Privacy Policy
Last updated 24 June 2026 · Version 0.1 (draft)
[…] must be completed with your final company details, and the whole document reviewed by a UK solicitor, before launch. Patch-test reaction data is special category (health) data under UK GDPR and needs particular care.1. Who we are
PatchProof ("we", "us") provides software that lets beauty professionals record patch tests and the reactions their clients report. For data you enter about your business and your account, PatchProof Ltd ([company number], [registered address]) is the data controller. For data you enter about your clients, you (the practitioner) are the controller and PatchProof is your data processor — we process that data only to provide the service to you, under the Data Processing Agreement.
Data Protection contact: [privacy@patchproof.co.uk]. ICO registration: [reference].
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Your name, business name, email, login records | To create and secure your account |
| Billing data | Subscription status, Stripe customer reference | To take payment (card details are handled by Stripe, not stored by us) |
| Client records you enter | Client name, mobile, email, the products/services tested | To provide the patch-test record service |
| Health data (special category) | Reported reactions, symptoms, allergies, skin conditions, intake answers, reaction photos | To create the compliance record and safety decision trail |
| Technical data | Device/browser type, timestamps, error logs | Security, reliability and support |
3. Our lawful bases
- Contract — to provide the service you subscribe to.
- Legitimate interests — to secure, support and improve the service.
- Legal obligation — to keep certain records and meet tax/accounting duties.
- Special category condition — health data is processed on the basis set out in your DPA; the practitioner relies on the client's explicit consent and/or the provision of treatment, captured at intake.
4. How long we keep it
Patch-test records are retained for 7 years by default, reflecting the limitation period relevant to personal-injury claims in the UK — this is what makes the record useful to your insurer. Account and billing data are kept while your account is active and for the period required by law afterward. When you close your account you can request erasure; see section 7.
5. Who we share it with (sub-processors)
We use a small number of trusted providers to run the service. The current list and the data each handles:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & file storage | EU (Ireland) |
| Netlify | Website hosting / CDN | EU edge |
| Stripe | Payments | UK / EU |
| Twilio | WhatsApp reminders | UK / EU |
| Sentry | Error monitoring | EU |
We do not sell personal data. The live list is maintained on the Security page.
6. Where data is stored
We store data in UK/EU data centres. Where a provider transfers data outside the UK, we rely on appropriate safeguards (UK adequacy regulations or the International Data Transfer Agreement / addendum).
7. Your rights
Under UK GDPR you can request access, correction, erasure, restriction, portability, and you can object to certain processing. To exercise these, contact [privacy@patchproof.co.uk]. Where you are a client of a practitioner who uses PatchProof, please contact that practitioner first — they control your record — and we will support them in responding.
You can complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. Children
PatchProof is for professional use by adults. Practitioners are responsible for obtaining appropriate consent (including from a parent or guardian) where a client is under 18.
9. Changes
We will post any changes here and update the date above. Material changes will be notified by email.