GDPR Compliance
How Inntally protects your rights under the EU General Data Protection Regulation.
- Our Commitment to GDPR
- Who We Are (Data Controller)
- Data We Process
- Lawful Basis for Processing
- The Six GDPR Principles
- Your Rights Under GDPR
- How to Exercise Your Rights
- Data Processing Agreements
- Sub-Processors
- International Data Transfers
- Data Retention
- Data Breach Notification
- Data Protection Impact Assessments
- Children's Data
- Data Protection Officer
- Supervisory Authority
1. Our Commitment to GDPR
Inntally is an Irish-headquartered company and GDPR compliance is fundamental to how we operate. We have built our platform with privacy by design and privacy by default — from our multi-tenant architecture to our encryption protocols — ensuring that your personal data is protected at every layer.
This page explains how we comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018. It supplements our Privacy Policy with GDPR-specific detail.
2. Who We Are (Data Controller)
For the purposes of GDPR, the data controller is:
- Company: Inntally Limited
- Registration: Registered in Ireland
- Address: Dublin, Ireland
- DPO Email: dpo@inntally.com
When our hospitality clients (hotels, restaurants, pubs, catering companies) use Inntally to manage their procurement and operations, they are the data controllers of their customer and employee data, and Inntally acts as a data processor on their behalf.
3. Data We Process
The personal data we process falls into these categories:
Account Data
- Name, email address, phone number
- Job title and role within the organisation
- Organisation name and business address
- Password hash (never stored in plain text)
Platform Usage Data
- Login timestamps and IP addresses
- Feature usage patterns and navigation paths
- Document uploads (invoices, dockets, supplier catalogues)
- Procurement orders and inventory records
Financial Data
- Billing information and payment method details (processed by Stripe — we do not store card numbers)
- Transaction records, supplier pricing, and journal entries
AI-Processed Data
- Document content extracted via OCR/AI (IntelliFlow)
- AI-generated product matches and price intelligence
- Extraction confidence scores and validation metadata
4. Lawful Basis for Processing
We rely on the following lawful bases under Article 6(1) of the GDPR:
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the Inntally platform services you have subscribed to — account management, procurement, inventory, billing.
- Legitimate Interest (Art. 6(1)(f)): Platform security monitoring, fraud prevention, product improvement, and anonymised analytics. We balance our interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, and optional AI-powered features. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Tax record retention, financial reporting, and responding to lawful requests from authorities.
5. The Six GDPR Principles
Inntally adheres to all six principles set out in Article 5(1) of the GDPR, and to the accountability requirement in Article 5(2) that we be able to demonstrate that compliance:
Lawfulness, Fairness & Transparency
We clearly explain what data we collect, why, and how it is used. We never process data in ways you would not reasonably expect.
Purpose Limitation
Data is collected for specific, explicit purposes (platform operation, billing, support) and never used for incompatible secondary purposes.
Data Minimisation
We collect only the data we need for the purposes stated above, and we do not ask for fields the platform does not use. Separately, tenant isolation in our multi-tenant architecture ensures that each client can access only its own data.
Accuracy
Users can update their profile data at any time. AI-extracted data goes through validation and human review (quarantine) before publishing.
Storage Limitation
Personal data is retained only as long as necessary. When accounts are closed, data is deleted or anonymised per our retention schedule (see Section 11).
Integrity & Confidentiality
AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, regular penetration testing, and 24/7 monitoring protect your data.
6. Your Rights Under GDPR
As an EU/EEA data subject, you have the following rights. We respond to all valid requests without undue delay and in any event within one month of receipt. Where a request is complex or we receive several from you, Article 12(3) allows us to extend this by a further two months; if we do, we will tell you why within the first month.
Right of Access
Request a copy of all personal data we hold about you, in a structured and readable format.
Right to Rectification
Correct any inaccurate or incomplete personal data. Most corrections can be made directly in your profile settings.
Right to Erasure
Request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw the consent on which the processing was based. Erasure is subject to the exceptions in Article 17(3); for example, we cannot delete financial records that we are legally required to retain (see Section 11).
Right to Restrict
Ask us to limit how we process your data while we verify accuracy or assess a legitimate interest objection.
Right to Portability
Receive the personal data you have provided to us, and that we process on the basis of consent or contract, in a machine-readable format (JSON/CSV) so you can transfer it to another service (Article 20).
Right to Object
Object at any time to processing based on legitimate interest or to direct marketing. For direct marketing we will always stop. For legitimate-interest processing we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
7. How to Exercise Your Rights
You can exercise any of the above rights by:
- Self-service: Access Settings → Privacy → Data Rights in the Inntally platform to download, correct, or delete your data
- Email: Send a request to dpo@inntally.com — include your full name, email address, and the specific right you wish to exercise
- Post: Write to Inntally Limited, Data Protection Officer, Dublin, Ireland
We will verify your identity before processing the request. For account holders, we verify via your authenticated session. For non-account holders, we may ask for proof of identity.
