Pratica

SECURITY · CONFIDENCE

Your case, held with measured care.

The places where your documents, messages and payments live — and the practices around them that keep it that way.

DATA

Supabase · EU

PAYMENTS

Stripe · PCI-DSS

EMAIL

Resend · transactional

Nothing on this site is improvised. Every system that touches your data is a known, audited provider under a formal data-processing agreement.

THE INFRASTRUCTURE

Four systems, each doing one thing, each with its own contract.

CLIENT DATABASE

Supabase

REGION · EU (Frankfurt)

Client database, orders, messages, documents. Row-Level Security enabled on every table: a row is readable only by the client it belongs to. Encrypted at rest and in transit.

PAYMENT PROCESSING

Stripe

REGION · United States · United Kingdom · Ireland

PCI-DSS compliant. Full card data never touches Pratica. Standard Contractual Clauses for international transfers.

TRANSACTIONAL EMAIL

Resend

REGION · United States

Order-linked email only: confirmations, status updates, password resets. No marketing email. SCCs for transfers.

SITE HOSTING

Vercel

REGION · United States · EU

The public site and API routes are served from Vercel. Security headers set at the app level. SCCs for transfers.

THE TRANSPORT

Nothing moves unencrypted.

The site is served over HTTPS only. HSTS is enabled for one year, including subdomains. TLS connections use modern ciphers negotiated by the browser. Security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy, Permissions-Policy — are set at the application level to block clickjacking, MIME sniffing, referrer leaks and unauthorised embedding of the domain.
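
The transport policy above can be checked mechanically. The following is an added example, not Pratica's own code: it audits a map of response headers against the stated settings (one-year HSTS with subdomains, plus the five named headers). The function names and sample header values are constructed for illustration.

```javascript
// Added example: audit a response-header map against the policy stated above.
// Sample header values at the bottom are constructed, not captured from the site.
const ONE_YEAR = 31536000; // seconds, i.e. "HSTS enabled for one year"

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of String(value || "").split(";")) {
    const [name, raw] = part.trim().split("=");
    const key = name.trim().toLowerCase();
    if (key === "max-age" && raw !== undefined) {
      const n = raw.trim().replace(/^"|"$/g, ""); // value may be quoted
      if (/^\d+$/.test(n)) out.maxAge = Number(n);
    } else if (key === "includesubdomains") out.includeSubDomains = true;
  }
  return out;
}

function auditHeaders(headers) {
  const h = {}; // header names are case-insensitive: normalise first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const hsts = parseHsts(h["strict-transport-security"]);
  if (hsts.maxAge === null) findings.push("HSTS: missing or no max-age");
  else if (hsts.maxAge < ONE_YEAR) findings.push("HSTS: max-age below one year");
  if (hsts.maxAge !== null && !hsts.includeSubDomains)
    findings.push("HSTS: includeSubDomains absent");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options: expected nosniff");
  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("Content-Security-Policy: missing");
  // Clickjacking defence: X-Frame-Options or the CSP frame-ancestors directive.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !/(^|;)\s*frame-ancestors\s/i.test(csp))
    findings.push("Framing: no valid X-Frame-Options or frame-ancestors");
  for (const name of ["referrer-policy", "permissions-policy"])
    if (!h[name]) findings.push(`${name}: missing`);
  return findings;
}

const good = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Permissions-Policy": "camera=(), microphone=()",
};
const weak = { "strict-transport-security": "max-age=86400", "X-Frame-Options": "ALLOWALL" };
console.log(auditHeaders(good), auditHeaders(weak));
```

An empty result means the header set matches the stated policy; each string in a non-empty result names one gap.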

HOW WE TALK

Three channels, ordered by where the record lives.

The portal is where the record lives. Email is the default channel. WhatsApp is the tool for timing.

PRIMARY

Portal messages

Every message exchanged in the portal is tied to your order, stored in our database with RLS on, and survives the loss of your phone. It is the source of truth for what we have said.

DEFAULT

Email

Order confirmations, status updates, password resets arrive from info@pratica.uk. The inbox is monitored directly by the operator. Writing to that address is always a valid route.

OPERATIONAL

WhatsApp

For real-time coordination during consular windows or Prenot@Mi appointments. WhatsApp is not the system of record — it is the tool for speed. The section below explains how we use it.

ON WHATSAPP

Fast where speed matters, written where record matters.

WhatsApp is a workable tool for timing-sensitive coordination. It is not the archive. Five practices keep it inside its limits.

MINIMUM PII

We do not exchange documents, passport scans, or card details over WhatsApp. Documents are uploaded to the portal, where they live under RLS. Payments happen at the site's Stripe checkout — never via a chat link.

MIRROR TO PORTAL

Any substantive exchange — a decision, an instruction, a meaningful clarification — is logged to the order's portal thread. So six months later, whoever reopens the case sees a single, complete history.

END-OF-CASE CLEARANCE

When the case closes, WhatsApp conversations are cleared from the operator's device. The portal remains the permanent record. You keep whatever you choose to keep on your own phone.

OPT-OUT

WhatsApp is never required. Clients who prefer to stay on portal + email receive the same level of service. Say so at the start of the case, or at any point after.

DEVICE

The operator's phone is locked. Cloud photo backup is disabled for case images. WhatsApp's own end-to-end encryption protects messages in transit; the practices above protect the data at rest.

THE LAW

Your data is processed under the UK GDPR and the Data Protection Act 2018.

The lawful bases for processing are: performance of the contract you have entered into with us (Art. 6(1)(b) UK GDPR), legal obligations we are subject to — tax, anti-fraud, transaction records — (Art. 6(1)(c)), and our legitimate interest in preventing abuse of the service and in keeping a reasonable record (Art. 6(1)(f)).

Retention periods are set out in the Privacy Policy: 6 years for payment records (HMRC requirement), 3 years for communications, 90 days for technical logs. International transfers occur under Standard Contractual Clauses or UK adequacy decisions.

IF SOMETHING GOES WRONG

Seventy-two hours to the ICO. Without delay to you.

If a personal data breach occurs that may result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware, as required by Art. 33 UK GDPR. Where the breach is likely to result in a high risk to your rights, we will notify you directly and without undue delay (Art. 34). We will not use reassuring language to minimise what happened: we will tell you what we know, when we know it, and how we think it happened.

YOUR RIGHTS, IN PRACTICE

Seven things you can ask us to do with your data.

Access

A copy of everything we hold about you, in the form we hold it. Art. 15.

Rectification

Correct inaccurate or incomplete information. Art. 16.

Erasure

The right to be forgotten, subject to statutory retention duties. Art. 17.

Restriction

Pause processing while you dispute something. Art. 18.

Portability

Receive your data in a structured, machine-readable, transferable format. Art. 20.

Objection

Object to processing based on our legitimate interest. Art. 21.

Withdraw consent

Where processing rests on consent, you may withdraw it at any time.

To exercise any of these, write to info@pratica.uk

WHAT WE NEVER ASK

The things we will never ask of you, on any channel.

Never your portal password

No Pratica operator ever needs your password. If anyone asks for it claiming to be us, it is not us.

Never card details by email or WhatsApp

All payments happen at the site's Stripe checkout. No chat, no private link, no IBAN for transfers.

Never documents by WhatsApp

Documents are uploaded to the portal, where they live under access control. Scans sent over WhatsApp are refused even when they arrive.

Never bank transfers for the service

Service payment is always via Stripe. If anyone requests a bank transfer claiming to be Pratica, forward the email to info@pratica.uk and do not respond.

A NOTE

Security is a posture, not a page.

We review these practices quarterly. When something changes — a new subprocessor, a stronger default, a regulatory update — this page updates with a clear date. If you have a question not covered here, write to us.

Updated: 19 April 2026