Privacy Policy

Last updated: 23 May 2026

Who we are

Pro-cess Business Solutions ("Pro-cess", "we", "us") operates the Pro-cess platform at app.pro-cess.co.uk. We provide cloud-based business management software for trades and service businesses across the United Kingdom.

We also operate two marketplace tools for e-commerce sellers:

  • Pro-cess for eBay at ebay.pro-cess.co.uk - an eBay seller management tool for managing listings, orders, returns, and marketplace operations
  • Pro-cess for Shopify at shopify.pro-cess.co.uk - a Shopify app that bridges Shopify stores with eBay marketplace listings, distributed via the Shopify App Store

This policy applies to all three surfaces. If you have questions about how we handle your data, you can reach us at [email protected].

What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies to:

  • Business users - people who sign up for a Pro-cess account to manage their business
  • End customers - people whose details are stored by a business using Pro-cess (for example, if you book an appointment through one of our booking pages, or if you buy from a merchant who uses Pro-cess for eBay or Pro-cess for Shopify)
  • Website visitors - people browsing our marketing site or landing pages
  • Contractors - people who use our Tender Portal to bid on work
  • Marketplace sellers - eBay sellers using Pro-cess for eBay and Shopify merchants who install Pro-cess for Shopify on their store

The data we collect

When you create a Pro-cess account

We collect your name, email address, password (stored securely using one-way hashing), business name, phone number, and address. We also collect billing details when you subscribe to a paid plan, though card details are handled entirely by Stripe and never touch our servers.

When you sign in with Google

If you choose to sign in using your Google account, we receive your name, email address, and a unique identifier from Google. We use this to create or link your Pro-cess account. We do not receive your Google password, and we do not access any other data from your Google account through this process.

When a business adds you as a customer

If a business using Pro-cess stores your details, they may record your name, email, phone number, address, postcode, and notes related to the service they provide you. The business is the data controller for this information, and we process it on their behalf.

When you book an appointment

Our online booking system collects your name, email, phone number, and any details you provide about the service you need. This information is passed directly to the business you are booking with.

When you connect Google Calendar

If a business user connects their Google Calendar, we access their calendar events to sync appointments between Pro-cess and Google Calendar. We read and write calendar event data including titles, times, and descriptions. We do not access your emails, contacts, files, or any other Google data. You can disconnect Google Calendar at any time from your account settings, which immediately revokes our access.

When you use address lookup or maps

When you search for an address (for example, when adding a customer or planning a route), the address or postcode you type is sent to Google Maps to provide autocomplete suggestions, calculate distances, or display a map. We do not store these search queries beyond what is needed to complete the request.

When you use the Tender Portal as a contractor

We collect your company name, contact details, trade qualifications, insurance documents, and certifications. This information is shared with businesses who post tenders you bid on. Contractor accounts are not tied to a single business, so your profile may be visible to multiple businesses using the Tender Portal.

When you connect an eBay seller account

If you use Pro-cess for eBay (at ebay.pro-cess.co.uk) and connect your eBay seller account, we access data about your eBay business so we can show it back to you, sync it with other systems you have connected, and help you manage day-to-day operations. The data we read from eBay includes:

  • Your eBay seller identity (username, store name, feedback score, seller level, registration date)
  • Your listings (titles, descriptions, prices, quantities, item specifics, photos, performance metrics)
  • Your orders and the buyers attached to them (buyer username and any shipping address, contact details, and notes supplied for fulfilment)
  • Returns, refunds, cancellations, and case data linked to your orders
  • Buyer messages sent to you through eBay
  • Marketing activity you run on eBay (Promoted Listings, watcher metrics, ad campaigns)
  • Your business policies (shipping, returns, payment), categories, and warehouse addresses

We store an encrypted OAuth access token that lets us make calls to eBay on your behalf. We never see or store your eBay password. You can disconnect your eBay account at any time from settings, which immediately revokes our access.

We also subscribe to eBay's Notification API so that events on your account (a sale, a listing revision, a return opened) are pushed to us in near real-time. The full content of each notification eBay sends us is archived for audit purposes, and PII inside those archived notifications is removed on demand via the rights-handling process described below.

When a Shopify merchant installs our Shopify app

If you install Pro-cess for Shopify on your Shopify store, we receive Shopify webhooks for events on your store and (with your permission via the standard Shopify OAuth scopes) make calls to Shopify's Admin API to read store data. The data we receive includes:

  • Your store identity (shop domain, store name, plan, currency, timezone, primary address)
  • Products, variants, inventory levels and SKUs across all your Shopify locations
  • Orders, line items, refunds, and fulfillments
  • Customer information attached to orders (name, email, phone, shipping address, billing address) so the same orders can be mirrored to your eBay listings without losing buyer details
  • Store locations and stock allocations

We store an encrypted Shopify offline access token so we can keep your data synchronised between Shopify and eBay. You can uninstall the app at any time from your Shopify admin, which triggers Shopify's mandatory uninstall webhook to us - we then mark the connection as removed and revoke all subsequent access.

