Privacy Policy
Effective date: 26 February 2026 · Last updated: 26 February 2026 · Version 1.0
Privacy at a Glance
A quick summary of how we handle your data. Scroll down for the full policy.
Who We Are
ThoughtFox Limited, an AI transformation consultancy registered in Ireland (No. 802055).
What We Collect
Contact details, professional info, enquiry content, and website usage data via cookies.
Why We Process It
To respond to enquiries, deliver services, send relevant updates, and improve our website.
Who We Share With
Trusted processors only (Mailchimp, Google Analytics, hosting). We never sell your data.
Your Rights
Access, rectify, erase, restrict, port, or object to your data under GDPR at any time.
Exercise Your Rights
Email us at privacy@thoughtfox.ai with the subject line “Data Subject Request”.
1. About Us & This Policy
ThoughtFox Limited (“ThoughtFox”, “we”, “our”, or “us”) is a company registered in Ireland under company number 802055, with its registered address at 23 Abbot Drive, Dún Laoghaire, Dublin, A96 KH7W.
We are an AI transformation consultancy specialising in AI readiness, adoption, governance, and EU AI Act compliance for businesses across Ireland and Europe.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website at thoughtfox.ai, use our services, or otherwise interact with us. It has been prepared in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018.
ThoughtFox Limited is the Data Controller in respect of the personal data described in this policy. As an Ireland-based company, our lead supervisory authority is the Data Protection Commission (DPC).
2. Personal Data We Collect
We collect personal data in the following categories:
2.1 Information You Provide Directly
- Contact details: name, email address, phone number
- Professional information: job title, company name, company size, industry sector
- Enquiry and message content: information you submit through our contact forms, AI Readiness Scan, or direct correspondence
- Marketing preferences: your consent choices for marketing communications
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- Device and browser information: browser type and version, operating system, device type
- Usage data: pages visited, time spent on pages, links clicked, referring website or source
- Technical data: IP address, approximate geographic location (derived from IP), session identifiers
This data is collected via cookies and similar technologies. See Section 9 (Cookies) for full details.
2.3 Information From Third Parties
We may receive data about you from third-party platforms such as LinkedIn or other professional networks where you engage with our content, subject to their own privacy policies and your settings on those platforms.
3. Lawful Basis for Processing
Under GDPR, we are required to have a lawful basis for each type of personal data processing we carry out. The table below sets out our processing activities and the corresponding lawful basis.
| Processing Activity | Lawful Basis | Details |
|---|---|---|
| Responding to enquiries and contact form submissions | Legitimate Interests (Art. 6(1)(f)) | Our legitimate interest in responding to prospective and existing clients who contact us directly. |
| Delivering contracted consultancy services | Performance of a Contract (Art. 6(1)(b)) | Necessary to fulfil our obligations under a client engagement or service agreement. |
| Sending marketing communications to existing clients | Legitimate Interests (Art. 6(1)(f)) | We have a legitimate interest in informing existing clients of relevant services and insights. You may opt out at any time. |
| Sending marketing communications to prospects (email/direct channels) | Consent (Art. 6(1)(a)) | Where required, we obtain your explicit consent before sending marketing materials. Consent can be withdrawn at any time. |
| Website analytics and performance monitoring | Legitimate Interests (Art. 6(1)(f)) | To understand how our website is used and to improve our digital presence. We carry out a Legitimate Interests Assessment (LIA) for this activity. |
| Compliance with legal obligations | Legal Obligation (Art. 6(1)(c)) | Where required by Irish or EU law, including tax, accounting, and regulatory obligations. |
Legitimate Interests Assessments (LIA)
Where we rely on legitimate interests as our lawful basis, we have carried out a Legitimate Interests Assessment to ensure our interests are not overridden by your rights and freedoms. You may request details of any LIA by contacting us at privacy@thoughtfox.ai.
4. How We Use Your Personal Data
We use your personal data only for the purposes for which it was collected or for compatible purposes that you would reasonably expect. Specifically, we use your data to:
- Respond to enquiries, contact form submissions, and requests for information
- Provide and deliver our consultancy services under a client engagement
- Manage our commercial relationship with you, including invoicing and contract administration
- Send you relevant updates, thought leadership, and service information (where you have consented or we have a legitimate interest to do so)
- Administer and improve our website, including analysing usage patterns
- Comply with our legal and regulatory obligations under Irish and EU law
- Detect and prevent fraud, misuse, or security incidents
5. Data Sharing & Third-Party Processors
We do not sell your personal data to any third party. We do not share your personal data for third-party advertising purposes.
We may share your data with trusted third-party service providers who act as data processors on our behalf. These providers are contractually bound to process your data only on our instructions and in accordance with GDPR. Our current third-party processors include:
| Processor | Purpose | Data Processed |
|---|---|---|
| Mailchimp (Intuit) | Email marketing and newsletter delivery | Name, email address, marketing engagement data (opens, clicks) |
| Google Analytics | Website analytics and performance monitoring | Anonymised usage data, device/browser information, IP address (anonymised) |
| Firebase / Google Cloud | Hosting and delivery of thoughtfox.ai | Server logs, IP addresses, technical traffic data |
We may also disclose your personal data where required to do so by law, by a court order, or by any governmental or regulatory authority with appropriate jurisdiction, including the Data Protection Commission.
