Privacy Policy

Last updated: 14 April 2026

Who we are

Pro-cess Business Solutions ("Pro-cess", "we", "us") operates the Pro-cess platform at app.pro-cess.co.uk. We provide cloud-based business management software for trades and service businesses across the United Kingdom.

If you have questions about this policy or how we handle your data, you can reach us at [email protected].

What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. It applies to:

  • Business users - people who sign up for a Pro-cess account to manage their business
  • End customers - people whose details are stored by a business using Pro-cess (for example, if you book an appointment through one of our booking pages)
  • Website visitors - people browsing our marketing site or landing pages
  • Contractors - people who use our Tender Portal to bid on work

The data we collect

When you create a Pro-cess account

We collect your name, email address, password (stored securely using one-way hashing), business name, phone number, and address. We also collect billing details when you subscribe to a paid plan, though card details are handled entirely by Stripe and never touch our servers.

When you sign in with Google

If you choose to sign in using your Google account, we receive your name, email address, and a unique identifier from Google. We use this to create or link your Pro-cess account. We do not receive your Google password, and we do not access any other data from your Google account through this process.

When a business adds you as a customer

If a business using Pro-cess stores your details, they may record your name, email, phone number, address, postcode, and notes related to the service they provide you. The business is the data controller for this information, and we process it on their behalf.

When you book an appointment

Our online booking system collects your name, email, phone number, and any details you provide about the service you need. This information is passed directly to the business you are booking with.

When you connect Google Calendar

If a business user connects their Google Calendar, we access their calendar events to sync appointments between Pro-cess and Google Calendar. We read and write calendar event data including titles, times, and descriptions. We do not access your emails, contacts, files, or any other Google data. You can disconnect Google Calendar at any time from your account settings, which immediately revokes our access.

When you use address lookup or maps

When you search for an address (for example, when adding a customer or planning a route), the address or postcode you type is sent to Google Maps to provide autocomplete suggestions, calculate distances, or display a map. We do not store these search queries beyond what is needed to complete the request.

When you use the Tender Portal as a contractor

We collect your company name, contact details, trade qualifications, insurance documents, and certifications. This information is shared with businesses who post tenders you bid on. Contractor accounts are not tied to a single business, so your profile may be visible to multiple businesses using the Tender Portal.

When you receive SMS messages or phone calls

If a business sends you an SMS or calls you through Pro-cess, your phone number is shared with our telephony provider (Twilio) to deliver the message or connect the call. Call recordings, where enabled by the business, are stored securely and accessible only to that business.

When you enable push notifications

If you opt in to browser push notifications, we store a device-specific token that allows us to send notifications to your browser. This token does not identify you personally, and you can revoke it at any time through your browser settings.

Automatically collected data

When you visit our site, we collect basic technical information through cookies. This includes your session data and a security token to prevent cross-site request forgery. We do not use tracking cookies or third-party analytics. See our Cookie Policy for full details.

How we use your data

We use personal data to:

  • Provide and maintain the Pro-cess platform
  • Process subscriptions and payments
  • Send appointment confirmations, invoices, and quotes on behalf of businesses
  • Send marketing emails, but only where you have given consent
  • Sync calendar data with Google Calendar where a user has connected their account
  • Provide address autocomplete, route planning, and distance calculations via Google Maps
  • Deliver SMS messages and phone calls through our telephony provider
  • Sync financial data with accounting software where a business has connected their account
  • Respond to support requests
  • Monitor errors and maintain platform reliability
  • Prevent fraud and abuse

We will never sell your personal data to third parties.

AI-assisted features

Some features, such as email marketing content suggestions, use artificial intelligence provided by OpenAI. When these features are used, the content of the request (for example, a brief or draft email text) is sent to OpenAI for processing. We do not send customer personal data to OpenAI unless it forms part of the content the user has chosen to include. OpenAI does not use data sent through our API for training their models. No automated decisions that affect individuals are made using AI.

Our legal basis for processing

Under UK GDPR, we process personal data on the following grounds:

  • Contract - to provide the service you have signed up for
  • Legitimate interest - to maintain security, prevent fraud, monitor errors, and improve the platform
  • Consent - for marketing communications and optional integrations such as Google Calendar and Google sign-in
  • Legal obligation - to keep financial records as required by HMRC

Data controllers and processors

When a business uses Pro-cess to manage their customers, that business is the data controller and Pro-cess is the data processor. This means the business decides what data to collect and why, and we store and process it on their behalf according to their instructions.

For data we collect directly (account registrations, website visitors, contractors), Pro-cess is the data controller.

Who we share data with

We share data with the following third-party providers, only as needed to deliver the service. We do not share data with advertisers, data brokers, or any other third parties for marketing purposes.

