Privacy policy
proma is the production desk for made-to-order studios — your clients, your orders, the garments and the work behind them. This is the plain account of what we hold, why we hold it, and the control you keep over it.
Draft policy aligned to our database and processors. Have counsel review before relying on it for compliance.
Overview
proma is production-management software for made-to-order fashion businesses. This policy describes how we collect, use, store, and share personal data when you use proma.studio (marketing and waitlist), app.proma.studio (the application), and related emails.
This document is a product-aligned draft based on what our systems actually store. It is not legal advice. Have qualified counsel review it before you rely on it for compliance.
Who is responsible
For waitlist and platform operations, proma — operated by [COMPANY LEGAL NAME], company no. [COMPANY NUMBER], registered at [REGISTERED ADDRESS] (contact: hello@proma.studio) — acts as the data controller for information you submit to join the waitlist and for account data needed to run the service.
When you use proma as part of a workshop team, your employer or studio (the business workspace on proma) decides what client and production data is entered. Your studio is responsible for that business data. We process it on their behalf to provide the service — typically as a data processor under UK GDPR.
Questions about this policy or your rights: hello@proma.studio.
Waitlist and intake
When you submit the waitlist form we store a row in our waitlist_signups table with:
- Name and studio / atelier name (house)
- Email address
- Role and annual production volume (the options on the form)
- Interest type (waitlist / founding member, where applicable)
- Timestamps and an internal approval status (pending, approved, or declined)
- An internal approval token and, if you are approved, links to the business we create for you
Accounts and team access
If you are invited into a workspace or approved from the waitlist, we create or link an authentication record (Supabase Auth) and a user_profiles row. That typically includes:
- Email address (used for magic-link and one-time passcode sign-in)
- Display name
- Role in the workspace (owner, admin, or member)
- Workspace (business) membership
- Onboarding progress and optional capacity settings (for example weekly capacity hours)
- Optional avatar image if you upload one
Workshop and production data
Once you use the app, your team may store business and production data in our database. This is the core of the product. Categories include:
- Clients — names and contact details you enter
- Orders — titles, dates, values, workflow type (MTO or bespoke), planning fields, tracking and carrier information, share-link settings
- Garments — descriptions, catalogue links, fabric and colour, effort hours, member assignment, measurement profile references
- Phases — production steps, status, assignees, durations, notes, and timestamps
- Notes — text attached to clients, orders, or garments (including pinned notes)
- Files and attachments — images and documents uploaded for clients or garments (stored in Supabase Storage)
- Measurements — structured measurement profiles and fields
- Catalogue and phase templates — your studio’s product and phase recipes
- Calendar and business events — dates and copy your team records
- Team invites — email addresses you invite, invite status, and audit events (for example invite accepted or member removed)
- Notifications — in-app messages between team members
- Starred orders and clients — your personal shortcuts inside a workspace
- Capacity overrides — holiday or availability adjustments where used
Ask proma (AI chat)
If you use Ask proma, we store ai_threads and ai_messages (conversation history), ai_tool_calls (a log of tools the assistant attempted, including errors), and ai_usage (rate-limit counters). Prompts may include context from the screen you are on (for example which order or client you are viewing).
Manager-only write tools (such as assigning a member or marking a phase complete) run only when you enable Agency mode and only within your workspace. Do not put information in chat that you would not want your workspace admins to access.
Share links and public views
Orders can be shared via an unguessable token. Anyone with the link can view the shared order summary we expose through that token (without signing in). Your team controls whether sharing is enabled and can regenerate the token.
Technical and usage data
Like most web services, we receive technical data from your browser and our hosts: IP address, device and browser type, request logs, and error reports. We use this to secure the service, debug failures, and improve reliability.
The home dashboard may fetch a public foreign-exchange rate (Frankfurter / ECB data) to display currency context. That request does not include your personal data.
How we use personal data
We use personal data to:
- Review and respond to waitlist applications
- Provide, secure, and improve proma
- Authenticate you and enforce workspace access controls
- Send transactional email (sign-in, team invites, waitlist confirmations, and related service messages)
- Operate AI features you choose to use
- Comply with law and protect our rights
Service providers
We use trusted providers to run proma. They process data only to provide their service to us:
- Supabase — database, authentication, file storage, and row-level security (data hosted in the region configured for our project)
- Vercel — application hosting and edge delivery
- Resend — transactional email (from hello@proma.studio on the proma.studio domain)
- Anthropic (via Vercel AI Gateway) — processing Ask proma prompts and tool calls when you use AI chat
- Stripe — payment processing only if and when billing features are enabled for your workspace
How long we keep data
Waitlist rows are kept while we operate the intake programme and for a reasonable period afterward for audit and outreach, unless you ask us to delete them sooner where we are allowed to.
Workspace data is kept for as long as your studio uses proma. If a team member is removed, we delete their profile row and hard-delete their auth account; operational references (for example who completed a phase) may be anonymised rather than deleted, so production history stays intact.
AI chat history is kept until you delete threads in the product or we delete your account data.
Backups and logs may retain data for a limited period after deletion.
Security
We use industry-standard measures including encrypted connections (HTTPS), authenticated access, and database row-level security so each workspace can only access its own data. No system is perfectly secure; use a strong email account and report suspected misuse to hello@proma.studio.
Your rights
Depending on where you live (including the UK and EEA), you may have rights to access, correct, or delete your personal data, to restrict or object to its processing, and to data portability or to withdraw consent where processing is based on consent.
For workspace production data, contact your studio first — they control what is entered about clients and orders. For waitlist or account data, contact hello@proma.studio. We will respond within the time required by applicable law.
You may complain to your local data protection authority. In the UK this is the Information Commissioner’s Office (ICO).
Children
proma is a business product not directed at children. Do not use the service if you are under 16.
Changes
We may update this policy. We will post the new version on this page with an updated date. Material changes may also be notified by email or in the product where appropriate.