6. International Data Transfers
Some of our third-party processors, including Mailchimp (operated by Intuit Inc., a US company) and Google, may transfer and process your personal data outside the European Economic Area (EEA).
Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission confirming the recipient country provides an equivalent level of data protection
- Other approved transfer mechanisms where applicable
You may request further information on the specific safeguards applied to any particular transfer by contacting us at privacy@thoughtfox.ai.
7. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required or permitted by law. Our retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Enquiry and contact form data | 2 years from last contact | Sufficient to manage and follow up on sales and business enquiries |
| Client engagement data (contracts, correspondence, deliverables) | 7 years from end of engagement | Irish tax and accounting obligations under the Companies Act and Revenue requirements |
| Marketing contacts (opted out or unsubscribed) | 3 years from opt-out | To maintain suppression lists and honour opt-out preferences |
| Website analytics data | 26 months (Google Analytics default) | Standard analytics retention window; anonymised after this period |
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights in relation to the personal data we hold about you. You may exercise any of these rights by contacting us at privacy@thoughtfox.ai.
8.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. We will respond to access requests within one month of receipt.
8.2 Right to Rectification (Article 16)
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.
8.3 Right to Erasure / ‘Right to be Forgotten’ (Article 17)
You have the right to request that we delete your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other lawful basis for processing. This right is not absolute and may be subject to our legal obligations.
8.4 Right to Restrict Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.
8.5 Right to Data Portability (Article 20)
Where we process your data on the basis of consent or for the performance of a contract, you have the right to receive a copy of that data in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately. For other objections based on legitimate interests, we will consider your objection and cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
8.7 Rights Related to Automated Decision-Making (Article 22)
We do not currently make decisions about you using solely automated processing (including profiling) that produce legal or similarly significant effects. If this changes, we will update this policy and notify you accordingly.
8.8 Right to Withdraw Consent
Where we process your data on the basis of your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. You can withdraw consent by clicking the unsubscribe link in any marketing communication, or by contacting us at privacy@thoughtfox.ai.
How to Exercise Your Rights
To exercise any of the rights above, please email privacy@thoughtfox.ai with the subject line “Data Subject Request”. We will respond within one calendar month. In complex cases we may extend this by a further two months, in which case we will notify you of the extension and the reason for it. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
9. Cookies & Tracking Technologies
Our website uses cookies and similar technologies to provide essential functionality, analyse website performance, and (where you have consented) to support our marketing activities.
A cookie is a small text file placed on your device when you visit a website. Cookies help the website remember your preferences and understand how you use the site.
9.1 Categories of Cookies We Use
| Category | Purpose | Examples | Basis |
|---|---|---|---|
| Strictly Necessary | Essential for the website to function. Cannot be disabled. | Session cookies, security tokens | Necessary (no consent required) |
| Analytics & Performance | Help us understand how visitors use our site so we can improve it. | Google Analytics (_ga, _gid) | Legitimate Interests / Consent |
| Marketing & Tracking | Used to track visits from marketing campaigns and measure their effectiveness. | Campaign source tracking | Consent required |
9.2 Managing Cookies
You can control and manage cookies in several ways. When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your preferences at any time by clicking the “Cookie Settings” link in the footer of our website.
You can also manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete cookies that have already been set. Please note that disabling certain cookies may affect the functionality of our website. For guidance on managing cookies in your browser, visit www.aboutcookies.org.
10. Data Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures designed to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include access controls and authentication requirements for systems holding personal data, encryption of data in transit using industry-standard TLS/SSL protocols, regular review of our data handling practices and third-party processor arrangements, and staff awareness of data protection obligations.
However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of the breach, and will notify you directly where required by law.
11. Children’s Privacy
Our website and services are directed at business professionals and are not intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@thoughtfox.ai and we will take steps to delete such information.
12. Links to Third-Party Websites
Our website may contain links to third-party websites, including social media platforms and partner or client websites. This Privacy Policy applies solely to our website and services. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal data to them.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or business operations. When we make material changes, we will update the “Last Updated” date at the top of this policy and, where appropriate, notify you by email or by a prominent notice on our website.
We encourage you to review this policy periodically. Your continued use of our website or services following any changes constitutes your acknowledgement of the updated policy.
14. Your Right to Complain
If you are not satisfied with how we handle your personal data, or with our response to a data subject request, you have the right to lodge a complaint with the Data Protection Commission (DPC), which is the Irish supervisory authority under GDPR.
We would, however, appreciate the opportunity to address your concerns directly before you approach the DPC. Please contact us first at privacy@thoughtfox.ai.
15. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have any concerns about how we handle your personal data, please contact us:
| Company | ThoughtFox Limited |
| Company No. | 802055 |
| Registered Address | 23 Abbot Drive, Dún Laoghaire, Dublin, A96 KH7W, Ireland |
| Privacy Contact | privacy@thoughtfox.ai |
| General Enquiries | hello@thoughtfox.ai |
| Website | www.thoughtfox.ai |
ThoughtFox Limited • Registered in Ireland No. 802055 • privacy@thoughtfox.ai