Privacy Policy

1. Introduction

Inntally Limited ("Inntally", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, mobile applications, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Data We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, job title, and company details when you create an account.
• Business Data: Inventory records, financial data, supplier information, recipes, compliance documents, and other operational data you input into the platform.
• Payment Information: Billing address and payment method details. Card numbers are processed directly by our PCI-DSS compliant payment processor (Stripe) and are never stored on our servers.
• Communications: Messages, support tickets, and feedback you send us.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, actions taken, timestamps, and session duration.
• Device Information: IP address, browser type, operating system, device identifiers, and screen resolution.
• Log Data: Server logs including access times, error logs, and referral URLs.

2.3 Information from Third Parties

• Integration Data: Data received from POS systems, accounting software, or other third-party services you connect to Inntally.
• Supplier/Partner Data: Information shared by your suppliers or business partners through the Marketplace.

3. How We Use Your Data

We use your information to:

• Provide, maintain, and improve our Services
• Process transactions and send related notifications
• Personalise your experience and provide tailored recommendations
• Analyse usage patterns to improve platform performance
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations and enforce our terms
• Send product updates, newsletters, and marketing communications (with your consent)
• Provide customer support and respond to inquiries

4. Legal Basis for Processing

Under GDPR and applicable data protection laws, we process your data based on:

• Contract Performance: Processing necessary to deliver the Services you have subscribed to.
• Legitimate Interests: Improving our Services, fraud prevention, and platform security.
• Consent: Marketing communications and optional cookies.
• Legal Obligation: Tax reporting, regulatory compliance, and law enforcement requests.

5. Data Sharing & Third Parties

We do not sell your personal data. We may share data with:

• Service Providers: Cloud hosting (AWS), payment processing (Stripe), email delivery, and analytics providers — all bound by data processing agreements.
• Business Partners: Suppliers and vendors you interact with through the Marketplace, only as necessary to facilitate transactions.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

6. International Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards through:

• EU Standard Contractual Clauses (SCCs)
• Data Processing Agreements with all sub-processors
• Adequacy decisions where available

7. Data Retention

We retain your data for as long as your account is active or as needed to provide Services. Specific retention periods:

• Account Data: Duration of account plus 30 days after deletion request
• Business Data: As configured by your organisation's retention policies
• Financial Records: Minimum 7 years as required by tax law
• Log Data: 90 days for security logs, 12 months for analytics
• Marketing Consent: Until withdrawn

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Revoke previously given consent at any time

To exercise these rights, contact us at privacy@inntally.com. We will respond within 30 days.

9. Cookies & Tracking

We use cookies and similar technologies for:

• Essential Cookies: Required for platform functionality (authentication, security tokens)
• Analytics Cookies: Understanding usage patterns (with consent)
• Preference Cookies: Remembering your settings and choices

You can manage cookie preferences through our cookie consent banner or your browser settings. Disabling essential cookies may impact platform functionality.

10. Children's Privacy

Our Services are not directed to individuals under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Security Measures

We employ industry-standard security measures including:

• AES-256 encryption at rest and TLS 1.3 in transit
• Multi-factor authentication support
• Regular penetration testing and security audits
• SOC 2 Type II compliance framework
• Role-based access controls with principle of least privilege
• 24/7 infrastructure monitoring and anomaly detection

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or through a prominent notice on our platform at least 30 days before the changes take effect. Continued use after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

• Email: privacy@inntally.com
• Data Protection Officer: dpo@inntally.com
• Address: Inntally Limited, Dublin, Ireland

If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.