Privacy Policy
This Privacy Policy explains how CloudERP Systems Ltd. ("Procee", "we", "us") collects, uses, and protects personal information across our commercial websites (procee.com, he.procee.com, and subdomains), our SaaS web application, our supplier portal, and our Android and iOS mobile apps (together, the "Services"). It serves as our public privacy notice, including for Apple App Privacy and Google Play Data Safety disclosures. It does not replace any written agreement between Procee and a customer organization (such as a subscription agreement, DPA, or order form), which may contain additional or more specific terms.
1. Who We Are and Our Role
The Services are operated by CloudERP Systems Ltd.
Our role under privacy law depends on context: we act as a controller for our commercial websites, marketing, sales, and our own corporate operations, and as a processor for customer organizations using the SaaS, supplier portal, and mobile apps.
If you use Procee through your employer, customer, or supplier, that organization may also have its own privacy notice governing how your information is used within its workspace.
2. Information We Collect
Account, contact, and identity
Full name, business email, phone, job title, department, company, username, language preference, and authentication details. If your organization enables SSO via Google Workspace, Microsoft Entra ID, Okta, or another SAML/OIDC provider, we receive identity attributes (name, email, NameID, group/role attributes, authentication timestamps) configured by your organization.
Organization and business records
Company registration and tax details, departments, branches, cost centers, budgets, projects, accounting classifications, user roles and permissions, approval routes, and supplier records.
Procurement, supplier, and workflow data
Purchase requests, purchase orders, supplier quotations, supplier onboarding data, invoices (tax invoices, proforma invoices, receipts, delivery notes), approval comments and audit trail entries, files uploaded by users or suppliers, and text or structured data extracted from documents through OCR or AI.
Supplier bank and payment workflow data
For customers using payment workflows: supplier bank account details (account numbers, IBAN, SWIFT/BIC), MASAV or similar bank-transfer list data, payment requests, transaction references, clearing status, and tokens issued by third-party clearing providers to support reuse of a payment method. We do not store full credit card numbers or CVV codes on Procee systems. Card processing is performed by third-party PCI-compliant clearing providers.
Mobile app and device data
Account and login data, device type, OS, app version, language, IP address, approximate (IP-derived) location, push notification tokens, crash and diagnostic logs, usage events (screens viewed, actions taken), and content you choose to upload (camera images, documents, files). We do not access your camera, photos, files, or notifications unless the relevant feature requires it and you grant device-level permission. The mobile app does not request precise location access.
Website and tracking data
Pages viewed, time on page, interactions, referrer, approximate location from IP, browser and device characteristics, and cookie or local-storage identifiers. We use third-party analytics and behavior-measurement tools, together with an internal visitor identifier, to understand which product areas interested a visitor and, if they later contact us, associate that website activity with their lead or account.
Usage, log, and security data
IP address, login and logout times, session duration, failed login attempts, audit logs of in-system actions, security events, and server and diagnostic logs.
Support and billing
Message content, support tickets, screenshots, call and meeting records, billing contact details, subscription details, invoices, transaction references, and tax information.
3. How We Use Information
We use personal information to provide and operate the Services, authenticate users, process documents and workflows (including OCR/AI), provide customer support, send transactional and administrative messages, comply with legal and tax obligations, secure the Services, and improve the product. With your consent or where otherwise permitted by law, we also send marketing communications.
You can opt out of marketing communications at any time using the unsubscribe link or by emailing [email protected]. Transactional, security, billing, and administrative messages will continue.
4. AI, OCR, and Document Processing
We use OCR, machine learning, and AI to extract, classify, summarize, and validate information from uploaded documents (invoices, supplier documents, receipts, delivery notes, and similar). We use third-party AI providers through their standard API services.
Customers are responsible for ensuring they have the rights, notices, and lawful basis to upload documents and personal information through the Services.
5. Legal Bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we process personal information on the legal bases of contract performance, legitimate interests, legal obligation, or consent, depending on the processing activity.
Where Israeli privacy law applies, we process personal information under the Protection of Privacy Law, 1981, as amended (including Amendment No. 13), and its regulations.
6. How We Share Information
We do not sell or rent personal information. We share information only as described below.
Customer organizations and counterparties
Activity, approvals, comments, uploaded files, and workflow actions are visible to authorized administrators and users in the customer's workspace. Where customer workflows require it, certain information is shared with suppliers, customers, or payment counterparties as part of the relevant business process.
Service providers and subprocessors
We use third-party vendors to host, secure, operate, analyze, and improve the Services. Categories include cloud hosting, identity and authentication, analytics, AI/OCR providers, email and messaging, customer support, payment-clearing partners, and observability and logging.
A current list of named subprocessors is available to customers on request. Where required by customer agreement or applicable law, we will provide notice of changes to material subprocessors.
