Privacy Policy

Last updated: March 2026

1. Introduction

Progressa Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Progressa training management platform ("Service").

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our registered address is in England and Wales.

2. Data Controller and Processor Roles

When we are the Data Controller

We are the Data Controller for personal data of our customers (training company administrators and team members), including account details, billing information, and usage data.

When we are the Data Processor

When our customers use the Service to manage delegate information (training attendees), we act as a Data Processor on behalf of the customer (Data Controller). This includes delegate names, email addresses, booking records, dietary/accessibility requirements, feedback responses, and certificates.

3. Data We Collect

Account data

When you register, we collect your name, email address, organisation name, and any information provided during onboarding. Authentication is handled by Clerk, who may collect additional authentication data under their privacy policy.

Billing data

Payment information is processed by Stripe. We do not store full card numbers. We receive and store your Stripe customer ID, subscription status, and billing period.

Usage data

We collect information about how you use the Service, including pages visited, features used, and actions taken. This helps us improve the Service and provide support.

Delegate data (processed on your behalf)

Your training delegates' personal data — names, emails, booking details, accessibility requirements, feedback, certificates — is stored and processed solely to provide the Service to you.

File uploads

Files uploaded to the Service (course materials, documents) are stored via Uploadthing on secure cloud infrastructure. Files are associated with your organisation and only accessible to authorised users.

4. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To process payments and manage subscriptions
  • To send transactional emails (booking confirmations, certificates, password resets)
  • To send service-related communications (maintenance notices, security alerts)
  • To provide customer support
  • To detect and prevent fraud or abuse
  • To comply with legal obligations

We do not sell your personal data. We do not use your data for advertising or share it with third parties for marketing purposes.

5. Legal Basis for Processing

  • Contract performance: Processing necessary to provide the Service you have subscribed to.
  • Legitimate interests: Service improvement, security, and fraud prevention.
  • Legal obligation: Compliance with tax, accounting, and regulatory requirements.
  • Consent: Where required, such as for optional marketing emails or non-essential cookies.

6. Third-Party Services

We share data with the following third parties solely to operate the Service:

  • Clerk (authentication) — stores user identity and session data
  • Stripe (payments) — processes payment card data and manages subscriptions
  • Neon (database) — hosts our PostgreSQL database on EU-based infrastructure
  • Uploadthing (file storage) — stores uploaded files and documents
  • Resend (email) — delivers transactional emails on our behalf
  • Vercel (hosting) — hosts the web application

Each provider has their own privacy policy and is bound by data processing agreements where applicable.

7. Data Retention

We retain your account data for as long as your account is active. After account termination, we retain data for 90 days to allow recovery, then delete it permanently. Billing records are retained for 7 years as required by UK tax law.

Delegate data processed on your behalf is retained in accordance with your instructions. You can delete delegate data at any time through the Service.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Secure authentication via Clerk with optional multi-factor authentication
  • Organisation-level data isolation (multi-tenant architecture)
  • Regular security reviews and dependency updates
  • Role-based access controls

9. International Data Transfers

Our primary database is hosted in the EU (AWS eu-west-2 region via Neon). Some third-party providers may process data outside the UK/EEA. Where this occurs, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

10. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data (right to be forgotten)
  • Restrict or object to processing
  • Receive your data in a structured, machine-readable format (data portability)
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise these rights, contact us at privacy@useprogressa.com. We will respond within 30 days.

11. Cookies

We use cookies and similar technologies. For details, please see our Cookie Policy.

12. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

14. Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@useprogressa.com.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.