Privacy Policy

Last updated: 21 April 2026

1. Who We Are

Rylax ("we", "us", "our") is a property development management platform operated from Senan House, Wexford, Ireland. We are the data controller for personal data collected through our website at rylax.ie, our platform, and related services.

For any data protection queries, you can contact us at info@rylax.ie.

We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU 2016/679) ("GDPR"), the Irish Data Protection Act 2018, and the ePrivacy Regulations (S.I. No. 336 of 2011, as amended).

2. Scope of This Policy

This policy applies to all personal data collected through:

• Our website at rylax.ie
• The Rylax platform (SaaS application)
• Web forms and enquiry forms
• Demo booking forms (via Typeform)
• QR code lead capture at construction sites, show houses, and marketing events
• API integrations where third-party platforms push enquiry data into Rylax
• Email correspondence

This policy covers website visitors, platform users (property developers, estate agents, solicitors, portfolio holders), leads captured via QR codes, and anyone who submits an enquiry or contacts us.

3. Personal Data We Collect

3.1 Website Visitors

• IP address, browser type, device information, pages visited, referring URL, and session duration (collected via Firebase Analytics)
• Cookie identifiers and tracking data (see Section 12 below)

3.2 Enquiry and Contact Forms

• Name
• Email address
• Message content
• Company name and role (where provided)

3.3 Demo Booking (via Typeform)

• Name, email address, company name, role, phone number, and any other information submitted through the booking form

3.4 QR Code Lead Capture

• Name, email address, phone number
• Property or development of interest
• Any other information submitted through QR code landing pages

3.5 Platform Users (B2B SaaS)

• Account registration data: name, email, phone, company name, role, business address
• Login credentials (stored in encrypted/hashed form)
• Usage data and activity logs within the platform
• Developer portfolio data, which may include commercially sensitive business information about property developments. Where this data contains personal data of individuals (e.g. buyer names, contact details), it is processed in accordance with this policy

3.6 API Integrations

• Enquiry data pushed by third-party platforms on behalf of our clients: name, email, phone, message content, property interest, and any other fields transmitted via the API

3.7 Email Communications

• Email address, name, and content of correspondence

4. How and Why We Use Your Data

Purpose	Legal Basis (GDPR Article 6)
Providing the platform service — managing accounts, enabling property development management features, storing portfolio data	Performance of a contract (Art. 6(1)(b))
Processing demo bookings and sales enquiries — responding to requests submitted via forms and Typeform	Pre-contractual steps at your request (Art. 6(1)(b))
Lead capture and management — collecting and processing leads from QR codes, web forms, and API integrations on behalf of our clients	Legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)), depending on the context
Customer support and communications — responding to your enquiries and providing support	Legitimate interests (Art. 6(1)(f))
Website analytics and improvement — understanding how visitors use rylax.ie	Consent (Art. 6(1)(a)) for analytics cookies
Marketing communications — sending emails about Rylax services	Consent (Art. 6(1)(a)) for new contacts; legitimate interests (Art. 6(1)(f)) for existing customers (soft opt-in)
Compliance and legal obligations — tax records, regulatory requirements, responding to legal requests	Legal obligation (Art. 6(1)(c))
Security and fraud prevention — protecting the platform and its users	Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights and freedoms.

5. Data Controller and Data Processor Roles

Rylax acts in different capacities depending on the context:

• Data controller: When we collect data from our own website visitors, process demo bookings, manage our own marketing, and handle direct enquiries.
• Data processor: When we process enquiry data, QR code leads, or portfolio data on behalf of our clients (property developers and other platform users). In these cases, our client is the data controller and we process data only on their documented instructions, governed by a Data Processing Agreement (DPA) in accordance with GDPR Article 28.

6. Who We Share Your Data With

We may share personal data with the following categories of recipients:

• Firebase (Google LLC) — hosting and analytics. Google acts as a data processor under Google's Data Processing Terms
• Typeform (TYPEFORM SL, Spain) — form processing for demo bookings. Typeform acts as a data processor and is based in the EU
• Third-party API integration partners — platforms that push enquiry data to Rylax on behalf of our clients
• Cloud infrastructure providers — for hosting, storage, and compute services
• Email service providers — for transactional and marketing emails
• Professional advisors — solicitors, accountants, and auditors as necessary
• Law enforcement and regulatory bodies — where required by law or to protect our legal rights

We do not sell your personal data to third parties.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected individuals of any such transfer.

