If you are a job applicant, read our Privacy Notice for Job Applicants.
At Fonoa, we are committed to protecting privacy and ensuring that personal data is handled securely, lawfully, and transparently. This document (the “Privacy Notice”) explains how we collect, use, and safeguard personal information when you interact with us in connection with our business activities.
We understand the importance of privacy in the digital world, and will process your personal data responsibly, in compliance with relevant data privacy laws, in particular the EU General Data Protection Regulation (the “GDPR”). Whether you are our customer, business partner, prospective client, or a visitor simply exploring the Fonoa website, this Privacy Notice gives insights into how we manage personal data in our day-to-day operations.
1 Scope of this Privacy Notice
Fonoa provides software solutions that enable businesses to automate their tax compliance processes. In delivering these solutions, we process personal data in a variety of contexts. This Privacy Notice applies to the personal data that Fonoa processes as a data controller - for example, when we operate our website, engage with business contacts, market our services, manage partnerships, or respond to inquiries.
This Privacy Notice does not apply to personal data we process on behalf of our customers when they use our software products. In those instances, Fonoa is a data processor, handling personal data based on our customers’ instructions and in accordance with our contractual agreements. Fonoa is committed to supporting its customers in fulfilling their data protection obligations and provides appropriate contractual, technical, and organizational measures to help ensure compliant data processing.
Our customers, as data controllers, determine the purposes and means of processing personal data when using our services. They are also responsible for providing the appropriate privacy notices to the individuals whose data they process. If your personal data is being processed by Fonoa’s customer and you have questions about that processing, we recommend reaching out directly to the relevant business or organisation.
However, there are limited situations where Fonoa is a data controller when providing our services - for instance, when we manage login credentials or account details for individuals accessing our platform. These activities involve processing personal data for our purposes, as addressed in the relevant sections of this Privacy Notice.
2 Contact details
The entity responsible for the collection and processing of personal data (i.e., data controller) under this Privacy Notice is:
Fonoa Technologies Limited
6th Floor, South Bank House, Barrow Street,
Dublin 4, D04TR29, Ireland
Contact Email: gdpr@fonoa.com
As the data controller, we are responsible for determining how and why your personal data is processed. If you have questions about how we handle your personal data or wish to exercise your rights under applicable data protection laws, please feel free to contact us using the details provided above.
3 Our Processing Activities
We process personal data for various business purposes. This section outlines the contexts in which we handle personal data and the types of data involved, depending on how you interact with us, whether as a user of our services, a website visitor, or a business contact.
If you are a user of our services, we process personal data in the following contexts to provide, support, and improve our services, ensure compliance, and maintain platform integrity:
- Access and use of our platform: Authorised users designated by our customers can access Fonoa’s services through a dashboard. To enable this, we process personal data such as name, email address, contact details, organization affiliation, account credentials, and usage data. This is necessary to register users, authenticate access, set up accounts, and maintain secure system access;
- Customer support and communication: We process personal data such as contact details, communication history (e.g., support tickets, emails, chat logs), and user preferences to provide customer support, respond to inquiries, resolve account issues, and communicate important updates related to your use of our services;
- Platform security and service stability: To maintain the security, integrity, and availability of our platform, we process usage data, device and browser information, IP addresses, login activity, and security logs. This helps us detect unauthorised access, prevent fraud, monitor system performance, and mitigate security risks;
- Product and service improvement: We process usage data, interaction logs, crash reports, diagnostic information, and user feedback (including any survey responses) to understand how our services are used, troubleshoot technical issues, and enhance platform functionality. While feedback is often provided on behalf of an organisation, it may be associated with the individual who submits it;
- Compliance with legal and regulatory obligations: We process personal data such as contact and account details, usage information, and any additional information required by law to meet our legal and regulatory obligations. This includes obligations related to tax, accounting, and data protection, such as responding to data subject rights requests.
