Back to Home
Project Paced LogoProject Paced

Privacy Policy

Last updated: April 26, 2026

At Project Paced Ltd, we believe project management tools should be visual, streamlined, and respectful of your privacy. This policy explains what information we collect, how we use it, and the controls you have over your data.

1. Who We Are and What This Policy Covers

We are Project Paced Ltd, a company registered in England and Wales (Company Address: International House, 64 Nile Street, London, N1 7SR).

This policy applies to your use of projectpaced.com, app.projectpaced.com, eu.projectpaced.com (our EU data residency instance for enterprise customers), and mcp.projectpaced.com (our Model Context Protocol server for AI-assistant integrations). We act as the Data Controller for the personal information you provide to us under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We only collect information that is strictly necessary to provide our visual timeline and export services.

Information You Provide

  • Account Credentials: Your email and password, managed securely via Firebase Authentication. Legal basis: Performance of a contract.
  • Project Content: The titles and milestone descriptions you enter to create your timelines. Legal basis: Performance of a contract.
  • AI Inputs (Optional): If you use our AI Timeline Builder, we process the project description you provide to generate a draft. Legal basis: Performance of a contract.
  • Team Roster Data (Enterprise): If you use our resource allocation features, we store the team member profiles you create, including names, email addresses (if provided), departments, and capacity allocations. This data is entered by you and relates to third parties. Legal basis: Performance of a contract. You are responsible for ensuring you have the right to share this information with us.
  • Payment Data: We use Stripe to process payments. We do not store your credit card details; we only receive a confirmation token and a Stripe Customer ID. Legal basis: Performance of a contract.

Information Collected Automatically

  • Performance Monitoring (Sentry & Better Stack): We use these tools to fix bugs. To protect your privacy, we have configured full client-side masking — we see that a button was clicked, but we cannot see the text you type or the specific project data you enter. Legal basis: Legitimate interests (service reliability).
  • Bot & Abuse Prevention (Google reCAPTCHA Enterprise via Firebase App Check): When you load the application, browser and device signals (such as IP address, user-agent, and interaction patterns) are sent to Google to verify that requests come from our official web app and not from automated scripts or attackers. We do not see the underlying signals — only a pass/fail attestation token. Legal basis: Legitimate interests (fraud prevention and service security).
  • Analytics (Google Analytics): We use Google Analytics to collect anonymised data on how our website and application are used (e.g., page visits, feature adoption, sign-up funnels). This helps us prioritise new features and improve performance. Analytics cookies are set on both projectpaced.com and app.projectpaced.com. Legal basis: Consent (managed via our cookie banner).
  • PDF Report Generation (Enterprise): We process your project and team data on-device and server-side to generate downloadable PDF reports. No third-party processor is involved in PDF generation. Legal basis: Performance of a contract.

3. Our Use of Artificial Intelligence (Vertex AI)

Project Paced offers an optional AI-assisted timeline generation tool.

  • Privacy by Design: We use the Google Cloud Vertex AI API (Enterprise Tier).
  • No Training on Your Data: Under our enterprise agreement, Google does not use the data you submit via the API to train its global AI models. Your project ideas remain your own.

4. Data Sharing & Sub-Processors

We do not sell your data. We only share it with these trusted partners to operate our service:

Sub-ProcessorPurposeRegion
Google CloudDatabase hosting (Firestore), file storage, AI processing (Vertex AI), and bot/abuse prevention (reCAPTCHA Enterprise via Firebase App Check)Standard instance: Firestore in nam5 multi-region (USA), Cloud Functions and Vertex AI in us-central1. EU instance: Firestore in eur3 multi-region (Belgium / Netherlands / Finland), Cloud Functions and Vertex AI in europe-west1. reCAPTCHA Enterprise: USA / Global.
StripeSubscription management and PCI-compliant payment processing (standard instance only — EU enterprise is invoiced manually)USA / Global
VercelHosting our web application and MCP serverGlobal CDN
SentryMasked error reporting and session replayUSA
Better StackMasked performance and uptime monitoringEU / USA
ResendTransactional email delivery (contact form, welcome emails)USA

All sub-processors are contractually obligated to protect your data and may only use it to provide services to us. For the canonical, dated list — including transfer mechanisms — see our Sub-processor List.

EU Data Residency

Enterprise customers may be provisioned on our EU instance (eu.projectpaced.com), where Firestore stores data in Google Cloud's eur3 multi-region (replicated across Belgium, the Netherlands, and Finland), and Cloud Functions, Cloud Storage, and Vertex AI inference all run in europe-west1 (Belgium). All EU-instance data and processing remain within the European Union. The standard app.projectpaced.com instance uses Firestore's nam5 multi-region in the United States, with Cloud Functions and Vertex AI in us-central1 (Iowa). Each instance is a separate Firebase project with an isolated user-identity namespace; data does not transit between them under normal operation. EU enterprise customers are billed via manual invoice and are not enrolled with Stripe.

