Start trial

Privacy Policy

Version 2.0 Last updated
On this page

This policy explains how Pro-cess Business Solutions Ltd collects, uses, shares and protects personal data, and your rights under UK data protection law. We provide cloud-based business management software for trades and service businesses across the United Kingdom.

1. Who we are #

Pro-cess Business Solutions Ltd ("Pro-cess", "we", "us") is a company registered in England and Wales, company number 17111409, with its registered office at 15 Gattison Lane, Doncaster, DN11 0NG. We operate the Pro-cess platform at app.pro-cess.co.uk.

For any privacy question, or to exercise your rights, contact us at [email protected]. We are registered with the UK Information Commissioner's Office (ICO); our registration reference is available on request.

2. Who this policy covers #

Pro-cess serves several groups, and our role differs for each:

  • Business users (tenants) who subscribe to and use the platform. We are the controller of their account data.
  • End customers whose details a business stores in Pro-cess. The business is the controller; we process on their behalf.
  • Website visitors to our marketing site.
  • Contractors who use the Tender Portal.
  • Marketplace buyers whose orders flow through our eBay and Shopify tools on a seller's behalf.

3. The data we collect #

When you create a Pro-cess account

We collect your name, email address, password (stored securely using one-way hashing), business name, phone number and address. We also collect billing details when you subscribe to a paid plan, though card details are handled entirely by Stripe and never touch our servers.

When you sign in with Google or Microsoft

If you sign in using your Google or Microsoft account, we receive your name, email address and a unique identifier from that provider, used to create or link your Pro-cess account. We do not receive your password and do not access any other data from that account through sign-in.

When a business adds you as a customer

If a business using Pro-cess stores your details, they may record your name, email, phone number, address, postcode and notes about the service they provide you. That business is the controller for this information and we process it on their behalf.

When you book an appointment

Our online booking system collects your name, email, phone number and any details you provide about the service you need, and passes them directly to the business you are booking with.

When you connect Google Calendar

If a business user connects their Google Calendar, we access their calendar events to sync appointments between Pro-cess and Google Calendar. We read and write calendar event data including titles, times and descriptions, and read your existing events so we can show when you are already busy. The calendar content belongs to you; we sync it on your instruction as your processor. We do not access your emails, contacts, files or any other Google data. You can disconnect at any time from your settings, which immediately revokes our access.

When you connect Google Search Console

If you connect a Google Search Console account, we use read-only access to retrieve the search performance data for the websites (properties) you choose to connect. This includes the search queries people used to find your site, impressions, clicks, average position, and the pages and countries those results relate to. We use this only to show you search performance reporting inside Pro-cess. We request read-only access (webmasters.readonly) only: we cannot change, add or remove anything in your Search Console account. We do not access any other Google data through this connection. You can disconnect at any time from your settings, which immediately revokes our access.

When you use address lookup or maps

When you search for an address (for example, adding a customer or planning a route), the address or postcode you type is sent to Google Maps to provide autocomplete suggestions, calculate distances or display a map. We do not store these search queries beyond what is needed to complete the request.

When you use the Tender Portal as a contractor

We collect your company name, contact details, trade qualifications, insurance documents and certifications. This is shared with businesses whose tenders you bid on. Contractor accounts are not tied to a single business, so your profile may be visible to multiple businesses using the Tender Portal.

When you visit our website

We collect basic technical information through cookies, including session data and a security token to prevent cross-site request forgery. We do not use advertising cookies. On our marketing site, if you choose "Accept all", we use first-party analytics and Google Analytics to understand how visitors use the site; both are consent-gated and neither runs in the logged-in app. See our Cookie Policy for detail.

4. Special category (including health) data #

Some businesses that use Pro-cess (for example aesthetics or personal-care providers) may record special category data about their own customers, such as health information, as part of consultation or intake forms. Where this happens:

  • the business is the controller and decides what to collect and why; we process it on their instruction as their processor;
  • the business is responsible for having a valid Article 9 condition (such as explicit consent) for that data;
  • we apply additional safeguards to this data, including encryption of sensitive intake responses and restricted internal access.

Pro-cess itself does not use special category data for any purpose other than providing the platform to the business that collected it.

5. How we use your data and our legal basis #

We use personal data to provide and operate the platform, take payment, provide support, keep the service secure, meet legal obligations, and (with consent) send marketing about our own products. Under UK GDPR we rely on:

  • Contract - to provide the service you signed up for;
  • Legitimate interest - to secure the platform, prevent fraud, fix errors and improve the product;
  • Consent - for marketing and optional integrations such as Google Calendar, Google Search Console and Google or Microsoft sign-in;
  • Legal obligation - to keep financial records as required by HMRC.

We will never sell your personal data. Where we send you marketing, every message includes a way to opt out, and you can withdraw consent at any time.

6. Controllers and processors #

When a business uses Pro-cess to manage its customers, that business is the controller and Pro-cess is the processor: the business decides what data to collect and why, and we store and process it on their documented instructions under our Data Processing Agreement (see our Terms of Service).

For data we collect directly (account registrations, website visitors, contractors), Pro-cess is the controller.

