Privacy Policy

Last updated: 11 June 2026

Who we are

ProcuLink is a product operated by Diip Solutions OÜ, registry code 17527757, registered at Uus-Sadama tn 15-2, 10120 Tallinn, Estonia. In this policy, "ProcuLink", "we", "us", and "our" refer to Diip Solutions OÜ as operator of the ProcuLink procurement automation platform at proculink.eu.

What data we collect

  • Account data — name, work email, organisation name, collected via Clerk authentication on sign-up.
  • Order data — purchase order files you upload, canonical order data derived from those files, mapped and transformed output files.
  • Usage data — page views, feature interactions, error events, collected via product analytics.
  • Billing data — subscription plan and status, handled by Stripe. We never store your card numbers or payment credentials.
  • Email configuration — IMAP server credentials (host, port, username, password) for email ingestion features. Passwords are encrypted at rest using AES-256-GCM authenticated encryption.
  • Delivery credentials — webhook URLs and authentication tokens for supplier delivery configurations, encrypted at rest.

How we use your data

  • To provide the ProcuLink service: parse, map, transform, and deliver your purchase orders.
  • To send transactional emails such as order status notifications and billing receipts.
  • To improve the product via aggregated, pseudonymous product analytics.
  • To comply with legal obligations, including tax records for invoiced subscriptions.

We do not sell your data to third parties. We do not use your order content to train AI models.

Data storage and residency

Your data is stored in EU-region or EU-compliant infrastructure:

  • Authentication: Clerk (US-based, EU data residency available on request)
  • File storage: Cloudflare R2 (EU-region bucket)
  • API hosting: Railway (EU region — europe-west4, Netherlands)
  • Database: PostgreSQL hosted on Neon (EU region)
  • Error monitoring: Sentry (EU region instance)
  • Frontend: Vercel (global CDN, source data stays in EU)

Data retention

  • Active account data is retained while your account is active.
  • Order files and output artifacts are retained for the life of the account by default. We delete order data on written request, and automated retention windows are on our roadmap.
  • Account and billing data is deleted within 30 days of account closure on written request.
  • Audit log entries are retained for the life of the account.

Your rights under GDPR

As an EU/EEA data subject you have the right to:

  • Access the personal data we hold about you
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten") where no overriding legal basis exists
  • Data portability — receive your data in a structured, machine-readable format
  • Objection to processing based on legitimate interests
  • Restriction of processing where accuracy is contested or objection is pending

To exercise any of these rights, email privacy@proculink.eu. We aim to respond within 30 days.

Cookies

We use only functional cookies (authentication session, CSRF protection) and analytics cookies (product usage — pseudonymous). We do not use advertising or cross-site tracking cookies.

Subprocessors

The authoritative list of subprocessors is maintained at /subprocessors with a 30-day change-notification commitment. The current snapshot:

Processor | Purpose | Location
Railway | API and background-worker hosting | EU (europe-west4, Netherlands)
Neon | PostgreSQL database hosting | EU region
Cloudflare | R2 object storage (order files and generated artifacts) and DNS | EU-region bucket
Vercel | Frontend hosting and CDN | Global CDN, source data EU
Clerk | Authentication and session management | US, EU data residency available
OpenAI | AI document extraction and mapping suggestions (API data is not used for model training under OpenAI's API terms) | US
Stripe | Payment processing and subscription management | US, EU establishment
Postmark | Inbound email ingestion (orders emailed to your ProcuLink address) | US
PostHog | Pseudonymous product analytics | EU (eu.posthog.com)
Sentry | Error monitoring and diagnostics | EU region

Contact and DPO

For privacy questions or to exercise your rights: privacy@proculink.eu
General support: support@proculink.eu
Registered address: Diip Solutions OÜ, Uus-Sadama tn 15-2, 10120 Tallinn, Estonia

