Legitimate Interest Assessment

Documented per GDPR Article 6(1)(f). Last reviewed: April 2026. Next review: April 2027.

Processing Activity 1: Server Logging and Security Monitoring

Purpose Test

We log technical data (IP addresses, request URIs, timestamps, user agents, session IDs) to:

Necessity Test

Without this logging, we cannot: detect security incidents (a legal requirement under Article 32), respond to data subject requests (Articles 15–22), or diagnose service disruptions. Less intrusive methods (e.g., anonymised aggregate metrics) would not fulfil these purposes. Retention is limited to the minimum necessary per data category (7–365 days).

Balancing Test

The data subjects affected are website visitors and clients. The data collected is limited to technical metadata — no content of communications is logged. Retention periods are short and automatically enforced. Users are informed of this processing in our Privacy Policy. The impact on individuals' rights is low, while the security benefit is high.

Conclusion: Our legitimate interest in system security and integrity outweighs the minimal privacy impact on data subjects.


Processing Activity 2: Support and Ticketing Systems

Purpose Test

We retain ticket correspondence (names, email addresses, message content, IP addresses) to:

Necessity Test

Without retaining conversation history, we cannot provide consistent support. Live agents need context from previous tickets. Automated systems (ticket IDs, status tracking) require persistent records.

Balancing Test

The data subjects are existing clients who have voluntarily engaged our support services and expect us to maintain records of their requests. Data is limited to what is necessary for the support interaction. Retention is limited to the duration of the client relationship plus one year. Users can request erasure at any time.

Conclusion: Legitimate interest in providing coherent support justifies retention of ticket data.


Processing Activity 3: Business Development and Lead Management

Purpose Test

We retain contact form submissions (name, email, company, phone, message) to:

Necessity Test

Responding to inquiries inherently requires retaining the contact details provided by the inquirer. The alternative (requiring account registration before any contact) would be disproportionate. Marketing follow-ups require separate consent and are not covered by legitimate interest.

Balancing Test

Data subjects have actively submitted their information through our contact form, demonstrating an expectation of being contacted. Data is limited to what they voluntarily provided. Retention is limited to 2 years after last contact. An unsubscribe mechanism is available for marketing communications.

Conclusion: Legitimate interest in responding to business inquiries is proportionate.


Processing Activity 4: Security Monitoring and Breach Detection

Purpose Test

We operate automated security monitoring systems that analyse server logs, authentication attempts, and error patterns to detect and respond to security incidents including brute force attacks, SQL injection attempts, XSS attempts, and other anomalous behaviour.

Necessity Test

Real-time security monitoring requires automated analysis of full request metadata including IP addresses, timestamps, and event patterns. Without this processing, we cannot detect ongoing attacks, meet our Article 32 security obligations, or fulfil the 72-hour breach notification requirement under Article 33. Batch or anonymised analysis would miss time-critical attack patterns.

Balancing Test

The data processed is limited to technical metadata already collected for system operations. Retention is short (typically 30 days for security events). The processing is automated — no human reviews individual logs unless an incident is detected. The security benefit to all users significantly outweighs the minimal privacy impact.

Conclusion: Legitimate interest in system security and breach detection justifies this processing.


Processing Activity 5: Authentication Systems (Magic Links and Sessions)

Purpose Test

We maintain authentication logs including magic link token generation, verification attempts, session creation, and access timestamps to ensure only authorised users access client portals and admin interfaces.

Necessity Test

Authentication logging is necessary to detect account compromise, track login attempts, and provide audit trails for security incidents. Without processing access timestamps, IP addresses, and token usage data, we cannot detect brute force attempts or compromised credentials.

Balancing Test

Only users who actively authenticate are affected. The data is limited to authentication events (login attempts, token requests, session creation). Retention is limited (24 hours for tokens, 12 months for access logs). Users benefit from account security.

Conclusion: Legitimate interest in authentication security justifies this processing.


This document is reviewed annually. Last review: April 2026. For inquiries, contact dpo@rapidlaunch.ie.