Privacy Policy

Draft · Pending counsel review This document was self-drafted using regulatory research covering the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Privacy and Other Legislation Amendment Act 2024, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). It does not constitute legal advice and should be reviewed by qualified counsel before reliance.

01About us and this policy

Prosper Logic Inc. is a brand, product design, and AI automation studio based in Australia. We help businesses build brands, design digital products, and implement AI-powered workflows.

This privacy policy describes how we collect, use, disclose, and protect your personal information when you visit our website, sign in to the client portal, buy or read our education library, enquire about our services, or engage us as a client.

Trading entity: Prosper Logic Inc. (trading as Prosper Logic)
ABN: [ABN, TO BE FILLED IN BEFORE PUBLICATION]
Privacy contact: privacy@prosperlogic.ai
Other legal matters: legal@prosperlogic.ai
Postal address: [REGISTERED ADDRESS, TO BE FILLED IN BEFORE PUBLICATION]

We are based in Australia and operate under Australian privacy law as an APP entity. Where we serve clients in the United States or other jurisdictions, we also comply with applicable local privacy requirements, including the California Consumer Privacy Act (as amended by the CPRA).

Legal basis: Australian Privacy Principle (APP) 1.4(a)–(b).

02What personal information we collect

We collect the following categories of personal information depending on how you interact with us.

Information you provide directly

Enquiry and contact form data. Your name, email address, phone number (if provided), company name, and the content of your message when you contact us through our website or email.
Account identity. When you create or sign in to an account, our identity provider Clerk receives the email address you use to authenticate, a name (if you provide one), a password (hashed by Clerk; we never see it in clear text), and any verification factor you set up such as a passkey or one-time code.
Third-party sign-in. If you choose to sign in with Google, Google will share standard OAuth profile fields with Clerk: a stable Google account identifier, your email address, your display name, and (if available) a profile picture. We do not receive your Google password, and we do not request access to your Gmail, Calendar, Drive, or any other Google service.
Client project information. When you engage us for services, we may collect business details (company name, ABN, billing address), project briefs, brand assets, design files, content, credentials for third-party tools or platforms, and any other materials you provide to us for the purpose of delivering our services.
Communication records. Emails, messages, meeting notes, and other correspondence between us during the course of a project or enquiry.

Information collected automatically

Course progress. When you read a course, we store the slug of the course, the chapter you are on, your scroll position within that chapter, and timestamps for when you started and completed each chapter, in our database operated by Convex. These records are tied to your Clerk account identifier.
Purchase records. When you buy access to a course, we store a record of which course you purchased, when, the source of the purchase, and the Clerk account it is attached to.
Authentication and security events. Clerk records sign-ins, sign-outs, multi-factor verifications, suspicious activity, and similar events for your account.
Request metadata. Like most websites, when your browser requests a page, our hosting provider and the third-party CDNs we use receive an IP address, a user-agent string, the referring page if any, and timestamps. We use this to route traffic and to detect abuse.
Cookies and similar technologies. Session identifiers, preferences, and a small set of strictly-necessary local storage values. See section 05.

Information from third parties

Referrals. If someone refers you to us, we may receive your name and contact details from them before you contact us directly.
Publicly available information. We may collect business information that is publicly available (for example, from your company website or LinkedIn profile) to prepare for a project or respond to your enquiry.

We do not knowingly collect biometric information, precise geolocation, government-issued identifiers, financial-account numbers, or sensitive personal information as defined under California law. If you provide such information unprompted, for example, by emailing it to us, we will delete it promptly.

Legal basis: APP 1.4(c); APP 3.1–3.2 (collection); APP 3.5 (unsolicited information).

03How we collect your information

We collect personal information:

Directly from you, when you submit a contact or enquiry form, send us an email, upload project files, sign a services agreement, create an account, or communicate with us during a project.
Automatically through our website, via cookies, server logs, and the standard request metadata your browser sends when you load a page.
From third parties, via referrals, publicly available sources, or third-party platforms you authorise us to access as part of delivering our services (for example, your CMS, analytics accounts, or design tools).

We will not collect personal information by unlawful or unfair means. If we receive unsolicited personal information that we did not request and could not reasonably have collected under the APPs, we will destroy or de-identify that information as soon as practicable, unless it is contained in a Commonwealth record.

Legal basis: APP 1.4(d); APP 3.5–3.6 (unsolicited information).

