links. In this context, Prospr may store the following data about the web user:

The user’s IP address, which is recorded in logs solely for technical troubleshooting and temporarily for rate-limiting excessive traffic. It is not linked to the user’s activity on the destination website or to link tracking.
A functional cookie for recognising a returning click by the same user: this enables the possible revocation of tracking consent given in the Prospr service in relation to that specific link, as well as ensuring the correct redirection of the link to the destination website. The cookie is not used for any purpose other than this; it is not used, for example, to track the user on the site they are directed to.

Prospr may also ask whether your visit to the destination website may be tracked by placing a cookie or similar technical identifier specifically linked to the link you clicked.

If you permit tracking of your visit, Prospr passes your consent to the destination website, which is responsible for compliance with your consent. Even in this case, Prospr does not store in its own system any data that would link your visit to your personal data.

Legal basis for processing: Consent (GDPR Article 6(1)(a)) and legitimate interest (GDPR Article 6(1)(f)).

3.6.2 When you are an influencer on the Prospr platform

When you share links created on the Prospr platform and web users click on them, we track the clicks on your shared links and the events transmitted to Prospr by the destination website or system in connection with those links, such as conversions and purchases. This data is used to calculate fees, prevent misuse, and provide transparent reporting. We do not associate personal data of web users with this data.

Legal basis for processing: Performance of a contract and legitimate interest (GDPR Article 6(1)(b) and (f)).

4. Purposes of Processing Personal Data

We use personal data for the following purposes:

Providing and maintaining the Prospr platform
Connecting brands with influencers and affiliates
Tracking campaign results and fees
Preventing fraud and misuse
Improving and developing our services
Communicating with users
Sending marketing communications (with consent)
Fulfilling statutory obligations

We do not use personal data for automated decision-making or profiling, with the sole exception that if you have registered on the Prospr platform as an influencer and have consented to Prospr creating a profile of you based on your linked channels, Prospr’s staff and automated systems may use this profile to recommend you for suitable programmes as quickly and accurately as possible. In this case, Prospr reads the data and content of your linked channels, including follower counts, content themes, and similar information that helps identify suitable programmes. Influencers may also always apply to programmes of their own choosing.

5. Data Retention Periods

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including legal, accounting, and contractual obligations. Typical retention periods:

Account data: for as long as your account is active
Support requests: up to 24 months
Marketing data: until you withdraw your consent
Billing and payment data: data required directly for invoicing for 6–9 months, with invoice-related data retained for the period required by legislation

6. Data Sharing and Processors

We do not sell personal data to third parties.

We may share data with trusted data processors who assist us in providing our services, such as:

Hosting and cloud service providers
Payment processors
Analytics and marketing platforms
Customer service tools
Email and CRM service providers

All processors are bound by data processing agreements in accordance with the GDPR. We do not permit processors to use data for purposes other than those agreed.

We may also disclose data to authorities where we have a statutory obligation to do so.

6.1. Third Parties and Personal Data Processing

Processor | Country | Purpose | Further information
Google Cloud EMEA Limited | Ireland | Cloud services and platform infrastructure | Subprocessors
UpCloud Oy | Finland | Data storage | Data processing agreement
Plus Five Five, Inc. (Resend) | United States | Email services | Subprocessors
Notion Labs, Inc. | United States | Internal workspace platform | Subprocessors
Sendinblue SAS (Brevo) | France | Newsletter and marketing automation | Data processing agreement

7. International Data Transfers

Data held by Prospr is stored in data centres located within the EU/EEA. Some of our service providers are located outside the EU/EEA, including in the United States, meaning data may be temporarily processed outside the EU/EEA. When data is transferred outside the EU/EEA, we use the following safeguards:

EU Standard Contractual Clauses (SCCs)
GDPR-approved safeguards

We ensure that all international data transfers take place with appropriate safeguards and in accordance with GDPR requirements.

8. Rights of the Data Subject

Under the GDPR, you have the following rights in relation to the processing of your personal data:

Right of access — you may request a copy of the data we hold about you
Right to rectification — you may request the correction of inaccurate or incomplete data
Right to erasure — you may request the deletion of your data where the basis for processing no longer applies
Right to restriction of processing — you may request the restriction of processing in certain circumstances
Right to object — you may object to processing based on legitimate interest
Right to withdraw consent — you may withdraw any consent you have given at any time
Right to data portability — you may request your data in a machine-readable format
Right not to be subject to automated decision-making — you have the right to request a human review

To exercise your rights:

If you are a Prospr platform user, you may delete your data by deleting your account directly through the Prospr platform or application.
In other cases, please contact us at hello@prosprapp.com

We aim to respond to requests within 30 days as required by the GDPR. You also have the right to lodge a complaint with the data protection authority:

Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki, Finland
tietosuoja@om.fi | www.tietosuoja.fi

9. Data Security

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or alteration. These measures include, among others:

Encryption of data in transit and at rest
Access controls and restriction of user privileges
Regular security assessments
Staff training on data protection matters

In the event of a data breach, we will notify the competent supervisory authority within 72 hours in accordance with GDPR Article 33, and where necessary, also notify the affected data subjects.

10. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. We will notify data subjects of any significant changes by email or via the platform before the changes take effect. The latest version is always available at prosprapp.com.