How we handle your data.
Plain English. No dark patterns. We collect the minimum we need, store it in the EU, and delete it when we're done with it.
1. Who we are
MTMN Digital ("MTMN", "we", "us", "our") is the data controller for personal data submitted through mtmn.ie and its subdomains. We are an independent studio based in Co. Cork, Republic of Ireland.
Contact for data-protection matters: hello@mtmn.ie. Postal address available on request via the same email.
2. What we collect, why, and how long we keep it
| Data | Why | Lawful basis | Retention |
|---|---|---|---|
| Name, email, phone, business type, the free-text "anything you'd like us to know" field | To respond to your booking request and prepare for the call you've booked | Contract / pre-contractual measures (Art. 6(1)(b) GDPR) | 24 months from submission if you don't become a client; for the lifetime of the engagement plus 7 years for tax records (Revenue requirement) if you do |
| IP address and basic request metadata (timestamps, user agent) | Security: rate-limiting, CAPTCHA verification, abuse detection, audit log | Legitimate interest (Art. 6(1)(f)), running a service that isn't trivially abused | ≤ 12 months in audit log; ≤ 24 hours in rate-limit windows |
| Login email + password hash for staff portal users | Operating the staff dashboard | Contract / employment | For the duration of the engagement; account deleted on departure |
Google Ads conversion tracking (fires only on the booking-confirmation page, /booking-confirmed): your IP address, browser user-agent, the Google Ads click identifier (gclid) if you arrived from a Google ad, and the URL of the confirmation page are sent to Google. Cookies (_gcl_au, NID) are set in your browser to attribute the booking back to the originating ad click | To measure which Google Ads spend actually results in booked consultations, so we can stop running ads that don't work | Consent (Art. 6(1)(a) GDPR / Reg. 5(3) of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011). The Google tag runs with Consent Mode v2 default-denied, no cookies are set and no identifiers are sent unless you accept | Per Google's published retention: click-identifier records up to 13 months; the _gcl_au cookie expires 90 days after your last interaction with the site. None of this is stored on MTMN's own servers |
Other than the Google Ads conversion tracking described above – which fires only on the booking-confirmation page, and only if you consent – this site runs no analytics, no behavioural tracking, and no advertising pixels. We do not sell, rent, or trade personal data to anyone, ever.
3. Who else processes your data on our behalf
Personal data is stored and processed by the following sub-processors. All have been chosen because they are GDPR-compliant and host data inside the EU/EEA.
- Supabase (database hosting, AWS Frankfurt / Dublin, EU-West region), covered by Supabase's Data Processing Addendum.
- Vercel (application hosting / edge network), covered by Vercel's DPA.
- Cloudflare Turnstile (bot detection on the booking form), only your IP and a request signature are sent during CAPTCHA validation; nothing else.
- Google Ireland Ltd / Google LLC (Google Ads conversion tracking on the booking-confirmation page only), receives the data listed in the row above. Google Ireland Ltd is the EU controller for European users; underlying processing is performed by Google LLC in the United States under the EU-US Data Privacy Framework.
4. International transfers
Personal data submitted through the booking form is stored in the European Economic Area (Supabase EU-West) and is not transferred outside the EEA. The one exception is the Google Ads conversion-tracking data described in section 2, which is processed by Google LLC in the United States. That transfer relies on the EU-US Data Privacy Framework adequacy decision (Art. 45 GDPR, in force since July 2023), to which Google LLC is a certified participant. If we ever introduce another sub-processor outside the EEA we will rely on a Chapter V transfer mechanism (e.g. Standard Contractual Clauses) and update this notice.
5. Your rights
Under the GDPR you have the right to:
- Access, get a copy of the personal data we hold about you.
- Rectification, have inaccurate data corrected.
- Erasure ("right to be forgotten") – have your data deleted, subject to legal retention obligations such as Revenue invoicing rules.
- Restriction, limit how we use your data.
- Portability – receive your data in a portable, machine-readable format.
- Objection, object to processing based on legitimate interest.
- Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email hello@mtmn.ie. We will respond within one month and won't charge you for it.
6. Security
Personal data is encrypted in transit (TLS 1.2+) and at rest (Supabase managed encryption). Access to the staff dashboard is protected by hashed passwords (PBKDF2 via werkzeug) and short-lived signed sessions. We rate-limit public endpoints, run CAPTCHA on form submissions, and write an audit log of staff access to records containing personal data.
7. Automated decision-making
None. No decision affecting you is made automatically by this website.
8. Changes to this notice
If we change this notice in any material way, we will publish a new version with an updated effective date and version number at the top of this page. The current version applies to all data we hold; older versions are archived for reference.
9. Contact
Questions, requests, or complaints – hello@mtmn.ie.