7. Who we share data with #

We share data with the trusted providers below only as needed to deliver the service. We do not share data with advertisers, data brokers or any third party for their own marketing. The full, canonical list, with data category and hosting region, is on our Sub-processors page.

Third-party providers we share data with
Provider Purpose
Amazon Web ServicesApplication hosting, database, storage (London, eu-west-2)
Stripe, GoCardless, SumUpCard, Direct Debit and in-person payments (card and bank details handled by the provider, not stored by us)
Google, MicrosoftSign-in, Calendar sync, Maps, Search Console reporting
Twilio, Brevo, BeehiivSMS and voice, transactional email, newsletter delivery
Anthropic (primary), OpenAI (fallback)AI content suggestions from your brand-voice context and prompts. No end-customer personal data is sent, and this data is not used to train their models.
Xero, Intuit (QuickBooks)Accounting sync, when a tenant connects it
Google AnalyticsMarketing-site analytics only, consent-gated. Not used in the app.

Integrations such as Google, Xero, QuickBooks and the payment providers are only active when a business chooses to connect them, and data is shared only while the integration is enabled.

8. Google API Services #

Some Pro-cess features connect to your Google account through Google APIs. Depending on the features you choose to use, this may include:

  • Google sign-in - your name, email address and Google account identifier, used to create or sign you in to your Pro-cess account
  • Google Calendar (calendar.events, calendar.readonly) - reading and writing calendar events to keep your Pro-cess diary and your Google Calendar in sync, and reading your existing events so we can show when you are already busy
  • Google Search Console (webmasters.readonly) - read-only access to the search performance data for the properties you connect, used to show you search reporting inside Pro-cess

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • We only use Google user data to provide and improve the specific features you have connected and enabled
  • We do not transfer Google user data to others except as necessary to provide or improve those features, to comply with applicable law, or in connection with a merger or acquisition
  • We do not use Google user data for advertising, and we do not build advertising profiles from it
  • We do not sell Google user data
  • We do not use Google user data to train or improve artificial intelligence or machine learning models, and Google user data is never sent to our AI providers
  • We do not allow humans to read Google user data unless we have your consent for a specific action (for example, resolving a support request you have raised), it is necessary for security or to comply with the law, or the data has been aggregated and anonymised for internal operations

You can revoke Pro-cess's access to your Google data at any time by disconnecting the relevant integration in your Pro-cess settings, or from your Google Account permissions page. Disconnecting immediately stops all further access.

9. Where we store data and international transfers #

Our primary servers are in the United Kingdom (AWS, London region). Customer data is stored and processed in the UK, with encrypted backups held in the UK and the EU. Sensitive data such as API keys and integration tokens is encrypted at rest using AES-256.

Some of the providers we use are based outside the UK, mainly in the United States (for example, some AI and email providers). When your data goes there, we make sure it is protected to UK standards using the safeguards approved by UK law, and we check the risk of each transfer before we rely on it. The specific mechanisms we use are the UK "adequacy" regulations where they apply, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and the UK Extension to the EU-US Data Privacy Framework where the provider is certified.

10. How long we keep data #

  • Active accounts - we keep your data for as long as your account is active.
  • Closed accounts - we delete personal data within 90 days of closure, except where we must keep records for legal reasons.
  • Financial records - invoices and payment records are kept for 7 years to comply with HMRC requirements.
  • Customer data (stored by businesses) - kept until the business deletes it or requests a GDPR purge, which anonymises personal data while keeping financial records intact.
  • Google Calendar / Search Console data - removed from our platform when you disconnect the integration.
  • Backups - encrypted database backups are retained for up to 30 days and then automatically deleted.

11. Data security #

We protect your data with TLS in transit, bcrypt password hashing, encryption of sensitive tokens and intake data at rest, tenant isolation, restricted production access over SSH keys, rate limiting, security headers, and Cloudflare DDoS and web-application-firewall protection. For the full detail, see our Security overview.

12. Your rights #

Under UK GDPR you have the right to access, correct, delete, restrict or object to the processing of your data, to data portability, and to withdraw consent where processing is based on it. We will respond to any request within one month.

If you are a business user

You can access, update or delete your data through your Pro-cess account settings, and disconnect any integration at any time. For a full export or account deletion, email [email protected].

If you are an end customer

Because the business you deal with is the controller, contact them first; they can access, update or delete your data through their Pro-cess account. If you are not sure who the business is, the booking or message you received from them will show their name. If you cannot reach them, contact us at [email protected] and we will help.

13. Data breaches #

We maintain procedures to detect, investigate and respond to personal-data breaches. Where we are the controller and a breach is likely to result in a risk to your rights, we will notify the ICO within 72 hours where required, and tell affected individuals where the risk is high. Where we act as a processor for a business, we will notify that business without undue delay so they can meet their own obligations.

14. Children #

Pro-cess is not designed for anyone under 16 and we do not knowingly collect children's data. If you believe a child's data has been stored on our platform, contact us and we will delete it promptly.

15. Changes and complaints #

We may update this policy from time to time. If we make significant changes we will notify account holders by email; the "last updated" date above shows when it was last revised.

If you are unhappy with how we handle your data, please contact us first at [email protected]. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.