Privacy Policy

Last updated: 18 February 2026

Proplio Ltd ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our compliance tracking platform ("the Service"). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Proplio Ltd is the data controller for the personal data processed through the Service. If you have any questions about this policy, please contact us at privacy@proplio.co.uk.

2. What Data We Collect

Account Information

  • Name and email address (provided at registration)
  • Agency/organisation name
  • Hashed password (we never store plain-text passwords)

Property and Compliance Data

  • Property addresses and details
  • Tenant names, email addresses, and phone numbers
  • Compliance certificate details (types, references, dates, uploaded files)

Billing Data

  • Payment and subscription information is processed by Stripe. We store your Stripe customer ID and subscription status but do not store card details.

Usage Data

  • IP addresses, browser type, and device information (collected automatically for security and analytics)
  • Error reports via Sentry for service reliability

3. How We Use Your Data

We process your personal data for the following purposes:

  • Providing the Service: Managing your account, tracking compliance records, sending deadline reminders (legal basis: contract performance)
  • Email communications: Sending compliance reminders and service notifications via Resend (legal basis: contract performance)
  • Billing: Processing subscription payments via Stripe (legal basis: contract performance)
  • Security: Protecting against unauthorised access and abuse (legal basis: legitimate interest)
  • Service improvement: Monitoring errors and performance (legal basis: legitimate interest)

4. Third-Party Services

We share data with the following third-party processors, all of whom have appropriate data processing agreements in place:

ProviderPurposeData Shared
VercelHosting and infrastructureApplication data, request logs
NeonDatabase hostingAll application data
StripePayment processingEmail, subscription details
ResendEmail deliveryEmail addresses, notification content
SentryError monitoringError logs, request metadata

5. Data Retention

We retain your data for as long as your account is active. If you cancel your subscription and close your account, we will delete your data within 30 days, except where we are required by law to retain it for longer (e.g. financial records for HMRC).

6. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Passwords hashed with bcrypt
  • Rate limiting on authentication endpoints
  • Security headers (CSP, HSTS, etc.)
  • Regular security updates and dependency monitoring

7. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Request your data in a machine-readable format (CSV export is available in the Service)
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@proplio.co.uk. We will respond within 30 days.

8. Cookies

We use essential cookies only — specifically a session cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

9. International Transfers

Your data is primarily stored in EU/UK data centres. Where data is transferred outside the UK (e.g. to US-based processors such as Vercel and Stripe), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions.

10. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13. Contact

For any privacy-related questions, please contact us at privacy@proplio.co.uk.