Privacy Policy

collatzinc.ie — Republic of Ireland

GDPR Compliant  |  Data Protection Act 2018 (Ireland)  |  ePrivacy Regulations (SI 336 of 2011)

Effective Date: 23 March 2026  |  Last Updated: 23 March 2026  |  Version 1.0

Notice to Data Subjects: This policy satisfies the transparency obligations under GDPR Articles 13 and 14. If you provided your personal data directly to us, Article 13 applies. If we obtained your data from a third-party source, Article 14 applies. In both cases, this policy sets out all required information.

1. Who We Are

The data controller responsible for your personal data collected via collatzinc.ie is:

Data Controller: Collatzinc — Collatzinc Ireland

Website: collatzinc.ie

Email: contact@collatzinc.ie

Phone: +353 1556 3778

References to "we", "us", or "our" in this policy refer to Collatzinc in its capacity as data controller.

Data Protection Officer (DPO): Collatzinc is not currently required to designate a DPO under GDPR Article 37, as our core activities do not involve large-scale, systematic processing of personal data or special category data. Should our processing activities change such that a DPO appointment becomes mandatory, we will publish the DPO's contact details within this policy without delay. In the interim, all data protection queries should be directed to contact@collatzinc.ie.

2. Information We Collect

We collect and process the following categories of personal data:

Category  |  Examples  |  Source
Personal Information  |  Name, email, phone number, company name, job title  |  Directly from you
Technical Data  |  IP address, device type, browser details, operating system, geographic location  |  Automatically via your device
Usage Data  |  Pages visited, session duration, clickstream, engagement metrics  |  Automatically via analytics tools
Communication Data  |  Emails, contact form submissions, enquiries, feedback, meeting notes  |  Directly from you
Cookies and Tracking Data  |  Cookie identifiers, tracking pixels, session tokens  |  Automatically, subject to your consent
Business Data  |  Company registration details, procurement information, project briefs  |  Directly from you or your employer

Special category data: We do not seek to collect special category data (as defined in GDPR Article 9, including health, biometric, racial, religious, or political data). If any such data is incidentally shared with us, we will not process it beyond what is strictly necessary and will delete it promptly.

Source of indirectly collected data (GDPR Art. 14): Where we obtain personal data from third-party sources — such as publicly available business directories, LinkedIn, referral partners, or analytics providers — we will inform you of this at the earliest reasonable opportunity and no later than 30 days from obtaining the data.

3. How We Use Your Data and the Legal Basis for Each Purpose

We process your personal data only when we have a specific, documented lawful basis under GDPR Article 6. The table below maps each processing purpose to its legal basis.

Purpose  |  Legal Basis (GDPR Art. 6)
Delivering IT services, software consultancy, UI/UX and logo design projects  |  Art. 6(1)(b) — Contractual Necessity
Responding to enquiries and providing pre-sales support  |  Art. 6(1)(b) / Art. 6(1)(f) — Contractual Necessity / Legitimate Interests
Billing, invoicing, and financial administration  |  Art. 6(1)(b) / Art. 6(1)(c) — Contractual Necessity / Legal Compliance
Website security, fraud prevention, and abuse detection  |  Art. 6(1)(f) — Legitimate Interests
Website analytics and performance monitoring  |  Art. 6(1)(a) — Consent (via cookie banner)
Direct marketing by email or other electronic channels  |  Art. 6(1)(a) — Consent (explicit opt-in required)
Compliance with Irish tax law, company law, or regulatory obligations  |  Art. 6(1)(c) — Legal Compliance
Improving our services and internal business development  |  Art. 6(1)(f) — Legitimate Interests
Protecting vital interests in emergency situations  |  Art. 6(1)(d) — Vital Interests

Legitimate Interests Assessment (LIA): Where we rely on Art. 6(1)(f) Legitimate Interests, we have conducted or will conduct a Legitimate Interests Assessment to confirm that our interests are not overridden by your rights and freedoms. A summary of any LIA is available on written request by contacting contact@collatzinc.ie.

Change of purpose: If we intend to use your data for a purpose incompatible with the original purpose of collection, we will notify you in advance and obtain your consent or identify a new lawful basis, as required under GDPR Article 6(4).

4. Marketing Communications

We will only send you marketing communications (including emails, newsletters, or service updates) where:

  • You have explicitly opted in to receive such communications; or
  • You are an existing client and we are marketing directly related services, subject to your right to opt out at any time.

This is consistent with the requirements of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011), which transpose the EU ePrivacy Directive into Irish law.

To opt out: You may withdraw marketing consent at any time by clicking the "unsubscribe" link in any email we send you, or by emailing contact@collatzinc.ie with the subject line "Marketing Opt-Out". We will action your request within 5 business days.

5. Cookies and Tracking Technologies

We use cookies and similar technologies on collatzinc.ie in accordance with the ePrivacy Regulations (SI 336 of 2011) and GDPR. Cookies are small text files placed on your device.

