Privacy Policy

Last updated: April 2026

This Privacy Policy explains how ProPainterTools ("we", "us", "our") collects, uses, stores, and protects your personal data, and describes the rights you have under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and applicable data protection law.

1. Data Controller

The data controller responsible for your personal data is:

ProPainterTools Contact: via the in-app feedback panel

If you have any questions about this policy or how we handle your data, please contact us at the address above.

2. What data we collect and why

We collect only the data necessary to provide and improve the service. For each category, we state the lawful basis under Article 6 UK/EU GDPR.

Account and identity data

  • Username, first name, last name, company name, phone number, and password (stored as a bcrypt hash — your plain password is never stored)
  • Lawful basis: Performance of a contract (Art. 6(1)(b)) — this data is required to create and maintain your account and deliver the service

Team member data

  • When an account owner adds team members, we process those members' usernames and names
  • Lawful basis: Performance of a contract (Art. 6(1)(b)) — necessary to provide multi-user account functionality

Project and business data

  • Client details, job site measurements, material lists, labour estimates, and invoice records that you enter into the application
  • Lawful basis: Performance of a contract (Art. 6(1)(b)) — this is the core data the service exists to manage on your behalf

Feedback data

  • If you submit feedback through the in-app feedback panel, we collect the title, type (bug / feature request / general), and message content of your submission, as well as any follow-up messages in the conversation thread
  • Lawful basis: Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in understanding how to improve the product; this does not override your rights

Usage and security data

  • Standard server logs: IP address, request path, HTTP status code, and timestamp
  • Lawful basis: Legitimate interests (Art. 6(1)(f)) — necessary to detect and respond to security threats and diagnose technical issues

3. What we do NOT collect

  • We do not collect email addresses (the application does not use email-based login or communication)
  • We do not collect payment card or banking information (no payments are processed by this application)
  • We do not use advertising cookies or tracking pixels
  • We do not sell, rent, or share your data with third parties for commercial or marketing purposes
  • We do not carry out automated decision-making or profiling that produces legal or similarly significant effects

4. Cookies and session tokens

We use strictly necessary cookies and browser storage to keep you logged in:

  • Authentication tokens — short-lived JWT tokens are used to authenticate your session. These are necessary for the application to function and do not require consent under the "strictly necessary" exemption
  • We do not use analytics, advertising, or third-party cookies

5. Data processors

We share your data with the following trusted processors who act solely on our instructions under Data Processing Agreements (DPAs):

ProcessorPurposeLocation
DigitalOcean, LLCManaged database and hosting infrastructureUS data centre (DigitalOcean DPA and SCCs in place)
Cloudflare, Inc.TLS termination, DDoS protection, CDNProcesses transit data only; no storage

No other third parties receive your personal data.

6. International data transfers

Your data is stored in a DigitalOcean data centre located in the United States. This means your personal data is transferred to and processed in a country outside the UK and EU/EEA. We ensure this transfer is lawful by relying on Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO, which are incorporated into our Data Processing Agreement with DigitalOcean. Cloudflare may also process transit data across its global network; appropriate safeguards are in place under their DPA and SCCs.

7. How long we keep your data

Data categoryRetention period
Account, project, and business dataRetained while your account is active; permanently deleted within 30 days of an account deletion request
Team member dataDeleted when the member is removed or the account is deleted, whichever comes first
Feedback messagesRetained for as long as your account is active; deleted with your account
Server logsAutomatically deleted after 90 days

8. Security

We take appropriate technical and organisational measures to protect your data, including:

  • Passwords hashed using bcrypt with a salt
  • JWT tokens for session authentication, short-lived and not stored server-side
  • HTTPS enforced on all connections via Cloudflare and Let's Encrypt
  • Database access restricted to application servers; not publicly accessible
  • Database encrypted at rest and in transit

9. Your rights

Under UK/EU GDPR you have the following rights. To exercise any of them, please use the feedback panel inside the application. We will respond within 30 days.

  • Right of access (Art. 15) — request a copy of all personal data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate data; much of your data can be updated directly within the application
  • Right to erasure (Art. 17) — request permanent deletion of your account and all associated data
  • Right to restriction of processing (Art. 18) — ask us to pause processing of your data (for example, while a dispute is resolved) without deleting it
  • Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) so you can transfer it to another service. This right applies to data you provided to us that we process on the basis of contract or consent
  • Right to object (Art. 21) — object to processing based on legitimate interests (e.g. server logs, feedback analysis); we will stop unless we can demonstrate compelling legitimate grounds
  • Right to withdraw consent — where we rely on consent as a lawful basis, you may withdraw it at any time without affecting the lawfulness of prior processing

10. Right to lodge a complaint

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
  • EU: The data protection authority in your EU member state of residence

We would always appreciate the opportunity to address your concerns directly before you approach a regulator.

11. Changes to this policy

We may update this policy as the application evolves. When we make material changes, we will display a notice inside the application and update the "Last updated" date at the top of this page.

12. Contact

For any privacy-related questions, data requests, or complaints, contact us at:

Please use the feedback panel inside the application to reach us. Select the "General" type for privacy-related enquiries.