This policy explains what data Proco collects when you use procohq.com — to buy a supplement stack, join our support membership, or take part in the member community — why we collect it, who we share it with, how long we keep it, and the rights you have over it. It is written in plain language. If anything is unclear, email hello@procohq.com.
Who runs Proco. Proco Technologies Limited is an Irish company (No. 670796) registered in Ireland. We are the data controller for the information described below.
We collect only the data we need to operate procohq.com, fulfil orders, and run the membership and community areas.
We do not collect specific medical conditions, diagnoses, medications, or any data that constitutes "special category" health data under GDPR Article 9.
We do not collect: precise location, contacts, photos, microphone or call data, browsing history outside our own site, or any data that would allow building a profile about you outside procohq.com.
| What | Why | GDPR basis |
|---|---|---|
| Account information | To create and operate your account | Performance of contract (Article 6(1)(b)) |
| Shipping and order data | To fulfil and ship your order | Performance of contract (Article 6(1)(b)) |
| Payment data (via Stripe) | To process payment and manage your subscription | Performance of contract (Article 6(1)(b)) |
| Community posts and replies | To operate the member community feature | Performance of contract (Article 6(1)(b)) |
| Transactional emails (welcome, receipts) | To confirm actions you took | Performance of contract (Article 6(1)(b)) |
| Marketing emails and CRM data (HubSpot) | To share content and product updates | Consent (Article 6(1)(a)) — opt-in at signup, opt-out via unsubscribe link in every email |
| Website analytics (PostHog) | To understand and improve how the site is used | Legitimate interest (Article 6(1)(f)) — data is anonymised and you can object |
We do not sell your data. We share it only with the service providers ("subprocessors") we need to operate procohq.com. Each is bound by a data processing agreement.
| Subprocessor | What they do | Where they process data |
|---|---|---|
| Stripe | Payment processing, subscription billing | United States / EU depending on account region |
| HubSpot | CRM, lead capture, marketing emails | European Union |
| PostHog | Website analytics (proxied through our own domain) | European Union |
| Neon (database hosting) | Stores account, order, and community data | United States or EU depending on region |
We may disclose data when required by law (court order, valid government request) or to protect rights, safety, or property. If that happens we will tell you unless legally prohibited.
Some of our subprocessors (e.g. Stripe, Neon) may process data outside the European Economic Area, primarily in the United States. We rely on the European Commission's adequacy decisions where they exist (e.g. the EU-US Data Privacy Framework, where the provider is enrolled) and on Standard Contractual Clauses where they do not. We assess each transfer for risk and apply supplementary safeguards where required.
Under GDPR you have the following rights. To exercise any of them, email hello@procohq.com. We respond within 30 days; complex requests may take up to 90 days. There is no charge for exercising your rights.
procohq.com is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe a child has created an account, email hello@procohq.com and we will delete it.
We encrypt data in transit (TLS) and at rest. Passwords are stored using industry-standard hashing, never in plain text. Payment details are handled entirely by Stripe — we never see or store your full card number. Access to production systems is limited to the founding team and is logged. We follow the principle of least privilege.
No security is absolute. If we discover a breach affecting your personal data, we will notify you and the Data Protection Commission within 72 hours as required by GDPR Article 33.
If we change this policy in a material way (e.g. new subprocessor, new data category, new purpose), we will email you and update the "Last updated" date at the top of this page. Past versions are kept in our records.
For any privacy question, complaint, or rights request:
If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, Ireland — dataprotection.ie.