Privacy Policy

How we handle personal data when you visit our website or engage our services

Version 1.0 · Last updated: May 2026 · Governed by Irish Law
This Policy sits alongside our Terms & Conditions and Data Processing Addendum. The DPA covers how we handle personal data on behalf of our clients; this Policy covers how we handle personal data of website visitors, prospects and clients.

Contents

Who we are
Scope of this Policy
What personal data we collect
Why we collect it & legal basis
Who we share data with
International transfers
How long we keep data
Your rights
Cookies & analytics
Security
Children
Changes to this Policy
Contact & complaints

1. Who we are

DM Digital is a web and app development business based in Dublin, Ireland, operated by Lee Dempsey and James McGuirk. For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the Data Protection Acts 1988 to 2018, DM Digital is the data controller in respect of the personal data described in this Policy.

If you have any questions about this Policy or how we handle your personal data, please contact us at info@dmdigital.ie — see also Section 13 below.

2. Scope of this Policy

This Policy applies to personal data we process about:

Visitors to dmdigital.ie and any subdomain we operate.
Prospects who contact us through enquiry forms, email, WhatsApp or other channels to discuss potential work.
Clients (and their staff) for whom we provide services under a signed Statement of Work.
Other individuals who correspond with us in connection with our business (for example, suppliers and prospective collaborators).

Note: Where we process personal data on behalf of a client — for example, when we host a client’s website and that website collects personal data from end-users — we act as a processor, not a controller. That processing is governed by our Data Processing Addendum and the relevant client’s own privacy policy, not this Policy.

3. What personal data we collect

The categories of personal data we collect depend on how you interact with us:

3.1 Information you give us

Contact details: name, email address, phone or WhatsApp number, company name, role.
Enquiry content: the contents of any message, brief, document or attachment you send us.
Engagement records: contracts, statements of work, change requests, invoices, correspondence and meeting notes.
Payment details: we use Stripe to process payments. Stripe collects payment-card and bank-account details directly — we do not store full card numbers or bank-account numbers ourselves.

3.2 Information we collect automatically

Usage data: pages viewed on dmdigital.ie, referral source, approximate location (country/region from IP), device and browser type, language, time and duration of visit.
Cookies and similar technologies: see Section 9 below.
Server and security logs: IP address, request timestamps and basic technical metadata collected by our hosting infrastructure for security, abuse prevention and diagnostic purposes.

3.3 Information from third parties

Public sources: for example, the Irish Companies Registration Office, your own website or LinkedIn profile, used to verify business details before entering into an engagement.
Referrals: if someone refers you to us, we may receive your name and contact details from them.

We do not collect or process special-category data (such as health, racial or ethnic origin, political opinions, religious beliefs or biometric data) in the ordinary course of our business. If a project requires us to process such data on a client’s behalf, that processing is governed by our DPA, not this Policy.

4. Why we collect it & legal basis

We process personal data only where we have a lawful basis under Article 6 GDPR. The most relevant bases for us are summarised in the table below.

Purpose	Data used	Legal basis (Article 6 GDPR)
Responding to enquiries and discussing potential work	Contact details, enquiry content	6(1)(b) — steps taken at your request before entering a contract; or 6(1)(f) — our legitimate interest in growing our business
Delivering services under a signed Statement of Work	Engagement records, client-team contact details	6(1)(b) — performance of a contract
Issuing invoices and collecting payments	Contact details, payment status (Stripe handles card data)	6(1)(b) — performance of contract; 6(1)(c) — legal obligations (accounting, tax)
Operating and securing dmdigital.ie	Server logs, usage data	6(1)(f) — legitimate interest in maintaining a secure and functional website
Analytics (where you consent)	Cookies, page views	6(1)(a) — your consent (see Section 9)
Compliance with legal and regulatory obligations	Engagement records, tax-relevant data, breach records	6(1)(c) — legal obligation
Establishing, exercising or defending legal claims	Whatever is necessary for the claim	6(1)(f) — legitimate interest in protecting our legal position

5. Who we share data with

We share personal data only with a small number of trusted third parties, and only to the extent necessary. The current categories are:

Hosting — Replit, Inc. (United States). Hosts dmdigital.ie and the applications we build for clients. Transferred under EU Standard Contractual Clauses.
Email delivery — Resend (Drag Apps, Inc.) (United States). Sends transactional email from our domain (form acknowledgements, invoice notifications). Transferred under EU Standard Contractual Clauses.
Analytics — Google LLC (Google Analytics 4) (United States). Only where you have consented via the cookie banner. Transferred under EU Standard Contractual Clauses via Google’s Ads Data Processing Terms.
Payments — Stripe Payments Europe Limited (Ireland) and the Stripe group. Stripe acts as an independent controller of payment-card and SEPA mandate data under its own terms.
Messaging — WhatsApp / Meta Platforms Ireland Limited (Ireland) where you communicate with us via WhatsApp Business.
Accountants, tax advisers and professional advisers — where engaged for our compliance, audit or legal needs.
Authorities — where we are required to disclose by law (for example, Revenue Commissioners, courts, regulators).

