1. Introduction
Inntally Ltd. (“Inntally”, “we”, “us”, “our”), Irish company number 787583, registered office Glenteely, Bohergar, Boher, Limerick V94 X2P7, Ireland, is the controller of personal data described in this Notice for its public website. For data we process on behalf of customers inside the platform, Inntally is the processor and the customer is the controller; that relationship is governed by our Data Processing Agreement.
This Notice explains what data we collect, why, how long we keep it, and what rights you have under GDPR.
2. Data we collect
2.1 Information you provide
- Account information: name, email, phone, job title, company.
- Business data: supplier information, recipes, inventory, invoices, HACCP records and other operational data you input. For this category, we act as your processor.
- Payment information: billing details. Card numbers are processed by Stripe; we never store PANs.
- Communications: support tickets, contact-form messages, feedback.
2.2 Information collected automatically
- Usage data: pages visited, features used, session duration.
- Device information: IP address, browser type, OS, device identifiers.
- Log data: access times, error logs, referral URLs.
2.3 Information from third parties
- Integration data: data received from POS, accounting or other third-party systems you connect.
- Marketplace data: information shared by your suppliers via the Marketplace.
2.4 Marketing-website analytics (consent-gated)
On the public marketing website (inntally.com), only with your explicit consent via the cookie banner, we collect and store:
- An anonymous session identifier (1st-party cookie, 30 days).
- Page views, scroll depth, time-on-page, click events on tracked CTAs.
- UTM parameters from the URL (when present).
- Approximate location: IP is anonymised at ingest before storage (last octet stripped for IPv4, /48 for IPv6). We persist country, region, and (where available from the CDN) city; we do NOT persist the raw IP.
- Device hints (device type, browser, OS, screen size, language) reported by your browser.
This data is used to improve the site, measure campaign performance, and inform the product roadmap. It is not joined to any logged-in user account, never shared with third parties for advertising, and retained for a rolling 13-month window before automated deletion.
3. How we use your data
- Provide, maintain, and improve the Services.
- Process transactions and send related notifications.
- Analyse usage patterns to improve platform performance.
- Detect, prevent, and address security threats.
- Apply pseudonymised digital identifiers to exported files for leakage traceability.
- Comply with legal obligations and enforce our terms.
- Send service announcements, and (with consent) product updates and newsletters.
- Provide customer support.
4. Legal basis for processing
- Contract performance — processing necessary to deliver the Services you have subscribed to.
- Legitimate interests — service improvement, fraud prevention, platform security, and tracing unauthorised distribution of exported data via pseudonymised identifiers.
- Consent — marketing communications and non-essential cookies.
- Legal obligation — tax reporting, regulatory compliance, lawful requests.
5. Sharing & sub-processors
We do not sell your personal data. We share with:
- Sub-processors — AWS (hosting, eu-west-1), Stripe (payments), OpenAI EU API (AI inference), AWS SES/SNS (transactional messaging), AWS Textract (OCR), CloudFront. All bound by Data Processing Agreements with EU Standard Contractual Clauses. Full list available in our DPA.
- Business partners — suppliers and vendors you interact with via Marketplace, only as necessary to facilitate transactions you initiate.
- Legal requirements — when required by law, court order, or competent authority.
- Business transfers — in a merger, acquisition or asset sale, with notice to affected data subjects.
6. International transfers
Inntally infrastructure runs entirely in AWS eu-west-1 (Dublin). Customer Personal Data is stored in the EU. Where sub-processors outside the EEA are involved (e.g. Stripe, OpenAI EU), transfers are governed by:
- EU Standard Contractual Clauses (2021 modules).
- Transfer Risk Assessments documented per sub-processor, reviewed annually.
- Adequacy decisions where they apply.
7. Data retention
- Account data: duration of the account plus 30 days after deletion request, then hard-deleted (subject to lawful holds).
- Business data (you control): retained per your organisation’s configured policies.
- Financial records: minimum 7 years (Irish Revenue and accounting law).
- Log data: security logs 90 days; analytics logs 12 months.
- Marketing consent records: until withdrawn plus 3 years for evidence.
8. Your rights
- Access: request a copy of your personal data.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion (subject to lawful retention).
- Restriction: limit processing.
- Portability: receive data in a structured, machine-readable format.
- Object: object to processing based on legitimate interests.
- Withdraw consent: revoke previously given consent.
To exercise these rights, email dpo@inntally.com. We respond within 30 days (per GDPR Article 12).
9. Cookies & tracking
We use:
- Essential cookies — authentication, security tokens, session continuity.
- Analytics cookies — usage patterns (only with consent).
- Preference cookies — remembering settings and choices.
Manage preferences via our cookie banner or your browser settings. Full detail in our Cookie Notice.
10. Children’s privacy
The Services are not directed at individuals under 16. We do not knowingly collect personal data from children. If we become aware that we have, we delete it promptly.
11. Security measures
- AES-256 at rest (KMS-managed keys); TLS 1.2+ in transit; Argon2id password hashing.
- MFA (TOTP) supported; SSO (SAML / OIDC) with SCIM on enterprise.
- ISO 27001 and 27701 ISMS established 2026-05-26; certificate target Q1–Q2 2027.
- Role-based access controls with least-privilege defaults.
- 24x7 monitoring, alerting, on-call. WAFv2 and CloudFront edge defence.
- Annual third-party penetration testing.
- Pseudonymised export fingerprints in downloaded files; identifiers do not contain names, emails, user IDs or client IDs and can only be resolved inside our access-controlled audit systems.
Full security posture: /security. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
12. Changes to this notice
We may update this Notice periodically. Material changes are notified by email or prominent in-platform notice at least 30 days before the effective date. Continued use after the effective date constitutes acceptance.
13. Contact
- Privacy team: privacy@inntally.com
- Data Protection Officer: dpo@inntally.com
- Registered office: Inntally Ltd., Glenteely, Bohergar, Boher, Limerick V94 X2P7, Ireland.
If you’re not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local Data Protection Authority.