Privacy Statement - Krisolis

Privacy Statement

This policy explains when and why we collect personal information about people who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

Please read the following carefully to understand our views and practices regarding your personal data and how it is obtained, processed, shared, and stored. By visiting krisolis.ie you are accepting and consenting to the practices described in this policy.

1. Who We Are

Krisolis Limited (referred to in this Notice as “we”, “us”, or “our”) has been working since 2009 with companies of every size in every industry throughout Ireland, the UK, Europe and beyond. Through training, mentoring and consulting, we’ve helped our customers grow their data analytics and AI capabilities and embed data-driven solutions into the fabric of their decision making. Our registered address is [full registered address].

We are a data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act 2018. This means we are responsible for deciding how and why your personal data is processed, and we are bound by the obligations set out in GDPR in respect of that processing.

The purpose of this Notice is to explain clearly what personal data we collect about you, why we collect it, what we do with it, who we share it with, and what rights you have in relation to it. We are committed to handling your personal data transparently and fairly.

2. How to Contact Us

If you have any questions about this Notice or about the way we handle your personal data, please contact our Data Protection Lead:

  • Name: Nina Copeland
  • Email: info@krisolis.ie
  • Post: Data Protection Lead, 28–32 Pembroke Street Upper, Dublin 2, D02 NT28

We will always try to resolve any concern you raise with us directly before you need to contact a supervisory authority.

3. Who This Notice Applies To

This Notice applies to all individuals whose personal data is processed by us in the context of a customer or client relationship. This includes:

  • Individual consumers who purchase goods or services from us directly;
  • Business clients, and the employees, representatives, or other contact persons of those businesses who interact with us in a professional capacity; and
  • Prospective customers or clients who contact us to enquire about our products or services.

Where we process personal data about an employee or representative of a business client, we do so only to the extent necessary to manage our commercial relationship with that business. Those individuals have the same rights under GDPR as any other data subject, and this Notice applies to them equally.

4. Personal Data We Collect

We collect and process the following categories of personal data. Not all categories will apply in every case; the data we process will depend on the nature of your relationship with us.

| Category | Examples |
| --- | --- |
| Identifying data | Full name |
| Contact data | Email address, telephone number, postal address |
| Professional data | Job title, company name, business role |
| Transactional data | Orders placed, purchase history, invoices, training history |
| Financial data | Payment details, processed securely via our payment provider; bank account details where relevant to the service |
| Behavioural and device data | IP address, browser type, device identifiers, website browsing behaviour, cookie data |
| Communication data | Records of emails, calls, and correspondence with us |
| Preference data | Marketing preferences, feedback, and information provided voluntarily through surveys or competitions |
| Training records | Courses completed, test and assignment scores, grades |

4.1 Where We Collect Your Personal Data From

We collect your personal data in the following ways:

  • Directly from you, when you register an account, place an order, contact us, or complete a form on our website or otherwise.
  • Indirectly, through your use of our website or digital services, via cookies and analytics technologies.
  • From third parties where relevant, such as payment processors confirming payment status, or publicly available sources such as company registers, where we need to verify information you have provided.

4.2 Where Providing Data is Required

Where we collect personal data directly from you, we will endeavour to make clear at the point of collection whether providing that data is a requirement of entering into or performing a contract with us, a statutory or legal obligation, or an optional matter. In general:

  • Where we ask for data that is necessary to provide a service or manage your account, you are not required by law to provide it. However, if you choose not to do so, we may be unable to deliver the service or fulfil our contractual obligations to you.
  • Where we collect data to comply with a legal or regulatory obligation, such as financial or tax records, providing that data is a statutory requirement, and we may be unable to process your request or transaction without it.

Where we ask for data on a voluntary basis, there is no obligation to provide it, and doing so will not affect the core services we provide to you.

5. Special Category Data

We do not ordinarily collect or process special category personal data, as defined under Article 9 GDPR, in connection with our customer or client relationships. Special category data includes health information, biometric data, racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, and data concerning sexual orientation or criminal convictions.

If a particular service or product we offer requires us to process special category data, we will provide you with a separate notice at the point of collection explaining the specific data processed, the legal basis under Article 9(2) GDPR on which we rely, and the safeguards we have put in place.

6. Why and How We Use Your Personal Data

We process your personal data only for specific, legitimate purposes, and only where we have a lawful basis under Article 6 GDPR for doing so. The full list of processing activities, the categories of data involved, the lawful basis relied upon, the recipients of that data, and the applicable retention periods are set out in Annex I to this Notice.

