Privacy Policy
Last updated: 23 April 2026
Proplio ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our compliance tracking platform ("the Service"). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Proplio is the data controller for the personal data processed through the Service. If you have any questions about this policy, please contact us at support@proplio.co.
2. What Data We Collect
Account Information
- Name and email address (provided at registration)
- Agency/organisation name
- Hashed password (we never store plain-text passwords)
Property and Compliance Data
- Property addresses and details
- Tenant names, email addresses, and phone numbers
- Compliance certificate details (types, references, dates, uploaded files)
Billing Data
- Payment and subscription information is processed by Stripe. We store your Stripe customer ID and subscription status but do not store card details.
Usage Data
- IP addresses, browser type, and device information (collected automatically for security and analytics)
- Product analytics events via PostHog (pages viewed, actions taken) — only if you accept analytics cookies
- Error reports via Sentry for service reliability
Advertising Data
- If you arrived via a Google Ads campaign and accept advertising cookies, Google sets cookies to attribute your visit to the ad
- When you register, we send a hashed version of your email address (and, where provided, first and last name) to Google Ads so it can match your sign-up back to the ad you clicked. This is called Google "Enhanced Conversions" — we never send plain-text identifiers
3. How We Use Your Data
We process your personal data for the following purposes:
- Providing the Service: Managing your account, tracking compliance records, sending deadline reminders (legal basis: contract performance)
- Email communications: Sending compliance reminders and service notifications via Resend (legal basis: contract performance)
- Billing: Processing subscription payments via Stripe (legal basis: contract performance)
- Security: Protecting against unauthorised access and abuse (legal basis: legitimate interest)
- Service improvement: Monitoring errors and performance (legal basis: legitimate interest)
4. Third-Party Services
We share data with the following third-party processors, all of whom have appropriate data processing agreements in place:
| Provider | Purpose | Data Shared |
|---|---|---|
| Vercel | Hosting and infrastructure | Application data, request logs |
| Neon | Database hosting | All application data |
| Stripe | Payment processing | Email, subscription details |
| Resend | Email delivery | Email addresses, notification content |
| Sentry | Error monitoring | Error logs, request metadata |
| PostHog | Product analytics (EU-hosted) | Usage events, device info (only with consent) |
| Google Ads | Advertising conversion measurement | Hashed email and name at sign-up (only with consent) |
| Vercel Blob | Certificate file storage | Uploaded compliance certificates (private access only) |
| Trustpilot | Review widget | No personal data shared; widget loaded on public pages |
5. Sub-Processors
Under GDPR Article 28, we maintain a list of sub-processors who process personal data on our behalf. We ensure each sub-processor has appropriate data processing agreements in place.
| Sub-Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Vercel Inc. | USA | Application hosting and serverless infrastructure | SCCs, SOC 2 Type II |
| Neon Inc. | USA (EU storage) | PostgreSQL database hosting | SCCs, SOC 2 Type II, data stored in EU |
| Stripe Inc. | USA | Payment processing and subscription billing | SCCs, PCI DSS Level 1 |
| Resend Inc. | USA | Transactional email delivery | SCCs |
| Functional Software (Sentry) | USA | Error monitoring and performance tracking | SCCs, SOC 2 Type II |
| PostHog Inc. | EU | Product analytics (consent-based) | EU-hosted, GDPR compliant |
| Google LLC | USA | Advertising conversion measurement (consent-based) | SCCs, adequacy decision |
| Trustpilot A/S | Denmark (EU) | Customer review widget on public pages | EU-based, GDPR compliant |
We will update this list if we add or change sub-processors. If you have questions about any sub-processor, contact us at support@proplio.co.
6. Data Retention
- We retain your data for as long as your account is active
- If you cancel and close your account, we delete your data within 30 days
- Exception: data we are required by law to retain longer (e.g. financial records for HMRC)
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Passwords hashed with bcrypt
- Rate limiting on authentication endpoints
- Security headers (CSP, HSTS, etc.)
- Regular security updates and dependency monitoring
8. Your Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Request your data in a machine-readable format (CSV export is available in the Service)
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interest
To exercise any of these rights, contact us at support@proplio.co. We will respond within 30 days.
9. Cookies
We use three categories of cookies:
- Essential cookies — required for the Service to work (session cookie to keep you logged in, CSRF protection). These are always on.
- Analytics cookies — PostHog, to understand how the Service is used. Only set if you accept in the cookie banner.
- Advertising cookies — Google Ads, to measure whether ads led to sign-ups. Only set if you accept in the cookie banner.
You can accept or reject non-essential cookies using the banner shown on your first visit. You can change your mind at any time by clearing your browser's site data for proplio.co, which will cause the banner to reappear. We use Google Consent Mode v2, which means advertising and analytics tags respect your choice before setting any cookies or sending identifiers.
10. International Transfers
- Your data is primarily stored in EU/UK data centres
- Where data is transferred outside the UK (e.g. to US-based processors such as Vercel and Stripe), we ensure appropriate safeguards are in place
- Safeguards include Standard Contractual Clauses (SCCs) and adequacy decisions
11. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
- We may update this Privacy Policy from time to time
- We will notify you of material changes via email
- The "Last updated" date at the top reflects the most recent revision
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
14. Contact
For any privacy-related questions, please contact us at support@proplio.co.