Client Data Policy
What this policy covers
Prosable Outcomes is an AI-enabled business process operations firm that designs, builds, and operates intelligent workflows on behalf of enterprise clients. This policy describes how we handle the operating data, workflow data, and client information that flows through those processes.
This policy covers data handled during service delivery — not data collected from website visitors (see our Privacy Policy) or the technical controls we apply to protect it (see our Security Policy).
Engagement-specific terms, including any sector-specific compliance requirements, are defined in the applicable service agreement and Data Processing Agreement. In the event of any conflict between this policy and a signed service agreement or DPA, the contract terms control.
Data ownership
Client data belongs to the client. Prosable Outcomes does not claim ownership of any data provided to us, generated during service delivery, or produced as output by AI models processing client data. This includes raw inputs, derived data, decisions, classifications, and any other outputs. All ownership and intellectual property rights in client data and outputs remain with the client. Prosable Outcomes’ own intellectual property — including system prompts, workflow templates, methodologies, and proprietary tools — remains the property of Prosable Outcomes, whether developed before or during an engagement.
Nothing in this policy restricts Prosable Outcomes’ right to use residual knowledge, including general skills, experience, operational patterns, and know-how developed while providing services, provided such use does not disclose client confidential information or incorporate client data.
Upon engagement termination, all client data is returned or securely deleted according to the terms of the service agreement.
Data use restrictions
We use client data solely to deliver the services defined in the service agreement. Beyond that scope:
Client data is never used to benefit another client. Each client’s data is logically and operationally segregated: logically isolated storage, access controls, and processing environments designed to prevent cross-client access to data.
Client data is never sold, licensed, or shared with third parties except as necessary to deliver the agreed-upon service (for example, passing data through an approved AI model or cloud platform). Sub-processors used in service delivery are disclosed in the service agreement and are contractually bound by written agreements imposing data protection obligations consistent with this policy.
Client data is not used for Prosable Outcomes’ own marketing, sales, or business development purposes.
AI model data handling
Our service delivery routes client data through AI models for analysis, classification, decision support, and workflow execution. Two distinctions matter:
Inference versus training. Normal service delivery uses inference — data passes through a pre-trained model to generate an output. The model does not use client data to update model weights or train future versions of the model. Where technically necessary for service delivery, transient processing or logging may occur within the AI platform environment, subject to the platform’s contractual commitments regarding customer data use. Training — where data is used to update model weights — is a fundamentally different activity and is never performed on client data without the client’s explicit written authorization.
Model output ownership. Outputs generated by AI models processing client data belong to the client, subject to Prosable Outcomes’ retained rights in its own intellectual property (such as system prompts, workflow templates, and methodologies) that may be incorporated into deliverables. Prosable Outcomes does not claim rights to model outputs and does not use them beyond the scope of the engagement.
We select AI platforms (such as OpenAI, Anthropic, and others) based in part on their contractual commitments not to train on customer data. If a vendor modifies its terms in a way that would permit training on client data, we will either secure continued protections or cease using that vendor for the affected engagement. Prosable Outcomes configures AI platform settings, where available, to disable vendor training on customer data. Specific platforms and their data handling terms are documented in the service agreement.
AI-generated outputs may require human review or validation depending on the workflow design and client requirements. Engagement-specific controls governing automation levels, review thresholds, and decision authority are defined in the service agreement.
Operational metrics
Prosable Outcomes uses aggregated, de-identified operational metrics to improve service quality over time (for example, average processing times, exception rates, and model confidence distributions). These metrics are stripped of client-identifying information and cannot be traced back to any individual client. Aggregated metrics do not contain raw client data, customer records, or proprietary information from any individual client engagement.
Aggregated metrics are distinct from client data. They do not include raw inputs, outputs, or any information that could identify a specific client or their customers. If a client objects to the inclusion of their engagement data in aggregated metrics, this can be addressed in the service agreement.
Data retention and deletion
Client data is retained only for the duration of the engagement and any post-engagement period specified in the service agreement. Upon termination, Prosable Outcomes notifies the client, provides an opportunity to export data, and then securely deletes all client data — including from active systems and backup systems according to normal backup lifecycle schedules — in accordance with the terms of the service agreement and Data Processing Agreement. Deletion is performed and, where supported by the relevant platforms and services, verified and documented. Confirmation is provided to the client upon request.
If a legal obligation requires retention beyond the engagement period, we will notify the client of the requirement and its duration.
Regulatory alignment
Prosable Outcomes is designed to operate within applicable data protection frameworks. When processing personal data subject to GDPR, we act as a data processor under the client’s instructions. When processing personal information subject to CCPA, we act as a service provider. Engagement-specific compliance obligations, including any sector requirements such as HIPAA, SOX, or FERPA, are defined in the service agreement and supported by appropriate addenda.
We monitor emerging AI governance and data protection regulations and incorporate applicable requirements into our engagement terms and operating practices as they take effect. Our data handling practices are informed by widely recognized security frameworks such as ISO 27001 and SOC 2.
Changes to this policy
We may update this policy as our practices, services, or legal obligations evolve. Material changes will be communicated to clients with at least 30 days’ notice. The “Last updated” date above reflects the most recent revision.
Contact
- Privacy questions or data rights requests: legal@prosable.com
- Response time: We will respond to verified privacy rights requests within the time required by applicable law. General inquiries are typically answered within 5 business days.
If we cannot resolve your concern, you have the right to lodge a complaint with your local regulatory authority — including the California Attorney General, the California Privacy Protection Agency, your state’s Attorney General, or (for EU residents) your local data protection authority
This policy describes general operational practices and is provided for informational purposes. It does not create contractual obligations or modify any agreement between Prosable Outcomes and its clients.