7. International Data Transfers

Rylax operates across Ireland, the UK, Europe, and the Middle East. Your personal data may be transferred outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place:

• United Kingdom: The European Commission has adopted an adequacy decision for the UK. Data transfers to the UK are permitted under this decision.
• United States (Firebase/Google): Google LLC is certified under the EU-US Data Privacy Framework (DPF). We also rely on Standard Contractual Clauses (SCCs) as a supplementary safeguard.
• Middle East and other regions: Where no adequacy decision exists, we rely on Standard Contractual Clauses (Commission Implementing Decision 2021/914) or other safeguards under GDPR Articles 46-49. Transfer impact assessments are conducted where required.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are as follows:

• Website analytics data: Retained for the period configured in Firebase Analytics (default 14 months)
• Enquiry form data: Up to 24 months after last contact, or until the purpose is fulfilled
• Demo booking data: 12 months if no contract results
• QR code lead data: Where Rylax acts as processor, retention is governed by the client's instructions. Where Rylax is controller, retained for up to 24 months
• Customer account and platform data: Duration of the contract plus 6 years (in accordance with the Irish Statute of Limitations Act 1957 and Revenue requirements)
• Portfolio and development data: Duration of the contract plus a post-termination retention period as specified in the service agreement
• Billing and financial records: 6 years (Irish Revenue requirement)
• Marketing consent records: Retained as long as consent is valid, plus a reasonable period to demonstrate compliance
• Email correspondence: Up to 24 months after last contact

When data is no longer needed, it is securely deleted or anonymised.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights in relation to your personal data:

• Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
• Right to rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay.
• Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful. This right is subject to certain exceptions, including where retention is necessary for legal obligations or the establishment, exercise, or defence of legal claims.
• Right to restriction of processing (Article 18): You have the right to request that we limit the processing of your data in certain circumstances, for example while we verify its accuracy.
• Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.
• Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making (Article 22): Rylax does not currently engage in solely automated decision-making that produces legal or similarly significant effects on individuals.

How to Exercise Your Rights

To exercise any of these rights, contact us at info@rylax.ie. We may need to verify your identity before processing your request. We will respond within one month of receiving your request. This period may be extended by a further two months for complex or multiple requests, in which case we will notify you. Requests are free of charge unless they are manifestly unfounded or excessive.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and authentication mechanisms
• Firebase security rules for database access
• Secure API authentication for third-party integrations
• Regular security assessments
• Staff training on data protection
• Incident response procedures

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, in accordance with GDPR Article 34.

12. Cookies

Our website uses cookies and similar technologies. Under Irish ePrivacy Regulations (S.I. No. 336 of 2011, as amended), we obtain your consent before setting any non-essential cookies.

Categories of Cookies

• Strictly necessary cookies: Essential for the website to function. These do not require consent.
• Analytics cookies: Firebase Analytics cookies used to understand how visitors interact with our website. These require your consent before being set.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect your experience of our website.

13. Direct Marketing

We comply with Irish ePrivacy Regulations (S.I. No. 336 of 2011, as amended by S.I. No. 426 of 2022) in relation to electronic marketing.

• Existing customers: We may send you marketing communications about similar products and services, provided you are given a clear opportunity to opt out in every communication (soft opt-in under Regulation 13(10)).
• New contacts and prospects: We will only send marketing communications with your prior consent (opt-in).

Every marketing email includes an unsubscribe mechanism. To opt out at any time, use the unsubscribe link in any email or contact us at info@rylax.ie.

14. Children's Data

Rylax services are not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (the digital age of consent in Ireland under Section 31 of the Data Protection Act 2018). If we become aware that we have collected data from a child under 16, we will delete it promptly.

15. Third-Party Links

Our website may contain links to third-party websites and services (including Typeform). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.

16. API Integrations and Third-Party Data

Third-party platforms may push enquiry data to Rylax via API on behalf of our clients. In these cases, our clients are responsible for ensuring they have a lawful basis for sharing personal data with us. Our processing of such data is governed by Data Processing Agreements with our clients.

17. Data Protection Impact Assessments

Rylax conducts Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to the rights and freedoms of individuals, in accordance with GDPR Article 35. This includes assessments for large-scale processing of developer portfolio data, QR code lead capture systems, and new third-party integrations.

18. Your Right to Complain

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority.

Ireland

Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)1 765 0100 / 1800 437 737
Email: info@dataprotection.ie
Website: www.dataprotection.ie

United Kingdom

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

19. Changes to This Policy

We may update this privacy policy from time to time. Any material changes will be reflected by updating the "Last updated" date at the top of this page. For significant changes, we may also notify you by email where appropriate. We encourage you to review this policy periodically.

20. Contact Us

If you have any questions about this privacy policy or how we handle your personal data, please contact us:

Rylax
Senan House, Wexford, Ireland
Email: info@rylax.ie