PatchProof ← Trust & policies

Privacy Policy

Last updated 24 June 2026 · Version 0.1 (draft)

Draft for review. Placeholders marked […] must be completed with your final company details, and the whole document reviewed by a UK solicitor, before launch. Patch-test reaction data is special category (health) data under UK GDPR and needs particular care.

1. Who we are

PatchProof ("we", "us") provides software that lets beauty professionals record patch tests and the reactions their clients report. For data you enter about your business and your account, PatchProof Ltd ([company number], [registered address]) is the data controller. For data you enter about your clients, you (the practitioner) are the controller and PatchProof is your data processor — we process that data only to provide the service to you, under the Data Processing Agreement.

Data Protection contact: [privacy@patchproof.co.uk]. ICO registration: [reference].

2. What we collect

CategoryExamplesWhy
Account dataYour name, business name, email, login recordsTo create and secure your account
Billing dataSubscription status, Stripe customer referenceTo take payment (card details are handled by Stripe, not stored by us)
Client records you enterClient name, mobile, email, the products/services testedTo provide the patch-test record service
Health data (special category)Reported reactions, symptoms, allergies, skin conditions, intake answers, reaction photosTo create the compliance record and safety decision trail
Technical dataDevice/browser type, timestamps, error logsSecurity, reliability and support

3. Our lawful bases

4. How long we keep it

Patch-test records are retained for 7 years by default, reflecting the limitation period relevant to personal-injury claims in the UK — this is what makes the record useful to your insurer. Account and billing data are kept while your account is active and for the period required by law afterward. When you close your account you can request erasure; see section 7.

5. Who we share it with (sub-processors)

We use a small number of trusted providers to run the service. The current list and the data each handles:

ProviderPurposeLocation
SupabaseDatabase & file storageEU (Ireland)
NetlifyWebsite hosting / CDNEU edge
StripePaymentsUK / EU
TwilioWhatsApp remindersUK / EU
SentryError monitoringEU

We do not sell personal data. The live list is maintained on the Security page.

6. Where data is stored

We store data in UK/EU data centres. Where a provider transfers data outside the UK, we rely on appropriate safeguards (UK adequacy regulations or the International Data Transfer Agreement / addendum).

7. Your rights

Under UK GDPR you can request access, correction, erasure, restriction, portability, and you can object to certain processing. To exercise these, contact [privacy@patchproof.co.uk]. Where you are a client of a practitioner who uses PatchProof, please contact that practitioner first — they control your record — and we will support them in responding.

You can complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Children

PatchProof is for professional use by adults. Practitioners are responsible for obtaining appropriate consent (including from a parent or guardian) where a client is under 18.

9. Changes

We will post any changes here and update the date above. Material changes will be notified by email.