Provider | Purpose | Data shared
Stripe | Payment processing for platform subscriptions. Also powers Stripe Connect, which allows businesses to accept payments from their own customers through Pro-cess. | Billing name, email, payment card details (handled directly by Stripe, never stored on our servers)
Google | Calendar sync, social login, maps, address lookup, route planning, distance calculations | Calendar events (titles, times, descriptions), email and name (social login), addresses and postcodes (maps)
Brevo (formerly Sendinblue) | Transactional email delivery (confirmations, invoices, quotes) | Recipient email address, name, email content
Twilio | SMS messaging and voice calls | Phone numbers, message content, call recordings (where enabled)
OpenAI | AI-assisted email content generation | Email drafts and briefs provided by the user
Intuit (QuickBooks) | Accounting software sync (where connected by a business) | Invoice data, customer names, payment amounts
Microsoft | Email delivery for procurement communications | Recipient email address, email content
Sentry | Error monitoring and platform reliability | Technical error data (stack traces, request URLs). Personal data is not sent by default.
Cloudflare | Content delivery, DDoS protection, and DNS | All web traffic passes through Cloudflare's network as part of standard content delivery
DVLA | Vehicle registration lookups | Vehicle registration numbers

Some integrations (such as QuickBooks, Twilio, and Stripe Connect) are only active when a business chooses to connect them. Data is only shared with these providers while the integration is enabled.

Google API Services

Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google Calendar data to provide and improve the calendar sync feature you have opted into
  • We do not use Google data for advertising or to build advertising profiles
  • We do not sell Google data to third parties
  • We do not use Google data for purposes unrelated to the features you have enabled
  • Human access to Google data is limited to what is necessary for support, debugging, or legal compliance, and only with your consent or where required by law

You can revoke our access to your Google data at any time by disconnecting your Google account from your Pro-cess settings. Disconnecting immediately stops all data access.

Where we store data

Our primary servers are located in the United Kingdom (AWS, London region), managed through Laravel Forge. All customer data is stored and processed within the UK, with automated backups retained in the same region.

Sensitive data such as API keys and integration tokens are encrypted at rest using AES-256 encryption.

International data transfers

While our own servers are in the UK, some of the third-party providers listed above are based in the United States. When data is shared with these providers (for example, when sending an email through Brevo or processing a payment through Stripe), it may be transferred outside the UK.

These transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the UK Information Commissioner's Office, and the UK's adequacy assessment for international data transfers. Each provider maintains their own data protection and privacy commitments, which we review before integrating with them.

How long we keep data

  • Active accounts - we keep your data for as long as your account is active
  • Closed accounts - we delete personal data within 90 days of account closure, except where we need to keep financial records for legal reasons
  • Financial records - invoices and payment records are kept for 7 years to comply with HMRC requirements
  • Customer data (stored by businesses) - kept until the business deletes it or requests a GDPR purge, which anonymises all personal data while keeping financial records intact
  • Google Calendar data - synced events are removed from our platform when you disconnect Google Calendar. Events created within Pro-cess remain as platform appointments.
  • Backups - database backups are kept for 7 days and then automatically deleted

Your rights

Under UK GDPR, you have the right to:

  • Access your data - request a copy of the personal data we hold about you
  • Correct your data - ask us to fix anything that is inaccurate or incomplete
  • Delete your data - ask us to erase your personal data (subject to legal retention requirements)
  • Restrict processing - ask us to limit how we use your data
  • Data portability - request your data in a common, machine-readable format
  • Object - object to processing based on legitimate interest
  • Withdraw consent - where processing is based on consent, you can withdraw it at any time

If you are a business user

You can access, update, or delete your data directly through your Pro-cess account settings. You can disconnect any third-party integration (Google Calendar, QuickBooks, Stripe Connect) at any time, which immediately stops data sharing with that provider. To request a full data export or account deletion, email [email protected].

If you are an end customer

Because the business you deal with is the data controller, your first step should be to contact them directly. They can access, update, or delete your data through their Pro-cess account. If you cannot reach the business or are not satisfied with their response, you can contact us at [email protected] and we will help resolve the matter.

Data security

We take the security of your data seriously. Our measures include:

  • All connections are encrypted using TLS (HTTPS)
  • Passwords are hashed using bcrypt and never stored in plain text
  • Sensitive integration tokens are encrypted at rest
  • Access to production systems is restricted and protected by SSH key authentication
  • Daily database backups with 7-day retention
  • Rate limiting on authentication and public-facing endpoints
  • Security headers applied to all responses
  • All web traffic is protected by Cloudflare's DDoS mitigation and web application firewall

Children

Pro-cess is not designed for use by anyone under 16. We do not knowingly collect data from children. If you believe a child's data has been stored on our platform, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify account holders by email. The "last updated" date at the top of this page shows when it was last revised.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO). You can find their contact details at ico.org.uk. We would appreciate the chance to address your concerns first, so please reach out to us at [email protected] before contacting the ICO.