Privacy Policy

Last updated: 18 March 2026

Who we are

Pro-cess Business Solutions ("Pro-cess", "we", "us") operates the Pro-cess platform at app.pro-cess.co.uk. We provide cloud-based business management software for trades and service businesses across the United Kingdom.

If you have questions about this policy or how we handle your data, you can reach us at privacy@pro-cess.co.uk.

What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies to:

  • Business users - people who sign up for a Pro-cess account to manage their business
  • End customers - people whose details are stored by a business using Pro-cess (for example, if you book an appointment through one of our booking pages)
  • Website visitors - people browsing our marketing site or landing pages
  • Contractors - people who use our Tender Portal to bid on work

The data we collect

When you create a Pro-cess account

We collect your name, email address, password (stored securely using one-way hashing), business name, phone number, and address. We also collect billing details when you subscribe to a paid plan, though card details are handled entirely by Stripe and never touch our servers.

When a business adds you as a customer

If a business using Pro-cess stores your details, they may record your name, email, phone number, address, postcode, and notes related to the service they provide you. The business is the data controller for this information, and we process it on their behalf.

When you book an appointment

Our online booking system collects your name, email, phone number, and any details you provide about the service you need. This information is passed directly to the business you are booking with.

When you connect Google Calendar

If a business user connects their Google Calendar, we access their calendar events to sync appointments between Pro-cess and Google Calendar. We only read and write calendar event data (titles, times, descriptions). We do not access your emails, contacts, or any other Google data. You can disconnect Google Calendar at any time from your account settings, which immediately revokes our access.

When you use the Tender Portal as a contractor

We collect your company name, contact details, trade qualifications, insurance documents, and certifications. This information is shared with businesses who post tenders you bid on.

Automatically collected data

When you visit our site, we collect basic technical information through cookies. This includes your session data and a security token to prevent cross-site request forgery. We do not use tracking cookies or third-party analytics. See our Cookie Policy for full details.

How we use your data

We use personal data to:

  • Provide and maintain the Pro-cess platform
  • Process subscriptions and payments
  • Send appointment confirmations, invoices, and quotes on behalf of businesses
  • Send marketing emails, but only where you have given consent
  • Sync calendar data with Google Calendar where a user has connected their account
  • Respond to support requests
  • Prevent fraud and abuse

We will never sell your personal data to third parties.

Our legal basis for processing

Under UK GDPR, we process personal data on the following grounds:

  • Contract - to provide the service you have signed up for
  • Legitimate interest - to maintain security, prevent fraud, and improve the platform
  • Consent - for marketing communications and optional integrations like Google Calendar
  • Legal obligation - to keep financial records as required by HMRC

Data controllers and processors

When a business uses Pro-cess to manage their customers, that business is the data controller and Pro-cess is the data processor. This means the business decides what data to collect and why, and we store and process it on their behalf according to their instructions.

For data we collect directly (account registrations, website visitors, contractors), Pro-cess is the data controller.

Who we share data with

We share data with the following third parties, only as needed to provide the service:

  • Stripe - payment processing for subscriptions and invoices
  • Google - calendar synchronisation, only when a user connects their Google account
  • Email providers - to send transactional emails (confirmations, invoices, quotes)

We do not share data with advertisers, data brokers, or any other third parties for marketing purposes.

Where we store data

All data is stored on servers located in Germany (Hetzner data centre, Nuremberg), managed through Laravel Forge. Data may be transferred to the UK for backup purposes. All data transfers comply with UK GDPR requirements.

Sensitive data such as API keys and integration tokens are encrypted at rest using AES-256 encryption.

How long we keep data

  • Active accounts - we keep your data for as long as your account is active
  • Closed accounts - we delete personal data within 90 days of account closure, except where we need to keep financial records for legal reasons
  • Financial records - invoices and payment records are kept for 7 years to comply with HMRC requirements
  • Customer data (stored by businesses) - kept until the business deletes it or requests a GDPR purge, which anonymises all personal data while keeping financial records intact
  • Backups - database backups are kept for 7 days and then automatically deleted

Your rights

Under UK GDPR, you have the right to:

  • Access your data - request a copy of the personal data we hold about you
  • Correct your data - ask us to fix anything that is inaccurate or incomplete
  • Delete your data - ask us to erase your personal data (subject to legal retention requirements)
  • Restrict processing - ask us to limit how we use your data
  • Data portability - request your data in a common, machine-readable format
  • Object - object to processing based on legitimate interest
  • Withdraw consent - where processing is based on consent, you can withdraw it at any time

If you are a business user

You can access, update, or delete your data directly through your Pro-cess account settings. To request a full data export or account deletion, email privacy@pro-cess.co.uk.

If you are an end customer

Because the business you deal with is the data controller, your first step should be to contact them directly. They can access, update, or delete your data through their Pro-cess account. If you cannot reach the business or are not satisfied with their response, you can contact us at privacy@pro-cess.co.uk and we will help resolve the matter.

Data security

We take the security of your data seriously. Our measures include:

  • All connections are encrypted using TLS (HTTPS)
  • Passwords are hashed using bcrypt and never stored in plain text
  • Sensitive integration tokens are encrypted at rest
  • Access to production systems is restricted and protected by SSH key authentication
  • Daily database backups with 7-day retention
  • Rate limiting on authentication and public-facing endpoints
  • Security headers applied to all responses

Children

Pro-cess is not designed for use by anyone under 16. We do not knowingly collect data from children. If you believe a child's data has been stored on our platform, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify account holders by email. The "last updated" date at the top of this page shows when it was last revised.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO). You can find their contact details at ico.org.uk. We would appreciate the chance to address your concerns first, so please reach out to us at privacy@pro-cess.co.uk before contacting the ICO.