Security workforce management, scheduling, reporting and location operations platform.
| Field | Detail |
|---|---|
| Legal entity | Scaithan Dubha Teoranta, a company registered in Ireland (CRO no. 817437) |
| Product / service | Odinseye |
| Website | https://www.odinseye.eu |
| Privacy contact | [email protected] |
| Registered address | 80 Ardleigh Park, Ballymahon Road, Mullingar, Co. Westmeath, Ireland |
| Data Protection Officer | Keith Considine — [email protected] |
| Primary markets | Ireland and the United Kingdom, with potential expansion to other EU jurisdictions |
Reader’s guide — who this policy is for
Odinseye is a business-to-business platform. Different people read this policy for different reasons. The table below tells you which sections apply to you.
| If you are… | Read these sections | Your relationship to us |
|---|---|---|
| A prospective or current Customer (a security firm or other business signing up to Odinseye) | 1, 2, 3, 4, Part A (sections 5–8), and the schedules | We act as a Processor for your workforce data and as a Controller for your business contact and account data. |
| An Authorised User (admin, supervisor, dispatcher, manager logging in to Odinseye on behalf of a Customer) | 1, 2, 3, 4, Part B (sections 9–12) | Your employer is the Controller of your operational data. We process it on their instructions. |
| A Guard, Officer, Door Supervisor or Field Worker whose data is in Odinseye because your employer uses it | 1, 2, 3, 4, Part C (sections 13–17) — and ask your employer for their Worker Privacy Notice | Your employer is the Controller. We are the Processor. Schedule 1 contains the standard worker-facing notice your employer should give you. |
| A visitor to odinseye.eu, a prospect, or someone in our sales or support pipeline | 1, 2, 3, 4, Part D (sections 18–20) | We act as Controller. |
| A regulator, auditor, member of An Garda Síochána or PSA inspector | 1, 2, 3, 4, sections 21 and 24 | See those sections for our disclosure and cooperation standards. |
Part 0 — General
1. Introduction
This Privacy Policy explains how Scaithan Dubha Teoranta (“Scaithan Dubha”, “we”, “us”, “our”) collects, uses, stores, shares and protects personal data in connection with Odinseye, our security workforce management platform. Odinseye is designed for security companies and similar organisations to manage guards, supervisors, sites, shifts, duties, patrols, incidents, reports, communications, attendance, location verification and related operational records.
This policy applies to users of the Odinseye web dashboard, the Odinseye mobile application, our websites at odinseye.eu and any sub-domains, our support services, and related services. It also explains how personal data may be processed when a Customer organisation uses Odinseye to manage its own staff, contractors, guards, client sites or business operations.
This policy is designed to meet our transparency obligations under:
- the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”);
- the Irish Data Protection Act 2018 and the Data Protection Acts 1988 to 2018;
- the UK General Data Protection Regulation and the UK Data Protection Act 2018, for personal data of UK individuals;
- the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. 336/2011) (“ePrivacy Regulations 2011”);
- the Private Security Services Act 2004 and the Private Security (Licensing and Standards) Regulations 2023 (S.I. 140/2023), to the extent they affect our Customers as PSA-licensed security service providers; and
- the EU Artificial Intelligence Act (Regulation 2024/1689), where future Odinseye features may involve AI systems within scope.
2. Our role: Controller and Processor
Scaithan Dubha acts in two distinct capacities depending on the personal data involved.
2.1 When we act as Controller. We are the Controller for personal data for which we determine the purposes and means of processing, including:
- account administration, authentication, user provisioning and Customer support;
- billing, subscription management and tax/accounting records;
- service security, fraud and abuse prevention, audit logging and access logging;
- platform analytics and product improvement;
- direct communications to administrative and billing contacts about our services;
- marketing communications to business contacts in accordance with applicable law and consent rules;
- legal compliance, dispute management and regulatory cooperation.
2.2 When we act as Processor. Where a Customer (typically a security firm or other organisation) uses Odinseye to manage its own workers, contractors, sites and operations, the Customer is the Controller of the personal data it enters or generates through Odinseye. Scaithan Dubha is the Processor for that personal data and processes it only on the Customer’s documented instructions under our Data Processing Agreement.
As Processor, we do not access, review or use Customer content (including worker records, location data, reports and communications) except to provide and maintain the service, to provide support requested by the Customer, to ensure the security and integrity of the platform, or where required by law. We do not proactively monitor Customer content, and we do not use Customer content to train machine learning models or for our own marketing.
2.3 Data Processing Agreement. Scaithan Dubha’s standard Data Processing Agreement is incorporated by reference into every Odinseye Customer contract. It includes all provisions required by Article 28(3) GDPR including subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the rights and obligations of Controller and Processor. A copy is available on request from [email protected].
Where there is a conflict between this Privacy Policy and a signed Data Processing Agreement, the Data Processing Agreement governs our activities as Processor to the extent required by applicable data protection law.
3. Special category and sensitive personal data
Odinseye is not designed to require special category data within the meaning of Article 9 GDPR (such as health data, biometric identifiers used for identification, trade union membership, religious or philosophical beliefs, political opinions, racial or ethnic origin, sexual orientation or sex life) or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR.