In summary, we use your personal data to manage your account and our business relationship with you; to deliver services; to issue invoices and process payments; to respond to your queries and resolve complaints; to send you marketing communications in accordance with Section 8 below; to operate and improve our website and digital services; to comply with our legal and regulatory obligations; and to defend or pursue legal claims where necessary.

Where we rely on legitimate interests as our lawful basis, we have carried out a Legitimate Interest Assessment to confirm that our interests are not overridden by your rights and fundamental freedoms.

7. Direct Marketing

We may send you marketing communications by email or SMS. Direct marketing by electronic means is governed by the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), which operates as the specific legal framework for this type of communication, independently of the lawful bases available under GDPR.

We send direct marketing communications on the following basis:

  • By email to existing customers: where you have purchased a similar service from us, we may contact you by email about related products or services under the existing customer exemption in Article 13(2) of the ePrivacy Directive, provided you were given a clear opportunity to opt out at the point your details were collected and in every subsequent communication.
  • In all other cases: we will only contact you where you have given your prior, freely given, specific, informed, and unambiguous consent in accordance with Article 13(1) of the ePrivacy Directive.

You can opt out of marketing communications at any time by clicking the unsubscribe link at the bottom of any marketing email we send you, or by contacting our Data Protection Lead at info@Krisolis.com. Opting out will not affect any other aspect of your relationship with us.

8. Who We Share Your Personal Data With

We do not sell your personal data. We share it only where necessary to deliver our services or to comply with a legal obligation, and only with parties who are required to maintain appropriate security and confidentiality. The specific recipients for each processing activity are set out in Annex I.

In general, we may share your personal data with:

  • Service providers and data processors who act on our behalf, such as IT and hosting providers, email platforms, payment processors, delivery and logistics providers, and analytics providers. All such parties are engaged under Data Processing Agreements in compliance with GDPR Article 28 and may not use your data for any purpose other than delivering the service for which they are engaged.
  • Professional advisors, including legal counsel, auditors, and insurers, where relevant to our business operations or in connection with a legal claim.
  • Statutory and regulatory authorities, such as the Revenue Commissioners or An Garda Síochána, where we are required to do so by law or in response to a lawful request.

9. International Data Transfers

We aim to process and store your personal data within the European Economic Area (EEA) wherever possible. Certain processors we engage are based outside the EEA or transfer personal data to servers located outside the EEA in the course of providing their services. Where this occurs, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V.

Where a processor transfers personal data outside the EEA to a country that does not benefit from an adequacy decision, we ensure that Standard Contractual Clauses or another approved transfer mechanism under GDPR Chapter V is in place before the transfer takes place. Details of the specific transfer mechanism relied upon for any given processor are available on request from our Data Protection Lead at info@krisolis.ie.

10. Cookies and Tracking Technologies

When you visit our website or use our digital services, we and our service providers use cookies and similar tracking technologies to support the functioning of our website and to understand how it is used. Strictly necessary cookies are placed on the basis of our legitimate interests in operating a functional and secure website. All other cookies, including analytics, functional, and targeting cookies, are placed only where you have given your prior consent through our cookie consent tool.

For full details of the cookies we use, the purposes they serve, and how to manage or withdraw your preferences, please see our Cookie Policy, available at https://krisolis.ie/manage-my-cookies/

11. How Long We Keep Your Personal Data

We retain personal data only for as long as is necessary for the purpose for which it was collected or as required by applicable law or contract. In determining the appropriate retention period, we consider the nature and sensitivity of the data, the purpose for which it is held, and any statutory or regulatory requirements that apply.

As a general guide, account and transactional records are retained for the duration of our relationship with you and for six years thereafter to comply with limitation periods under the Statute of Limitations. Financial and tax records are retained for seven years in accordance with Revenue requirements. Marketing records are deleted when you opt out or following twelve months of inactivity.

When personal data is no longer required, it is securely deleted or irreversibly anonymised in accordance with our Data Retention and Erasure Policy.

12. Automated Decision-Making and Profiling

We do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects on you, within the meaning of Article 22 GDPR. No automated decision-making or profiling of this nature takes place in connection with our customer or client relationships.