In line with Shopify's app developer requirements, we also handle the three mandatory privacy webhooks that Shopify sends:

  • customers/data_request - when one of your customers (or you on their behalf) asks for a copy of their data, Shopify notifies us. Within Shopify's 30-day SLA we email you (the merchant) a complete JSON export of every webhook event and sync action in our archive that references that customer, so you can forward it to them.
  • customers/redact - when a customer's data is redacted in your Shopify store, Shopify notifies us. We then walk our archived webhook events and audit log entries and strip the customer's personally-identifying fields (name, email, phone, address, geographic coordinates, locale) and any exact value matches of their customer ID, email, or phone. We retain the underlying business event (the fact that an order happened) without the buyer's identity.
  • shop/redact - 48 hours after you uninstall our app, Shopify notifies us to wipe everything for your store. We delete the store record, every archived webhook event for that shop, and every audit log entry tied to it, all within a single database transaction.

When you receive SMS messages or phone calls

If a business sends you an SMS or calls you through Pro-cess, your phone number is shared with our telephony provider (Twilio) to deliver the message or connect the call. Call recordings, where enabled by the business, are stored securely and accessible only to that business.

When you enable push notifications

If you opt in to browser push notifications, we store a device-specific token that allows us to send notifications to your browser. This token does not identify you personally, and you can revoke it at any time through your browser settings.

Automatically collected data

When you visit our site, we collect basic technical information through cookies. This includes your session data and a security token to prevent cross-site request forgery. We do not use tracking cookies or third-party analytics. See our Cookie Policy for full details.

How we use your data

We use personal data to:

  • Provide and maintain the Pro-cess platform
  • Process subscriptions and payments
  • Send appointment confirmations, invoices, and quotes on behalf of businesses
  • Send marketing emails, but only where you have given consent
  • Sync calendar data with Google Calendar where a user has connected their account
  • Provide address autocomplete, route planning, and distance calculations via Google Maps
  • Deliver SMS messages and phone calls through our telephony provider
  • Sync financial data with accounting software where a business has connected their account
  • Respond to support requests
  • Monitor errors and maintain platform reliability
  • Prevent fraud and abuse

We will never sell your personal data to third parties.

AI-assisted features

Some features, such as email marketing content suggestions, use artificial intelligence provided by OpenAI. When these features are used, the content of the request (for example, a brief or draft email text) is sent to OpenAI for processing. We do not send customer personal data to OpenAI unless it forms part of the content the user has chosen to include. OpenAI does not use data sent through our API for training their models. No automated decisions that affect individuals are made using AI.

Our legal basis for processing

Under UK GDPR, we process personal data on the following grounds:

  • Contract - to provide the service you have signed up for
  • Legitimate interest - to maintain security, prevent fraud, monitor errors, and improve the platform
  • Consent - for marketing communications and optional integrations such as Google Calendar and Google sign-in
  • Legal obligation - to keep financial records as required by HMRC

Data controllers and processors

When a business uses Pro-cess to manage their customers, that business is the data controller and Pro-cess is the data processor. This means the business decides what data to collect and why, and we store and process it on their behalf according to their instructions.

For data we collect directly (account registrations, website visitors, contractors), Pro-cess is the data controller.

Who we share data with

We share data with the following third-party providers, only as needed to deliver the service. We do not share data with advertisers, data brokers, or any other third parties for marketing purposes.

Provider Purpose Data shared
Stripe Payment processing for platform subscriptions. Also powers Stripe Connect, which allows businesses to accept payments from their own customers through Pro-cess. Billing name, email, payment card details (handled directly by Stripe, never stored on our servers)
Google Calendar sync, social login, maps, address lookup, route planning, distance calculations Calendar events (titles, times, descriptions), email and name (social login), addresses and postcodes (maps)
Brevo (formerly Sendinblue) Transactional email delivery (confirmations, invoices, quotes) Recipient email address, name, email content
Twilio SMS messaging and voice calls Phone numbers, message content, call recordings (where enabled)
OpenAI AI-assisted email content generation Email drafts and briefs provided by the user
Intuit (QuickBooks) Accounting software sync (where connected by a business) Invoice data, customer names, payment amounts
Microsoft Email delivery for procurement communications Recipient email address, email content
Sentry Error monitoring and platform reliability Technical error data (stack traces, request URLs). Personal data is not sent by default.
Cloudflare Content delivery, DDoS protection, and DNS All web traffic passes through Cloudflare's network as part of standard content delivery
eBay Marketplace operations for Pro-cess for eBay users: reading listings, orders and buyer details from your eBay account; writing listing revisions, fulfilment updates and notification subscriptions on your behalf Encrypted OAuth tokens we hold for you. Outbound calls to eBay may include your seller account ID, listing identifiers, order identifiers, and (for fulfilment) tracking numbers and buyer postage addresses
Shopify Marketplace operations for Pro-cess for Shopify users: reading product, inventory, order and customer data from your store; writing inventory adjustments and order fulfilment updates back when your eBay listing sells Encrypted offline access tokens we hold for you. Outbound calls to Shopify may include product IDs, inventory item IDs, location IDs, and (for fulfilment writes) tracking numbers
Telegram Operational alerting to Pro-cess staff (not customers) when our sync infrastructure fails so we can respond quickly Technical metadata only: event topic name, shop or seller domain, attempt counts, sanitised error messages. We do not send customer personal data through Telegram.
DVLA Vehicle registration lookups Vehicle registration numbers