Under clause 3.3 of the Data Processing Agreement, Customers must not submit special category or criminal offence data to Odinseye except where specific additional safeguards have been agreed with us in writing. However, Customers and Authorised Users may, in practice, include such information in incident reports, welfare check notes, attachments, communications, or accident records. Where this happens:
- As Controller, the Customer is responsible for identifying an Article 9 condition (and where relevant an Article 10 basis) and ensuring the processing is lawful, necessary and proportionate.
- Where Scaithan Dubha incidentally processes such data as Controller, we rely on Article 9(2)(b) (processing necessary in the field of employment, social security and social protection law) and Article 9(2)(f) (establishment, exercise or defence of legal claims) as applicable, subject to suitable safeguards.
- Scaithan Dubha does not collect biometric identifiers for identification unless a future feature is expressly introduced with a dedicated DPIA, specific worker-facing notice, and an alternative non-biometric option.
Customers must configure access permissions in Odinseye so that sensitive information in reports or attachments is visible only to authorised personnel.
4. Lawful bases for processing
Where Scaithan Dubha is the Controller, we rely on one or more of the lawful bases below. Where the Customer is the Controller, the Customer is responsible for identifying and documenting the lawful basis for its own processing through Odinseye.
| Lawful basis | Where we rely on it | Notes |
|---|---|---|
| Contract (Art. 6(1)(b)) | To provide Odinseye to Customers, administer accounts, provide support, manage subscriptions and perform our agreement. | Primary basis for Customer-facing processing. |
| Legal obligation (Art. 6(1)(c)) | Tax records (Taxes Consolidation Act 1997 s.886, 6 years); company records (Companies Act 2014); cooperation with the Data Protection Commission, An Garda Síochána, the Private Security Authority and other authorities where compelled. | Specific statutes cited per processing purpose. |
| Legitimate interests (Art. 6(1)(f)) | Service security and fraud prevention; product improvement and analytics; defence of legal claims; ordinary business administration; communications with administrative contacts about our services. | Balancing test (Legitimate Interests Assessment) carried out and documented; available on request. |
| Consent (Art. 6(1)(a)) | Non-essential cookies and similar technologies; optional direct marketing where consent is the lawful basis; certain mobile device permissions required by the relevant operating system. | Withdrawable at any time without prejudice to prior lawful processing. |
| Vital interests (Art. 6(1)(d)) | Emergency response — for example, where a panic alert or man-down event in the Odinseye mobile application triggers retrieval of a worker’s last known location to summon assistance. | Narrow basis, used only where processing is necessary to protect someone’s life or physical safety. |
| Public task (Art. 6(1)(e)) | Not generally relied upon. May apply in limited circumstances when supporting a Customer’s compliance with statutory functions exercised by public authorities. | |
Important — consent is generally not a valid basis for monitoring workers. Because of the imbalance of power between an employer and a worker, the Data Protection Commission and the European Data Protection Board consider that worker consent is rarely freely given within the meaning of Article 4(11) GDPR. Customers must not rely on worker consent as the lawful basis for routine location tracking, attendance verification, performance monitoring or similar processing. The appropriate basis is normally legitimate interests, supported by a Legitimate Interests Assessment and (for high-risk monitoring) a Data Protection Impact Assessment.
Part A — Information for Customers
This Part applies where you are a current or prospective Customer of Odinseye — that is, a business or organisation that has or is considering an Odinseye account.
5. Personal data we process about Customer business and billing contacts
Where you engage with us as a Customer, we process the following categories of personal data about your administrators, billing contacts and business representatives, with Scaithan Dubha acting as Controller:
| Category | Examples | Source |
|---|---|---|
| Account and identity data | Name, business email, business phone, user ID, authentication credentials, role, profile image, employer. | From the individual or the Customer organisation. |
| Billing and subscription data | Company billing status, Stripe customer ID, Stripe subscription ID, subscription item and price IDs, current billing period, cancellation status, invoices, plan and seat/guard count. | From the Customer organisation and from Stripe. |
| Support and business contact data | Support requests, correspondence, call notes, feedback, bug reports, feature requests, CRM records and contact preferences. | From the individual. |
| Marketing and communications preferences | Email subscriptions, in-app notification settings, consent records. | From the individual. |
| Device, technical and security data | IP address, browser, device type, operating system, login events, access logs, security logs, crash logs, diagnostic data. | Collected automatically. |
| Website usage data | Pages visited, referrer, session duration, cookie and analytics data. | Collected automatically subject to consent. |
Account, identity and billing data is required to enter into and perform the Odinseye contract. If it is not provided, we may be unable to set up or maintain the account or provide the service. All other data described above is optional unless stated otherwise.
