Contracting Plus

Privacy Policy

Privacy Policy – Last updated 13th March 2026 – Version 3.0

Introduction

On the 25th May 2018, the General Data Protection Regulation (GDPR) came into effect across all EU member states. This Privacy Policy explains how Contracting PLUS collects, uses, stores and protects personal data in line with the General Data Protection Regulation (GDPR), the 2025 GDPR updates, the EU–U.S. Data Privacy Framework, and the EU AI Act (2025–2026 implementation period).

Contracting PLUS is committed to satisfying all GDPR requirements to provide confidence to our clients, that their data is being managed to the highest standards. This policy has been updated to reflect the requirements of GDPR and hopefully will give you clarity on how we manage the lifecycle of your data.

If you have any questions about this policy or your data, you can email us at dpo@contractingplus.com

Definitions

Before we get into the policy, it’s important you understand some of the key terms used as they are mentioned within the policy document.

Personal Data: Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated. The GDPR’s scope was broadened in 2025 to explicitly include biometric data, genetic information, location data and online identifiers as personal data.

Processing: means performing any operation or set of operations on personal data, including:

  • obtaining, recording or keeping data;
  • organising or altering the data;
  • retrieving, consulting or using the data;
  • disclosing the data to a third party (including publication); and
  • erasing or destroying the data.

Data Controller: A Data Controller is the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed. For the purposes of this document, Contracting Plus is the Data Controller.

Data Processor: A person or organisation that processes personal data on the behalf of a data controller.

Data subject: A Data subject is the individual the personal data relates to.

Model Contract: A ‘model contract’ is a general type of contract that includes specific provisions dealing with data protection, and that has been approved either by the EU Commission or by the Data Protection Commissioner. A data controller in Ireland, which wishes to transfer personal data outside of the EEA, can use the model contract as the basis for its relationship with the third-country organisation.

Policy

1. Who we are

When we use the term “Contracting PLUS“ or “us” or “we”, within this document, we are referring to Contracting PLUS Consultants Ltd which includes all associated branch locations. Contracting PLUS is Irelands most trusted and experienced provider of client solutions. We provide peace of mind to individuals that want to manage their tax, accounting and financial needs whilst protecting and growing their wealth. Our mission is to make Professional Contracting easier by providing accessible and friendly solutions for all your personal tax service needs.

2. Data Protection Officer

Contracting PLUS has an appointed Data Protection Office (DPO) and has the following responsibilities:

  • to inform and advise the controller (Contracting PLUS) or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

If you wish to contact Contracting PLUS’s DPO, please email dpo@contractingplus.com.

3. How we collect information about you

Our data collection process aims to be open and transparent at all times. Contracting PLUS gathers personal data via a number of mediums i.e. telephone, web forms, email, apps, social media, etc for the following reasons:

  • for assessment of application for service,
  • for planning service delivery,
  • for provision of information.

In addition, our web sites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you as well as provide Contracting PLUS with analytics on how the service is being used.

4. How we keep your information safe

Contracting PLUS’ most important concern is the protection and reliability of customer data. Contracting PLUS use a mixture of Private and Public cloud infrastructure providers to ensure customer data is secure and available at all times. All our Cloud Providers are located within the EU and adhere to the highest compliancy standards including the following certifications/regulations:

– DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3

– EU Data Protection Directive, HIPAA

All client data is regularly backed up with robust disaster recovery procedures in place.

In addition, Contracting PLUS use a number of third party web based systems for purposes such as survey gathering and form data collection. In some cases, personal data processed through those systems may be transferred to, stored in, or accessed from countries outside the European Economic Area.
Where this occurs, we will ensure that the transfer is carried out in accordance with Chapter V GDPR. This may be on the basis of an adequacy decision under Article 45 GDPR, the EU U.S. Data Privacy Framework where applicable, or appropriate safeguards under Article 46 GDPR, including the European Commission’s Standard Contractual Clauses and any supplementary measures required.

Further information on the relevant transfer mechanism may be requested from us using the contact details set out in this Privacy Notice.

