PRIVACY POLICY

Last updated May 4, 2026

This Privacy Notice for Prospect ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
  • Visit our website at https://myprospect.app or any website of ours that links to this Privacy Notice
  • Use Prospect. Prospect is a web-based college admissions planning tool that helps high school students build balanced school lists, estimate their chances of admission, and prepare application materials. The service collects student profile information including academic records (GPA, test scores, course history, AP scores), extracurricular activities, demographic information, and college preferences. This data is used to provide personalized school recommendations, admission probability estimates, essay brainstorming and feedback, mock interview practice, financial aid strategy guidance, and AI-powered counseling advice. The service uses artificial intelligence (Anthropic's Claude API) to generate personalized recommendations and feedback. Student profile data is transmitted to this third-party AI service for processing but is not stored by the AI provider beyond the duration of each request. The service integrates with Stripe for payment processing, Supabase for data storage, Google Analytics for usage analytics, and Sentry for error monitoring. Users may optionally sign in via Google OAuth.
  • Engage with us in other related ways, including any marketing or events
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at prospectapp.ai@gmail.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? When you choose to provide it, we may process information that qualifies as "sensitive personal information" under California law (CCPA) — specifically demographic information, family income range, and ZIP code — to support admissions and financial aid guidance. Learn more about how we handle sensitive information.

Are minors permitted to use our Services? Prospect is intended for high school students aged 13 and older. We do not knowingly collect personal information from children under 13. Learn more about children's privacy.

Do we collect any information from third parties? We receive limited profile information (your name, email address, and profile picture) from Google when you choose to sign in with Google. If you choose to connect your Google Drive, we additionally receive the content of Google Docs you have explicitly linked to Prospect through our app. We do not purchase or otherwise obtain personal information from data brokers.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties. Learn more about when and with whom we share your personal information.

How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by visiting https://myprospect.app/support, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
7. HOW DO WE HANDLE YOUR GOOGLE SIGN-IN?
8. HOW LONG DO WE KEEP YOUR INFORMATION?
9. HOW DO WE KEEP YOUR INFORMATION SAFE?
10. WHAT ARE YOUR PRIVACY RIGHTS?
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
16. CHILDREN'S PRIVACY

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:
  • name
  • email address
  • password (only if you sign up with email; not collected if you use Google sign-in)
  • contact preferences
  • academic information you provide: high school name, grade level, graduation year, GPA (overall, UC, and weighted), course history (course names, grades, AP/honors designation, term)
  • standardized test scores you provide: SAT (composite and section scores), ACT (composite and section scores), AP exam scores
  • extracurricular activities you describe: activity names, descriptions, time commitment (hours and years), leadership roles, awards or recognition
  • college planning preferences: target school list, intended majors, application round preferences (Early Decision, Early Action, Regular Decision)
  • essay content you create within Prospect: personal statement drafts, supplement essay drafts, brainstorms, revisions, UC Personal Insight Question responses, recommendation letter feedback drafts
  • AI-generated content based on your inputs: career match results, interest profile (RIASEC) results, personality assessment results, AI essay feedback, mock interview transcripts
  • demographic information you optionally provide: gender (collected only when you choose to provide it; not used to infer or profile)
  • sensitive demographic information you optionally provide (treated as sensitive personal information — see "Sensitive Information" below): race or ethnicity, first-generation college status
  • financial information you optionally provide (treated as sensitive — see "Sensitive Information" below): family income range
  • location information you optionally provide (treated as sensitive — see "Sensitive Information" below): state of residence, ZIP code
  • support communications: support requests you send us and our responses
Sensitive Information. When providing admissions and financial aid guidance, we may process information that qualifies as "sensitive personal information" under California's CCPA or "special categories of personal data" under the EU/UK GDPR. With your knowledge and only when you choose to provide it, this includes:
  • Racial or ethnic origin (only if you choose to provide demographic information)
  • Family financial information (the income range you provide for financial aid guidance)
  • Precise geolocation by ZIP code (used to localize summer program and college recommendations; we do not collect GPS coordinates)
  • Information about minors (our service is designed for high school students aged 13 and older — see "Children's Privacy" below)
You may decline to provide any sensitive information at any time, including by leaving the demographic and financial fields blank or by deleting them later in your profile. Doing so may limit certain features (such as financial aid suggestions or location-based recommendations) but will not prevent core use of the service. We do not sell or share sensitive personal information for cross-context behavioral advertising or any other purpose, and we do not infer characteristics about you from this information beyond the explicit scope of the feature you requested.