6. Why we process Customer data
| Purpose | Lawful basis | Retention |
|---|---|---|
| Operate Odinseye and provide the service to you | Contract (Art. 6(1)(b)) | Operational account data: term of account + 90 days, then deleted or anonymised. Contractual, billing and tax records: 7 years (section 26) |
| Authenticate users, secure the platform, prevent abuse | Legitimate interests (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) where applicable | 12 months for access logs; longer for confirmed security investigations |
| Billing, invoicing and subscription management | Contract; Legal obligation (TCA 1997) | 7 years |
| Customer support and account management | Contract; Legitimate interests | 3 years from ticket closure |
| Service communications to administrative contacts | Legitimate interests | Duration of account |
| Direct marketing to business contacts | Legitimate interests with opt-out, or Consent where required by S.I. 336/2011 | Until objection / withdrawal |
| Product analytics and improvement | Legitimate interests; Consent for non-essential analytics cookies | Retained beyond the periods in section 26 only in anonymised form that is no longer personal data; identifiable analytics data per the Cookies Policy |
| Legal compliance, dispute defence, regulatory cooperation | Legal obligation; Legitimate interests | Per statutory retention or limitation period |
7. Customer responsibilities as Controller
When you use Odinseye to manage your own workforce, you are the Controller of that personal data and Scaithan Dubha is your Processor. You retain responsibility for your compliance under GDPR, the Irish Data Protection Act 2018 and applicable employment, labour, health and safety, and PSA regulatory law. In particular, you must:
- provide each worker and other relevant individual with a clear privacy notice in plain language before processing begins, including the categories of data, purposes, lawful basis, retention and rights (Articles 13 and 14 GDPR). Scaithan Dubha provides a template Worker Privacy Notice at Schedule 1 — adapt it to your operations;
- identify and document a lawful basis for each processing purpose, and an Article 9 condition for any special category data;
- complete a Data Protection Impact Assessment before enabling systematic location tracking, lone-worker monitoring, or any other high-risk processing. The DPC has expressly identified employee location and vehicle tracking as high-risk processing requiring a DPIA;
- use Odinseye’s location tracking, monitoring and reporting features only where necessary, proportionate and lawful, and only for purposes that have been clearly communicated to workers in advance;
- configure access permissions, role-based controls and retention settings appropriately, and review them at least annually;
- keep personal data accurate and up to date, and remove data when no longer required;
- avoid entering unnecessary sensitive personal data into Odinseye;
- respond to data subject rights requests within statutory time limits and route requests received by Scaithan Dubha for onward handling;
- comply with Section 25 of the Organisation of Working Time Act 1997 and the Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations 2001 in respect of working-time records; the National Minimum Wage Act 2000; the Safety, Health and Welfare at Work Act 2005 and the Safety, Health and Welfare at Work (General Application) Regulations 1993; and any other applicable workplace law;
- comply with applicable PSA Licensing Requirements, including PSA 28:2013 (Door Supervision and Security Guarding), PSA 74:2019 (Security Service Providers), PSA 33:2022 (CCTV and Alarm Monitoring Centres) and any other standard applicable to your licence category;
- not use Odinseye for any unlawful surveillance, off-duty tracking, anti-union activity, discriminatory profiling or stalking. These activities are prohibited by our Acceptable Use Policy (Schedule 3);
- ensure that your use of Odinseye is consistent with your written workplace policies, contracts of employment, collective agreements and any worker representative consultations required by law.
8. Sub-processors and international transfers (Customer-facing)
8.1 Sub-processors. Scaithan Dubha appoints sub-processors to support the delivery of Odinseye. A current list of all sub-processors, including their service, location and transfer mechanism, is available on request from [email protected]. Customers may request email notifications of changes to the sub-processor list by contacting the same address.
We provide at least 30 days’ written notice before engaging a new sub-processor or changing the role of an existing one. Customers may object to a new sub-processor in accordance with the terms of the Data Processing Agreement.
All sub-processors are bound by written contractual terms imposing data protection obligations no less protective than those in the Data Processing Agreement, including confidentiality, security, sub-processing restrictions and assistance with Controller obligations.
8.2 International transfers. Odinseye is hosted primarily in the European Economic Area on Supabase infrastructure in EU regions. Personal data of EEA Customers and their workers is stored in the EEA by default.
Some sub-processors may process personal data outside the EEA, in particular in the United Kingdom and the United States. Where this occurs, we rely on one or more of the following transfer mechanisms:
- adequacy decisions, including the European Commission’s adequacy decision for the United Kingdom (extended in December 2025) and the EU-US Data Privacy Framework where the sub-processor is certified;
- the European Commission’s Standard Contractual Clauses (Decision 2021/914), using the appropriate Module, supplemented by a documented Transfer Impact Assessment under Schrems II;
- the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, for transfers of UK personal data;
- additional technical, organisational and contractual safeguards, where required by the Transfer Impact Assessment.
The transfer mechanism applicable to each sub-processor is identified in the Sub-Processor List.
8.3 Return and deletion of data at end of service. In accordance with Article 28(3)(g) GDPR and clause 10 of the Data Processing Agreement, on termination or expiry of a Customer account: (a) the Customer may export its data in a structured, commonly used and machine-readable format for 30 days following termination; (b) following the export window, we will delete the Customer’s personal data from live systems within 60 days, except for records we are required to retain as Controller under section 26 (such as billing and tax records), records EU or Irish law requires us to retain, or records under a legal hold; and (c) residual copies in encrypted backups are deleted or overwritten in the ordinary backup cycle and in any event within 90 days of deletion from live systems, and are not restored to live systems except where necessary for disaster recovery, in which case restored data is deleted again promptly. On written request, we will confirm completion of deletion in writing.