Some integrations (such as QuickBooks, Twilio, and Stripe Connect) are only active when a business chooses to connect them. Data is only shared with these providers while the integration is enabled.

Google API Services

Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google Calendar data to provide and improve the calendar sync feature you have opted into
  • We do not use Google data for advertising or to build advertising profiles
  • We do not sell Google data to third parties
  • We do not use Google data for purposes unrelated to the features you have enabled
  • Human access to Google data is limited to what is necessary for support, debugging, or legal compliance, and only with your consent or where required by law

You can revoke our access to your Google data at any time by disconnecting your Google account from your Pro-cess settings. Disconnecting immediately stops all data access.

Where we store data

Our primary servers are located in the United Kingdom (AWS, London region), managed through Laravel Forge. All customer data is stored and processed within the UK, with automated backups retained in the same region.

Sensitive data such as API keys and integration tokens are encrypted at rest using AES-256 encryption.

International data transfers

While our own servers are in the UK, some of the third-party providers listed above are based in the United States. When data is shared with these providers (for example, when sending an email through Brevo or processing a payment through Stripe), it may be transferred outside the UK.

These transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the UK Information Commissioner's Office, and the UK's adequacy assessment for international data transfers. Each provider maintains their own data protection and privacy commitments, which we review before integrating with them.

How long we keep data

  • Active accounts - we keep your data for as long as your account is active
  • Closed accounts - we delete personal data within 90 days of account closure, except where we need to keep financial records for legal reasons
  • Financial records - invoices and payment records are kept for 7 years to comply with HMRC requirements
  • Customer data (stored by businesses) - kept until the business deletes it or requests a GDPR purge, which anonymises all personal data while keeping financial records intact
  • Google Calendar data - synced events are removed from our platform when you disconnect Google Calendar. Events created within Pro-cess remain as platform appointments.
  • eBay account data - retained while your eBay account is connected. When you disconnect it, we retain archived eBay notifications for 90 days for audit purposes before deletion; you can request immediate deletion via [email protected].
  • Shopify store data - archived webhook events and audit log entries are retained while the app is installed. Shopify's shop/redact webhook (sent 48 hours after uninstall) triggers immediate, complete deletion of all store data within a single database transaction. Individual customer redactions via Shopify's customers/redact webhook strip personal data from existing archived events on demand.
  • Backups - database backups are kept for 7 days and then automatically deleted

Your rights

Under UK GDPR, you have the right to:

  • Access your data - request a copy of the personal data we hold about you
  • Correct your data - ask us to fix anything that is inaccurate or incomplete
  • Delete your data - ask us to erase your personal data (subject to legal retention requirements)
  • Restrict processing - ask us to limit how we use your data
  • Data portability - request your data in a common, machine-readable format
  • Object - object to processing based on legitimate interest
  • Withdraw consent - where processing is based on consent, you can withdraw it at any time

If you are a business user

You can access, update, or delete your data directly through your Pro-cess account settings. You can disconnect any third-party integration (Google Calendar, QuickBooks, Stripe Connect) at any time, which immediately stops data sharing with that provider. To request a full data export or account deletion, email [email protected].

If you are an end customer

Because the business you deal with is the data controller, your first step should be to contact them directly. They can access, update, or delete your data through their Pro-cess account. If you cannot reach the business or are not satisfied with their response, you can contact us at [email protected] and we will help resolve the matter.

Data security

We take the security of your data seriously. Our measures include:

  • All connections are encrypted using TLS (HTTPS)
  • Passwords are hashed using bcrypt and never stored in plain text
  • Sensitive integration tokens are encrypted at rest
  • Access to production systems is restricted and protected by SSH key authentication
  • Daily database backups with 7-day retention
  • Rate limiting on authentication and public-facing endpoints
  • Security headers applied to all responses
  • All web traffic is protected by Cloudflare's DDoS mitigation and web application firewall

Children

Pro-cess is not designed for use by anyone under 16. We do not knowingly collect data from children. If you believe a child's data has been stored on our platform, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify account holders by email. The "last updated" date at the top of this page shows when it was last revised.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO). You can find their contact details at ico.org.uk. We would appreciate the chance to address your concerns first, so please reach out to us at [email protected] before contacting the ICO.