Last updated: 21.05.2026
1. ABOUT THIS POLICY
RTC Technology Limited (registered in Ireland under company number CRO 767648, with registered office at The View, Marina Village, Malahide, Dublin, K36 CX99, Ireland, “RTC”, “we”, “our” or “us”) provides cloud-based tax compliance software covering e-invoicing, e-reporting, e-book, SAF-T, VAT return and related regulatory reporting services.
This Privacy Policy explains how RTC collects and uses personal data of: (a) visitors to our website at https://www.rtcsuite.com and any related domains operated by RTC; (b) prospective and existing business customers and their representatives, including signatories, administrators and authorised users of our services; (c) representatives of our suppliers, partners and resellers; (d) job applicants; and (e) any other individual who contacts us or interacts with us in the course of our business.
This Policy is published in English and is intended to satisfy the transparency requirements of Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the United Kingdom General Data Protection Regulation as supplemented by the Data Protection Act 2018 and the Data (Use and Access) Act 2025 (“UK GDPR”).
This Policy applies to personal data that RTC determines the purposes and means of processing. Personal data that customers upload or enter into our software for the purpose of producing their regulatory filings is processed by RTC on behalf of, and under the instructions of, the relevant customer; that processing is described separately in Section 12 and is governed by the customer’s own privacy notice and contractual arrangements.
2. CONTACT DETAILS
Controller: RTC Technology Limited Company number: CRO 767648 Registered address: The View, Marina Village, Malahide, Dublin, K36 CX99, Ireland General contact email: contact@rtcsuite.com Privacy and data protection email: privacy@rtcsuite.com
For all privacy and data protection matters, including the exercise of your rights described in Section 13 below, please contact us at privacy@rtcsuite.com. For all other general enquiries, please use contact@rtcsuite.com.
3. CATEGORIES OF PERSONAL DATA WE COLLECT
3.1 Business contacts (customer, supplier, partner and reseller representatives): full name and job title; business email address, telephone number and postal address; name of the organisation you represent; information about your role and authority to act for that organisation, including whether you are an authorised signatory or administrator user; correspondence, meeting notes and records of our dealings; information necessary for sanctions, anti-money laundering and “know your customer” checks where required by law.
3.2 Authorised users of our software: account credentials (username, hashed password, multi-factor authentication tokens); user role and permissions; audit logs of access and actions performed in the platform, including date, time, IP address and the action taken; support tickets and related correspondence.
3.3 Website visitors: IP address, approximate geographic location derived from IP, device type, browser type and version, operating system and referring URL; pages visited, time on page and click behaviour; information submitted through contact forms, demo request forms, newsletter sign-ups or similar mechanisms; cookies and similar technologies (see Section 10).
3.4 Job applicants: name and contact details; CV, cover letter, education, employment and qualification details; right-to-work documentation where applicable; interview notes, assessment results and references.
3.5 Marketing contacts: name, business email, organisation and role; engagement data including emails opened, links clicked, events attended and content downloaded; consent records and communication preferences.
We do not routinely process special category personal data (Article 9 UK/EU GDPR) or criminal offence data (Article 10 UK/EU GDPR) in our capacity as a controller. Where we do, the specific legal basis and safeguards are set out at the point of collection.
4. SOURCES OF PERSONAL DATA
We collect personal data: (a) directly from you when you contact us, register for an account, attend an event, apply for a role, subscribe to communications or interact with our website; (b) from your employer or the organisation that engages our services, where you are designated as a representative or authorised user; (c) from public sources, including company registries, professional networks such as LinkedIn, and published regulatory filings, in the context of business-to-business prospecting and relationship management; (d) from our partners, resellers, event co-organisers and referral sources, where you have indicated interest in our services or registered for an event through them; and (e) from sanctions and anti-money laundering screening providers where required by law.
5. PURPOSES OF PROCESSING AND LEGAL BASES
For each purpose for which we process personal data, the legal basis under Article 6 UK/EU GDPR is identified below.
5.1 Performing our contract with you or your organisation. Article 6(1)(b) (contractual necessity), or, where the contract is with your organisation rather than with you personally, Article 6(1)(f) (legitimate interests in administering the customer relationship). This includes onboarding, account provisioning, billing, customer support, service communications and account administration.
5.2 Complying with our legal obligations. Article 6(1)(c). This includes tax, accounting and commercial record retention obligations under applicable Irish, UK and EU law, sanctions and anti-money laundering obligations, responses to lawful requests from regulators, courts and law enforcement, and obligations arising from our HMRC Making Tax Digital VAT return software recognition.
