Proco · Privacy Policy

How we handle your data

Effective 29 May 2026 · Last updated 29 May 2026

This policy explains what data Proco collects when you use procohq.com — to buy a supplement stack, join our support membership, or take part in the member community — why we collect it, who we share it with, how long we keep it, and the rights you have over it. It is written in plain language. If anything is unclear, email hello@procohq.com.

Who runs Proco. Proco Technologies Limited is an Irish company (No. 670796) registered in Ireland. We are the data controller for the information described below.

Contents

  1. What we collect
  2. Why we collect it (legal bases)
  3. Who we share it with
  4. How long we keep it
  5. International transfers
  6. Your rights
  7. Children
  8. Security
  9. Changes to this policy
  10. Contact

1. What we collect

We collect only the data we need to operate procohq.com, fulfil orders, and run the membership and community areas.

Account information

Order and payment information

Community content

We do not collect specific medical conditions, diagnoses, medications, or any data that constitutes "special category" health data under GDPR Article 9.

Usage and marketing data

We do not collect: precise location, contacts, photos, microphone or call data, browsing history outside our own site, or any data that would allow building a profile about you outside procohq.com.

2. Why we collect it (legal bases)

WhatWhyGDPR basis
Account informationTo create and operate your accountPerformance of contract (Article 6(1)(b))
Shipping and order dataTo fulfil and ship your orderPerformance of contract (Article 6(1)(b))
Payment data (via Stripe)To process payment and manage your subscriptionPerformance of contract (Article 6(1)(b))
Community posts and repliesTo operate the member community featurePerformance of contract (Article 6(1)(b))
Transactional emails (welcome, receipts)To confirm actions you tookPerformance of contract (Article 6(1)(b))
Marketing emails and CRM data (HubSpot)To share content and product updatesConsent (Article 6(1)(a)) — opt-in at signup, opt-out via unsubscribe link in every email
Website analytics (PostHog)To understand and improve how the site is usedLegitimate interest (Article 6(1)(f)) — data is anonymised and you can object

3. Who we share it with

We do not sell your data. We share it only with the service providers ("subprocessors") we need to operate procohq.com. Each is bound by a data processing agreement.

SubprocessorWhat they doWhere they process data
StripePayment processing, subscription billingUnited States / EU depending on account region
HubSpotCRM, lead capture, marketing emailsEuropean Union
PostHogWebsite analytics (proxied through our own domain)European Union
Neon (database hosting)Stores account, order, and community dataUnited States or EU depending on region

We may disclose data when required by law (court order, valid government request) or to protect rights, safety, or property. If that happens we will tell you unless legally prohibited.

4. How long we keep it

5. International transfers

Some of our subprocessors (e.g. Stripe, Neon) may process data outside the European Economic Area, primarily in the United States. We rely on the European Commission's adequacy decisions where they exist (e.g. the EU-US Data Privacy Framework, where the provider is enrolled) and on Standard Contractual Clauses where they do not. We assess each transfer for risk and apply supplementary safeguards where required.

6. Your rights

Under GDPR you have the following rights. To exercise any of them, email hello@procohq.com. We respond within 30 days; complex requests may take up to 90 days. There is no charge for exercising your rights.

7. Children

procohq.com is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe a child has created an account, email hello@procohq.com and we will delete it.

8. Security

We encrypt data in transit (TLS) and at rest. Passwords are stored using industry-standard hashing, never in plain text. Payment details are handled entirely by Stripe — we never see or store your full card number. Access to production systems is limited to the founding team and is logged. We follow the principle of least privilege.

No security is absolute. If we discover a breach affecting your personal data, we will notify you and the Data Protection Commission within 72 hours as required by GDPR Article 33.

9. Changes to this policy

If we change this policy in a material way (e.g. new subprocessor, new data category, new purpose), we will email you and update the "Last updated" date at the top of this page. Past versions are kept in our records.

10. Contact

For any privacy question, complaint, or rights request:

If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, Ireland — dataprotection.ie.