GOVIQ-POL-018 · v0.1 (DRAFT)
Privacy Policy
- Effective: 2026-05-29 (target)
- Owner: Liam McDonagh, CEO & acting Data Protection Lead
- Review cycle: Annual, or on material change
- Contact: privacy@goviq.ie
Statutory references: GDPR (Regulation (EU) 2016/679), Data Protection Act 2018 (Ireland), ePrivacy Regulations 2011 (S.I. No. 336 of 2011).
1. Who we are
GovIQ Limited is an Irish-incorporated software company providing procurement decision intelligence to organisations operating under the Irish Capital Works Management Framework (CWMF), the Office of Government Procurement (OGP) frameworks, and the Health Service Executive (HSE).
- Registered office: to be confirmed post-incorporation (STAT-01).
- CRO number: to be issued by STAT-01.
- Contact: privacy@goviq.ie
For the purposes of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, GovIQ Limited is the data controller for:
- Visitors to goviq.ie
- People who contact us via web forms, email, phone, or LinkedIn
- People who attend our events, demos, or webinars
- Suppliers, advisors, and contractors who provide services to us
- Job applicants
GovIQ Limited acts as a data processor on behalf of its customers (including the HSE) for personal data processed inside the GovIQ platform. That processing is governed separately by the Data Processing Agreement signed between GovIQ and each customer.
2. What personal data we collect
We collect the following categories of personal data about the people listed in section 1.
2.1 Website visitors
- IP address (for security, abuse prevention, and aggregate analytics)
- Browser type, operating system, device type
- Pages viewed, time spent, referring URL
- Approximate geographic region (country / region only)
- Cookies and similar technologies — see section 3 and our Cookie Policy
2.2 People who contact us
- Name, work email, work phone (if voluntarily provided)
- Job title and organisation (if voluntarily provided)
- The content of any message you send us
- Email signature data, where present in email correspondence
2.3 Event and demo attendees
- The information you provide on registration (typically name, organisation, role, email)
- Attendance records
- Recordings of webinars or demos (only if explicitly consented to by all attendees in advance)
2.4 Suppliers, advisors, and contractors
- Name, contact details, business identifiers
- Bank account details for payment
- Contract and engagement records
2.5 Job applicants
- The information in your application: CV, cover letter, references, interview notes
- Any information you choose to share about reasonable accommodations during recruitment
- For successful candidates, this transitions to employment data covered by our internal Privacy Notice for Employees
4. Why we collect personal data (lawful basis)
Under GDPR Article 6 we rely on one of the following lawful bases for each processing activity:
| Activity | Lawful basis |
|---|---|
| Website operation and security | Legitimate interest (Art. 6(1)(f)) — ensuring the security and proper functioning of our service |
| Aggregate website analytics | Consent (Art. 6(1)(a)) — captured via the cookie banner |
| Responding to your enquiry | Legitimate interest (Art. 6(1)(f)) — replying to a contact you initiated |
| Sending you information you requested (e.g., demo follow-up, whitepaper) | Consent (Art. 6(1)(a)) — you opted in |
| Marketing emails to existing business contacts (B2B) | Legitimate interest with opt-out (S.I. No. 336 of 2011 reg. 13(5)) |
| Event and webinar attendance | Contractual necessity (Art. 6(1)(b)) or consent |
| Engaging suppliers and contractors | Contractual necessity (Art. 6(1)(b)) |
| Paying suppliers and contractors | Legal obligation (Art. 6(1)(c)) — Revenue / accounting |
| Recruitment | Pre-contractual necessity (Art. 6(1)(b)) — steps prior to entering a contract; and legal obligation for record retention |
5. How long we keep personal data
| Category | Retention |
|---|---|
| Website logs | 90 days |
| Cookie consent records | 12 months |
| Contact form submissions | 24 months from last contact, then deleted |
| Marketing list entries | Until you unsubscribe, plus 30 days |
| Event and webinar attendance | 24 months |
| Supplier and contractor records | 7 years post-engagement (tax obligation) |
| Job applications — unsuccessful | 13 months (employment equality limitation) |
| Job applications — successful | Transitions to employment record retention |
6. Who we share personal data with (sub-processors)
We do not sell personal data. We share it only with the following categories of third party, all of whom act on our behalf under contractual obligations.
