Privacy Policy
Last updated: April 2026
This Privacy Policy explains how ProPainterTools ("we", "us", "our") collects, uses, stores, and protects your personal data, and describes the rights you have under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and applicable data protection law.
1. Data Controller
The data controller responsible for your personal data is:
ProPainterTools Contact: via the in-app feedback panel
If you have any questions about this policy or how we handle your data, please contact us at the address above.
2. What data we collect and why
We collect only the data necessary to provide and improve the service. For each category, we state the lawful basis under Article 6 UK/EU GDPR.
Account and identity data
- Username, first name, last name, company name, phone number, and password (stored as a bcrypt hash — your plain password is never stored)
- Lawful basis: Performance of a contract (Art. 6(1)(b)) — this data is required to create and maintain your account and deliver the service
Team member data
- When an account owner adds team members, we process those members' usernames and names
- Lawful basis: Performance of a contract (Art. 6(1)(b)) — necessary to provide multi-user account functionality
Project and business data
- Client details, job site measurements, material lists, labour estimates, and invoice records that you enter into the application
- Lawful basis: Performance of a contract (Art. 6(1)(b)) — this is the core data the service exists to manage on your behalf
Feedback data
- If you submit feedback through the in-app feedback panel, we collect the title, type (bug / feature request / general), and message content of your submission, as well as any follow-up messages in the conversation thread
- Lawful basis: Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in understanding how to improve the product; this does not override your rights
Usage and security data
- Standard server logs: IP address, request path, HTTP status code, and timestamp
- Lawful basis: Legitimate interests (Art. 6(1)(f)) — necessary to detect and respond to security threats and diagnose technical issues
3. What we do NOT collect
- We do not collect email addresses (the application does not use email-based login or communication)
- We do not collect payment card or banking information (no payments are processed by this application)
- We do not use advertising cookies or tracking pixels
- We do not sell, rent, or share your data with third parties for commercial or marketing purposes
- We do not carry out automated decision-making or profiling that produces legal or similarly significant effects
4. Cookies and session tokens
We use strictly necessary cookies and browser storage to keep you logged in:
- Authentication tokens — short-lived JWT tokens are used to authenticate your session. These are necessary for the application to function and do not require consent under the "strictly necessary" exemption
- We do not use analytics, advertising, or third-party cookies
5. Data processors
We share your data with the following trusted processors who act solely on our instructions under Data Processing Agreements (DPAs):
| Processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Managed database and hosting infrastructure | US data centre (DigitalOcean DPA and SCCs in place) |
| Cloudflare, Inc. | TLS termination, DDoS protection, CDN | Processes transit data only; no storage |
No other third parties receive your personal data.
6. International data transfers
Your data is stored in a DigitalOcean data centre located in the United States. This means your personal data is transferred to and processed in a country outside the UK and EU/EEA. We ensure this transfer is lawful by relying on Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO, which are incorporated into our Data Processing Agreement with DigitalOcean. Cloudflare may also process transit data across its global network; appropriate safeguards are in place under their DPA and SCCs.
7. How long we keep your data
| Data category | Retention period |
|---|---|
| Account, project, and business data | Retained while your account is active; permanently deleted within 30 days of an account deletion request |
| Team member data | Deleted when the member is removed or the account is deleted, whichever comes first |
| Feedback messages | Retained for as long as your account is active; deleted with your account |
| Server logs | Automatically deleted after 90 days |
8. Security
We take appropriate technical and organisational measures to protect your data, including:
- Passwords hashed using bcrypt with a salt
- JWT tokens for session authentication, short-lived and not stored server-side
- HTTPS enforced on all connections via Cloudflare and Let's Encrypt
- Database access restricted to application servers; not publicly accessible
- Database encrypted at rest and in transit
9. Your rights
Under UK/EU GDPR you have the following rights. To exercise any of them, please use the feedback panel inside the application. We will respond within 30 days.
- Right of access (Art. 15) — request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate data; much of your data can be updated directly within the application
- Right to erasure (Art. 17) — request permanent deletion of your account and all associated data
- Right to restriction of processing (Art. 18) — ask us to pause processing of your data (for example, while a dispute is resolved) without deleting it
- Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) so you can transfer it to another service. This right applies to data you provided to us that we process on the basis of contract or consent
- Right to object (Art. 21) — object to processing based on legitimate interests (e.g. server logs, feedback analysis); we will stop unless we can demonstrate compelling legitimate grounds
- Right to withdraw consent — where we rely on consent as a lawful basis, you may withdraw it at any time without affecting the lawfulness of prior processing
10. Right to lodge a complaint
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- EU: The data protection authority in your EU member state of residence
We would always appreciate the opportunity to address your concerns directly before you approach a regulator.
11. Changes to this policy
We may update this policy as the application evolves. When we make material changes, we will display a notice inside the application and update the "Last updated" date at the top of this page.
12. Contact
For any privacy-related questions, data requests, or complaints, contact us at:
Please use the feedback panel inside the application to reach us. Select the "General" type for privacy-related enquiries.