5. Our Data Subjects and how long we keep your information

When an individual engages with Contracting PLUS we term this person an “Interested Party”. If the individual opts to use the services of Contracting PLUS they then become an “Active Client”. Once the individual leaves our services they then become an “In-active Client”.

Below is the data retention policy for each class of individual:

An “Interested Party” is a person who has pro-actively engaged with Contracting PLUS. Engagement might be a phone call or email correspondence to learn more about or services. It might also include a download from our website or registering to attend an event held (online or offline) by Contracting PLUS.

It can often take several weeks or months before it’s definitively clear that an individual does not wish to sign up with us. We will continue to keep in touch with Interested Parties until such time as they specifically opt out of further communications.

Once that happens we will purge the personal data obtained within 30 days of the data subject opting out.

For “Active Clients” Contracting PLUS deletes permanently the following classes of information where the information in question is over seven years old post the end of the accounting year-end (end of December for Ireland, end April for the UK). This may include but would not be limited to:

  • Client expenses (both electronic and paper)
  • Client payslips (both electronic and paper)
  • Client/Agency invoices (both electronic and paper)
  • Client timesheets (both electronic and paper)
  • Submitted Tax returns information on our portal.
  • Client Portal Information > 7 years
  • Any other paper based information received > 7 years old.

 

For “In-active Clients” Contracting PLUS deletes permanently all classes of information (electronic and paper) where the information in question is over seven years old post the inactivity date of the client. We will maintain basic contact information for the purpose of marketing. In-active Clients can specifically opt out of further communications. Once that happens we will use an automated process to purge the personal data obtained within 30 days of opting out.

Employees – we recognise that our employees are also data subjects to whom we owe a duty of care in relation to their data, we have internal data protection policies in relation to our employees, and in general we keep data for as long as is necessitated by law, here is a summary of our data retention

Source of Obligation Retention Period
Revenue Commissioners, Collector General, Companies Acts legislative provisions 7 years rolling retention of records
Personal Injuries related records Records are retained for a period of 3 years past the date of the cause of action, unless it involves a minor, in which case the retention period will be up until 3 years after the minor reaches the age of 18.
Breach of Contract related records Records are retained 6 years from the date of the breach
Employment contract/terms of employment related information Duration of the employment – this includes everything from the application form, interview notes, contract related, performance appraisals, references
Organisation of Working Time – time sheets/holiday and public holiday records National Minimum Wages Protection of Employment – Temporary Agency Workers, Part Time Workers, Fixed Term Workers Protection of Young Persons 3 years post the termination of the employment. Records kept are sufficient to show compliance with legal obligations in accordance with the statutory provisions.
Parental Leave Related 8 years – records kept show the dates when a qualifying employee availed of the parental leave and force majeure leave provisions
Employment Equality All records, including interviews and applications are kept for a period of one year.
Health and Safety Records All records relating to health and safety will be kept for a period of 10 years
Data Law Compliance Records in relation to our compliance with Data Law and GDPR will be kept for a five year period.

6. Meeting our legal and regulatory obligations – the lawful basis of processing your information that we employ:

To use your information lawfully, we can rely on four of the six legal bases set out in GDPR Regulation and these are:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes; in general we will not rely on consent as our engagement with clients is based on a contractual arrangement, but consent will be used for processing beyond the envisaged contract;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; this is the main lawful basis on which we process information, combined with the necessity to comply with a legal obligation in relation to our active and non-active clients;
    It is the data subject themselves that typically contact Contracting PLUS in order to obtain both a quotation as well as an outline of our services. As such, point 2 above allows us to process personal data without having to ask for consent.
    When a client decides to fully sign-up with us there is typically a requirement to gather more personal data to allow us draw up a contract. Under point 2 (above) we will gather this additional data from you without the need to for us to request, or for you to give an explicit consent.
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

7. Use of Artificial Intelligence (AI) and Automated Processing

Contracting PLUS uses artificial intelligence (AI) and automated technologies in certain features of its systems and applications to improve efficiency, accuracy, and user experience.

