Privacy Policy

Last updated: 6 July 2026

1. Overview and scope

This Privacy Policy explains how FMCG Cloud collects, uses, and protects personal data in connection with our website (fmcgcloud.com), our authenticated platform, and our agent marketplace (together, the “Services”). We aim to comply with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and — for California residents — the California Consumer Privacy Act as amended by the CPRA (“CCPA”).

Our role depends on the data. For personal data we decide the purposes of — such as website enquiries, account administration, billing metadata, and analytics — we act as the data controller, and this policy governs it. For personal data that our customers place into their tenant on the platform, we act as a processor on the customer’s behalf; that processing is governed by the data processing agreement (DPA) between the customer and us, not by this policy, and requests about that data should be directed to the relevant customer.

2. Who we are

The data controller for the processing described in this policy is FMCG Cloud, based in Ireland. You can reach us about privacy at privacy@fmcgcloud.com. Our lead supervisory authority is the Irish Data Protection Commission (DPC).

3. Personal data we collect

We collect personal data from the following sources:

  • Enquiry and contact data — when you request a demo or apply to the partner programme, we collect your name, work email, company, role, and any message you include.
  • Account and identity data — for authenticated users, managed via our identity provider (Clerk): your name, email, organisation/tenant, role, and authentication metadata such as multi-factor settings.
  • Payment and transaction data — for in-platform credit purchases processed by Stripe: billing name and email and a record of the transaction. Full card details are collected and stored by Stripe, not by us.
  • Usage and log data — collected automatically to operate and secure the Services: IP address, device and browser information, timestamps, the pages and actions you take, and audit logs.
  • Analytics and cookie data — via Google Analytics 4, using pseudonymous identifiers and approximate location, only after you consent (see “Cookies and analytics”).

4. How we use your data

We use personal data to:

  • respond to your demo and partner enquiries and follow up on them;
  • create and administer accounts, tenants, and roles, and authenticate users;
  • provide the platform and marketplace and deliver the credits and features you purchase;
  • process and record payments and help prevent payment fraud;
  • send service and transactional messages such as verifications, receipts, and notifications;
  • operate, secure, debug, and improve the Services, and measure website and product performance; and
  • comply with legal, tax, and accounting obligations, and enforce our terms or protect legal rights.

5. Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to create and run accounts, deliver the platform and marketplace, process credit purchases, and send transactional messages tied to the Services.
  • Consent — for non-essential cookies and Google Analytics, and for any marketing emails to individuals; you can withdraw consent at any time.
  • Legitimate interests — to respond to inbound business enquiries, secure the platform and prevent fraud, monitor and improve the Services, and follow up with business contacts, balanced against your rights and subject to your right to object.
  • Legal obligation — to keep invoices and tax records and to respond to lawful requests.

6. Cookies and analytics

We use strictly necessary cookies to operate the Services (for example to keep you signed in), which do not require consent. We also use Google Analytics 4 to understand how the website is used. Non-essential cookies and analytics load only after you opt in through our cookie banner: we run Google Consent Mode v2, so analytics and advertising storage are denied by default until you consent. You can accept or reject non-essential cookies with equal ease, and change or withdraw your choice at any time through the cookie settings control.

We do not use cookies for cross-context behavioural advertising. The legal basis for analytics cookies is your consent, in line with Ireland’s ePrivacy Regulations.

7. How we share data and our subprocessors

We share personal data only as needed to provide the Services, with service providers that process it on our behalf under contract, and where required by law. We do not sell your personal data. Our current infrastructure subprocessors are:

  • Google Cloud (Google LLC / Google Ireland) — hosting and infrastructure, in an EU region.
  • Clerk (Clerk, Inc.) — authentication and identity management.
  • Stripe (Stripe, Inc. / Stripe Payments Europe) — payment and credit-purchase processing.
  • SendGrid (Twilio Inc.) — transactional and service email, via our notification service.
  • Google Analytics (Google LLC / Google Ireland) — consent-gated website analytics.

8. Sharing continued, and international transfers

We may also disclose personal data to respond to lawful requests from authorities, to enforce our terms or protect our rights, and in connection with a merger, acquisition, or sale of assets. Tenant data is logically isolated, and we do not use one customer’s data to serve another without consent.

We host in an EU region to keep data in the EU where possible. Some of our providers are based in the United States, so certain personal data may be transferred outside the EEA. Where it is, we rely on the European Commission’s Standard Contractual Clauses as our primary safeguard and, where applicable, on a provider’s certification under the EU-US Data Privacy Framework, supported by additional measures. We maintain data processing agreements with our providers and can provide information about the relevant safeguards on request.

9. Data retention

We keep personal data only as long as necessary for the purposes described here, and then delete or anonymise it. In practice: enquiry data is kept for the sales cycle and a reasonable follow-up period unless you become a customer or ask us to stop; account data is kept for the life of the account plus a short wind-down period; payment and transaction records are kept for the period required by Irish tax and company law; and usage and log data is kept for a limited operational and security window. A legal hold or dispute may extend these periods where necessary.

10. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, EU-region hosting, logical isolation between tenants, role-based access controls, least-privilege access, audit logging, and multi-factor authentication through our identity provider. Card data is handled by our PCI-DSS-compliant payment provider. No method of transmission or storage is completely secure; where we are required to, we will notify the DPC and affected individuals of a personal-data breach as required by law. You can read more about our security posture on our Trust Center.

11. Your rights

Depending on your location, you have rights over your personal data. Under the GDPR you can:

  • access the personal data we hold about you, and receive a copy;
  • have inaccurate data corrected, and incomplete data completed;
  • have your data erased in certain circumstances;
  • restrict or object to certain processing, including direct marketing;
  • receive your data in a portable format; and
  • withdraw consent at any time, without affecting processing already carried out.

12. Exercising your rights, and complaints

To exercise any of these rights, contact privacy@fmcgcloud.com. We may need to verify your identity, and we will respond within the time allowed by law. Exercising your rights is free unless a request is manifestly unfounded or excessive. If a request concerns data we process on a customer’s behalf within their tenant, we will direct you to that customer, who is the controller of that data.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Irish Data Protection Commission (21 Fitzwilliam Square South, Dublin 2; dataprotection.ie), and if you are in the EEA you may also complain to your local authority.

13. Your California privacy rights

If you are a California resident, the CCPA gives you rights over the personal information we collect. We collect the categories described in “Personal data we collect” for the business purposes described in “How we use your data”, and disclose them to the service providers listed above. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. Where technically applicable, we honour opt-out preference signals such as Global Privacy Control.

Subject to the CCPA, you may:

  • know the categories and specific pieces of personal information we have collected, their sources, and the purposes;
  • request deletion of your personal information;
  • request correction of inaccurate personal information;
  • opt out of the sale or sharing of personal information (note we do neither); and
  • not be discriminated against for exercising your rights.

14. Children’s data

The Services are a business product intended for business users and are not directed to children. We do not knowingly collect personal data from children; if we learn that we have, we will delete it. If you believe a child has provided us with personal data, contact privacy@fmcgcloud.com.

15. AI agents and automated decisions

The Services include AI-assisted agents that process business data on behalf of our customers. Their outputs are tools that support our customers’ own decisions; the customer, as controller of its tenant data, decides how they are used. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement. Where profiling for direct marketing ever occurs, you can object to it.

16. Changes and contact

We may update this policy from time to time. The “last updated” date at the top reflects the current version, and we will notify you of material changes — for example by email to account holders or a notice on the website. Where our processing relies on your consent, a material change may require us to ask for your consent again. Questions about this policy, or about how we handle personal data, can be directed to privacy@fmcgcloud.com.