Privacy Policy
1. Who We Are
RapidLaunch provides website development, hosting, and related services. We are based in Cahir, Co. Tipperary, Ireland. For data protection matters, contact our Data Protection Officer at dpo@rapidlaunch.ie — please mark subject as "Data Protection Inquiry". We will respond within 30 days.
2. Personal Data We Collect
We collect only the data you provide to us or that is generated through normal website operation:
| Category | Data Collected | Source |
|---|---|---|
| Contact form submissions | Name, email, company, phone, message content, IP address, consent preferences | Contact form on www.rapidlaunch.ie |
| Account registration | Name, email, password (hashed), billing information | Client portal registration |
| Website usage | IP address, browser type, pages visited, referral source, timestamps | Automatic server logging |
| Communication | Email content, support ticket messages, phone call records | Email and support system |
| Cookies | Session identifiers, consent preferences | Browser cookies (with your consent) |
3. How We Use Your Data
We use your data only for these specific purposes:
- To provide our services: Build, host, and maintain your website
- To communicate: Respond to inquiries, send support messages, send invoices
- To improve: Understand how visitors use our website (with consent)
- To comply: Meet legal obligations, respond to lawful requests
We never sell your personal data. We never share it with third parties for their marketing purposes.
4. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Providing website services | Contract performance (GDPR Art. 6(1)(b)) |
| Responding to inquiries | Legitimate interest (GDPR Art. 6(1)(f)) |
| Sending marketing communications | Consent (GDPR Art. 6(1)(a)) — you can withdraw anytime |
| Legal compliance | Legal obligation (GDPR Art. 6(1)(c)) |
5. Data Retention — Automated System
We retain your data only as long as necessary. Our automated compliance system enforces these retention periods. See our Data Retention Policy for the complete schedule.
| Data Type | Retention Period | After Expiry |
|---|---|---|
| Lead/enquiry data | 2 years after last contact | Anonymised (name and email removed) |
| Marketing consent records | Duration of consent + 1 year after withdrawal | Anonymised |
| Server access logs | 30 days | Permanently deleted |
| Account data (active clients) | Duration of account + 2 years | Anonymised |
| Ticket/support messages | Duration of account + 1 year | Anonymised |
| Billing records | 6 years (Revenue requirements, Finance Act) | Retained as required by law |
| Cookie consent records | 1 year | Deleted |
Before any permanent deletion, data is first archived to encrypted cold storage. Data under legal hold (active disputes, unresolved GDPR requests) is exempt from all purges.
6. Data Sharing & Sub-Processors
We share your data only with essential service providers. See our Sub-Processors Register for the complete list with safeguards.
7. International Data Transfers
Our primary infrastructure (server hosting, databases) is located within Ireland and the European Economic Area. However, some of our essential sub-processors operate globally:
- Stripe (payment processing): Stripe Payments Europe Ltd. processes payments within the EEA. Where data is transferred to Stripe Inc. in the United States, this is protected by Standard Contractual Clauses (SCCs) as approved by the European Commission.
- GitHub (code hosting): Our source code repositories are hosted by GitHub Inc. in the United States. This includes configuration templates but does not include live customer personal data. Transfers are protected by GitHub's SCCs.
- HostArmada (server hosting): All hosting data is stored within the Republic of Ireland. No transfer outside the EEA occurs.
All international transfers are governed by the safeguards described in our Sub-Processors Register. Where SCCs are used, you may request a copy by contacting our DPO. We will notify you before engaging any new sub-processor that would change these arrangements.