04Why we collect and use your information

We collect and use your personal information for the following purposes:

Purpose	Examples	Legal basis
Responding to enquiries	Replying to your contact form submission, providing a quote or proposal	APP 6.1, primary purpose
Delivering our services	Designing brands and products, building AI automations, managing client projects, accessing third-party tools on your behalf	APP 6.1, primary purpose
Operating the education library	Authenticating you, syncing course progress across devices, granting access to purchased courses	APP 6.1, primary purpose
Business administration	Invoicing, contract management, record-keeping, accounting	APP 6.1, primary purpose
Improving our website	Analysing aggregate traffic patterns, identifying popular content, fixing technical issues	APP 6.2(a), related secondary purpose
Marketing (with consent)	Sending you updates about our services, case studies, or industry insights, only if you have opted in	APP 6.2(b), with consent
Legal compliance	Responding to lawful requests, complying with tax and corporate obligations	APP 6.2(e), required or authorised by law

We do not use your personal information to train machine-learning or generative-AI models, and we do not allow our subprocessors to do so on our behalf. We will not use your personal information for a purpose other than the primary purpose of collection unless a permitted exception under APP 6 applies.

Legal basis: APP 1.4(e); APP 6.1–6.2.

05Cookies and tracking technologies

Our website uses cookies and similar local storage that are strictly necessary to operate the services. We do not use advertising cookies, retargeting pixels, or third-party trackers.

Essential cookies and storage

Clerk session cookies and storage (__client, __session, __clerk_*): set by Clerk to keep you signed in, remember a verification handshake during OAuth, and recover from interrupted sign-in flows. Without these you cannot remain signed in.
Theme preference (prosper-theme): a single value stored in localStorage to remember whether you chose dark or light mode. Not tied to your identity.
Cookie preference (prosper_cookie_consent_v1): a local preference record used to remember whether you accepted optional analytics or marketing storage if those categories are introduced later.
Auth-attempt hint (short-lived prosper-auth-* values): set briefly during a sign-in flow so that returning users land on the right page after an OAuth round-trip; cleared on a successful session or sign-out.

Analytics cookies

We do not currently run a third-party analytics tool. If we add one in future, we will list it in section 06 and update this policy with the category of data collected and an opt-out mechanism where required.

Marketing cookies and pixels

We do not currently use marketing or advertising cookies, retargeting pixels, or third-party trackers, no Meta Pixel, LinkedIn Insight Tag, or Google Ads remarketing.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Note that disabling Clerk session cookies will sign you out and prevent you from accessing the client portal or courses.

If you are located in a jurisdiction that requires prior consent for non-essential cookies (for example, the EU/UK under GDPR), we will present a cookie consent mechanism before setting non-essential cookies.

Legal basis: APP 1.4(c)–(d); CCPA §1798.140(o) (sale/sharing via tracking technologies).

We do not sell personal information for money or other valuable consideration, and we do not “share” personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA).

We rely on a small number of subprocessors and other recipients that receive personal information to provide a specific function for us:

Recipient	Purpose	What they receive
Clerk Inc. (US)	Identity, authentication, session management	Email, name, password hash, OAuth profile (if Google sign-in), IP and session metadata, multi-factor secrets
Convex Inc. (US)	Database for course progress and purchase records	Clerk account identifier, course progress, purchase records, server-side timestamps
Google LLC (US)	OAuth identity provider (only if you sign in with Google); Google Fonts asset delivery	Google handles your authentication; receives request metadata when your browser fetches webfonts from `fonts.googleapis.com`
Iconify	Icon asset delivery	Request metadata (IP, user-agent) when icons load
Tailwind Labs (cdn.tailwindcss.com)	Stylesheet delivery on marketing pages	Request metadata when the stylesheet loads
Unicorn Studio	Background canvas asset on marketing pages	Request metadata when the canvas script loads
Hosting provider	Static file delivery and request routing	Standard request logs (IP, user-agent, path)
Subcontractors	Specialist contractors assisting on client projects (e.g. freelance developers or designers)	Only what is necessary for their role; bound by confidentiality and data-handling obligations
Professional advisors	Legal, accounting, or tax advice	Only what is necessary for the advice; bound by professional confidentiality
Regulatory authorities	Where required by law	The minimum required by the request (ATO, ASIC, OAIC, law enforcement under valid legal process)

We also disclose information in connection with a merger, acquisition, or sale of assets. If a transfer of that kind happens, we will give account holders advance notice and a meaningful chance to delete their data first.

