Privacy Policy

Introduction

This Privacy Policy (the “Policy”) explains how ProcuHelp B.V., a private limited liability company incorporated under Dutch law and established in the Netherlands (“ProcuHelp”, “we”, “us”, or “our”), processes personal data in connection with the ProcuHelp platform and related services (the “Platform”). We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable European data protection laws.

This Policy applies to individuals who access or use the Platform on behalf of a business customer, and to visitors who interact with our websites and communications. The Platform is intended for business and professional use only and is not designed for personal or household use.

1. Roles and relationship to Customer Data

When our customers upload, store, or otherwise process information within the Platform (including documents, metadata, and audit records), that information constitutes “Customer Data”. In connection with Customer Data, the customer acts as the data controller and ProcuHelp acts as a data processor, processing such data solely on the customer’s documented instructions and in accordance with the Data Processing Agreement (DPA) that forms part of the contractual relationship. Customers are responsible for determining the legal basis for processing Customer Data, providing required notices to data subjects, and handling data subject requests relating to Customer Data, unless otherwise agreed in writing.

Separately, ProcuHelp acts as an independent data controller for certain limited categories of personal data processed for our own operational purposes, such as administering customer accounts, managing billing, maintaining Platform security, preventing fraud and abuse, and meeting legal obligations. This Policy describes processing performed by ProcuHelp as a controller and the safeguards we apply across all processing.

2. Categories of personal data

We process personal data to the extent necessary to provide and secure the Platform. This typically includes account and identity data such as a user’s name, business email address, organization name, role and permissions within the customer account, and authentication data. Authentication credentials are stored using industry-standard security practices (including hashing where applicable) and are not stored in plaintext.

Depending on how the customer uses the Platform, we may also process personal data contained in Customer Data, including personal data included in uploaded documents (such as contracts or invoices), extracted metadata, reminders, activity history, and audit logs. In addition, we process technical and security data generated through use of the Platform, such as login timestamps, IP addresses, device and session identifiers, and activity logs, to maintain security and reliability.

For information about how we use cookies and similar technologies in connection with the Platform and our websites, please refer to our Cookie Policy, available at https://procuhelp.com/cookies.

We do not intentionally request or require special categories of personal data under Article 9 GDPR. Customers should avoid uploading such data unless strictly necessary and legally permitted.

3. Purposes of processing

We process personal data to provide access to the Platform, operate its features, and deliver customer support. This includes enabling users to manage licenses and contracts, configure reminders and notifications, and maintain change logs and audit history where the Platform provides these functions. We also process personal data to secure and maintain the Platform, including monitoring for unauthorized access, investigating suspicious activity, preventing abuse, diagnosing faults, and improving performance and reliability. We process personal data where necessary to comply with applicable legal obligations and to establish, exercise, or defend legal claims.

We do not process personal data for third-party advertising, do not sell personal data, and do not use Customer Data to build third-party profiles.

4. Legal bases (controller processing)

Where ProcuHelp processes personal data as an independent controller, the legal basis will depend on the context. Most commonly, processing is necessary for the performance of a contract (Article 6(1)(b) GDPR), for compliance with legal obligations (Article 6(1)(c)), or for ProcuHelp’s legitimate interests (Article 6(1)(f)), such as maintaining Platform security, preventing fraud, and improving service quality. Where consent is required under applicable law (for example, where a feature is optional and consent is the appropriate basis), ProcuHelp will rely on consent (Article 6(1)(a)) and consent may be withdrawn at any time, without affecting processing already performed on the basis of consent prior to withdrawal.

For processing where ProcuHelp acts as a processor, the customer determines the legal basis and instructs ProcuHelp accordingly under the DPA.

5. AI-based contract parsing

The Platform may offer optional AI-powered metadata extraction for uploaded documents. Where a customer enables this functionality, ProcuHelp will process the relevant document content solely to extract structured metadata for the customer’s use.

ProcuHelp uses Mistral, a European-based AI provider, to support this feature and ensures processing occurs within the European Economic Area. Document content submitted for AI extraction is processed transiently for the purpose of producing the requested output and is not used to train foundation models by ProcuHelp or by the AI provider.

Customers remain responsible for reviewing and validating any AI-generated output before relying on it.

AI features are optional and can be disabled within Platform settings. Customers should not use AI output as a substitute for legal, compliance, or financial advice.

6. Hosting and data location

Customer Data and operational data are hosted on infrastructure located within the European Union, currently in Frankfurt, Germany. ProcuHelp’s infrastructure partners operate data centers aligned with widely recognized security standards. ProcuHelp maintains appropriate safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

7. Data Retention

ProcuHelp retains personal data only for as long as necessary to fulfil the purposes described in this Policy, including the provision of the Platform, security monitoring, dispute resolution, and compliance with legal obligations. As a general rule, Customer Data is retained for the duration of the customer’s subscription. Following subscription expiry or termination, ProcuHelp retains Customer Data for a limited period to support data export and account recovery, after which Customer Data is deleted or anonymized in accordance with ProcuHelp’s retention practices, unless a longer retention period is required by law or is otherwise agreed in writing.

Operational logs and security records may be retained for longer periods where necessary for fraud prevention, security investigations, compliance obligations, or the establishment, exercise, or defence of legal claims. Backups are encrypted and rotated on a rolling basis and are subject to secure deletion procedures over time.

8. Subprocessors

ProcuHelp uses a limited number of subprocessors to provide the Platform, such as infrastructure hosting, monitoring, and email delivery services. Where subprocessors process personal data on ProcuHelp’s behalf, they are bound by written agreements that require appropriate confidentiality, security measures, and GDPR-compliant processing. A current list of subprocessors is available upon request by contacting privacy@procuhelp.com .

ProcuHelp does not transfer personal data outside the European Economic Area for the provision of the Platform.

9. Security

ProcuHelp maintains technical and organizational measures appropriate to the nature of the data and the risks presented by processing. These measures include encryption in transit and at rest, role-based access control, logical isolation between customer environments, logging of relevant administrative actions, and monitoring designed to detect suspicious or unauthorized activity. Access to personal data is limited to authorized personnel on a need-to-know basis and is subject to confidentiality obligations.

While ProcuHelp implements safeguards designed to protect the Platform, no system can be guaranteed to be fully secure. Customers are responsible for maintaining appropriate security controls on their side, including strong passwords, access management, and user hygiene.

10. Data subject rights

Individuals may have rights under the GDPR, including the right to access, rectify, erase, restrict processing, object to processing, and obtain data portability, subject to applicable legal limitations. Where ProcuHelp acts as a processor, requests relating to Customer Data should be directed to the relevant customer (as controller). Where ProcuHelp acts as a controller, requests can be submitted to privacy@procuhelp.com and we will respond within statutory time limits. We may request information necessary to verify identity and protect personal data from unauthorized disclosure.

Individuals also have the right to lodge a complaint with their competent supervisory authority.

11. Security incidents and breach notification

ProcuHelp maintains an incident response process designed to identify, contain, and remediate security incidents. Where ProcuHelp becomes aware of a personal data breach that triggers notification obligations under applicable law, ProcuHelp will notify affected customers without undue delay and will provide information reasonably necessary to support the customer’s compliance obligations. Where ProcuHelp acts as controller and notification to data subjects or authorities is required, ProcuHelp will comply with applicable legal requirements, including the GDPR timelines where relevant.

12. Updates to this Policy

We may update this Policy from time to time to reflect legal, technical, or operational changes. Material changes will be communicated via email or in-app notice. The most recent version will be available at https://procuhelp.com/privacy .