If you are visiting our website, we process personal data in the following contexts to operate and improve the site, analyze usage, maintain security, and support a functional user experience:
- Website usage and analytics: We collect information about how visitors interact with our website to understand user behavior, improve navigation, and enhance overall site performance. This includes using third-party analytics tools to assess traffic patterns, session activity, and engagement with content. The data we process may include IP address, browser type, device information, pages visited, time spent on pages, clicks, scroll activity, and aggregated usage statistics;
- Cookies and tracking technologies: We may use cookies and similar technologies to support core website functionality, enhance user experience, and gain insights into how the site is used. Some cookies are essential for the website to operate, while others may help us understand engagement with content and navigation patterns. Where third-party analytics or experience optimisation tools are used, we strive to limit the collection of personal data to what is necessary and implement them in a privacy-conscious manner. These technologies may collect data such as cookie identifiers, browsing behavior, device type, user preferences, and session activity. To learn more about how cookies are used and what choices may be available to you, please refer to our Cookie Policy.
We may also process personal data in the following contexts, depending on how you engage with us:
- Sourcing business contacts: We may obtain contact details from publicly available sources or trusted third-party providers to identify potential stakeholders who may be interested in our services. This may include names, job titles, email addresses, phone numbers, company affiliations, and other publicly accessible business information. We ensure that third-party sources provide data lawfully;
- Marketing and communications: We may process personal data such as your name, email address, communication preferences, and engagement history (e.g., whether you open or interact with emails) to send newsletters, product updates, and promotional materials about our services. You can unsubscribe at any time using the link provided in our messages or by contacting us;
- Events, activities, and webinars: If you register for or participate in a Fonoa-hosted event, webinar, or similar activity, we process your personal data to manage registration, track attendance, send updates, and follow up afterwards. Where events are recorded, we will inform participants in advance. This may include your name, contact details, organisation affiliation, event preferences, and any information you provide during participation;
- Managing business relationships: We process personal data to manage relationships with customers, prospects, partners, and other business contacts. This includes contact information, job titles, organization details, and communication history, used for ongoing engagement, contractual discussions, and administrative purposes such as invoicing;
- Call recording and business communications: In some cases, we may record business-related calls, such as sales conversations, onboarding sessions, or account reviews, for training, quality assurance, or documentation purposes. Participants are notified if a call is being recorded. Data may include call recordings, timestamps, participant details, and related notes;
- Social media engagement: If you interact with us on any social platforms (such as LinkedIn, Twitter, or Facebook), we may process personal data you choose to share - such as your public profile, comments, messages, or reactions. This helps us respond to inquiries and communicate updates. Please note that your activity is also subject to the privacy policies of the respective platforms.
4 Legal Basis for Processing
We rely on different legal grounds to process personal data, depending on the purpose:
- Contractual necessity: We process personal data when it is required to enter into or perform a contract. This includes providing access to our dashboard, setting up and managing user accounts, authenticating users, and fulfilling obligations to our business customers. It also covers responding to service-related enquiries and ensuring the platform operates as expected;
- Legitimate interests: We may process personal data based on our legitimate interests, provided these are not overridden by your rights and freedoms. This legal basis applies where the processing is necessary to support the operation, improvement, and protection of our business and services. These interests include maintaining the security, performance, and stability of our platform; preventing fraud and unauthorised access; analysing usage trends to enhance functionality and user experience; and promoting our services. We also rely on legitimate interest to manage relationships with current and prospective customers, partners, and suppliers; communicate with business contacts; and organise and follow up on events or webinars. When relying on this basis, we consider the potential impact on individuals and ensure that our interests are balanced against data protection rights;
- Compliance: We process personal data where necessary to meet our legal and regulatory obligations. This includes complying with applicable tax, financial, and corporate laws; responding to lawful requests from regulatory or public authorities; and fulfilling our obligations under data protection laws, such as handling data subject rights requests. In such cases, we only process the data required to satisfy these obligations and ensure that it is handled securely and appropriately;
- Consent: In some situations, we may rely on your consent to process personal data, particularly where required by law. This may include the use of certain cookies, the recording of business-related calls, or sending you marketing communications such as newsletters. Where we rely on consent, you may withdraw it at any time. Doing so will not affect the lawfulness of any processing carried out before your withdrawal. If you withdraw consent, we will stop such processing unless we have another legal basis to continue.
5 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, taking into account our legal, regulatory, contractual, and operational obligations. Retention periods may vary depending on the type of data involved, the context in which it is processed, and applicable legal requirements.
We regularly review the personal data we hold and apply a range of criteria to determine how long it should be kept. These include the specific purpose for which the data was collected, the legal or regulatory obligations that may apply (for example, tax, financial, or compliance-related record-keeping), and the nature and sensitivity of the data. We also consider the potential risk of harm from unauthorised use or disclosure, as well as any contractual or ongoing business needs.
When personal data is no longer needed for its original purpose, we will either delete it securely or take steps to anonymise or aggregate it, unless we are legally required or otherwise permitted to retain it for a longer period.
If you have questions about how long your personal data may be retained in a particular context, you can contact us at gdpr@fonoa.com.
6 Data Sharing and Disclosure
We do not sell your personal data. However, to provide our services, operate our business effectively, and comply with legal obligations, we may share your personal data with third parties in limited and controlled circumstances. Below are the categories of recipients with whom we may share personal data.
- Third-party service providers: We engage third-party service providers to support the delivery, maintenance, and improvement of our platform, website, and operations. This includes services such as cloud infrastructure, data hosting, customer support, technical operations, and analytics. These providers process personal data on our behalf and are contractually bound to protect it, use it only as instructed, and implement appropriate security measures;
- Third-party integrations: Some features of our services may include integrations with third-party tools or platforms. Where they are enabled, limited personal data may be shared to facilitate their functionality. These third parties process personal data under their own terms and privacy policies, and we encourage you to review those policies directly;
- Marketing and advertising partners: We may share limited personal data with selected partners to support the delivery, optimisation, and measurement of our marketing efforts. This may involve helping us tailor messaging or assess the reach and effectiveness of campaigns, often using aggregated insights or audience-level data;
- Public authorities: We may disclose personal data when required to do so by law or in response to valid legal processes, such as court orders, subpoenas, or any requests from public authorities. We respond by disclosing personal data only where we are legally required to do so and assess each request to ensure it is valid and proportionate. We disclose the data necessary to meet these obligations and, where possible, take steps to safeguard your privacy;
- Professional advisors: We may share personal data with our legal, tax, audit, or other professional advisors where necessary for the purpose of compliance, dispute resolution, or in connection with corporate governance. These parties are subject to confidentiality obligations;
- Group companies: We may share personal data with other entities within the Fonoa corporate group. This helps us operate efficiently, maintain consistent service standards, and enhance user experience. This is subject to appropriate internal controls and the safeguards outlined in this Privacy Notice;
- Corporate transactions: In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the relevant third party as part of the transaction. We will ensure that any recipient of the data is contractually obliged to continue protecting it in accordance with this Privacy Notice and applicable law. Where legally required, we will notify you of any such transfer.
7 Data Security
We are committed to protecting the security and confidentiality of your personal data and implement appropriate technical and organisational measures to safeguard it from unauthorised access, loss, misuse, or disclosure. Our approach to security is risk-based and aligned with applicable legal and industry standards.
Our systems and processes are designed to ensure the confidentiality, integrity, and availability of personal data, as well as the resilience of the services we provide. Access to personal data is restricted to those who need it for legitimate business purposes and is governed by strict internal controls and confidentiality obligations.
We regularly review our security posture and conduct assessments to identify and address potential vulnerabilities. This includes testing, internal audits, and updates to our safeguards in response to evolving threats, emerging technologies, and regulatory developments. Our monitoring capabilities allow us to detect, investigate, and respond to potential security incidents in a timely and controlled manner.
To ensure operational continuity, we maintain business continuity and disaster recovery plans that are tested and updated regularly. These help ensure that personal data remains protected and recoverable even in the event of disruption or system failure.
While we apply rigorous standards to protect personal data, no system can be guaranteed to be completely secure. If you believe your data may have been compromised, please contact us immediately at gdpr@fonoa.com.
8 International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). However, in certain limited cases, it may be transferred to and stored in countries outside the EEA. If this occurs, we take appropriate safeguards to ensure that your personal data remains protected in accordance with applicable data protection laws.
We are committed to maintaining the highest standards of privacy and security, regardless of where your data is processed. Fonoa regularly monitors the adequacy decisions issued by the European Commission and stays informed about changes in the legal landscape affecting international data transfers.
If personal data is transferred outside the EEA, we implement measures to ensure it is handled securely and in compliance with this Privacy Notice. Where transfers are made to countries without an adequacy decision, we ensure appropriate safeguards are in place to uphold data protection rights. To facilitate such secure international transfers, we rely on approved legal mechanisms, such as data processing agreements incorporating Standard Contractual Clauses (SCCs) issued by the European Commission.
9 Automated Decision-Making
We do not engage in automated decision-making that produces legal effects or similarly significant impacts on individuals. This means we do not rely on algorithms or automated systems to make decisions that affect your rights, obligations, or relationship with us in a meaningful way.
If we introduce such processes in the future, we will comply with applicable legal requirements and provide clear information about how automated decisions are made. We will also explain what rights you may have in connection with such processing.
10 Your Rights under GDPR
Under the GDPR and other privacy laws, you have a number of rights that allow you to understand, control, and influence how we use your personal data. These rights include:
- Right of access: You can request confirmation of whether we process personal data relating to you and obtain a copy of the data we hold. You may also request additional details about how and why we process such information, the categories involved, and with whom it has been shared;
- Right to rectification: If you believe that the personal data we hold is inaccurate or incomplete, you can ask us to correct or update it;
- Right to erasure (right to be forgotten): You may request the deletion of your personal data in certain situations - for example, if no longer needed for the purpose for which it was collected, if you withdraw your consent, or if you object to processing and there are no overriding legitimate grounds for us to continue;
- Right to restrict processing: In specific circumstances, you can ask us to limit the way we use your personal data. While the data will still be stored, it will not be actively processed. This may apply if you contest accuracy, object to processing, or require the data for a legal claim;
- Right to data portability: You have the right to receive personal data about you in a structured, commonly used, machine-readable format. Where technically feasible, you may request that we transfer it directly to another organisation;
- Right to withdraw consent: If we rely on consent as the basis for processing, you can withdraw it at any time. However, this will not affect any processing we carried out before the withdrawal;
- Right to object: You can object to our processing of your data where we rely on legitimate interests or use it for direct marketing. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds;
- Right to lodge a complaint: If you are concerned about how we process information about you, you can file a complaint with a supervisory authority. In the EU, this is typically the data protection authority in your country of residence or where the issue occurred.
To exercise any of these rights, or if you have questions about how we process your personal data, please contact us using the details provided in this Privacy Notice. You can reach us directly at gdpr@fonoa.com. We will respond to you in a timely manner, in accordance with applicable data protection laws.
Please note that some rights may be subject to limitations or exceptions under the law. If we are unable to fulfill your request, we will provide you with a clear explanation.
11 Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our data processing practices, business operations, or to comply with legal and regulatory developments. When we make any changes, we will post the updated version on our website and indicate the date of the most recent update.
We encourage you to check this Privacy Notice periodically to stay informed about how we handle personal data. If we make any material changes that could affect your rights, we will provide advance notice where required by applicable law.