Payment Data. If you choose to make a purchase, payment is processed by Stripe. Stripe collects your card details directly through Stripe Elements; we never see, transmit, or store your card number, expiration date, or security code. We receive only a Stripe customer identifier and metadata about the transaction (plan, amount, status). You may find their privacy notice link(s) here: https://stripe.com/privacy.

Google Sign-In Data. We provide you with the option to register and sign in using your Google account. If you choose to do so, we will receive certain profile information from Google (your name, email address, and profile picture), as described in the section called "HOW DO WE HANDLE YOUR GOOGLE SIGN-IN?" below. We do not currently support sign-in with any other third-party identity provider.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Notice: https://myprospect.app/privacy#cookies.

The information we collect includes:
  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
  • Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
  • Location Data. We derive approximate location (country, region) from your IP address for security and routing purposes. We do not use GPS or other device-level geolocation services. The precise-geolocation information described in the "Sensitive Information" section above is the ZIP code that you optionally enter into your profile, not GPS-derived location.
  • Error and Diagnostic Data. Collected via Sentry: stack traces and browser information.

Google API Services and Limited Use

If you choose to connect your Google account to Prospect, we ask for your consent during sign-in to access specific Google services on your behalf via OAuth 2.0. We request only the following scopes:
  • Google Drive (drive.file): https://www.googleapis.com/auth/drive.file — Access only to specific Google Doc files that Prospect creates, or that you explicitly open through Prospect, inside an "ESSAYS" folder we create in your Drive. We do not list, read, or modify any other files in your Drive.
  • Google Docs (documents): https://www.googleapis.com/auth/documents — Read and write access to the body of Google Docs you have explicitly connected to Prospect through the drive.file scope above. We use this scope to (a) read essay text so our AI feedback can be anchored to specific passages, and (b) write essay content back to your Doc when you sync from Prospect.
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, with respect to data received from Google APIs:
  • We do not use Google user data to develop, improve, or train generalized AI or machine learning models
  • We do not transfer Google user data to any third-party AI tool to develop, improve, or train generalized AI/ML models
  • We do not sell, rent, or share Google user data with anyone
  • We do not use Google user data for advertising purposes, including personalized, retargeted, or interest-based advertising
  • We do not allow humans to read Google user data unless we have your affirmative consent for specific support purposes, the data is necessary to comply with applicable law, or the data is aggregated and used for internal operations such as security and abuse detection
We use Google API data solely to provide the user-facing features (essay sync to your Drive, AI feedback on essay text) that you have explicitly requested. While processing your essay text to generate AI feedback, we transmit the relevant text to our AI service provider (Anthropic) for the duration of the request only; the AI provider does not retain that text beyond the request, and the data is not used to train any AI model.
You may revoke Prospect's access to your Google account at any time at https://myaccount.google.com/permissions or by disconnecting Google in your Prospect account settings.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
  • To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
  • To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
  • To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
  • To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
  • To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:
  • Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent.
  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
  • Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
    • Analyze how our Services are used so we can improve them to engage and retain users
    • Diagnose problems and/or prevent fraudulent activities
    • Understand how our users use our products and services so we can improve user experience
  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:
  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
  • For investigations and fraud detection and prevention
  • For business transactions provided certain conditions are met
  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
  • For identifying injured, ill, or deceased persons and communicating with next of kin
  • If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse
  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
  • If the collection is solely for journalistic, artistic, or literary purposes
  • If the information is publicly available and is specified by the regulations

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.

The third parties we may share personal information with are as follows:
  • AI Platforms: Anthropic (we send essay text, profile data, and prompts to generate AI feedback. Under Anthropic's standard API terms, customer inputs are not used to train AI models. Inputs may be retained briefly — typically up to 30 days — for safety review and are then deleted.)
  • Database and Authentication Infrastructure: Supabase (stores your account, profile, and content)
  • Hosting and Edge Network: Netlify (serves the website, runs server-side functions, and operates the CDN that handles every page request — IP address, request metadata, and timing). Cloudflare may also be used as the edge layer in front of Supabase for some database requests.
  • Invoice and Billing: Stripe (processes payments. Stripe collects your card details directly through Stripe Elements; we never see or store your card number, expiration date, or security code.)
  • Transactional Email: Resend (sends sign-in links, payment receipts, and support replies)
  • Web Analytics: Google Analytics 4 (aggregated usage statistics; IP anonymization enabled)
  • Error Monitoring: Sentry (captures error stack traces with personal information scrubbed before transmission)
We also may need to share your personal information in the following situations:
  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We use cookies and similar technologies (like local storage) only to keep you signed in, save your preferences, prevent fraud, measure aggregate usage, and assist with basic site functions. We do not use cookies for cross-site tracking, behavioral advertising, retargeting, or interest-based advertising. We do not permit any third party to use tracking technologies on our Services for advertising purposes.