5.3 Operating, securing and improving our website and services. Article 6(1)(f). Our legitimate interests are in maintaining a secure, functional and continuously improving platform. This includes site analytics, performance monitoring, fraud prevention, abuse detection and platform security telemetry.
5.4 Direct marketing of related products and services to existing business customers. Article 6(1)(f). Our legitimate interest is in informing existing customers of services likely to be relevant to them. You may object at any time using the unsubscribe link in any marketing communication or by contacting us at privacy@rtcsuite.com.
5.5 Marketing to prospects and non-customers, including joint marketing activities and event sponsorships. Article 6(1)(a) (consent) where required by applicable law, including under Regulation 13 of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 in Ireland, Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) in the United Kingdom, and the ePrivacy Directive (2002/58/EC) as implemented in EU Member States. From time to time, we organise or participate in joint events, webinars and co-branded campaigns with partners and event sponsors. Where required by applicable law, we will obtain your consent before sharing your personal data with such partners or sponsors for their own marketing purposes. Consent can be withdrawn at any time.
5.6 Recruitment. Article 6(1)(b) (pre-contractual steps at your request) and Article 6(1)(f) (our legitimate interest in evaluating candidates and maintaining a talent pool). Where you consent, we may retain your application after the conclusion of the relevant recruitment process to consider you for future opportunities. For any sensitive processing during recruitment, Article 9(2)(a) (explicit consent) or another applicable condition will apply.
5.7 Establishment, exercise or defence of legal claims, and corporate transactions. Article 6(1)(f). Our legitimate interest is in protecting our legal rights, complying with judicial or regulatory processes, and conducting due diligence in connection with potential corporate transactions.
Where we rely on legitimate interests, we have carried out a legitimate interests assessment that balances our interests against your rights and freedoms. You may request a summary of the relevant assessment by contacting us at privacy@rtcsuite.com.
6. AUTOMATED DECISION-MAKING AND PROFILING
RTC does not subject individuals to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on them, within the meaning of Article 22 UK/EU GDPR.
7. RECIPIENTS OF PERSONAL DATA
We disclose personal data only to the categories of recipients listed below, and only to the extent necessary for the relevant purpose: (a) authorised personnel of RTC and its group companies, bound by confidentiality obligations; (b) service providers that support our operations, including cloud and platform infrastructure providers (notably SAP SE in respect of the SAP Business Technology Platform on which our services are deployed, and the underlying hyperscale infrastructure providers used by SAP BTP in the relevant region), customer relationship management, email delivery, support ticketing and helpdesk providers, analytics providers (see Section 10), hosting and storage providers for our website, identity verification, sanctions and anti-money laundering screening providers, professional advisers (legal, tax, audit, accounting, insurance), and payment service providers and banks; (c) public authorities, regulators, law enforcement and courts, where required by law or in connection with the establishment, exercise or defence of legal claims; (d) potential acquirers, investors and their advisers in connection with a corporate transaction, subject to appropriate confidentiality undertakings; (e) event co-organisers, sponsors and partners in connection with joint marketing activities, where you have consented or where otherwise permitted by applicable law.
A list of the service providers used in the provision of our software to customers is available on request and is provided to customers in connection with their service agreement with RTC.
We do not sell personal data.
8. INTERNATIONAL TRANSFERS
RTC is established in Ireland, an EU Member State. Personal data of individuals located in the European Economic Area is therefore processed within an adequate jurisdiction by default.
Where personal data of individuals located in the United Kingdom is transferred to Ireland, such transfers are covered by the European Commission’s adequacy decision recognising the United Kingdom as providing an adequate level of protection, and the corresponding UK adequacy regulations recognising the European Union and the European Economic Area, which permit the free flow of personal data between the United Kingdom and the EEA.
Where personal data is transferred to, or processed in, jurisdictions outside the EEA and the United Kingdom (for example, where one of our service providers operates from such a jurisdiction), we implement appropriate safeguards, which may include: (a) the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA; (b) the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, for transfers from the United Kingdom; (c) any applicable adequacy decision or regulations; or (d) other safeguards or derogations permitted under Chapter V of UK GDPR or EU GDPR.
Where transfers are made by our service providers (including SAP and its sub-processors), those transfers are governed by the service provider’s own transfer mechanisms, which we have reviewed and consider appropriate.
You may request further information about the safeguards in place for a specific transfer by contacting us at privacy@rtcsuite.com.
9. RETENTION
We retain personal data only for as long as necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.