We do not sell personal data, and we do not use it for third-party advertising.

A current list of the sub-processors we use when acting as a processor on behalf of clients is maintained at Schedule 2 of the DPA.

6. International transfers

Some of our service providers (notably Replit, Resend and Google) are based in the United States. Where we transfer personal data outside the European Economic Area (“EEA”), we rely on an appropriate transfer mechanism — typically the European Commission’s Standard Contractual Clauses — together with supplementary measures (such as encryption in transit and at rest) where required.

You can request a copy of the safeguards in place for any specific transfer by contacting us at info@dmdigital.ie.

7. How long we keep data

We retain personal data for as long as we need it for the purpose for which it was collected, plus any further period required by law. Indicative retention periods:

Enquiry records (prospects who did not become clients)	24 months from last contact, then deleted
Client engagement records	For the duration of the engagement plus 7 years (to satisfy Irish accounting and tax record-keeping requirements)
Invoices and accounting records	7 years (Section 886 Taxes Consolidation Act 1997)
Website server logs	90 days (longer where needed to investigate a security incident)
Analytics data (where consent given)	14 months in Google Analytics 4 (default)
Marketing communications consents and preferences	Until you withdraw consent or for 3 years from last interaction

If you ask us to delete your data and we are required by law to retain certain records, we will inform you which records we are required to keep and for how long.

8. Your rights

Under the GDPR you have the following rights in respect of personal data we hold about you:

Access — ask for a copy of the personal data we hold about you (Article 15).
Rectification — ask us to correct inaccurate or incomplete data (Article 16).
Erasure — ask us to delete data, subject to limited legal exceptions (Article 17).
Restriction — ask us to suspend processing while a question is resolved (Article 18).
Portability — receive certain data in a structured, machine-readable format (Article 20).
Objection — object to processing based on our legitimate interests, including for any direct marketing (Article 21).
Withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Complain — lodge a complaint with the Data Protection Commission (see Section 13).

To exercise any of these rights, please email info@dmdigital.ie. We will respond within one month of receiving a verifiable request, and we will not charge a fee unless the request is manifestly unfounded or excessive.

9. Cookies & analytics

We use a small number of cookies on dmdigital.ie:

Cookie / category	Purpose	Basis
Strictly necessary	Session management, security, cookie-consent preference itself	Set by default — no consent required (ePrivacy Regulations, Reg 5(5))
Analytics (Google Analytics 4)	Counts visits, measures site performance, helps us improve content	Set only after you click “Accept” on the cookie banner. You can withdraw consent at any time via the cookie settings link in the footer.

We do not use advertising or tracking cookies. We do not share device identifiers with ad networks.

You can also control cookies through your browser settings — most browsers let you block or delete cookies, though some site features may not work properly if you do.

10. Security

We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These measures include encryption in transit (TLS 1.2 or higher), access control on systems holding personal data, multi-factor authentication for administrative access, regular patching of operating systems and software, monitoring and logging, and confidentiality undertakings from our personnel and sub-processors.

No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify the Data Protection Commission and (where required by Article 34 GDPR) affected individuals without undue delay.

11. Children

Our services are aimed at businesses and we do not knowingly collect personal data from children under the age of 16. If you believe a child has provided personal data to us, please contact us and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. The current version is always available at dmdigital.ie/privacy with the version number and “last updated” date shown at the top. Where a change is material, we will give individuals whose personal data is materially affected reasonable notice (by email or a prominent notice on the website) before the change takes effect.

13. Contact & complaints

For any privacy question, request to exercise your rights, or concern about how we handle your personal data:

DM Digital, Dublin, Ireland
Email: info@dmdigital.ie
Web: www.dmdigital.ie

We try to resolve all complaints directly. If you are not satisfied with how we have handled your complaint, you have the right to lodge a complaint with the Irish Data Protection Commission:

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Web: www.dataprotection.ie
Phone: +353 (0)761 104 800