Part B — Information for Authorised Users (admins, supervisors, dispatchers)
This Part applies where you log in to Odinseye as an authorised representative of a Customer organisation — for example, as an administrator, supervisor, dispatcher, control-room operator, manager, or HR contact.
9. Your relationship with Scaithan Dubha
Your employer (the Customer) is the Controller of the operational personal data about you in Odinseye (such as your role, permissions, audit history, the actions you take in the system, and any operational location data captured during your work). Scaithan Dubha is the Processor for that data.
In addition, Scaithan Dubha is an independent Controller for a narrow category of data: your account authentication data and login records, technical and security logs, and any support communications you send directly to us. This processing is necessary for the security and operation of the platform.
10. Personal data about Authorised Users
The following data may be processed about you. “Controller” indicates who determines the purposes and means.
| Category | Examples | Controller |
|---|---|---|
| Identity and account data | Name, work email, user ID, role, permissions, profile image, employer, assigned supervisor. | Your employer; Scaithan Dubha for authentication |
| Operational audit data | Actions taken in Odinseye (e.g. shift approvals, schedule changes, report reviews), timestamps, IP of action, supervisor notes about you. | Your employer |
| Location data (if your role involves field work) | GPS location during active shift, clock-in/out location, geofence events. | Your employer |
| Communications data | In-app messages, voice notes, notifications, sender/recipient and timestamps. | Your employer |
| Device and technical data | IP address, browser, device type, OS, login events, security logs. | Scaithan Dubha as Controller for security; your employer for operational records |
| Support data | Tickets you raise with Scaithan Dubha directly. | Scaithan Dubha |
11. How to exercise your rights as an Authorised User
For data where your employer is the Controller (most operational data), please contact your employer’s data protection contact or HR function in the first instance. Your employer is best placed to respond and may need to do so to comply with their Article 13 transparency notice.
For data where Scaithan Dubha is the Controller (authentication, security logs, direct support communications), contact us at [email protected]. See section 23 for the full rights statement.
If you make a rights request to Scaithan Dubha and the data is your employer’s, we will forward your request to your employer within 5 working days and confirm to you that we have done so, unless we are legally prevented from doing so.
12. Worker representatives
Where applicable employment law or a collective agreement requires consultation with worker representatives, employee forums, trade unions or similar bodies before deploying or materially changing monitoring or location-tracking features, your employer is responsible for that consultation. Odinseye does not substitute for that obligation.
Part C — Information for Guards, Officers and Field Workers
Important. If you are a guard, door supervisor, security officer or other field worker, your employer (the Customer) is the Controller of most personal data about you in Odinseye, not Scaithan Dubha. Your employer should have given you their own Worker Privacy Notice. Schedule 1 of this policy is a template version your employer can adapt — but the binding notice is the one your employer provides to you. Ask your employer for it.
13. Personal data about workers in Odinseye
The following categories of personal data may be processed about you when your employer uses Odinseye:
- identity and contact data (name, employee ID, work phone, work email, PSA licence number where applicable, profile photograph, emergency contact);
- employment and operational data (employer, assigned sites, posts, patrols, rotas, shifts, duties, breaks, attendance, clock-in/out, check-in/out, task completion, supervisor notes, audit history);
- location data (see section 14 below — the most sensitive category);
- reports and incident data (daily activity reports, incident reports, welfare checks, observations, photographs, voice notes, signatures);
- communications data (in-app messages and voice notes you send or receive);
- device and technical data (IP address, device type, OS, mobile app version, login and access logs);
- training, licensing and qualification records (PSA licence details, training certificates, expiry dates) where your employer configures these.
14. Location data — your rights and our defaults
Location data is the most privacy-sensitive category of data Odinseye can process. It is also a core function of the platform, not an ancillary feature. This section explains why it is processed, and the protections Scaithan Dubha has built in by design and by default.
14.1 Why location data is processed. When a Customer enables location features, location data is processed during active shifts for two principal purposes:
Worker safety. Security work frequently involves lone working, night work, mobile patrols and higher-risk environments. Knowing a worker’s location during an active shift is what enables welfare checks, missed check-in escalation, man-down response and the dispatch of assistance to the right place in an emergency. It also supports the employer’s statutory duty under section 8 of the Safety, Health and Welfare at Work Act 2005 to ensure, so far as is reasonably practicable, the safety, health and welfare of its employees, including the assessment and control of risks to lone workers. For a lone guard at a remote site, location-aware welfare monitoring is frequently the only practicable means of discharging that duty.
Proof of services rendered. Customers contract with their own clients to provide guarding, patrol and monitoring services at agreed times and places. Location-verified records — clock-ins and clock-outs at site, patrol checkpoint scans, and geofence events — are how a security firm evidences that the contracted service was actually delivered, where and when it was delivered. These records underpin accurate client billing, the resolution and defence of service disputes, insurance and incident investigation, and the record-keeping expected of PSA-licensed providers under applicable licensing standards (including PSA 28:2013 and PSA 74:2019). Without verifiable attendance and patrol records, neither the Customer nor its client can demonstrate that the service occurred.
