1. Our role
Inntally Ltd. (company number 787583, Limerick V94 X2P7, Ireland) is:
- Controller for personal data we collect for our own purposes — marketing-website visitors, contact-form submissions, sales prospects, and our own staff.
- Processor for personal data customers process inside the platform (their staff, their guests, their suppliers). That relationship is governed by our Data Processing Agreement (DPA), signed at onboarding.
2. Legal basis
We process personal data on these GDPR Article 6 bases:
- Contract performance — delivering the Services.
- Legitimate interests — security, fraud prevention, product improvement (TIA documented in our ISMS).
- Consent — marketing emails, non-essential cookies.
- Legal obligation — tax + employment law + lawful requests.
3. Data subject rights
You have the following rights under GDPR. We honour all of them:
- Article 15 — right of access (a copy of your data).
- Article 16 — rectification.
- Article 17 — erasure (“right to be forgotten”) subject to lawful retention.
- Article 18 — restriction of processing.
- Article 20 — data portability (machine-readable export).
- Article 21 — objection (incl. to direct marketing).
- Article 22 — not to be subject to automated decision-making with legal effect.
4. DSAR procedure
- Email dpo@inntally.com with the right(s) you wish to exercise.
- We verify your identity (proportionate to the request) within 5 working days.
- We fulfil the request within 30 days (extendable by 2 months for complex requests per Article 12(3), with notice).
- Standard requests are free of charge; manifestly unfounded / excessive requests may attract a reasonable fee.
- If you are the data subject of a customer’s data, we may direct you to that customer (the controller); we will inform you and copy them.
5. Sub-processors
Each sub-processor is bound by a Data Processing Agreement with technical + organisational safeguards. The full list, with purposes, regions, and attestations, is in our DPA Schedule 2. Headline sub-processors:
- AWS — compute, storage, database, queueing. eu-west-1 (Dublin).
- Stripe — payments processing. PCI DSS Level 1.
- OpenAI EU API — AI inference for IntelliFlow + Vault search. EU region; no-training flag enabled.
- AWS Textract — OCR layer for IntelliFlow. EU region.
- AWS SES + SNS — transactional email + SMS. EU region.
Material additions or changes are notified at least 30 days in advance.
6. International transfers
All Inntally customer data sits in AWS eu-west-1 (Dublin). For sub-processors with US presence (Stripe, parts of OpenAI infra), transfers are governed by:
- EU Standard Contractual Clauses (Module 1 controller–controller, Module 2 controller–processor as appropriate).
- Transfer Risk Assessments documented per sub-processor and reviewed annually.
- EU–US Data Privacy Framework where applicable.
7. Retention
Personal data is retained only as long as needed for the purpose, plus any legal hold. Headline retention:
- Marketing-website visitor logs — 90 days (security), 12 months (aggregated analytics).
- Contact-form submissions — 3 years.
- Customer-platform data — per customer’s retention policy + Schedule 3 of the DPA.
- Financial records (tax) — 7 years.
8. DPIAs
Data Protection Impact Assessments are completed for processing activities likely to result in high risk to data subjects, including:
- AI-based invoice processing (IntelliFlow).
- Biometric staff clock-in (HR360).
- Customer marketing automation.
DPIAs are reviewed at least annually and on material change.
9. Breach notification
- Internal incident response triggered within 1 hour of detection.
- Notification to the Irish Data Protection Commission (and other applicable authorities) within 72 hours where the breach is reportable (Article 33).
- Affected data subjects notified without undue delay where there is a high risk to rights + freedoms (Article 34).
- Affected customers (as controllers) notified within 72 hours so they can meet their own Article 33/34 obligations.
10. DPO + supervisory authority
- Inntally DPO: dpo@inntally.com
- Lead supervisory authority: Irish Data Protection Commission — dataprotection.ie.
- You have the right to lodge a complaint with the DPC or your local DPA.
11. ISO 27701
Inntally has aligned its Privacy Information Management System (PIMS) to ISO/IEC 27701:2019 (the ISO 27001 privacy extension). The Stage 1 audit is targeted for Q3/Q4 2026; the certification target is Q1–Q2 2027. The PIMS controls + evidence binder are available to customers under NDA.
12. Contact
- DPO: dpo@inntally.com
- Privacy team: privacy@inntally.com
- Security disclosures: security@inntally.com
- Registered office: Inntally Ltd., Glenteely, Bohergar, Boher, Limerick V94 X2P7, Ireland.