13. Your Rights

Under GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data. These rights are not absolute and are subject to conditions and exemptions under applicable law.

| Your Right | What It Means |
| --- | --- |
| Right of access (Art. 15) | You may request a copy of the personal data we hold about you, together with information about how and why we process it. |
| Right to rectification (Art. 16) | You may ask us to correct inaccurate personal data or to complete data that is incomplete. |
| Right to erasure (Art. 17) | You may ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where we have no other lawful basis for retaining it. |
| Right to restrict processing (Art. 18) | You may ask us to temporarily stop processing your personal data in certain circumstances, for example while the accuracy of the data is disputed. |
| Right to data portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may ask us to provide your personal data in a structured, machine-readable format, or to transmit it directly to another controller. |
| Right to object (Art. 21) | You may object at any time to the processing of your personal data where we rely on legitimate interests as our lawful basis. You have an absolute right to object to processing for direct marketing purposes, and we must stop immediately upon receiving your objection. |
| Right to withdraw consent (Art. 7(3)) | Where we process your personal data on the basis of consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. |
| Right to lodge a complaint (Art. 77) | You have the right to lodge a complaint with the Data Protection Commission or another competent supervisory authority. See Section 15 for contact details. |

To exercise any of the above rights, please contact our Data Protection Lead at info@krisolis.ie. We will respond within one month of receipt of your request in accordance with Article 12 GDPR. Where a request is complex or where we receive a large number of requests at the same time, we may extend this period by a further two months; we will notify you within the first month if this is the case. There is no charge for exercising your rights, though we may charge a reasonable fee or decline to respond where a request is manifestly unfounded or excessive.

14. How to Make a Complaint

If you have concerns about the way in which we handle your personal data, we ask that you contact us in the first instance at Info@krisolis.ie so that we can seek to resolve your concern as promptly as possible.

If you remain unsatisfied, you have the right to lodge a complaint with the Data Protection Commission (DPC), the supervisory authority in Ireland:

  • Webform: https://forms.dataprotection.ie/contact
  • Email: info@dataprotection.ie
  • Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28

You also have the right to seek a judicial remedy against us or against the supervisory authority under Articles 78 and 79 GDPR.

15. Updates to This Notice

We may update this Notice from time to time to reflect changes in applicable law, guidance issued by the Data Protection Commission or the European Data Protection Board, or changes to our processing practices. Where we make a material change to how we process your personal data, we will notify you by email before the change takes effect.

16. Annex I — Data Processing Overview

The table below sets out all processing activities carried out in connection with our customer and client relationships, the categories of personal data involved, the lawful basis relied upon, the recipients of that data, and the applicable retention period. This Annex forms part of this Notice and should be read alongside it.

| Processing Activity | Categories of Personal Data | Lawful Basis (Art. 6 GDPR) | Recipients / Processors | Retention Period |
| --- | --- | --- | --- | --- |
| Account and relationship management | Name, contact details, account reference, correspondence records | Performance of contract, Legitimate interests (ongoing relationship management) | Administrate Limited | Duration of relationship, then 6 years |
| Provision and operation of the SaaS platform | Name, email address, job title, employer organisation, user credentials, platform usage data, IP address, device and browser identifiers | Performance of contract, Legitimate interests | Cobblestone Learning Limited | Duration of subscription, then 6 years. Audit and security logs retained for 12 months from creation |
| Invoicing and payment processing | Name, address, payment details (processed securely by payment provider) | Performance of contract; Legal obligation | Xero UK Limited | 7 years (statutory obligation) |
| Customer service and query handling | Name, contact details, records of correspondence and calls | Legitimate interests (effective customer service) | Google Ireland Limited | 12 months after closure of query |
| Complaints handling | Name, contact details, details of complaint and resolution | Legitimate interests; Legal obligation | Google Ireland Limited | 12 months after resolution; 6 years where legal proceedings are involved |
| Direct marketing by email | Email address, name, marketing preferences, engagement data | Article 13(2) ePrivacy Directive (existing customer exemption) or consent | MailChimp, Google Ireland Limited | Until opt-out or 12 months following last activity |
| Website analytics and cookies | IP address, device identifiers, browser type, browsing behaviour | Consent (non-essential cookies); Legitimate interests (strictly necessary cookies only) | Google Ireland Limited (Google Analytics) | See Cookie Policy |
| Legal and regulatory compliance | Varies depending on the obligation | Legal obligation | Revenue Commissioners, An Garda Síochána, Data Protection Commission, and any other statutory or regulatory bodies as required by applicable law | As required by applicable law, typically 7 years |
| Litigation and dispute management | Financial, transactional, and contact data relevant to the claim | Legitimate interests | Legal counsel and solicitors retained by Krisolis | 7 years after resolution of the claim |
| Provision of Training Services | Name, email address, job title, employer organisation | Performance of contract, Legitimate interests | Microsoft Ireland Limited, Google Ireland Limited, Administrate Limited, Zoom, Qualtrics Ireland Limited | Duration of relationship, then 6 years |

All processors listed in the table above are engaged under Data Processing Agreements in compliance with Article 28 GDPR. Where legitimate interests are recorded as the lawful basis, a Legitimate Interest Assessment has been completed and is retained on file.

April 2026