These purposes are typically grounded in the Customer’s legitimate interests (Article 6(1)(f)) — and those of its clients in receiving the contracted service — and, for safety-related processing, the Customer’s legal obligations (Article 6(1)(c)) under health and safety law, in each case supported by the Customer’s Legitimate Interests Assessment and, where required, Data Protection Impact Assessment. Processing is limited to what is necessary for these purposes: it is shift-bounded, visible to the worker in real time, retained for limited periods, and protected by the purpose-limitation rule in section 14.4. The safeguards in the remainder of this section are what make this processing necessary and proportionate rather than general surveillance — Odinseye is designed to verify service delivery and protect workers on duty, not to monitor people.
14.2 Default-off and shift-bounded.
- Location tracking is disabled by default. A Customer administrator must expressly enable it before any tracking occurs.
- When enabled, location collection is bounded to active shifts. The Odinseye mobile application does not collect background location outside the period beginning at clock-in and ending at clock-out for a scheduled shift, except for narrowly defined emergency events (see 14.5).
- Customers cannot configure Odinseye to track workers outside scheduled working time. This is a technical control, not just a contractual restriction.
14.3 In-app real-time indicator.
- Whenever your location is being collected, the Odinseye mobile application displays a clear, persistent visual indicator (a status banner and a corresponding system notification) so you can see when tracking is active.
- The application also exposes a status screen showing what data is being collected, who can see it, and how long it will be retained.
14.4 Purpose limitation. Location data collected for attendance verification, lone-worker safety or operational coordination must not be used by Customers for unrelated disciplinary or performance-management purposes unless you have been separately and clearly informed in advance that location data may be used for that purpose. This restriction reflects the Court of Appeal’s decision in Doolin v Data Protection Commissioner.
14.5 Emergency exception. If you trigger a panic alert, a man-down event or another safety alarm in the Odinseye mobile application, your last known location may be retrieved and shared with your employer’s control room and, where appropriate, emergency services. This processing relies on Article 6(1)(d) GDPR (vital interests) and is limited to what is necessary to summon assistance.
14.6 Retention defaults. Default retention for location data is as follows. Customers may request longer retention in writing with a documented justification, recorded on the account.
| Type of location data | Default retention | Notes |
|---|---|---|
| Raw GPS pings (high-frequency continuous coordinates) | 30 days | Aggressive minimisation. Longer retention requires documented justification. |
| Shift-bounded events (clock-in geofence, clock-out, patrol checkpoint scans, geofence breach alerts) | 12 months | Aligned with operational purpose and limitation period for ordinary disputes. |
| Location data attached to an incident report or accident record | Same as the parent record (see section 22) | Inherited from the incident or accident retention period. |
| Location data subject to a legal hold (e.g. active litigation, regulatory investigation) | Until the hold is lifted | Documented and time-bounded. |
14.7 Platform-level DPIA. Scaithan Dubha has completed a Data Protection Impact Assessment in respect of Odinseye’s location capability. The DPIA is reviewed at least annually and whenever the capability materially changes. It is provided to Customers on request to support each Customer’s own DPIA. Completion of a Customer-specific DPIA remains the Customer’s responsibility under Article 35 GDPR.
15. Lawful basis for processing worker data
Your employer determines the lawful basis for processing your operational data. In practice, employers most commonly rely on:
- legitimate interests (Article 6(1)(f)) for operational management, supported by a Legitimate Interests Assessment;
- contract (Article 6(1)(b)) for performance of your contract of employment;
- legal obligation (Article 6(1)(c)) for working-time records (OWTA 1997 s.25, 3 years), pay records (NMW Act 2000 s.22), accident records (SHWWA General Application Regs 1993 reg. 60, 10 years), and PSA record-keeping requirements; and
- vital interests (Article 6(1)(d)) for emergency events.
Your employer must make this clear to you in their own Worker Privacy Notice.
16. Automated alerts and decisions
Odinseye generates a number of automated operational alerts — for example, when a worker misses a scheduled check-in, when a patrol checkpoint is not scanned within a configured window, or when a geofence is breached. These are operational notifications, not automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. Any disciplinary, payroll or other significant decision based on data in Odinseye is taken by a human reviewer within your employer’s organisation.
Odinseye does not currently use machine learning models to profile workers, predict performance, or score conduct. If such features are introduced in future, they will be subject to a dedicated DPIA, updates to this policy, and Customer configuration controls.
17. Your rights (summary)
Your rights under GDPR are set out in detail in section 23. The most relevant rights for workers are:
- right of access to your personal data (Article 15);
- right to rectification of inaccurate data (Article 16);
- right to erasure, subject to statutory retention requirements your employer must comply with (Article 17);
- right to object to processing based on legitimate interests, including the right to challenge a Legitimate Interests Assessment (Article 21); and
- right to lodge a complaint with the Data Protection Commission (section 23).
Address rights requests about operational data to your employer in the first instance. See section 11 for routing where you contact Scaithan Dubha directly.
Part D — Information for website visitors and prospects
18. odinseye.eu and our marketing site
When you visit odinseye.eu, submit a contact form, sign up for a demo, subscribe to our newsletter, or otherwise interact with our marketing channels, Scaithan Dubha acts as Controller.
