Privacy notice

Last updated: 8 June 2026

This privacy notice explains how Bluegrove Financial Solutions Ltd, trading as ProSuitability (“we”, “us”, “our”), collects and uses personal data when you visit our website, contact us, sign up for a trial, or use the ProSuitability web application. It also explains your rights under UK data-protection law.

This notice should be read with our cookie policy. If you are a subscribing firm, contractual terms — including our role when you upload client data — are set out in our licence & data processing agreement.

1. Who we are and how to contact us

Data controller: Bluegrove Financial Solutions Ltd (company number 6363970), registered office at 20a Moreton Avenue, Harpenden, Hertfordshire AL5 2ET. ProSuitability is our trading name.

Privacy enquiries: [email protected]

Postal address: Data Protection Enquiries, Bluegrove Financial Solutions Ltd, 20a Moreton Avenue, Harpenden, Hertfordshire AL5 2ET

2. Scope of this notice

This notice applies to:

  • Website visitors — anyone who browses our marketing pages, reads our legal information, or tries the read-only public demo;
  • Firm users — individuals at an FCA-authorised advice firm who register for, administer, or use a ProSuitability account (for example firm administrators, advisers, paraplanners, and viewers); and
  • Prospective customers — individuals who start a trial signup or contact us about the service.

2.1 Client data entered by your firm

ProSuitability is designed for regulated advice firms to prepare suitability reports. When your firm uses the service, you may enter personal data about your clients (for example names, dates of birth, addresses, and financial circumstances) and about their recommendations and cases.

In that context your firm is normally the data controller (or joint controller) for client personal data, and we act as a data processor on your firm’s instructions. The processor terms — including security measures, sub-processors, and assistance with data-subject requests — are in our licence & DPA. If you are an end client of a financial adviser, please contact that firm directly about how your personal data is used; we cannot usually respond to client requests without your adviser’s instruction.

3. Personal data we collect

The data we collect depends on how you interact with us. We collect only what we need for the purposes described in section 4.

3.1 Website and demo

  • Technical data — IP address, browser type, device information, and similar log data generated when you request pages from our servers;
  • Cookie / session data — as described in our cookie policy (for example session identifiers and security tokens);
  • Demo usage — if you use the interactive ISA demo, we create a short-lived session so you can view a sample report in read-only mode (typically up to 30 minutes).

We do not require you to create a marketing-site account to browse our public pages.

3.2 Trial signup and firm account

When a firm registers or subscribes, we collect data such as:

  • Firm legal name, trading name, FCA firm reference number, and business address;
  • Named contact details (name, email, telephone);
  • Administrator and user account details (username, display name, work email, role);
  • Optional adviser identifiers (for example FCA individual reference) where provided;
  • Licence acceptance records (version accepted, time, and IP address where captured);
  • Billing-related identifiers from Stripe (customer and subscription IDs, payment status — we do not store full card numbers on our systems).

3.3 Use of the application

When authorised users work in ProSuitability, we process:

  • Client and case data entered by your firm (identity, household/partner details, addresses, dates of birth, risk information, recommendations, suitability-report content, and related notes);
  • User activity data — authentication events, configuration changes, and an append-only audit log of significant actions (who did what, when, and on which record), to support security, accountability, and regulatory expectations;
  • Security data — for firm administrators and platform operators, two-factor authentication (TOTP) enrolment via standard authenticator apps.

3.4 Communications

If you email us or request a demo, we process your contact details and the content of your message so we can respond. If we enable a scheduling tool on our website in future, that provider may collect booking details under its own privacy terms; we will update this notice when that happens.

4. How and why we use personal data

| Purpose | Typical data | Lawful basis |
|---|---|---|
| Provide and secure the website and demo | Technical, session, cookie data | Legitimate interests (operate a safe public website); strictly necessary cookies |
| Register firms, provide trials, and deliver the service | Firm, user, client/case, and report data | Performance of a contract; steps prior to contract at signup |
| Billing and subscription management | Contact and Stripe billing identifiers | Performance of a contract; legal obligation (tax/accounting where applicable) |
| Audit, security, and fraud prevention | Audit logs, login/security events, IP addresses | Legitimate interests; legal obligation where applicable |
| Support and respond to enquiries | Contact details, message content | Legitimate interests; pre-contract steps |
| Comply with law and defend legal claims | Relevant records held on our systems | Legal obligation; legitimate interests |

We do not use your personal data for automated decision-making that has legal or similarly significant effects. We do not sell personal data.