A complete inventory of cookies and storage we use is provided in the "Cookie and Local Storage Inventory" subsection below.

Google Analytics

We use Google Analytics 4 to track and analyze aggregate use of the Services. We have IP anonymization enabled. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page.

Cookie and Local Storage Inventory

We use the following cookies and similar technologies. We do not use cookies for cross-site tracking or third-party advertising.
  • sb-tydywkhzpjxkdimpcwtv-auth-token (essential, first-party) — Supabase authentication session token. Required to keep you signed in. Cleared on sign-out.
  • _ga, _ga_X1NLE5QHWG (analytics, third-party) — Google Analytics 4 measurement cookies. Used to distinguish unique users and sessions. Expires after 2 years.
  • __stripe_mid, __stripe_sid (payment, third-party) — Set by Stripe during checkout for fraud prevention. Required to process a payment.
  • Local storage (essential, first-party) — We store your active profile state (school list, draft essays, preferences) in your browser's local storage so the application loads quickly. When you are signed in, this data is also synced to our servers under your account.
You can clear cookies and local storage at any time through your browser settings. Doing so will sign you out and may affect performance, but will not delete your account or data on our servers — those persist until you request deletion.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, "AI Products"). These tools are designed to enhance your experience and provide you with innovative solutions. The terms in this Privacy Notice govern your use of the AI Products within our Services.

Use of AI Technologies

We provide the AI Products through third-party service providers ("AI Service Providers"), including Anthropic. As outlined in this Privacy Notice, your input, output, and personal information will be shared with and processed by these AI Service Providers to enable your use of our AI Products for purposes outlined in "WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?" You must not use the AI Products in any way that violates the terms or policies of any AI Service Provider.

How We Process Your Data Using AI

All personal information processed using our AI Products is handled in line with our Privacy Notice and our agreement with third parties. This ensures high security and safeguards your personal information throughout the process, giving you peace of mind about your data's safety.

How to Opt Out

About automated decision-making: Prospect's chancing engine produces probability estimates from a deterministic, rule-based model using publicly disclosed admissions data. It is informational only; it does not make any decision that produces legal or similarly significant effects on you, and it does not control your access to any opportunity. Colleges make their own admissions decisions and have no access to Prospect's data.

How to opt out of AI features: You may opt out of all AI-powered features at any time by simply not using them. The core profile, school list, and chancing engine work without AI. AI-powered features (essay feedback, mock interview, brainstorming, AI counselor, AI major strategy, etc.) are optional, separately initiated by you, and Pro-gated. Choosing not to use them does not prevent core use of the service.

7. HOW DO WE HANDLE YOUR GOOGLE SIGN-IN?

In Short: If you choose to register or log in using your Google account, we receive your name, email address, and profile picture from Google.

Our Services offer you the ability to register and log in using your Google account. If you choose to do this, we receive the following profile information from Google: your name, email address, and profile picture. We use this information only to create and manage your Prospect account.

Google sign-in for account creation is separate from connecting your Google Drive (which uses additional, narrowly-scoped permissions described in the "Google API Services and Limited Use" section above). You can use Prospect without connecting Google Drive.

We do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review the Google Privacy Policy to understand how Google collects, uses, and shares information.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information only as long as necessary to provide our Services or comply with legal obligations. Specific retention periods for each category are below.

We retain personal information according to the following schedule:
  • Account data (profile, school list, essays, AI-generated content): retained while your account is active. Deleted within 30 days of an account-deletion request.
  • Payment records (Stripe transaction history, invoices): retained for 7 years to comply with U.S. tax recordkeeping requirements.
  • Error and diagnostic logs (Sentry): rolling 30-day retention.
  • Analytics data (Google Analytics 4): user-level data retained for 14 months; anonymized aggregate statistics retained indefinitely.
  • Database backups (encrypted at rest): rolling 7-day retention. After deletion of your account data, residual copies in backups are purged within this window.
  • Support communications: retained for 2 years after resolution to assist with follow-up questions or recurring issues.
  • Authentication tokens and session records: retained until expiration or sign-out (typically 1 hour for access tokens, 30 days for refresh tokens).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If immediate deletion is not possible (for example, because the data is in encrypted backup archives), we will securely store it and isolate it from any further processing until deletion is possible within the rolling backup window.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information; (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information, Export, and Deletion

You have the following self-service options for managing your account data:
  • Review and update: Most personal information (academic profile, school list, demographic answers, essay drafts, preferences) can be reviewed and edited directly in your Prospect account at any time.
  • Export your data: To request a copy of the personal information we hold about you in a portable, machine-readable format, email prospectapp.ai@gmail.com with the subject line "Data Export Request." We will fulfill the request within 30 days. The export includes your profile, school list, activities, course history, test scores, essay content, AI feedback, and account metadata as JSON.
  • Delete your account: To delete your account and associated data, email prospectapp.ai@gmail.com with the subject line "Account Deletion Request." Deletion is processed within 30 days, including removal from active databases and Stripe customer cancellation; encrypted backup copies are purged within the rolling 7-day backup window after that.
Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. For further information, please see our Cookie Notice: https://myprospect.app/privacy#cookies.