We process the following data:
- contact information you provide (name, business email, phone, company, role);
- information about your enquiry or use case;
- technical data captured automatically (IP address, browser, device, referring page, pages visited, approximate location from IP);
- cookie data, subject to the controls in section 19.
We use this data to respond to your enquiry, manage our sales pipeline, send relevant communications about Odinseye where lawful, and improve our website. Lawful bases are legitimate interests, contract (where you are an existing or prospective Customer), and consent (for non-essential cookies and certain marketing).
You can unsubscribe from marketing communications at any time via the link in each message or by emailing [email protected]. Unsubscribing from marketing does not affect service communications about an active account.
19. Cookies and similar technologies
Our use of cookies and similar technologies is governed by the ePrivacy Regulations 2011 (S.I. 336/2011). Non-essential cookies and similar technologies are set only with your prior, freely given, specific and informed consent. Strictly necessary cookies (authentication, session management, security, load balancing) are set without consent in reliance on Regulation 5(5) of the ePrivacy Regulations 2011 because they are essential for providing a service you have explicitly requested.
Our Cookies Policy lists every cookie, its purpose, duration and provider. You can change your cookie preferences at any time via the cookie preferences manager available at odinseye.eu and in the web dashboard. Withdrawing consent is as easy as giving it. In line with Data Protection Commission guidance, we re-seek cookie consent at intervals not exceeding six months, and we do not use cookie walls that make access to our website conditional on consent to non-essential cookies.
20. Analytics
Where we use analytics tools to understand website and product usage, we do so either (a) in a non-identifying aggregated form that is not personal data, or (b) on the basis of your consent recorded via the cookie preferences manager. Specific analytics tools in use, and the data they collect, are listed in the Cookies Policy.
Part E — Regulatory cooperation and disclosure
21. PSA-licensed Customers and PSA inspection cooperation
Many Odinseye Customers are licensed by the Private Security Authority under the Private Security Services Act 2004 and the Private Security (Licensing and Standards) Regulations 2023 (S.I. 140/2023). Odinseye is designed to support records and audit trails that Customers may rely on to demonstrate compliance with applicable PSA licensing standards including PSA 28:2013, PSA 74:2019 and PSA 33:2022.
Where a PSA inspector or other authorised official lawfully requests access to records held in Odinseye, the request is the responsibility of the Customer (as Controller). Scaithan Dubha will provide reasonable technical assistance to the Customer to enable the response, including export of relevant records in a usable format. We do not respond to PSA requests on behalf of a Customer.
22. An Garda Síochána and law enforcement disclosure
Scaithan Dubha will disclose personal data to An Garda Síochána or another competent law enforcement or judicial authority only where:
- we are compelled by a valid legal instrument (such as a District Court order, search warrant, or formal statutory request);
- the Customer (as Controller) directs disclosure as part of an incident handover or investigation in which the Customer is involved; or
- disclosure is necessary to protect the life or physical safety of an individual (Article 6(1)(d) GDPR).
We assess each request for validity and proportionality. We will push back on disproportionate, overbroad or unlawful requests. Where Scaithan Dubha receives a request for data of which a Customer is Controller, we will notify that Customer of the request and route the response through them, unless we are legally prohibited from doing so.
Where Odinseye is used to record an incident handover to An Garda Síochána (for example, a written incident report attached to a Pulse reference number), the Customer is responsible for ensuring the handover is lawful and recorded appropriately.
23. Your rights under GDPR
Subject to applicable law and exemptions, you may exercise the following rights:
- right of access to your personal data (Article 15 GDPR);
- right to rectification of inaccurate or incomplete personal data (Article 16 GDPR);
- right to erasure (“right to be forgotten”) (Article 17 GDPR), subject to legal retention obligations;
- right to restriction of processing (Article 18 GDPR);
- right to data portability for data processed on the basis of consent or contract by automated means (Article 20 GDPR);
- right to object to processing, including processing based on legitimate interests and direct marketing (Article 21 GDPR);
- right to withdraw consent where processing is based on consent, without affecting prior lawful processing (Article 7(3) GDPR);
- right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Article 22 GDPR); and
- right to lodge a complaint with a supervisory authority.
The right to object to direct marketing is absolute: if you object, we will stop using your personal data for direct marketing in all cases, without requiring any justification from you. Exercising any of these rights is free of charge and will never result in detriment to you or to the service you receive.
23.1 How to make a request.
- Where Scaithan Dubha is the Controller, send your request to [email protected].
- Where a Customer is the Controller, contact the Customer (your employer) directly. If you contact us, we will forward your request to the Customer within 5 working days and confirm forwarding to you, unless legally prevented.
23.2 How we respond.
- We will respond within one month of receipt of your request. This may be extended by up to two further months for complex or numerous requests, in which case we will notify you of the extension, and the reasons for it, within the first month. Identity verification does not restart this period.
- Responses are free of charge. We may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests (Article 12(5) GDPR).
- We may need to verify your identity using proportionate means before responding — typically by confirming details you previously provided to us, not by asking for additional identification documents unless strictly necessary.