5. Who we share data with

We share personal data only where needed to run the service, comply with law, or with your direction. Our main categories of recipients are:

  • Infrastructure providers — we host the application and database in the United Kingdom using DigitalOcean (London region). Backups and related infrastructure are also configured for UK data residency as described in our technical hosting documentation;
  • Stripe — payment processing and subscription management when you start a trial or pay for the service;
  • Postmark (or equivalent) — delivery of transactional emails such as account and service notifications, where enabled;
  • Embedded content providers — for example Supademo if you play the product walkthrough on our marketing site (see our cookie policy);
  • Professional advisers — lawyers, accountants, or insurers where reasonably necessary;
  • Regulators and authorities — when required by law or a valid legal request.

A list of sub-processors relevant to firm client data is addressed in our licence & DPA. We require processors to protect personal data by contract.

6. International transfers

We design the service so that primary hosting and storage of customer data is in the UK. Some support providers (for example payment or email services) may process data outside the UK. Where that happens, we rely on appropriate safeguards recognised under UK law (such as the UK International Data Transfer Agreement or adequacy regulations), or processor terms that meet UK GDPR requirements.

7. How long we keep data

Retention depends on the type of data and our legal obligations:

  • Website logs — kept for a limited period appropriate for security and troubleshooting, then deleted or aggregated;
  • Account and firm data — kept while your subscription or trial is active and for a reasonable period afterwards to allow export, billing resolution, and legal compliance;
  • Client/case data — kept while your firm uses the service and handled on cancellation in line with our licence and your firm’s instructions (including read-only and archival phases where applicable);
  • Audit logs — retained to support security, accountability, and regulatory needs, typically for an extended period aligned with our product design;
  • Signup records — incomplete signups are removed or anonymised after a limited period; completed signups are linked to the firm record.

Specific retention periods for processor data may also be set out in our licence & DPA or your firm’s agreement with us. We can provide more detail on request.

8. Security

We implement technical and organisational measures appropriate to a regulated SaaS product handling confidential advice data, including access controls by role, authentication (including two-factor authentication for privileged accounts), encryption in transit (TLS), encryption at rest on infrastructure we use, audit logging, and tenant isolation between firms. No online service can be guaranteed completely secure; we work to reduce risk and to detect and respond to incidents.

9. Your rights

Under UK GDPR and the Data Protection Act 2018, you may have the following rights in relation to personal data we control about you:

  • Access — request a copy of your personal data;
  • Rectification — ask us to correct inaccurate data;
  • Erasure — ask us to delete data in certain circumstances;
  • Restriction — ask us to limit processing in certain circumstances;
  • Objection — object to processing based on legitimate interests;
  • Data portability — receive data you provided in a structured, machine-readable format where applicable;
  • Withdraw consent — where we rely on consent (we use consent sparingly — mainly for non-essential cookies if introduced).

To exercise your rights, email [email protected]. We may need to verify your identity. We respond within one month in most cases, subject to lawful extensions for complex requests.

If your firm is our customer and you want access to client data we process on the firm’s behalf, please contact your firm first; we will assist the firm as processor where required.

10. Complaints

We hope to resolve any concern directly. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

11. Children

ProSuitability is a business service for financial-advice firms. It is not directed at children, and we do not knowingly collect personal data from anyone under 18 through our website or signup flows.

12. Changes to this notice

We may update this privacy notice when our service, legal obligations, or processing activities change. The “Last updated” date at the top shows when it was last revised. Significant changes may also be communicated to registered firm administrators where appropriate.

13. Related documents

  • Cookie policy
  • Licence & data processing agreement

© 2026 ProSuitability. All rights reserved.

ProSuitability is a trading name of Bluegrove Financial Solutions Ltd which is a company registered in England and Wales (Company Number 6363970).