AI-enabled features may include, but are not limited to:

  • Voice-to-text transcription
  • Automated document or invoice creation
  • Data extraction and validation
  • Workflow automation and decision support

How AI is used

AI is used to:

  • Assist users in creating and processing information more efficiently
  • Reduce manual data entry and administrative effort
  • Improve accuracy and consistency of outputs
  • Enhance system performance and security

AI is used as an assistive tool and does not replace human oversight.

Human oversight & decision-making

  • AI systems used by Contracting PLUS do not make final decisions that produce legal or similarly significant effects on individuals without human involvement.
  • Outputs generated by AI are reviewable, editable, and controllable by users or authorised staff.
  • Users remain responsible for validating and approving AI-generated content (e.g. invoices, records, submissions).

Legal basis for AI processing

AI processing is carried out under one or more of the following lawful bases:

  • Performance of a contract
  • Legitimate business interests (e.g. efficiency, accuracy, service improvement)
  • Explicit user consent, where required

Where consent is relied upon, it can be withdrawn at any time.

Use of third-party AI providers

Where third-party AI providers are used:

  • Providers act as Data Processors only
  • Processing is limited strictly to the service being provided
  • Contractual safeguards are in place, including data protection and confidentiality obligations
  • Data is not used by providers for their own purposes

Data minimisation & retention

  • AI systems are designed to process only the minimum data necessary
  • Processing data is not retained longer than required
  • Persistent data follows the standard data retention rules set out in this policy

Your rights in relation to AI processing

In line with GDPR, you have the right to:

  • Obtain meaningful information about how automated processing is used
  • Request human review of AI-assisted outputs where applicable
  • Object to or restrict certain processing
  • Withdraw consent for AI-enabled features

8. Legitimate Interest

When an individual who has signalled that they were interested in our services and whom we have designated “an interested party” does not sign up to use the services provided by Contracting PLUS, we will use point 6 to continue to keep you informed of the benefits of contracting, the services offered by Contracting PLUS and other related communications. All of these communications will include a specific opt-out option.

Clients: We will utilise personal data in the form of email addresses and contact telephone numbers in order to keep our clients and potential clients informed in relation to our services and client market related information. We consider that this is in the legitimate interest of our business to maintain our market presence.
In balancing your data protection rights against this legitimate interest of our company, we have considered:

  1. The frequency of notifications to you in order to ensure that no nuisance is caused to you;
  2. The security and integrity of the data you have provided to us;
  3. Your rights and entitlements to stop the processing of your data with ease and to this end we provide the opportunity to opt out of such communication in every correspondence sent.
  4. How we use your information

Contracting PLUS holds and processes information about clients and agencies for all necessary and customary business purposes, such as:

  • Identity management (i.e. your personal/working situation and validation of your work status).
  • Pay and review compensation
  • Contract Management.
  • Agency Management.
  • Provide and administer benefits.
  • Comply with applicable taxation or other legal obligations.
  • Protect the rights, interests, or property of the Contracting PLUS.
  • Facilitate compliance with Company policies, industry standards, and legal requirements.
  • Communications (i.e. marketing, industry updates, etc.).

We do not ask for more information than is required in order to provide you a service and we only use that data in the provision of that service.

9. Your information and third parties

Contracting PLUS, as a rule do not disclose any information on our clients or agencies to third parties, but when necessary and in the course of the provision of our service to you and/or the common directors in the company through which you operate, we may make such data available to trustworthy reputable bodies/ advisors/partners/connected Contracting Plus parties and regulatory authorities such as the Revenue Commissioners and the Company’s Registration Office (CRO).

All client data received is processed by Contracting PLUS, Contracting PLUS Mortgages trading as Mortgage Navigators and Contracting PLUS Financial trading as HerMoney which is the Pensions, Protection and Financial advice arm of Contracting PLUS. This data sharing is necessary to offer our clients bespoke advise guidance and support throughout the entire mortgage process and the best service in maximising wealth management.