5. Data Retention & Deletion

We believe in keeping your data only as long as necessary. Our retention policies are designed to respect your privacy while complying with legal obligations.

User Content & Account Data

  • Active Subscribers: We retain your data for the duration of your subscription plus 30 days after cancellation to allow for accidental cancellations or payment retries.
  • Trial Accounts: Data from expired trial accounts is retained for 14 days to give you a chance to upgrade before permanent deletion.
  • Immediate Deletion: You can delete your account and all associated data immediately via the Account Settings panel. This action is irreversible.

Financial Records

We are legally required to retain certain financial information even after account deletion:

  • HMRC Compliance (UK): Transaction records, invoices, and billing information are retained for 6 years as required by UK tax law.
  • Pseudonymization: Upon account deletion, we pseudonymize these financial records to protect your identity while preserving the integrity of our tax records.
  • Payment Processors: Stripe retains payment processing records for 7 years in accordance with PCI-DSS compliance and financial regulations.

The Deletion Process

Account deletion is handled by automated Cloud Functions and follows one of two paths:

Immediate deletion (when you click "Delete Account" in your profile, with no active subscription):

  1. Content Removal: Immediate deletion of all timelines, milestones, projects, resources, allocations, project notes, API keys, and uploaded files.
  2. Auth Removal: Deletion of your login credentials (Firebase Authentication).
  3. Financial Data: If you have any payment history, financial records are pseudonymised under a DELETED_USER_* identifier for HMRC tax compliance and retained for 6 years before being purged.
  4. Stripe: Your customer record in Stripe is marked as deleted.

Scheduled deletion (automated, runs daily at 02:00 UTC):

  • Trial accounts: Deleted 14 days after trial expiration.
  • Cancelled subscriptions: Deleted 30 days after the subscription end date. During this 30-day grace period, signing in restores access — and you can cancel the scheduled deletion from a banner shown in the app.
  • Financial archives: Pseudonymised records in our deleted_users archive are auto-purged 6 years after deletion.

You can check whether you have a pending scheduled deletion at any time from your profile.

6. Cookies and Tracking Technologies

We use a small number of cookies and similar technologies to operate and improve our Service. We do not use marketing or advertising cookies. For full details of every cookie we set and how to manage your preferences, see our Cookie Policy.

You can manage your cookie preferences at any time via the cookie banner on our site. Please note that refusing essential cookies will prevent you from logging in to the application.

Cookie TypePurposeWhere Used
Essential (Firebase Auth)Maintains your login sessionapp.projectpaced.com
Performance (Sentry/Better Stack)Anonymous, masked error and performance monitoringapp.projectpaced.com
Analytics (Google Analytics)Anonymised usage analytics (e.g., feature adoption, export frequency)projectpaced.com & app.projectpaced.com

7. Your Rights (UK GDPR)

As a UK GDPR data subject, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify any inaccurate or incomplete data.
  • Erase your data (Right to Erasure / "Right to be Forgotten").
  • Port your data (Right to Portability) — you can export your timelines as CSV or image files at any time from within the app.
  • Object to processing based on legitimate interests.
  • Restrict processing in certain circumstances.

To exercise any of these rights, please email us at privacy@projectpaced.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK supervisory authority for data protection — at ico.org.uk or by calling 0303 123 1113.

8. Public REST API & MCP Server

We offer programmatic access to your account via a Public REST API (Bearer-token authenticated) and a Model Context Protocol (MCP) server at mcp.projectpaced.com (OAuth 2.1, used by AI assistants such as Claude and ChatGPT).

  • Same data, additional channel: Requests via the API or MCP server access only the projects, milestones, and resources already in your account, and are processed by the same sub-processors listed in §4.
  • API keys are sensitive: Keys are shown once at issuance and stored only as SHA-256 hashes on our side. You are responsible for keeping them confidential. You can revoke a key at any time from the API Access section of your profile.
  • OAuth tokens: When you connect Project Paced to an AI assistant via OAuth, the assistant receives a scoped access token that acts on your behalf. You can revoke the connection from your AI assistant's connector settings.
  • Audit: Issuance and revocation of API keys are logged.

9. Changes to This Policy

We may update this policy occasionally to reflect changes in our app or legal requirements. We will notify you of any significant changes via email or an in-app notification before they take effect.

The current version is always available at projectpaced.com/privacy.

For questions about this policy, contact us at privacy@projectpaced.com.

Project Paced Ltd — International House, 64 Nile Street, London, N1 7SR