8. Your GDPR Rights
You have the following rights under the General Data Protection Regulation:
| Right | What It Means | How To Exercise |
|---|---|---|
| Right of Access | Request a copy of all data we hold about you | Data request form |
| Right to Rectification | Correct inaccurate data | Email dpo@rapidlaunch.ie |
| Right to Erasure | Delete your data ("right to be forgotten") | Data request form |
| Right to Restrict Processing | Limit how we use your data | Email dpo@rapidlaunch.ie |
| Right to Data Portability | Receive your data in a machine-readable format | Data request form |
| Right to Object | Object to processing based on legitimate interests | Email dpo@rapidlaunch.ie |
| Right to Withdraw Consent | Withdraw marketing consent at any time | Consent preferences |
We will respond to all requests within 30 days as required by GDPR.
9. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects concerning you.
10. Logging and Technical Data
When you visit our website or use our services, we automatically collect technical data including your IP address, browser type and version, operating system, pages visited, session identifiers, and request timestamps. This data is processed for security monitoring (detecting brute force attacks, SQL injection attempts, and other threats), service optimisation, and debugging purposes.
Our logging system retains this data for varying periods depending on category (typically 7–30 days for security logs, up to 365 days for payment-related logs). This processing is based on our legitimate interests in maintaining the security and integrity of our systems. You have the right to object to this processing. A documented Legitimate Interest Assessment is available at /legitimate-interest or on request.
11. Authentication (Magic Links)
We use secure, time-limited magic links for client portal authentication. When you request a login link, we generate a unique one-time token sent to your email address. Access attempts are logged including IP address and timestamp to detect unauthorised access. These tokens expire after use or after a set period, typically 24 hours.
12. Staging and Preview Environments
When clients are invited to preview websites before launch, we provide access via a secure staging portal. This portal records feedback, IP addresses, and access timestamps. Staging access is controlled through unique tokens and may require a password. Preview environments are not indexed by search engines and are accessible only to authorised recipients.
13. Cookies
We use cookies across four categories:
- Essential cookies — Required for the website to function. These include session cookies (PHPSESSID) for authentication and CSRF protection, and consent preference cookies. Legal basis: legitimate interest (strictly necessary for service delivery).
- Functional cookies — Enhance your browsing experience, such as remembering your theme preference, dismissing popups you have already seen, and tracking referral sources. These cookies do not collect personally identifiable information.
- Analytics cookies — Set only with your explicit consent. We use Google Analytics 4 to understand how visitors use our website, which pages are popular, and how we can improve. GA4 collects anonymised data — no personally identifiable information is stored. You may accept analytics cookies independently from marketing cookies.
- Marketing cookies — Set only with your explicit consent. We use the Facebook Pixel to measure the effectiveness of our advertising campaigns. You may decline marketing cookies while still accepting analytics cookies.
When you first visit our website, a cookie consent banner appears. No analytics or marketing cookies are set until you explicitly accept them. You can change your preferences or withdraw consent at any time by clicking the "Cookie Settings" button in the bottom-left corner of our website.
See our Cookie Policy for a complete list of every cookie we use, or visit our Cookie Audit for a live, real-time verification.
14. Security Measures
We implement appropriate technical and organisational security measures including: HTTPS/TLS encryption for all data in transit, encrypted cold storage for archived data, access controls on databases, automatic IP-based brute force detection and blocking, regular security audits, and employee confidentiality agreements.
Where we rely on legitimate interests as a legal basis for processing, we have conducted a Legitimate Interest Assessment (LIA). View our LIA or request a copy from our DPO.
15. Right to Lodge a Complaint
If you believe we have processed your data in violation of GDPR, you have the right to lodge a complaint with the Irish Data Protection Commission:
- Website: www.dataprotection.ie
- Address: Data Protection Commission, 21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland
- Phone: +353 57 868 4800
- Email: info@dataprotection.ie
16. Changes to This Policy
We review this policy every 6 months. Changes are tracked in our Changelog. If we make material changes, we will notify you by email.
17. Contact
Data Protection Officer: dpo@rapidlaunch.ie (subject: "Data Protection Inquiry")
General inquiries: support@rapidlaunch.ie
Address: RapidLaunch, Cahir, Co. Tipperary, Ireland