Privacy Notice

Incorpro Limited (registered in Ireland, company number 654276)
Unit 2
2 Bridge Street
Athlone, Westmeath
N37 F1W4, Ireland
info@incorpro.ie

Incorpro Limited is the data controller for the personal data described in this notice. We have not appointed a Data Protection Officer; however, we have nominated a Head of Privacy who is responsible for our compliance with data protection law. You can contact our Head of Privacy by email at info@incorpro.ie or by post at the address above, marked for the attention of the Head of Privacy.

1. How we process personal data

For people who contact us through our website

We use the personal data you have provided to us to respond to your queries when you contact us. Our legal basis for this processing is our legitimate interest in responding to your enquiry, maintaining records of professional communications, and operating our professional services business. If you become a client, your personal data will become part of your file with us. If you do not become a client, we will delete your personal data 12 months after your last contact with us. Providing your contact details is not a legal requirement, but we cannot respond to your query without them.

For people who sign up for our newsletter

We use the contact information you have provided us to send you our newsletter and other updates. Our legal basis for this processing is the consent that you provided when you signed up. Signing up is entirely voluntary. We always include an unsubscribe option in our marketing communications, so you can opt out of receiving such communications at any time by clicking the unsubscribe link included in every newsletter, or by contacting us at info@incorpro.ie — you have an absolute right to object to receiving direct marketing and we will act on any such objection immediately. We retain your contact information for as long as you remain subscribed. If you unsubscribe or object, we will stop using it for marketing; we will then delete it unless we have another lawful basis to retain it (for example, if you are also a client and we hold the data for tax, AML, or engagement-record purposes set out below).

For clients and prospective clients

We process personal data about you in order to provide our professional services, including accounts preparation, tax compliance, payroll, and company secretarial services. Our legal bases for this processing are performance of a contract, compliance with our legal obligations, and our legitimate interest in fulfilling our professional and regulatory obligations as a firm of Chartered Accountants. Providing your personal data is necessary for us to provide services to you. In many cases it is also a legal requirement — for example, the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 requires us to verify your identity and retain records before we can act for you, and the Companies Act 2014 requires the filing of certain personal data (such as director and secretary details) with the Companies Registration Office. If you do not provide the required data, we may be unable to take you on as a client or to continue providing services to you.

We retain client engagement records for the following periods, determined by the applicable statutory obligation:

Anti-Money Laundering / Customer Due Diligence records — 5 years from the end of the business relationship, as required by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
Tax and accounts records — 6 years from the end of the relevant tax year, as required by Revenue Ireland.
Payroll records — 6 years from the end of the relevant payroll period, as required by Revenue Ireland.
Other client engagement records — 7 years from the completion of the engagement, in line with professional indemnity and contractual limitation periods.

For people whose information we received from one of our clients

If you are an employee, contractor, customer, supplier, or family member of one of our clients, we receive and process your personal data as part of our engagement with that client. That personal data may include your name, contact information, and financial information such as salary or payments. We will only process your data in order to provide our accounting, tax, audit or other services to our client. Our legal basis for this processing is our legitimate interest in fulfilling our professional and contractual obligations to our clients, and in many cases a legal obligation (for example, payroll reporting obligations to Revenue). We retain this data in accordance with the same retention periods set out above. You were not required to provide this data to us directly — it was provided to us by our client.

2. Whom we share data with

We share your personal data with the following service providers, who process it on our behalf in delivering our services to you: ID-Pal Limited (identity verification), Google Ireland Limited (cloud infrastructure, document processing, analytics), OpenAI (document analysis and AI assistance), Anthropic (AI assistance), Mailgun (Sinch) (email delivery), Revolut Bank UAB (Irish Branch) (payment processing), Yapily Limited (UK) (open-banking transaction data, with your consent), Calendly (meeting scheduling), WhatsApp Ireland Ltd (client messaging), Sentry (application error monitoring — error reports may incidentally include personal data that appears in stack traces or log context), and LinkedIn Ireland Unlimited Company (advertising). These providers are not permitted to use this data except on our behalf. The categories of personal data shared with each provider depend on the service they deliver to us. We update this list when our service providers change. We may also share your personal data with our professional advisors (such as our solicitors, auditors and tax advisors), who are subject to rules of confidentiality, and we may be obliged to provide access to your personal data to regulators including the Data Protection Commission, the Companies Registration Office, Revenue, and our professional body Chartered Accountants Ireland.