Cookie Type  |  Purpose  |  Consent Required?
Strictly Necessary  |  Core website functionality, session management, security  |  No (legitimate interest/essential)
Analytics / Performance  |  Understanding how visitors use the site (e.g., Google Analytics)  |  Yes
Functional / Preference  |  Remembering your settings and preferences  |  Yes
Marketing / Targeting  |  Serving relevant advertisements or tracking conversions  |  Yes

You will be presented with a cookie consent banner upon your first visit to collatzinc.ie. You may change your preferences at any time via the cookie settings link in the website footer. Refusing non-essential cookies will not affect your ability to use the website's core features.

Third-party cookies (e.g., from analytics providers) are subject to those providers' own privacy policies. We do not sell data derived from cookies to third parties.

6. Data Sharing and International Transfers

6.1 Who We Share Data With

We may share your personal data with the following categories of recipients:

  • Data Processors (Service Providers): Third-party vendors providing hosting, cloud infrastructure, analytics, CRM, email delivery, and payment processing, under written Data Processing Agreements (DPAs) that bind them to GDPR standards.
  • Collatzinc Group Entities: Our affiliated entities in India and the United States, for the purpose of delivering services and internal operations, each operating as a separate legal entity under its own obligations and solely as a data processor acting on Collatzinc Ireland's instructions.
  • Legal and Regulatory Bodies: Courts, regulators (including the Revenue Commissioners and the Data Protection Commission), and law enforcement, where required by law.
  • Professional Advisers: Solicitors, accountants, and auditors, subject to professional confidentiality obligations.
  • Business Transaction Parties: In the event of a merger, acquisition, or restructuring, subject to standard confidentiality protections.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

6.2 International Transfers Outside the EEA

Transfers to our group entities in India and the United States involve third countries that may not have an adequacy decision equivalent to EU standards. We safeguard these transfers using the following mechanisms, as required by GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): The European Commission's 2021 SCCs are incorporated into our intra-group agreements and service provider contracts involving non-EEA transfers.
  • Transfer Impact Assessments (TIAs): We assess the laws and practices of recipient countries to identify any risk to your rights, particularly following the CJEU's Schrems II ruling (C-311/18). Where a TIA identifies elevated risk, we implement supplementary technical and contractual safeguards.
  • US-specific transfers: We rely on the EU-U.S. Data Privacy Framework (where applicable) or SCCs with TIAs for transfers to US-based processors.

You may request a copy of the applicable transfer safeguards by contacting contact@collatzinc.ie.

7. Data Security

We apply appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

  • TLS/SSL encryption for all data in transit.
  • Encryption at rest for stored personal data.
  • Role-based access controls and multi-factor authentication for internal systems.
  • Periodic security reviews and vulnerability assessments, conducted at a frequency appropriate to the risk profile of our processing activities.
  • Staff training on data protection and security awareness.
  • Vendor due diligence and contractual security obligations.

Personal Data Breach Procedure:

In the event of a personal data breach, we will follow our internal incident response procedure, which includes:

  1. Documenting the breach internally in our breach register.
  2. Notifying the Data Protection Commission (DPC) within 72 hours of becoming aware, where the breach poses a risk to your rights and freedoms (GDPR Art. 33).
  3. Notifying you directly, without undue delay, where the breach is likely to result in a HIGH risk to your rights and freedoms (GDPR Art. 34), with a description of the breach, its likely consequences, and the remedial measures taken or proposed.

Limitation of liability for data breaches: To the maximum extent permitted by GDPR and applicable Irish law, Collatzinc's financial liability arising from any personal data breach shall be limited to direct losses only and shall not include indirect, consequential, or punitive losses. Where a breach was caused wholly or primarily by the acts or omissions of a third-party data processor, Collatzinc's liability shall be limited to exercising reasonable oversight of that processor as required by GDPR Article 28, and Collatzinc shall not be liable for the processor's independent failures beyond that obligation.

Corporate group: Collatzinc Ireland is solely responsible as data controller for personal data collected via collatzinc.ie. No parent company, holding company, subsidiary, or affiliated group entity bears any responsibility or liability under this Privacy Policy or as a data controller in respect of such data.

8. Your Rights Under GDPR

Under the GDPR (Articles 15–22) and the Data Protection Act 2018, you have the following enforceable rights:

Right  |  Description  |  GDPR Article
Right of Access  |  Obtain a copy of the personal data we hold about you, free of charge  |  Art. 15
Right to Rectification  |  Have inaccurate or incomplete data corrected  |  Art. 16
Right to Erasure  |  Request deletion of your data where there is no overriding legal basis to retain it  |  Art. 17
Right to Restriction  |  Limit how we process your data in specific circumstances  |  Art. 18
Right to Data Portability  |  Receive your data in a structured, machine-readable format (where technically feasible)  |  Art. 20
Right to Object  |  Object to processing based on legitimate interests, or to direct marketing (absolute right)  |  Art. 21
Right Not to Be Subject to Automated Decisions  |  Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects  |  Art. 22
Right to Withdraw Consent  |  Withdraw consent at any time without affecting the lawfulness of prior processing  |  Art. 7(3)