Indicative retention periods are as follows. Business contact and customer relationship records are retained for the duration of the relationship and 6 years thereafter, to reflect record retention obligations under the Irish Companies Act 2014 and the Taxes Consolidation Act 1997 where applicable, or such longer period as required by UK or EU law applicable to the underlying contract. Marketing engagement data is retained until you withdraw consent or object, and for a reasonable period thereafter to evidence the lawful basis of past processing. Website analytics and log data is retained as set out in our Cookie Notice. Recruitment data is retained for 12 months after the conclusion of the relevant recruitment process, unless you have consented to retention in our talent pool, in which case for the period specified at the point of consent. Sanctions and anti-money laundering records are retained as required by applicable law, typically 5 years from the end of the relationship in line with the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021.
Where retention is required to comply with a specific legal obligation, the period set out in the applicable law prevails.
10. COOKIES AND SIMILAR TECHNOLOGIES
Our website uses cookies and similar technologies. We use: (a) strictly necessary cookies, which are required for the operation of the site and do not require consent; and (b) functional, analytics and marketing cookies, which are set only where you have provided consent through our cookie banner or an equivalent mechanism, in accordance with Article 5(3) of the ePrivacy Directive, the Irish ePrivacy Regulations 2011, PECR in the United Kingdom and the guidance of the Data Protection Commission, the ICO and EEA supervisory authorities.
You can withdraw or modify your cookie consent at any time through the cookie preferences control accessible from our website. A full list of cookies, their providers, purposes and retention periods is available in our Cookie Notice at [URL].
11. THIRD-PARTY WEBSITES
Our website may contain links to third-party websites. This Policy does not apply to those websites, and we are not responsible for their content or privacy practices. We encourage you to review the privacy notices of any third-party website you visit.
12. PROCESSING ON BEHALF OF CUSTOMERS
Where RTC processes personal data that our customers make available to our software in the course of using our services, including the personal data of customers’ clients, taxpayers, employees, suppliers and other individuals whose information is contained in invoices, VAT filings, SAF-T files, e-books or other regulatory records, RTC acts on behalf of the customer and under the customer’s instructions. The relevant customer determines the purposes and means of that processing.
This Policy does not govern that processing. Such processing is governed by the customer’s own privacy notice and by the contractual arrangements between RTC and the customer, including any Data Processing Agreement entered into between them.
Individuals whose personal data is processed by RTC on behalf of a customer should address requests to exercise their data protection rights to the customer, who will instruct RTC to assist with the response as required.
13. YOUR RIGHTS
Subject to the conditions and exceptions set out in UK GDPR and EU GDPR, you have the following rights in relation to your personal data: the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object to processing based on legitimate interests or to processing for direct marketing (Article 21), the right not to be subject to automated individual decision-making (Article 22), and, where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, contact us at privacy@rtcsuite.com. We will respond within one month of receipt of a valid request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension within one month.
We may request proof of identity before responding to a request, where reasonably necessary to confirm the identity of the requester.
If you are exercising rights in relation to personal data that RTC processes on behalf of a customer (see Section 12), we will direct you to, or forward your request to, the relevant customer.
14. COMPLAINTS
If you have a concern about our processing of your personal data, please contact us first at privacy@rtcsuite.com so we can attempt to resolve the matter.
You also have the right to lodge a complaint with a supervisory authority. As RTC is established in Ireland, our lead supervisory authority in the European Union is the Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, https://www.dataprotection.ie/. If you are located in another EU Member State, you may also lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement; a list is maintained by the European Data Protection Board at https://edpb.europa.eu/. In the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, https://ico.org.uk/make-a-complaint/.
15. SECURITY
RTC operates an Information Security Management System aligned with ISO/IEC 27001:2022. Measures include role-based access control, multi-factor authentication, encryption of personal data in transit and at rest, network segmentation, vulnerability management, penetration testing, secure backup and disaster recovery, security awareness training, and documented incident response procedures.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach where required under Article 33 UK/EU GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with Article 34 UK/EU GDPR, unless an exception applies.
Where RTC processes personal data on behalf of a customer, breach notification to the customer is provided without undue delay in accordance with the relevant contractual arrangements.
16. CHANGES TO THIS POLICY
We may update this Policy from time to time. The “Last updated” date at the top reflects the date of the most recent revision. Where changes are material, we will notify you by appropriate means, for example by email or by an in-product notice, in advance of the changes taking effect.
If, in the future, we intend to process your personal data for a purpose other than those described in this Policy, we will inform you of that new purpose and the applicable legal basis before commencing the new processing, in accordance with Article 13(3) and Article 14(4) UK/EU GDPR.
17. GOVERNING TRANSPARENCY OBLIGATIONS
This Policy is provided in compliance with Articles 13 and 14 UK GDPR and Articles 13 and 14 EU GDPR. It supplements, and does not replace, any specific information notice provided at the point of collection of personal data.