Data Privacy, GDPR & How We Handle Your Data

Data Privacy & GDPR

Progressive Robot takes data protection seriously. This article explains how we handle your data during and after your engagement with us, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What Data We Collect

In the course of delivering our services, we may collect and process the following categories of data:

  • Contact information — names, email addresses, and phone numbers of your team members
  • Business information — company name, registration number, VAT number, billing address
  • Project data — files, documentation, system access credentials (stored securely), technical assets
  • Financial data — invoices, payment records (we never store payment card data; it is processed via PCI-DSS compliant payment processors)
  • Communication records — emails, ticket conversations, meeting notes

Legal Basis for Processing

We process your data under the following lawful bases:

  • Contractual necessity — to deliver the services set out in your contract
  • Legal obligation — to comply with UK tax, accounting, and regulatory requirements
  • Legitimate interests — for account management, project delivery communications, and improving our services

How We Protect Your Data

  • All data is stored on UK or EEA-based servers with encryption at rest and in transit
  • Access to client data is restricted to team members who need it for your project (principle of least privilege)
  • We conduct regular security reviews and hold Cyber Essentials certification
  • Credentials shared with us are stored in an encrypted vault and destroyed after project completion

Data Retention

We retain your data for as long as necessary to fulfil the contract and meet legal obligations:

  • Financial records (invoices, contracts): 7 years (HMRC requirement)
  • Project files and technical assets: 12 months post-project completion, unless you request earlier deletion
  • Support ticket records: 3 years
  • Marketing communications: Until you opt out

Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, contact our Data Protection point of contact at [email protected]. We will respond within 30 days.

Data Processor Agreements

If the work we carry out involves us accessing or processing personal data belonging to your customers (e.g. building a CRM, processing email lists), a Data Processing Agreement (DPA) will be included in or appended to your contract.