Legal basis: APP 1.4(f); APP 6.1; APP 8.

07International data transfers

We are based in Australia, but our authentication, identity, and database services are operated in the United States. If you are outside the US (including in Australia), your personal information will be transferred to, stored, and processed in the US, and in the other countries listed below:

Service	Country	Purpose
Clerk	United States	Identity and session management
Convex	United States	Database for course progress and purchases
Google (OAuth & Fonts)	United States	Optional sign-in and webfont delivery
Iconify, Tailwind, Unicorn Studio	Global CDNs	Static asset delivery (icons, stylesheets, canvas)
Hosting provider	United States and EU edge regions	Static file delivery and routing

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the Australian Privacy Principles, or is subject to a law or binding scheme substantially similar to the APPs (APP 8.2(a)). Where neither applies, we obtain your informed consent before the transfer.

The data-protection laws of the United States may differ from those of your country of residence. By using the services, you consent to this transfer to the extent your consent is required under your local law.

Legal basis: APP 1.4(g); APP 8.1–8.2.

08How we protect your information

We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification, and disclosure. Our measures include:

Encrypted connections (HTTPS/TLS) on our website and all client communications.
Hosting on managed cloud platforms (Clerk and Convex) that operate established security programs.
Hashed credentials at rest, we never see passwords in clear text.
Role-scoped access: only team members who need access to your data for their role can access it.
Secure credential management for any third-party tools or platforms we access on your behalf during a project.
Regular review of third-party service providers’ security practices.
Secure deletion of client project data after the retention period (see section 09).

No method of electronic transmission or storage is completely secure. While we take commercially reasonable precautions, we cannot guarantee absolute security. If we become aware of a security incident that affects your personal information, we will notify you and any required regulator in line with our legal obligations, including under California data-breach notification law and the Notifiable Data Breaches scheme under the Australian Privacy Act 1988 (Cth).

Legal basis: APP 11.1 (security); APP 11.2 (destruction/de-identification); Privacy Act 1988 Part IIIC.

09How long we keep your information

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

Data type	Retention period	Reason
Enquiry form submissions (non-clients)	12 months after last contact	Follow-up and business development
Account identity (Clerk)	For as long as your account is active	To authenticate you across devices
Course progress and purchases (Convex)	For the active account; deleted or anonymised within 30 days of account closure (subject to tax retention)	To resume reading and prove access to purchased courses
Client project files and correspondence	2 years after project completion	Warranty period, follow-up work, dispute resolution
Invoices and financial records	7 years	Australian tax law (Income Tax Assessment Act)
Hosting and CDN logs	Per provider defaults (typically < 90 days)	Security monitoring and abuse detection
Marketing subscriber data	Until you unsubscribe	Ongoing consent

When the retention period expires, we securely delete or de-identify the information. For client project files, we will notify you before deletion and offer the opportunity to retrieve your materials.

Legal basis: APP 11.2 (destruction/de-identification when no longer needed).

10Your rights, all users

Regardless of where you are located, you have the right to:

Access the personal information we hold about you.
Request correction of inaccurate, out-of-date, incomplete, or misleading information.
Request deletion of your personal information (subject to legal retention obligations).
Receive a portable copy of your account-tied records in a structured, machine-readable format.
Withdraw consent for any processing based on consent (for example, marketing emails) at any time.
Complain if you believe we have mishandled your information (see section 16).

To exercise any of these rights, email privacy@prosperlogic.ai from the address attached to your account, or include enough information to allow us to verify your identity. We will respond within 30 days of receiving your request, or sooner if applicable law requires.

We will not charge you for making a request or for providing access to your information, unless the request is manifestly unfounded, excessive, or repetitive.

11Your rights, Australia

If you are located in Australia, your rights are governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Access (APP 12). You can request access to the personal information we hold about you. We will provide access in the manner you request (if reasonable and practicable), or in another reasonable manner. We may refuse access in limited circumstances permitted by APP 12.3 (for example, if access would unreasonably impact another person’s privacy), and if we do, we will explain why.
Correction (APP 13). If you believe the personal information we hold about you is inaccurate, incomplete, out-of-date, or misleading, you can ask us to correct it. If we refuse, we will explain why and you may request that we associate a statement with the information noting your view that it is inaccurate.
Complaints. You may lodge a complaint with us (see section 16). If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC).

