Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Progressio.AI ("Progressio", "we", "us") handles personal data when you visit our website, communicate with us, or use the Progressio.AI platform (the "Service"). It is written to align with the EU General Data Protection Regulation (GDPR) and equivalent local laws.

We have built the Service for organisations operating in regulated sectors such as financial services, insurance, and medtech. Privacy and data protection are part of how the Service is designed, not a layer added on top.

1. Who is responsible for your data

For our website, marketing communications, and recruitment activities, Progressio acts as the data controller. When you use the Service as part of a customer organisation, that organisation is the controller of the personal data submitted into the Service, and Progressio acts as a processor on its behalf under the terms of our Data Processing Addendum.

If you are an end user accessing the Service through your employer or another organisation, please direct questions about that organisation's use of your personal data to that organisation in the first instance.

2. Personal data we collect

We collect the following categories of personal data:

  • Account and contact data: name, business email, role, organisation, and the credentials or single sign-on identifiers used to access the Service.
  • Communications: messages, attachments, and metadata when you contact sales, support, or other Progressio teams, and any feedback you choose to share.
  • Usage and device data: pages and features accessed, timestamps, approximate location derived from IP address, browser type, operating system, and similar technical information.
  • Customer Data submitted into the Service: documents, system descriptions, evidence files, and other content uploaded by your organisation. This may incidentally contain personal data, which we process only as a processor on behalf of the customer.
  • Billing data: company billing details, purchase orders, and tax identifiers, where you are a paying customer.
  • Recruitment data: information you provide when applying for a role, including your CV and the contents of your application.

We do not knowingly seek to collect special categories of personal data through the website. Where the Service is used in contexts that involve such data, customers are responsible for assessing the lawful basis and applying appropriate safeguards.

3. How and why we use personal data

We use personal data for the following purposes, relying on the legal bases noted in brackets:

  • Providing, securing, and supporting the Service, including authentication, troubleshooting, and audit trails (performance of a contract; legitimate interests in operating a reliable platform).
  • Responding to enquiries, providing customer support, and managing the customer relationship (performance of a contract; legitimate interests).
  • Sending service-related communications, such as security notices, billing notices, and material changes to these documents (legitimate interests; legal obligation).
  • Sending marketing communications about Progressio products and events to business contacts, where permitted (legitimate interests or consent, depending on your jurisdiction). You can unsubscribe at any time using the link in our emails.
  • Improving the Service, for example by analysing aggregated usage patterns, diagnosing performance issues, and prioritising features (legitimate interests). We do not use Customer Data to train foundation models or to develop generally available features that are not specific to a customer's tenancy.
  • Meeting legal, regulatory, and contractual obligations, including responding to lawful requests from authorities (legal obligation; legitimate interests).
  • Assessing applications for employment (legitimate interests; consent where required).

4. How we share personal data

We do not sell personal data. We share it only in the following limited circumstances:

  • Sub-processors: a small set of vetted vendors that help us run the Service, such as cloud hosting, observability, customer support tooling, and selected model providers. Each sub-processor is bound by written terms that include confidentiality and data protection obligations consistent with GDPR. A current list is available on request.
  • Within your organisation: when you use the Service, your activity may be visible to administrators and other authorised users of your organisation's workspace.
  • Professional advisers: lawyers, auditors, and accountants who are bound by professional duties of confidentiality.
  • Legal and safety: where we are required to do so by law, in response to a valid legal process, or to protect the rights, property, or safety of Progressio, our customers, or others.
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections and continued application of this Policy or a substantially similar one.

5. International transfers and EU data residency

Customer Data submitted into the Service is stored and primarily processed within the European Union. Where personal data is transferred outside the European Economic Area, for example because a sub-processor operates from another jurisdiction, we put in place appropriate safeguards such as the European Commission's Standard Contractual Clauses, supplemented by additional technical and organisational measures where required. Details of the safeguards used for a specific transfer are available on request.

6. Security

We protect personal data with a layered set of administrative, technical, and physical controls. These include encryption in transit (TLS 1.3) and at rest (AES-256), tenancy isolation, role-based access controls, least-privilege access for personnel, immutable audit logging, regular vulnerability scanning, secure software development practices, and incident response procedures. No system can be guaranteed to be completely secure, and you remain responsible for protecting the credentials used to access your accounts.

7. Retention

We retain personal data only for as long as needed to fulfil the purposes set out in this Policy. Customer Data is retained for the duration of the subscription and made available for export for at least thirty (30) days after termination, after which it is deleted from active systems in line with our retention schedule, subject to backups and any legal hold. Account, billing, and communication records are retained for the period required by tax, accounting, and other applicable laws.

8. Your rights

Subject to applicable law, you have the right to access the personal data we hold about you, to request correction of inaccurate data, to request erasure or restriction of processing, to object to processing based on legitimate interests, to receive your data in a portable format, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights with respect to data we hold as a controller, contact us using the details below. If your request relates to data processed within the Service on behalf of a customer, please contact that customer first; we will support them in responding.

9. Cookies and similar technologies

Our website uses a small number of cookies that are strictly necessary to deliver the site, remember your preferences, and measure aggregated traffic. We do not use cookies for cross-site advertising. You can control cookies through your browser settings; disabling some cookies may affect site functionality.

10. Children

The Service and our website are intended for use by businesses and adults acting in a professional capacity. They are not directed at children, and we do not knowingly collect personal data from anyone under the age of 18.

11. Changes to this Policy

We may update this Policy from time to time to reflect changes to the Service, our practices, or applicable law. When we make material changes, we will update the "Last updated" date above and, where appropriate, give notice through the Service or by email. We encourage you to review this Policy periodically.

12. Contact us

For privacy questions, requests under data protection law, or to reach our data protection contact, write to privacy@progressio.ai. For security reports, write to security@progressio.ai. For general enquiries, see our Contact page.