23.3 Supervisory authorities. You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
| Authority | Contact |
|---|---|
| Ireland — Data Protection Commission | 6 Pembroke Row, Dublin 2, D02 X963 — [email protected] — www.dataprotection.ie |
| United Kingdom — Information Commissioner’s Office | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — ico.org.uk |
Part F — Operational matters
24. Who personal data may be shared with
Personal data may be shared with the following categories of recipients where lawful and necessary:
- Customer organisations that own or administer the relevant Odinseye workspace;
- Authorised Users such as admins, supervisors, managers, guards and other personnel according to the access permissions configured by the Customer;
- Client site contacts or Customer-designated recipients where expressly configured by the Customer;
- Sub-processors as identified in the Sub-Processor List (available on request from [email protected]), including hosting, infrastructure, database, authentication, storage, email, SMS, push notification, communications, analytics, monitoring, logging and customer support providers;
- Stripe Payments Europe Limited (Dublin) as our payment processor, acting as an independent Controller for card data and as our Processor for subscription metadata (see section 25);
- professional advisers, insurers, auditors and legal representatives under appropriate confidentiality terms;
- courts, regulators (including the DPC, ICO, PSA), law enforcement (including An Garda Síochána), public authorities or third parties where disclosure is legally required or necessary to protect rights, safety or security, in accordance with section 22;
- group companies or affiliates of Scaithan Dubha, if and when they exist, under appropriate intra-group data sharing arrangements;
- a purchaser, investor, successor or adviser in connection with a business sale, merger, restructuring, financing or acquisition, subject to confidentiality and legal safeguards, and to notification of affected individuals where required.
We do not sell personal data.
25. Stripe
Subscriptions, billing and payment administration are handled through Stripe Payments Europe Limited, a company established in Dublin, Ireland.
- For card data and other payment instrument data, Stripe is an independent Controller in accordance with Stripe’s published terms. Stripe’s processing is governed by Stripe’s own privacy policy.
- For subscription metadata, customer identifiers, subscription identifiers, price identifiers, billing period dates and cancellation status that Scaithan Dubha provides to Stripe through its API, Stripe acts as Scaithan Dubha’s Processor.
Scaithan Dubha does not intentionally store full payment card numbers or card security codes on our own systems. Stripe handles card data on PCI DSS compliant infrastructure.
Stripe may transfer some data to its parent company in the United States. Such transfers are protected by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
26. Data retention — statute-grounded periods
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required by law, contract, dispute, insurance, audit or legitimate business need. Where we act as Processor, retention is controlled by the Customer’s configuration and instructions, subject to the platform defaults below.
| Data category | Retention period | Basis |
|---|---|---|
| Customer account and company records | Duration of account + 7 years from termination | Companies Act 2014; TCA 1997 s.886 (6 years), with 1-year buffer |
| Authorised User profile records (administrative) | Duration of access + 13 months | DPC guidance on default retention; 1-year buffer for late requests |
| Working time, shift, attendance, breaks, rest records | 3 years from creation | Organisation of Working Time Act 1997, s.25; Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations 2001 (S.I. 473/2001) |
| Pay and minimum-wage compliance records (where held) | 3 years from creation | National Minimum Wage Act 2000, s.22 |
| Records of young persons under 18 (where held) | 3 years from creation | Protection of Young Persons (Employment) Act 1996, s.15 |
| Incident reports — general | 6 years from creation | Statute of Limitations 1957 (civil claims); insurance and dispute defence |
| Accident and personal injury records | 10 years from date of incident | Safety, Health and Welfare at Work (General Application) Regulations 1993, reg. 60 |
| Reports involving minors or vulnerable persons | 10 years post-incident, or until subject reaches majority + 6 years, whichever is longer | Statute of Limitations (Amendment) Act 2000 |
| Raw GPS pings (high-frequency continuous location) | 30 days default | Art. 5(1)(c) GDPR data minimisation |
| Shift-bounded location events | 12 months default | Operational purpose; Art. 5(1)(e) storage limitation |
| Messages and in-app communications | 2 years default (Customer configurable) | Operational; subject to legal hold |
| Billing, subscription and tax records | 7 years from creation | TCA 1997 s.886 (6 years), with 1-year buffer |
| Stripe data held by Scaithan Dubha | 7 years from creation | Same as billing records |
| Security, access and audit logs | 12 months default | Operational and incident investigation; longer only on documented investigation |
| Support tickets and correspondence | 3 years from ticket closure | Limitation period for breach-of-contract defence |
| PSA / Garda disclosure copies | 6 years from disclosure | Legal obligation (where compelled) and legitimate interest record-keeping |
| Vetting and screening records (if stored) | Per Customer instructions and applicable PSA requirement | PSA 28:2013 / PSA 74:2019; National Vetting Bureau Acts 2012–2016 |
| Cookie consent records | 5 years from last action | ePR 2011 evidentiary requirement |
| Marketing consent and unsubscribe records | Suppression entry (minimal contact identifier only): retained while marketing continues. Consent and withdrawal evidence: duration of processing + 6 years | Art. 7 GDPR proof-of-consent; ePR 2011 |
Where a legal hold applies (for example, anticipated or active litigation, regulatory investigation, or a documented insurance claim), records subject to the hold are retained until the hold is lifted, notwithstanding the default periods above.