In addition, we obtain information about company directors, secretaries, shareholders and beneficial owners from independent data sources — including the Companies Registration Office, the Revenue Online Service, EU VIES (for VAT validation), and Vision-Net. These bodies act as independent data controllers in their own right; we receive data from them rather than sharing data with them.

If we received your personal data from one of our clients, then we also share your personal data with that client.

We will not share your personal data with any other third parties, unless we have a legal or professional duty to do so.

For information about the cookies we set on our website, please see our Cookie Policy.

3. Transfers of data outside the European Economic Area

Some of the providers listed above are based in the United States. OpenAI, Anthropic, Mailgun (Sinch) and Sentry are US-based; transfers of personal data to these providers are governed by the 2021 Standard Contractual Clauses approved by the European Commission. Calendly is US-based and transfers take place under the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

Google Ireland Limited, WhatsApp Ireland Ltd and LinkedIn Ireland Unlimited Company are based within the EEA, and the contracting entity for our agreement is the EEA entity. However, personal data may be onward-transferred to the relevant US-based parent or affiliate (Google LLC, Meta Platforms Inc. and LinkedIn Corporation respectively). For Google, that onward transfer is governed by Standard Contractual Clauses between Google Ireland Limited and Google LLC. For WhatsApp/Meta and LinkedIn, the onward transfer takes place under the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses where relevant.

ID-Pal Limited and Revolut (Revolut Bank UAB Irish Branch) are EEA-based and personal data shared with them remains within the EEA.

Yapily Limited is based in the United Kingdom; transfers of personal data to Yapily are made on the basis of the European Commission's adequacy decision for the United Kingdom dated 28 June 2021.

The categories of personal data transferred to each provider are determined by the service that provider delivers to us, as described in Section 2 above. A copy of the Standard Contractual Clauses and other safeguards described above is available on request from our Head of Privacy at info@incorpro.ie.

4. Automated Decision-Making, AI Assistance, and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects about you. However, we provide IncorproChat, an AI-powered chatbot that draws on a knowledge base of employee-produced content to assist with general queries.

IncorproChat disclaimer

IncorproChat provides general information drawn from a knowledge base of employee-produced content. It does not constitute accounting, tax, legal, or professional advice. Responses are not always up to date, complete, or applicable to your specific situation. Consult our team before making any decisions based on IncorproChat's responses. We accept no liability for any errors, omissions, or reliance on the information provided.

Please do not share confidential, personal, or sensitive information in IncorproChat. Conversation logs may be reviewed by our staff to identify quality regressions and to inform updates to the knowledge base; our legal basis for this is our legitimate interest in maintaining the accuracy of the service. Conversation logs are retained for up to 12 months from the date of the conversation, after which they are deleted; where a conversation forms part of a client engagement record, the retention periods set out in section 1 above apply instead.

5. Your rights

You have the following rights under the GDPR in relation to your personal data. Where a particular right applies only in certain circumstances or is subject to specific conditions, we explain those conditions in the relevant entry below.

Right to be informed — you have the right to be told how we use your personal data, which this notice fulfils.
Right to access — you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
Right to rectification — you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
Right to erasure — you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten. Note that this right does not apply where we are required by law to retain the data (for example, tax or AML records).
Right to restrict processing — you have the right to request that we restrict our processing of your personal data in certain circumstances, for example while the accuracy of data is contested.
Right to object — you have the right to object to our processing of your personal data where we rely on legitimate interests as our legal basis. Where you object to processing for direct marketing purposes, this right is absolute — we must stop processing immediately and without any balancing assessment.
Right to data portability — you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or contract.
Right to withdraw consent — if we are processing personal data based on your consent, you may withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

In order to exercise any of the rights set out above, or if you have questions or concerns about how we process your data, please contact us at info@incorpro.ie or by post at Incorpro Limited, Unit 2, 2 Bridge Street, Athlone, Westmeath, N37 F1W4, Ireland. You also have the right to lodge a complaint with the Data Protection Commission, whose contact details are as follows: