Privacy Notice

Last updated: 19 May 2026

1. Who we are

OrganiGo Ltd, a company registered in Ireland and trading as Compliance Hub ("we", "us"), is the data controller for the personal data described in this notice.

2. What personal data we collect

  • Account data: full name, work email, organisation name, role.
  • Authentication data: hashed password, session tokens.
  • Usage & telemetry: checklist updates, audit log entries, ledger transactions, evidence URLs.
  • Security data: IP address (purged after 12 months) and standard sign-in records.
  • Support correspondence: messages you send us by email.
  • Payment metadata: Paddle customer ID and subscription status. Card numbers are never collected or stored by us — Paddle handles all payment data.

3. Why we process it and the legal basis

  • Provide the Service — performance of a contract.
  • Account creation, billing, and renewals — performance of a contract.
  • Security, fraud prevention, and audit-trail integrity — legitimate interest in protecting our users and the service.
  • Customer support — performance of a contract / legitimate interest.
  • Product improvement and aggregate analytics — legitimate interest.
  • Legal & regulatory compliance — legal obligation.

4. Who we share data with

  • Lovable Cloud (Supabase) — EU-region hosting, database, authentication and storage subprocessor.
  • Paddle.com Market Ltd — Merchant of Record for all subscription payments. Paddle handles checkout, payments, tax compliance, invoicing, refunds, and subscription billing. See Paddle's privacy notice.
  • Professional advisers — accountants and legal counsel where strictly necessary.
  • Authorities — when required by law or to defend our legal rights.

We do not sell personal data and we do not read the contents of files inside Google Drive folders you link to Compliance Hub.

5. International transfers

Personal data is stored within the EU. Where any subprocessor transfers data outside the EU/EEA, transfers are governed by Standard Contractual Clauses or an adequacy decision.

6. Retention

  • Account & workspace data — retained for the life of your subscription and deleted within 30 days of termination, unless legal retention applies.
  • IP addresses in audit logs — automatically nulled after 12 months.
  • Billing records — retained for 7 years to meet Irish Revenue requirements.

7. Your rights (GDPR)

You have the right to access, rectify, erase, restrict processing of, port, or object to our processing of your personal data. You can also withdraw consent at any time and complain to the Irish Data Protection Commission (dataprotection.ie). We respond to verified requests within one month.

8. Security

We use row-level security, encryption in transit, verifiable audit logging, and the principle of least privilege. Access is restricted to authorised personnel under confidentiality obligations.

9. Cookies

We use only strictly-necessary cookies (session, CSRF, theme). We do not run third-party advertising or marketing cookies on the application.

10. Contact

Data protection contact: maire@compliancehub.ie · See also our Data Processing Agreement.