If you have questions or comments about your privacy rights, you may email us at prospectapp.ai@gmail.com.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, or any other U.S. state with a comprehensive consumer privacy law, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

We have not sold any personal information, and we have not shared personal information for cross-context behavioral advertising, in the preceding twelve (12) months. We do not sell personal information, do not share personal information for cross-context behavioral advertising, and have no current plans to do so in the future. We do not engage in targeted advertising and do not use algorithmic systems to recommend addictive content to known minors. If our practices change, we will update this Privacy Notice and provide notice as required by applicable law.

Right to limit use of sensitive personal information. Under California's CCPA (Cal. Civ. Code § 1798.121), you have the right to limit our use and disclosure of your sensitive personal information. As described in the "Sensitive Information" section above, we use sensitive personal information solely to provide the specific service you requested (admissions guidance, financial aid suggestions, location-based recommendations) and we do not infer characteristics about you beyond the explicit scope of that feature. This use falls within the exceptions at § 1798.121(a)(1)–(2), so the right to limit does not impose additional obligations on us. If you wish to remove sensitive personal information from your account, you can do so directly in your profile or by contacting us at prospectapp.ai@gmail.com.

Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:
  • Right to know whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request the deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California's privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

How to Exercise Your Rights

To exercise these rights, you can contact us by visiting https://myprospect.app/support, by emailing us at prospectapp.ai@gmail.com, or by referring to the contact details at the bottom of this document.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at prospectapp.ai@gmail.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, please email us at prospectapp.ai@gmail.com.

Data Controller: Prospect LLC, a California limited liability company, is the data controller for personal information processed by Prospect. Prospect targets users in the United States; we have no European Union representative and we do not direct our Services to EU/UK users. EU/UK residents who voluntarily create an account can exercise the rights described above by contacting us at the email above.

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, see the "Account Information, Export, and Deletion" section above, visit https://myprospect.app/support, or email prospectapp.ai@gmail.com.

16. CHILDREN'S PRIVACY

In Short: Our Services are intended for users 13 and older. We do not knowingly collect personal information from children under 13.

Prospect is designed for high school students aged 13 and older planning their college applications. We require all users to confirm during signup that they are at least 13 years old. We do not knowingly collect, use, or share personal information from children under the age of 13, and the Services are not directed to children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA).

If we learn that we have collected personal information from a child under 13 without verified parental consent, we will delete that information promptly. If you believe a child under 13 has provided personal information to us, please contact us immediately at prospectapp.ai@gmail.com with the subject line "COPPA Concern" and we will investigate and delete the information within 7 days.

For users aged 13 to 17: By creating an account, you represent that your parent or legal guardian has reviewed our Terms of Service and this Privacy Notice and has agreed to your use of Prospect. During signup we offer the option to provide a parent or guardian email address; if provided, we will send a notification email so the parent or guardian can review our Privacy Notice and contact us with any concerns. We do not engage in targeted advertising, do not sell personal information, do not use algorithmic systems to recommend addictive content, and do not engage in automated decision-making that produces legal or similarly significant effects on minors. These commitments are intended to satisfy the heightened-protection requirements for known minors under laws including the California Age-Appropriate Design Code, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Florida Digital Bill of Rights, and the Texas SCOPE Act, where applicable.

Parents and guardians: If you are the parent or legal guardian of a Prospect user under 18 and you wish to review the information we have collected about your child, request corrections, or request deletion of their account, please email prospectapp.ai@gmail.com with the subject line "Parent/Guardian Request." Provide your child's account email and a brief description of your relationship; we may ask for additional verification before acting on the request. Where the student is 13 or older, we may notify the student before sharing their account information with you, consistent with applicable state minor-privacy laws.

FERPA notice: Prospect is a direct-to-consumer service. We are not an "educational agency or institution" and do not act as a "school official" under the Family Educational Rights and Privacy Act (FERPA). The academic information in your Prospect profile is provided directly by you (or imported with your consent) — it is not received from your school's education records system. Your school does not have access to your Prospect account or any data within it.