Data Processing Policy

    Last updated: 18 May 2026

    When delivering services that involve client data, Digital Bridge Ireland acts as a GDPR data processor. We process personal data only on documented client instructions, use vetted subprocessors, apply industry-standard security and assist clients with their own GDPR obligations.

    1. Roles

    For website visitors and our marketing list we are the data controller. When we operate systems or run services that contain your customers' personal data, we are the data processor and you are the controller.

    2. Processor responsibilities

    • Process personal data only on your documented instructions.
    • Ensure persons authorised to process data are bound by confidentiality.
    • Implement appropriate technical and organisational measures (Art. 32 GDPR).
    • Assist you with data-subject requests, DPIAs and breach notification.
    • Delete or return personal data at the end of the engagement.
    • Make available information necessary to demonstrate compliance.

    3. Subprocessors

    We use vetted subprocessors. Current list:

    • Stripe — payment processing (Ireland / global).
    • Supabase — managed database & auth (EU region where available).
    • Cloudflare — CDN, DNS, security.
    • Lovable Cloud — application platform.
    • Resend / SendGrid — transactional email.
    • Google Analytics — analytics (anonymised).
    • OpenAI / Google / Anthropic — AI model providers, where used in your build.

    We will notify you of intended changes to subprocessors and give you a chance to object.

    4. Data retention

    Personal data is retained only as long as needed to deliver the service or meet legal obligations. Project data is deleted or returned within 90 days of contract end unless otherwise agreed.

    5. International transfers

    Where data leaves the EEA we rely on Standard Contractual Clauses and (where applicable) the EU–US Data Privacy Framework.

    6. Security measures

    • TLS encryption in transit, encryption at rest where supported.
    • Role-based access controls and least-privilege principles.
    • Audit logging for sensitive operations.
    • Multi-factor authentication on admin accounts.
    • Regular review of credentials and access.

    7. Breach notification

    We will notify you without undue delay of any personal data breach affecting your data, with sufficient information to meet your own 72-hour notification obligation to the DPC.

    8. Data Processing Agreement

    A signed DPA is available on request — email info@digitalbridge.ie.

    ← Back to all legal policies