27. Security
We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction. These include:
- encryption of data in transit using TLS 1.2 or higher;
- encryption of data at rest using AES-256 or equivalent;
- multi-tenant isolation via PostgreSQL row-level security policies, ensuring Customer workspaces are logically separated;
- role-based access controls and least-privilege internal access for Scaithan Dubha personnel;
- multi-factor authentication available to all users and required for administrative roles;
- comprehensive audit logging of administrative and security-relevant events;
- encrypted, geographically separated backups with documented RPO and RTO targets;
- annual third-party penetration testing and continuous vulnerability scanning;
- background checks for personnel with access to Customer data and mandatory annual security and data protection training;
- vendor due diligence for sub-processors, with preference for vendors holding ISO 27001 or SOC 2 Type II certifications;
- documented incident response and breach notification procedures (section 28);
- contractual confidentiality obligations for all personnel and contractors.
Personal data deleted from live systems may persist in encrypted backups for a limited period (not exceeding the documented backup rotation cycle) before being overwritten. Backups are not used to restore deleted personal data except where necessary for disaster recovery, in which case deletions are re-applied.
No system is completely secure. Customers and Authorised Users must protect account credentials, use strong passwords, enable multi-factor authentication, limit admin access, and promptly notify us of suspected unauthorised access at [email protected].
28. Personal data breaches
28.1 Where we act as Processor. We will notify the relevant Customer without undue delay after becoming aware of a personal data breach affecting their data, and in any event within 48 hours of becoming aware (clause 8.1 of the Data Processing Agreement), and will provide reasonable information and assistance to support the Customer’s own 72-hour notification obligation under Article 33 GDPR. The information provided will include the nature of the breach, categories and approximate numbers of affected individuals and records, likely consequences, and measures taken or proposed. Where full details are not yet available, we will notify in phases without waiting for the investigation to conclude.
28.2 Where we act as Controller. We will notify the Data Protection Commission within 72 hours of becoming aware of a personal data breach where the breach is likely to result in a risk to the rights and freedoms of individuals. We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Articles 33 and 34 GDPR). Equivalent obligations apply to the UK ICO for UK personal data.
28.3 Internal documentation. We maintain an internal register of all personal data breaches whether or not notifiable, in accordance with Article 33(5) GDPR.
29. Children and minimum working age
Odinseye is a business service and is not intended for children. Customers must not create Odinseye accounts for individuals below the lawful working age in the relevant jurisdiction. In Ireland, the general minimum working age is 16, with restricted work permitted for 14- and 15-year-olds under the Protection of Young Persons (Employment) Act 1996. Where workers under 18 are processed in Odinseye, additional record-keeping obligations under s.15 of that Act apply to the Customer.
30. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to Customers and Authorised Users at least 30 days before they take effect, by posting the updated policy at https://www.odinseye.eu/privacy, sending email notification to administrative contacts, and providing in-app notice. Changes affecting our activities as Processor are governed by the change-control provisions of the Data Processing Agreement and do not take effect through this policy alone. Where processing relies on consent, a material change to that processing will not be applied to you on the basis of continued use; we will seek fresh consent. The version number and effective date at the top of the policy indicate when it was last revised. Prior versions are retained and available on request.
31. Contact
Questions, requests or complaints about this Privacy Policy or our handling of personal data should be sent to:
| Field | Details |
|---|---|
| Controller | Scaithan Dubha Teoranta, registered in Ireland (CRO no. 817437) |
| Product | Odinseye |
| Registered address | 80 Ardleigh Park, Ballymahon Road, Mullingar, Co. Westmeath, Ireland |
| Privacy email | [email protected] |
| Security email | [email protected] |
| Data Protection Officer | Keith Considine — [email protected] |
| EU representative (Art. 27) | Not required — Scaithan Dubha is established in Ireland |
| UK representative (Art. 27 UK GDPR) | Under review — to be appointed before UK launch |
Schedule 1 — Worker Privacy Notice (template for Customers)
Note for Customers: This is a template you may adapt and provide to your workers. It is not the binding notice from Scaithan Dubha to your workers — it is a tool to help you, as Controller, meet your Article 13 obligations. Adapt the bracketed fields to your operation. The Customer remains responsible for the accuracy and lawfulness of the notice given to workers.
The Worker Privacy Notice template is issued as a separate document and is available to Customers on request from [email protected].
Schedule 2 — Data Processing Agreement (incorporated by reference)
Scaithan Dubha’s standard Data Processing Agreement is available on request from [email protected] and is incorporated by reference into every Customer contract. It contains all provisions required by Article 28(3) GDPR.
Schedule 3 — Acceptable Use Policy (referenced)
Scaithan Dubha’s Acceptable Use Policy prohibits use of Odinseye for: off-duty tracking of workers; unlawful surveillance; anti-union activity; discriminatory profiling; stalking, harassment or domestic abuse; repurposing of operational data for unrelated disciplinary action contrary to section 14.4; and any other use contrary to applicable data protection or workplace law. The full Acceptable Use Policy is available on request from [email protected].
© Scaithan Dubha Teoranta 2026. All rights reserved. Odinseye is a product of Scaithan Dubha Teoranta, registered in Ireland. This policy should be read alongside our Terms of Service and Cookies Policy.