If disclosure of personal data to a third party is required which exceeds these terms consent will always be sought in such cases.

There are special circumstances under which disclosure of personal data to third parties is allowed. These are provided for under the Data Protection legislation and are:

  • As ordered by the Gardai, or army personnel;
  • For the purpose of investigating an offence;
  • To prevent urgent injury or damage to person or property;
  • Under a court order or other rule of law;
  • Required for the purposes of obtaining legal advice or for legal proceedings in which the person making the disclosure is a party or a witness;
  • Made at the request of and with the consent of the subject of the data.

10. International transfers of data

Contracting PLUS does not transfer client data to third party organisations outside the EEA. However, some Company employees who support service delivery may access data from outside the EEA. Contracting PLUS employees process your data in order to deliver our service.
This is all done under strict security protocols adhered to by Contracting PLUS.

11. Your personal information rights

In accordance with the GDPR, you have the right as a data subject to:

  • Know what personal data we have, why we have it and how we process it;
  • Access your personal data.
  • Data portability.
  • Have the data updated if the data is incomplete or inaccurate;
  • Have your data deleted where one of the reasons as per Article 17 applies;

Note: an individual’s right to erasure (in accordance Article 17 GDPR) does not apply where said information is required to be retained in accordance with relevant legislation. Our policy would be that :-

– we retain data for as long as statute or regulations demand; and

– we normally destroy files after seven years as per section 5.

  • Have the data processing restricted where one of the reasons as per Article 18 applies;
  • Have the right to receive your personal data, which you have provided in a structured format (see section 13);
  • Have the right to restrict or object to us using your personal information or using automated and AI assisted processing decision making;
  • Remove consent for processing and/or for direct marketing.

Note: When you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information. Any questions or queries please email dpo@contractingplus.com

12. Making a complaint

If you have a complaint about the use of your personal information, please contact us at dpo@contractingplus.com to allow us to quickly rectify the situation.

In the unlikely event that you do not get a response within 30 days you can complain to the DATA PROTECTION COMMISSION, Supervising Authority of Ireland.
Data Protection Commissioner
Canal House
Station Road
Portarlington
R32 AP23 Co. Laois
Telephone +353 57 8684800
Lo Call Number 1890 252 231
E-mail info@dataprotection.ie

13. Updates to this notice

This policy will be reviewed regularly in light of any legislative or other relevant developments. You can always find an up-to-date copy of our policy on our web site which will hold the date of the most recent revision at https://www.contractingplus.com/index.php/privacy-policy

14. Access to Personal Data

As a client of Contracting PLUS you are entitled to receive a copy of your personal data held by Contracting PLUS upon written request, at no cost (for the initial request, subsequent requests will be charged).

In order to respond to your request we ask you to download the Access Request Form

  • Please complete, sign and date the form and be specific as possible about the information you wish to access.
  • Attach a photocopy of your proof of identity and address, to the “Access Request Form”.
  • Post the “Access Request Form” to: Data Protection Officer, Contracting PLUS, Unit 26J, Block 6500, Cork Airport Business Park, Cork, Ireland or email same to dpo@contractingplus.com

If you cannot download the Access Request Form from the internet please write to us requesting a form from: Data Protection Officer, Contracting PLUS, Unit 26J, Block 6500, Cork Airport Business Park, Cork, Ireland and we shall send you a copy by return post.

Use of the “Access Request Form” is not mandatory. Completing the Access Request Form should enable us to process your request more efficiently.

We do not accept access requests via telephone or text message.

TO ACCESS WHAT PERSONAL DATA IS HELD, IDENTIFICATION WILL BE REQUIRED. We will accept the following forms of ID when information on your personal data is requested: a copy of your national ID card, driving license, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If we are dissatisfied with the quality, further information may be sought before personal data can be released.

Review
This Policy will be reviewed regularly in light of any legislative or other relevant developments

Looks Like you're visiting from India

Would you like to be redirected to our Indian website?

View India Site