How to Exercise Your Rights

Submit your request to contact@collatzinc.ie with the subject line "Data Subject Rights Request". We will:

  • Acknowledge your request within 5 business days.
  • Verify your identity before processing the request (we may ask for reasonable proof of identity to prevent unauthorised access to another person's data).
  • Respond in full within 30 calendar days. In complex cases, we may extend this by a further 60 days, in which case we will notify you within the initial 30-day period (GDPR Art. 12(3)).
  • Provide responses free of charge. Where requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act, with written reasons.

9. Data Protection Principles

We process personal data in accordance with the core principles of GDPR Article 5. Personal data must be:

  • Lawfully, fairly and transparently processed: We only process data on a documented lawful basis and we inform you of how we use it.
  • Collected for specified, explicit and legitimate purposes: Data is not processed in a manner incompatible with the purpose for which it was collected.
  • Adequate, relevant and limited to what is necessary: We practise data minimisation and do not collect more data than is needed.
  • Accurate and kept up to date: We take reasonable steps to ensure data is accurate (GDPR Art. 5(1)(d)). If your personal details change, please notify us at contact@collatzinc.ie so we can update our records promptly.
  • Kept no longer than necessary: As set out in our retention schedule in Section 10.
  • Processed with appropriate security: Protecting against unauthorised access, loss, and destruction.

We are accountable for compliance with these principles and can demonstrate such compliance upon request (GDPR Art. 5(2)).

10. Data Retention

We retain personal data only for as long as is necessary for the specified purpose and no longer than permitted by law. Our retention schedule is as follows:

Data Category  |  Retention Period  |  Legal Basis for Retention
Client and contractual records  |  7 years from end of engagement  |  Taxes Consolidation Act 1997; Companies Act 2014
Employee and HR records  |  7 years from end of employment  |  Employment equality and tax legislation
Marketing consent records  |  3 years from last engagement or until consent withdrawn  |  SI 336/2011; GDPR Art. 7(1)
Website analytics data  |  26 months  |  Proportionality principle
Enquiry and communication records  |  2 years from date of enquiry  |  Limitation Act 1957 (Ireland)
Cookies (non-essential)  |  Duration of consent, maximum 12 months  |  GDPR Art. 7; SI 336/2011
CCTV (if applicable at premises)  |  Maximum 28 days  |  DPC guidance

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised in accordance with our internal data disposal procedure.

11. Is Providing Your Data Mandatory?

Contractual data: When you engage our services, certain personal data (such as your name, email address, company details, and payment information) is required to enter into and perform a contract with you. If you do not provide this data, we may not be able to provide the requested services.

Legal obligation data: Certain data (such as financial and tax records) must be retained to comply with Irish law. Failure to provide this information may prevent us from entering into a service agreement.

Voluntary data: Where data collection is optional (e.g., subscribing to marketing communications, completing optional survey fields), you will be informed at the point of collection. There are no negative consequences for declining to provide optional data.

12. Children's Data

Our services are directed solely at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. Under the Data Protection Act 2018 (Ireland), the age of digital consent for information society services is 16. If you believe a child under 16 has provided data to us, please contact contact@collatzinc.ie immediately and we will delete the data without undue delay.

13. Complaints Procedure

If you have a concern about how we handle your personal data, we ask that you first raise it with us directly so that we can attempt to resolve it:

Step 1 — Internal Complaint: Email contact@collatzinc.ie with the subject line "Privacy Complaint". We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

Step 2 — Escalation to the DPC: If you are not satisfied with our response, or if we fail to respond within 30 days, you have the right to lodge a complaint directly with the Irish supervisory authority:

Data Protection Commission (DPC)

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Phone: +353 57 868 4800

Online: www.dataprotection.ie

You also have the right to seek a judicial remedy under GDPR Article 79 if you consider that your rights have been infringed.

14. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policy of any external site you visit. The inclusion of a link does not constitute endorsement by Collatzinc.

15. Changes to This Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or our processing activities. We will:

  • Post the updated policy on collatzinc.ie with a revised "Last Updated" date.
  • Notify existing clients and newsletter subscribers of material changes by email at least 14 days before the changes take effect.

Continued use of our website or services after the effective date of any change constitutes your acknowledgement of the updated policy.

16. Contact Information

For all data protection matters — including rights requests, complaints, or general enquiries — please contact us:

Collatzinc — Ireland

Email: contact@collatzinc.ie

Phone: +353 1556 3778

Website: collatzinc.ie

Supervisory Authority: Data Protection Commission (Ireland)

www.dataprotection.ie  |  +353 57 868 4800

This Privacy Policy is governed by the laws of Ireland and the European Union.

© 2025 Collatzinc. All Rights Reserved.