Pseudonymity (APP 2). You are not required to provide your real name when making a general enquiry through our website. However, if you engage us as a client or create an account in the client portal, we will need your real identity and business details to enter into a services agreement and comply with tax and accounting obligations.

Statutory tort (POLA Act 2024). The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, effective from mid-2025. This applies to all persons and organisations regardless of size and creates direct litigation rights for serious privacy breaches.

Legal basis: APPs 2, 12, 13; Privacy Act 1988 Part IIIC (Notifiable Data Breaches); POLA Act 2024.

12Your rights, United States

California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with additional rights:

Right to know what personal information we collect, use, disclose, and sell/share.
Right to delete your personal information (subject to exceptions).
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of your personal information. We do not sell personal information and we do not “share” it for cross-context behavioural advertising. If we use tracking technologies that constitute “sharing” under the CCPA in the future, you will be able to opt out via our cookie controls.
Right to non-discrimination for exercising your privacy rights.

CCPA category mapping:

CCPA category	What we collect	Sold?	Shared?
Identifiers (name, email, IP)	Contact form data, account identity, server logs	No	No
Commercial information	Course purchases, client project records, invoices	No	No
Internet/electronic activity	Course progress, request metadata, cookies	No	No
Professional/employment information	Company name, job title (if provided)	No	No
Geolocation (approximate)	City/region from IP address	No	No

To exercise your CCPA rights, email privacy@prosperlogic.ai. We will respond within 45 days. You may make a request through an authorised agent; we will verify their authority and your identity before responding.

Other US states

If you reside in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another US state with a comprehensive consumer privacy law, you may have similar rights to access, correct, delete, and opt out. Contact us at the email above to exercise any applicable rights.

Legal basis: CCPA §§1798.100–1798.199; CPRA; applicable state privacy laws.

13Children’s privacy

Our website and services are directed at adult businesses and professionals. We do not knowingly collect personal information from anyone under the age of 16. If you believe a person under 16 has provided personal information to us, contact privacy@prosperlogic.ai and we will delete it promptly.

14What we will never do

We will never sell your personal information to advertisers, data brokers, or any third party.
We will never use your project files or client data for marketing or case studies without your explicit written permission.
We will never use your identifiable data to train AI models. Where we use AI tools to deliver services, your data is processed only for your project and in accordance with the tool provider’s data processing terms. We select AI providers that do not use API inputs for training.
We will never share your information with third parties for their own marketing purposes.

15Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, or legal obligations. When we make material changes, for example, a new category of personal information, a new subprocessor, or a new purpose of use, we will:

Update the “Last updated” date at the top of this policy.
Where practicable, notify account holders and existing clients directly (for example, by email).
Where required by law, ask for fresh consent before the change takes effect.

We review this policy at least annually, even if no changes are made.

Legal basis: APP 1.3.

16Contact us and complaints

For any privacy question, request, or complaint:

Email: privacy@prosperlogic.ai
Other legal questions: legal@prosperlogic.ai
Post: [REGISTERED ADDRESS, TO BE FILLED IN BEFORE PUBLICATION]

We will acknowledge your enquiry within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response:

Australia. Lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992.
United States. Contact your state Attorney General’s office; California residents may also contact the California Privacy Protection Agency at cppa.ca.gov.

Legal basis: APP 1.4(h); CCPA §1798.130.

AAppendix: Legal framework summary

This policy is designed to comply with the following laws and frameworks:

Law / framework	Jurisdiction	Key requirements addressed
Privacy Act 1988 (Cth)	Australia	APPs 1–13: collection, use, disclosure, access, correction, security, cross-border transfer
Privacy and Other Legislation Amendment Act 2024	Australia	Statutory tort for serious invasions of privacy; three-tier penalty regime (up to $50M+)
Notifiable Data Breaches scheme (Part IIIC)	Australia	Obligation to notify OAIC and affected individuals of eligible data breaches
CCPA / CPRA	California, USA	Rights to know, delete, correct, opt-out; category-level disclosure of data practices
State privacy laws (CO, CT, VA, TX, OR, MT, UT, others)	Various US states	Consumer rights similar to CCPA

This document does not constitute legal advice. We have prepared it in good faith based on our reading of the applicable laws; you should seek your own advice for your own circumstances.