6.1 Our sub-processors (data processors acting for us)
| Sub-processor | What they do | Location |
|---|---|---|
| Microsoft Ireland | Email, calendar, identity (Entra ID) | Ireland (EEA) |
| Convex Inc. | Backend platform for the GovIQ application | AWS eu-west-1 (Ireland — EEA) |
| Vercel Inc. | Frontend hosting and CDN | EEA (Frankfurt primary) + global edge |
| Resend | Transactional email delivery | EEA |
| Anthropic, PBC | AI inference (Claude API) for product features | EEA processing endpoint where available; otherwise US under SCCs |
| Cloudflare | DNS and infrastructure | Global |
| GitHub (Microsoft) | Source code repository (no customer personal data) | US + EEA replication |
| Accountant (pending STAT-15) | Payroll and accounting | Ireland |
A live, dated version of this list is maintained at goviq.ie/trust (Sub-Processor Register).
6.2 Service providers
- Our accountant — for payroll and statutory filings
- Our solicitor — for contractual and legal advice
- Our insurance broker — for the procurement of cover
6.3 Authorities and regulators
We may disclose personal data to comply with a legal obligation (e.g., a valid court order, Garda investigation, Data Protection Commission inquiry). We do not disclose personal data voluntarily to authorities outside formal legal process.
7. International transfers
Most personal data we process stays in the European Economic Area (EEA). Where transfer outside the EEA is necessary, we rely on one of the following GDPR Chapter V mechanisms:
- Adequacy decision (where the European Commission has determined the receiving country provides adequate protection)
- Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor) for our sub-processors located outside the EEA
- Supplementary measures — encryption, access restrictions, contractual zero-retention where applicable
Specific situations:
- Anthropic (Claude API) — inference may currently be routed via US infrastructure under SCCs with supplementary measures including, where required by our customer agreements, contractual zero-retention of prompts and completions.
- Cloudflare — DNS resolution is global by design; we use Cloudflare's EEA-routing options where available.
- GitHub — source code (no customer personal data) — US + EEA, under SCCs.
8. Your rights under GDPR
You have the following rights in respect of personal data we hold about you:
| Right | What it means |
|---|---|
| Access (Art. 15) | Ask for a copy of the personal data we hold about you |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data |
| Erasure (Art. 17) | Ask us to delete your personal data, subject to certain exceptions (e.g., legal obligations) |
| Restriction (Art. 18) | Ask us to limit processing while a query is resolved |
| Portability (Art. 20) | Ask us to provide your data in a structured, machine-readable format and / or transfer it to another controller |
| Object (Art. 21) | Object to processing based on legitimate interest, including direct marketing — for marketing, this objection is absolute |
| Withdraw consent (Art. 7(3)) | Withdraw any consent you have given; this does not affect processing already carried out |
| Not to be subject to automated decision-making (Art. 22) | We do not currently make solely automated decisions about you that have legal or similarly significant effects |
To exercise any of these rights, contact us at privacy@goviq.ie. We will respond within one month of receiving your request (extendable by two months for complex requests, with notification to you within the first month).
We may ask you to verify your identity before responding, to protect your data from unauthorised disclosure.
9. How to contact us
| Topic | Email |
|---|---|
| Privacy enquiries and rights requests | privacy@goviq.ie |
| Security concerns or reports | security@goviq.ie |
| General contact | info@goviq.ie |
Acting Data Protection Lead: Liam McDonagh, CEO. GovIQ does not currently require a formal Data Protection Officer under GDPR Article 37, but we may appoint one if our processing scale increases.
10. Complaints
You have the right to lodge a complaint with the Data Protection Commission (DPC):
- Web: www.dataprotection.ie
- Phone: +353 (0)761 104 800
- Post: 21 Fitzwilliam Square South, Dublin 2, D02 RD28
We would prefer to address your concern directly first — please contact privacy@goviq.ie and we will take your concern seriously and respond promptly.
11. Changes to this policy
We may update this policy:
- Annually, as part of our policy review cycle
- When we add or change a sub-processor
- When we change the categories of data we process or the purposes
- On any material legal change
Any material change is reflected:
- Here, with a new version number and effective date
- At goviq.ie/privacy, immediately
- For people on our marketing list, by email notification 14 days before the change takes effect (where the change affects them)
The version history of this policy is preserved in the company repository.