Privacy Policy

Last updated: 30 April 2026

1. Who we are

Proofley (“Proofley”, “we”, “our”, or “us”) is a deliverable approval platform for creative and digital agencies. We operate the website at proofley.com and the web application accessible after sign-up.

For questions about this policy, contact us at privacy@proofley.com.

2. What data we collect

Account data

When you sign up we collect your email address, name, and agency name. If you connect a Google account we receive the profile data Google shares (name, email, profile photo).

Project and deliverable data

We store the projects, deliverables, files, and comments you create. Files are uploaded to and stored in Google Cloud Storage within your workspace’s storage bucket.

Client review data

When a client opens a review link we log their self-reported name, the IP address of the request (masked to the first three octets in display, stored in full for audit purposes), browser user-agent, and the timestamp of any approval action. This data forms the approval certificate and is the core audit trail Proofley provides.

Usage and analytics data

We collect standard server logs and may use privacy-respecting analytics to understand how the product is used. We do not use advertising trackers or sell usage data.

Billing data

Payment is processed by Stripe. We do not store card numbers. We receive and store a Stripe customer ID and subscription status.

Early-access emails

If you submit your email on our marketing page we store it to send you product updates. You can unsubscribe at any time.

3. How we use your data

  • To provide and operate the Proofley service
  • To generate approval certificates and audit records on your behalf
  • To send transactional emails (review links, approval notifications, password resets)
  • To process billing and manage your subscription
  • To respond to support requests
  • To improve the product based on aggregate, anonymised usage patterns

We do not use your data or your clients’ data for advertising purposes.

4. Legal basis for processing (GDPR)

If you are based in the EEA or UK, our legal basis for processing is:

  • Contract performance — processing needed to provide the service you signed up for
  • Legitimate interests — security, fraud prevention, product improvement
  • Legal obligation — retaining records as required by applicable law
  • Consent — for marketing emails, which you can withdraw at any time

5. Data sharing

We share data only with the sub-processors necessary to run the service:

  • Google Firebase / Firestore / Cloud Storage — database and file storage
  • Stripe — payment processing
  • Resend — transactional email delivery

We do not sell, rent, or trade your personal data to any third party.

6. Client data and your responsibilities

When you send a review link to your client, your client’s name, IP address, and approval timestamp are collected and stored as part of the approval certificate. As a Proofley user you are responsible for informing your clients that their approval action is recorded, timestamped, and IP-logged for audit purposes. We recommend including a brief note in your client communications.

7. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days except where we are required to retain it for legal or billing dispute purposes (typically up to 7 years for billing records).

Approval certificates may be retained longer at your request to support dispute resolution.

8. Security

All data is transmitted over HTTPS. Files are stored in Google Cloud Storage with access controlled per workspace. Approval tokens are cryptographically random single-use identifiers. Firestore security rules enforce that each workspace can only access its own data.

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to security@proofley.com.

9. Your rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Object to or restrict certain processing
  • Receive a copy of your data in a portable format
  • Withdraw consent for marketing emails at any time

To exercise any of these rights, email privacy@proofley.com. We will respond within 30 days.

10. Cookies

Proofley uses only essential cookies required for authentication (a session cookie set after login). We do not use advertising cookies or third-party tracking cookies.

11. Children

Proofley is not directed at children under 16. We do not knowingly collect data from anyone under 16.

12. Changes to this policy

We may update this policy from time to time. We will notify registered users by email of material changes at least 14 days before they take effect. The “Last updated” date at the top will always reflect the current version.