Integrations
If a customer enables integrations with accounting/ERP systems, identity providers, payment or clearing systems, storage providers, or other third-party services, information is exchanged according to the customer's configuration.
Legal, security, and business transfers
We may disclose information to comply with law, respond to lawful requests, enforce agreements, protect rights, or investigate fraud and security incidents. In a merger, acquisition, financing, or sale of assets, information may transfer subject to appropriate protections; where required by law, we will give notice before personal information becomes subject to materially different privacy practices.
7. International Transfers
Personal information may be processed in Israel, the European Economic Area, the United States, and other countries where we or our service providers operate. Where personal information is transferred internationally, we rely on safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions where applicable.
A Data Processing Agreement reflecting these transfer mechanisms is available to customers on request or as part of the customer agreement.
8. Data Retention
We keep personal information only for as long as needed for the purposes in this Policy, unless a longer period is required by law, contract, customer instruction, audit, tax, accounting, dispute resolution, backup, or security needs.
9. Security and Breach Notification
We use technical, organizational, and administrative safeguards designed to protect personal information, including encryption in transit, encryption at rest for sensitive data, access controls, audit logging, secure development practices, and regular penetration testing.
No system is completely secure, but we work to protect information appropriately to its sensitivity.
Incident response
If we become aware of a security incident affecting personal information, we will investigate and act according to its nature, our role, and applicable law.
10. Your Privacy Rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, object to, or port your personal information, and to withdraw consent where processing is based on consent.
To exercise these rights, contact [email protected]. Where Procee acts as a controller, we respond within the timeframe required by applicable law (within one month under GDPR/UK GDPR, with extension where permitted). Where Procee acts as a processor for a customer, we will forward your request to the customer or ask you to contact them directly, and assist them as required.
If your account is managed by your employer or another organization, account-level deletion may need to be handled by that organization's administrator.
EEA, UK, and Switzerland
You may lodge a complaint with your local supervisory authority. Where required by GDPR Art. 27 / UK GDPR, Procee will appoint and publish the contact details of a representative.
Israel
You have rights under the Protection of Privacy Law, 1981, as amended (including Amendment No. 13), including rights to review, correct, and delete database information, subject to applicable limits. Complaints may be filed with the Israeli Privacy Protection Authority (PPA).
California and other U.S. states
To the extent California or other U.S. state laws apply, residents may have rights to know, access, correct, delete, or opt out of certain uses of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising through the mobile app.
11. Cookies and Similar Technologies
Our websites and web app use cookies and similar technologies for essential functionality, analytics, performance, security, and (where permitted) marketing.
Where required by law, non-essential cookies, analytics, the visitor identifier, marketing pixels, and similar technologies are used only with consent through our cookie banner or preferences tool. You can also manage cookies via your browser. Some features may not work correctly if cookies are disabled.
12. Mobile App Disclosures
For Apple App Privacy and Google Play Data Safety: depending on enabled features and customer configuration, the Procee mobile app may collect account and login data, device identifiers, diagnostic and usage data, files you choose to upload, and push notification tokens.
The app uses this data for app functionality, account management, document upload, AI/OCR processing, security, push notifications, customer support, analytics, customer-enabled payment workflows, and product improvement.
The mobile app does not request precise location, does not contain advertising functionality, does not sell personal information, and does not use personal information for third-party advertising. Payment for Procee's own subscription fees is not handled through the mobile app.
13. Children
The Services are intended for business use and are not directed to anyone under 16 (or the age required by local law). If we learn that we have collected personal information from a child without authorization, we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. If changes are material, we will provide notice by posting the updated Policy with a new effective date, sending email notice, showing in-Service notice, or another legally appropriate method. Continued use of the Services after the effective date means the updated Policy applies, subject to applicable law and any customer agreement.
15. Contact
For data protection inquiries, please contact [email protected] first so we can address your concern. You retain the right to contact a supervisory authority directly.
16. Data Deletion (Procee Mobile App)
This section describes how users of the Procee mobile applications can request deletion of their account data, what data is deleted, and what may be retained for legal or operational reasons. It supplements section 10 (Your Privacy Rights) and section 8 (Data Retention) of this Policy.
How to request account or data deletion
To request that your Procee account or specific data associated with it be deleted, contact [email protected] from the email address registered to your Procee account or from your organization's billing contact.
We will acknowledge your request within 3 business days and complete the deletion within 30 days of verification, except where retention is required by applicable law.
What is deleted
When a deletion request is processed, the personal information associated with your account is permanently removed from our active systems.
What may be retained, and why
Some data is retained after a deletion request, only for the minimum period and purposes required by law or by legitimate business necessity. When the retention period expires, the data is deleted on the next regularly scheduled deletion cycle.
Third-party processors
When you request deletion, we instruct each of our service providers to delete the corresponding data on their side as part of the deletion process. A current list of named subprocessors is available to customers on request.

