PROLY
[ PRIVACY POLICY ]

Privacy Policy

Last updated: 14 May 2026

1. Who we are

Proly is operated by INTERWEB360 LTD, a company registered in England and Wales (company number 09833364) with its registered office at 20-22 Wenlock Road, London, England, N1 7GU.

We are the data controller for the personal data we process through this service. If you have any questions about this policy or your data, contact us at steve@proly.co.uk.

2. What data we collect

Account information

When you register, we collect your name, email address, and a hashed password. We never store your password in plain text.

Billing information

Payments are processed by Stripe. We do not store your card number, expiry date, or CVC on our servers. Stripe handles all payment card data in accordance with PCI DSS. We retain your Stripe customer ID and subscription status so we can manage your account.

Connected accounts (OAuth)

If you connect third-party services (such as Gmail, Google Calendar, or Microsoft Outlook), we store encrypted OAuth tokens that allow your AI agents to access those services on your behalf. We request only the permissions (scopes) needed for the features you enable. You can disconnect any integration at any time from your account settings.

Agent usage and task data

When your AI agents run tasks, we store the task goal, status, result, and cost. We also maintain a plain-English audit trail of actions each agent takes, so you can review what happened and when.

Messaging and notification data

To deliver notifications via your preferred channel, we may store your Telegram chat ID, phone number, or other channel identifiers. We also store conversation history between you and your agents (e.g. approval requests and responses).

Voice call data (callers to your business)

If you enable the voice receptionist, members of the public who call your business number reach an AI assistant. The greeting on every call discloses both that the caller is speaking to an AI and that the call is recorded. We process the following data about callers:

  • Caller phone number, encrypted at rest
  • Audio recording and transcript of the call (recording held by ElevenLabs, transcript stored by Proly, both encrypted at rest)
  • Structured data extracted by the AI from the call (caller name, address, issue description, urgency)
  • Notification metadata recording how and when we forwarded the message to you

For voice calls, you (the Proly customer) are the data controller and Proly acts as the data processor on your behalf. We process caller data only to operate the receptionist for you. Caller data is retained for 90 days by default and then automatically deleted. Callers can exercise their UK GDPR rights (access, erasure, rectification) by emailing privacy@proly.co.uk; we will route the request to you as controller and execute the technical action (e.g. deleting matching call records) on your behalf.

Browser session data

If an agent uses a web browser on your behalf, we store encrypted browser context identifiers to maintain authenticated sessions. We do not store browsing history or page content long-term.

Analytics and cookies

We use essential cookies to manage your login session and protect against cross-site request forgery. We may also use analytics tools to understand how our website is used and improve the service. Analytics data is aggregated and does not identify you personally. We do not sell your data to third parties.

3. Why we process your data (legal basis)

Under UK GDPR, we process your personal data on the following grounds:

  • Contract — to provide the Proly service you signed up for, including running agents, processing payments, and delivering notifications.
  • Legitimate interest — to maintain security, prevent fraud, improve the service, and generate aggregated usage analytics.
  • Consent — where you explicitly opt in, such as connecting third-party accounts via OAuth or joining our mailing list. You can withdraw consent at any time.
  • Legal obligation — to retain financial records as required by UK tax and company law.

4. Who we share your data with

We share data only with the third-party services required to operate the platform:

  • Stripe — payment processing and subscription management
  • Google — Gmail and Calendar access (only if you connect these integrations)
  • Microsoft — Outlook email access (only if you connect this integration)
  • Telegram — notification delivery (only if you choose Telegram as your channel)
  • Twilio — SMS and WhatsApp notification delivery and inbound voice call routing (only if you choose these channels or enable the voice receptionist)
  • ElevenLabs — voice generation, transcription, and live conversation AI for the voice receptionist (only if you enable it)
  • LLM providers (via OpenRouter) — to power the AI capabilities of your agents. Task prompts and context are sent to language model providers for processing. We do not send your OAuth tokens or payment details to LLM providers.
  • Cloud infrastructure providers — for hosting, browser automation, and sandbox execution (DigitalOcean, Steel, Browserbase, E2B)

We do not sell, rent, or trade your personal data to any third party.

A complete current list of our sub-processors (with purpose and processing region) is at proly.co.uk/sub-processors.

5. Data security

We take the security of your data seriously:

  • OAuth tokens are encrypted at rest using AES-256 encryption
  • Passwords are hashed using bcrypt — we never store or can retrieve your plain-text password
  • All data in transit is encrypted using TLS
  • Internal API communication between our services uses shared-secret authentication
  • Agent sandboxes run in isolated micro-VMs with no access to other users' data
  • Access to production systems is restricted to authorised personnel

6. Data retention

  • Account data — retained while your account is active and deleted when you request account deletion.
  • Task records — when you delete your account, task records are anonymised (your user ID is removed) rather than deleted. This allows us to maintain aggregate platform analytics without retaining any personal data.
  • Agent data, integrations, audit entries, and messaging data — fully deleted when you delete your account.
  • Voice call data (transcripts, summaries, AI analysis, caller phone numbers) — automatically deleted 90 days after the call. The call record itself (timestamp, duration, AI classification) is retained for analytics with no caller-identifying data. The corresponding audio recording on ElevenLabs is deleted at the same time.
  • Stripe records — Stripe retains its own records of transactions as required by financial regulations. We cannot delete these on your behalf.
  • Backups — your data may persist in encrypted backups for up to 30 days after deletion, after which it is permanently removed.

7. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your account and personal data
  • Portability — receive your data in a structured, machine-readable format
  • Restrict processing — ask us to limit how we use your data
  • Object — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at steve@proly.co.uk. We will respond within 30 days.

You can delete your account at any time from your account settings or by calling the account deletion API endpoint. This is immediate and irreversible.

8. International data transfers

Some of our third-party service providers (such as Stripe, Google, and LLM providers) may process data outside the United Kingdom. Where this happens, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions recognised by the UK government.

9. Age restriction

Proly is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at steve@proly.co.uk and we will delete the account promptly.

10. Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through the service. The "last updated" date at the top of this page indicates when the policy was last revised.

11. Complaints

If you are unhappy with how we handle your data, please contact us first at steve@proly.co.uk so we can resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:

A new version is ready

Tap to refresh — your work will be saved.