[ LEGAL // PRIVACY_POLICY ]

Privacy Policy

Last updated: 22 March 2026

1. CONTROLLER IDENTITY

COMPANY.LEGAL is the data controller for personal data processed through this platform. We operate from Dublin, Ireland and are registered with the Data Protection Commissioner of Ireland. For data protection enquiries, contact us at privacy@company.legal.

2. LEGAL BASIS

We process your personal data under the following legal bases as set out in the GDPR (Regulation (EU) 2016/679) and the Data Protection Acts 1988–2018:

  • [CONTRACT] Processing necessary to provide the services you have requested.
  • [LEGAL OBLIGATION] Processing required to comply with Irish and EU legal obligations, including CRO and Revenue requirements.
  • [LEGITIMATE INTERESTS] Processing for fraud prevention, platform security, and service improvement.
  • [CONSENT] Where we have obtained your explicit consent, such as for marketing communications.

3. DATA WE COLLECT

3.1 // ACCOUNT DATA

Name, email address, and authentication credentials including passkeys and biometric authenticators registered on your device.

3.2 // COMPANY DATA

Company name, CRO number, registered address, directors, shareholders, cap table data, constitutional documents, and other corporate records you create or upload.

3.3 // TRANSACTION DATA

Financial data synced from connected providers (Revolut, Stripe), invoices, and payment records processed through the platform.

3.4 // USAGE DATA

IP addresses, browser type, device identifiers, pages visited, actions taken, and timestamps. We maintain forensic audit logs of all significant actions on the platform for compliance purposes.

3.5 // BIOMETRIC DATA

We do not store raw biometric data. Biometric authentication is handled entirely on your device using the WebAuthn standard. We store only the public key component of your passkey, never your fingerprint, face scan, or other biometric raw data.

4. HOW WE USE YOUR DATA

  • Providing, maintaining, and improving the platform
  • Processing company incorporations and compliance filings
  • Authenticating your identity and authorising actions
  • Generating and maintaining cryptographic audit trails
  • Sending service notifications, verification emails, and legal alerts
  • Complying with CRO, Revenue, and other regulatory obligations
  • Investigating fraud, misuse, or security incidents
  • Responding to legal requests from Irish courts or regulators

5. DATA STORAGE AND TRANSFERS

Your data is stored on Cloudflare infrastructure. Cloudflare D1 databases and R2 object storage are configured to operate within the EU. Cloudflare Inc. is certified under the EU-US Data Privacy Framework.

Cryptographic hashes of signed documents may be anchored to the BSV blockchain, which is a public, immutable ledger. Only hash values — never personal data or document contents — are written to the blockchain.

6. DATA SHARING

We do not sell your personal data. We may share data with:

  • [CLOUDFLARE] Infrastructure provider for compute, storage, and CDN.
  • [CRO / REVENUE] Where you instruct us to file returns on your behalf.
  • [CONNECTED PROVIDERS] Revolut, Stripe — only data you have authorised via OAuth.
  • [LEGAL AUTHORITIES] Where required by Irish law, court order, or regulatory obligation.
  • [OTHER USERS] Only data you explicitly share within your organisation or with invited counterparties.

7. RETENTION

We retain your account data for the duration of your subscription plus 7 years to comply with Irish company law record-keeping requirements. Corporate records (resolutions, share registers, meeting minutes) are retained for a minimum of 6 years as required under the Companies Act 2014. Audit logs are retained for 7 years. You may request deletion of personal data not subject to legal retention obligations at any time.

8. YOUR RIGHTS

Under GDPR and the Data Protection Acts, you have the following rights:

  • [ACCESS] Request a copy of all personal data we hold about you.
  • [RECTIFICATION] Correct inaccurate or incomplete personal data.
  • [ERASURE] Request deletion of personal data not subject to legal retention obligations.
  • [PORTABILITY] Receive your data in a structured, machine-readable format.
  • [OBJECTION] Object to processing based on legitimate interests.
  • [RESTRICTION] Request we restrict processing of your data in certain circumstances.
  • [WITHDRAW CONSENT] Withdraw consent at any time where processing is consent-based.

To exercise any of these rights, email privacy@company.legal. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission of Ireland at dataprotection.ie.

9. COOKIES

We use only essential session cookies required for authentication and platform operation. We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are loaded on this platform.

10. SECURITY

We implement technical and organisational security measures including: end-to-end encryption for sensitive documents, WebAuthn/passkey authentication, cryptographic audit trails, role-based access control, and regular security reviews. Despite these measures, no system is completely secure. You are responsible for keeping your device and authentication credentials secure.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email or in-platform notification at least 30 days before they take effect. The date at the top of this page indicates when the policy was last updated.

12. CONTACT

For any privacy-related queries or to exercise your rights, contact us at privacy@company.legal.