8. Data Processing Agreements
As required by Article 28 of the GDPR, Inntally enters into a Data Processing Agreement (DPA) with every client where we act as a data processor. Our standard DPA covers:
- Nature, purpose, and duration of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Technical and organisational security measures
- Sub-processor authorisation and audit rights
- Data breach notification procedures
- Data return and deletion upon contract termination
To request a copy of our standard DPA, contact legal@inntally.com.
9. Sub-Processors
We use a limited number of trusted sub-processors to deliver our services. Each sub-processor is bound by a DPA and must meet our security standards:
- Amazon Web Services (AWS) — Cloud infrastructure, storage (eu-west-1, Ireland)
- Cloudflare — CDN, DDoS protection, bot management
- Stripe — Payment processing (PCI DSS Level 1 certified)
- Google Cloud (Vertex AI) — AI/ML model inference for document extraction
- OpenAI — AI-assisted extraction and enrichment (EU data processing addendum)
- Intercom — Customer support and in-app messaging
- SendGrid — Transactional email delivery
We notify clients at least 14 days before adding a new sub-processor, giving you the opportunity to object.
10. International Data Transfers
Inntally primarily stores and processes data within the European Economic Area (EEA). Our primary infrastructure is hosted in the AWS eu-west-1 region (Dublin, Ireland).
Where data is transferred outside the EEA (e.g., to sub-processors in the US), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Where the sub-processor is certified
- Standard Contractual Clauses (SCCs): The European Commission's approved model clauses
- Supplementary measures: Encryption in transit and at rest, access controls, and data minimisation
We conduct Transfer Impact Assessments (TIAs) for each third-country transfer as recommended by the EDPB.
11. Data Retention
We retain personal data only as long as necessary for the purposes it was collected. Our retention schedule:
Active Account Data
Retained for the duration of your subscription plus 90 days after account closure for support and dispute resolution.
Financial & Billing Records
Retained for 7 years after the financial year in which the transaction occurred, as required by Irish tax legislation.
Platform Usage Logs
Usage analytics are anonymised and aggregated after 12 months. Raw access logs, which contain IP addresses, are deleted after 90 days.
AI-Processed Documents
Original documents are retained for the duration of the subscription. Extracted metadata is retained for 12 months after account closure for re-processing support, then deleted.
Marketing Consent Records
Retained for 3 years after the last interaction to demonstrate consent compliance.
Support Tickets & Communications
Retained for 2 years after resolution, then anonymised.
12. Data Breach Notification
In the event of a personal data breach, Inntally follows a structured response process:
- Detection & Containment: Our 24/7 monitoring and anomaly detection alert the security team to suspected incidents. Containment (isolating affected systems, revoking credentials or sessions) is the first step before any further analysis.
- Assessment: The security team assesses the nature, scope, and risk of the breach within 12 hours.
- DPC Notification: Unless the breach is unlikely to result in a risk to data subjects' rights and freedoms, we notify the Irish Data Protection Commission within 72 hours of becoming aware of it (Article 33). Where we do not yet have all the required information, we notify in phases.
- Controller Notification: Where the affected data belongs to one of our clients for whom we act as processor (see Section 2), we notify that client without undue delay after becoming aware of the breach (Article 33(2)), so that they can meet their own notification obligations.
- Data Subject Notification: If the breach poses a high risk to your rights and freedoms and we are the controller, we will notify you directly without undue delay (Article 34).
- Remediation: Root cause analysis, patching, and preventive measures are documented and implemented.
We maintain an internal breach register as required by Article 33(5).
13. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 before introducing:
- New AI/ML features that process personal data at scale (e.g., IntelliFlow extraction enhancements)
- New integrations with third-party data sources
- Changes to data processing that may increase risk to data subjects
- Large-scale systematic monitoring of platform behaviour
DPIAs are reviewed by our Data Protection Officer and updated annually or when processing activities change materially.
14. Children's Data
Inntally is a B2B hospitality platform and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have inadvertently collected data from a child, we will delete it immediately.
15. Data Protection Officer
Inntally has appointed a Data Protection Officer (DPO) who can be contacted for any GDPR-related queries:
- Email: dpo@inntally.com
- Address: Data Protection Officer, Inntally Limited, Dublin, Ireland
The DPO operates independently within the organisation, reports directly to senior management, and cannot be penalised for performing their duties.
16. Supervisory Authority
Because Inntally is established in Ireland, our lead supervisory authority is the:
- Data Protection Commission (DPC)
- 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- Website: www.dataprotection.ie
- Phone: +353 (0)76 110 4800
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the DPC or your local supervisory authority (if you are in another EU/EEA country).
We encourage you to contact us first at dpo@inntally.com so we can resolve any concerns directly.
Data Privacy Questions?
Our Data Protection Officer is available to answer any questions about how we handle your personal data.