1. Our Commitment to GDPR
At DevEire Ltd, the company behind ProductBuilder, we are fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Data Protection Acts 1988 to 2018 (as applicable in Ireland). We believe that robust data protection is not merely a legal obligation but a fundamental aspect of earning and maintaining the trust of our customers, partners, and users.
We have implemented comprehensive policies, procedures, and technical measures to ensure that all personal data we process is handled lawfully, fairly, and transparently. This page outlines how we meet our obligations under GDPR and how you can exercise your rights as a data subject.
Applies to: All personal data processed by DevEire Ltd through the ProductBuilder platform, including data of underwriters, brokers, policyholders, and website visitors.
2. Data Controller
The data controller responsible for the personal data processed through ProductBuilder is:
DevEire Ltd
National Technology Park, Limerick, Ireland
Email: hello@productbuilder360.com
Data Protection Officer: dpo@productbuilder360.com
As the data controller, DevEire Ltd determines the purposes and means of processing personal data. Where we process data on behalf of our customers (e.g., policyholder data managed by an MGA using our platform), we act as a data processor and process data strictly in accordance with our customers' instructions and a written Data Processing Agreement (DPA).
3. Legal Bases for Processing
We only process personal data where we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely upon include:
3.1 Consent (Article 6(1)(a))
Where you have given clear, informed, and unambiguous consent for us to process your personal data for a specific purpose. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Examples include subscribing to our newsletter, opting in to analytics cookies, or participating in marketing campaigns.
3.2 Performance of a Contract (Article 6(1)(b))
Where processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract. This includes processing your account information to provide access to the ProductBuilder platform, processing payment details for subscription services, and managing your user preferences and configuration.
3.3 Legitimate Interests (Article 6(1)(f))
Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. We conduct a Legitimate Interest Assessment (LIA) before relying on this basis. Examples include improving and securing our platform, detecting and preventing fraud, conducting business analytics on aggregated data, and communicating product updates to existing customers.
3.4 Legal Obligation (Article 6(1)(c))
Where processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting, financial regulations, or responding to lawful requests from regulatory authorities.
4. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR. We are committed to facilitating the exercise of these rights in a timely and transparent manner.
Right of Access
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about how it is processed (Article 15).
Right to Rectification
You have the right to request correction of inaccurate personal data and to have incomplete data completed (Article 16).
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected (Article 17).
Right to Restriction
You have the right to request restriction of processing in certain circumstances, for example while we verify the accuracy of contested data (Article 18).
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller (Article 20).
Right to Object
You have the right to object to processing based on legitimate interests or direct marketing at any time. We will cease processing unless we have compelling legitimate grounds (Article 21).
Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Article 22).
Right to Withdraw Consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal (Article 7(3)).
5. How to Exercise Your Rights
You can exercise any of the rights described above by contacting us using the details below. To help us process your request efficiently and securely, please include:
- Your full name and the email address associated with your ProductBuilder account.
- A description of the right you wish to exercise and any relevant details.
- Any supporting information that may help us locate the specific data in question.
We will acknowledge your request within 3 business days and respond substantively within 30 days of receipt, as required by GDPR. If your request is complex or we receive a high volume of requests, we may extend this period by a further 60 days and will notify you of any extension and the reasons for it.
We may need to verify your identity before processing your request. This is a security measure to ensure that personal data is not disclosed to unauthorised persons. We will never charge a fee for processing a standard request unless it is manifestly unfounded or excessive.
6. Data Protection Officer
DevEire Ltd has appointed a Data Protection Officer (DPO) to oversee our compliance with GDPR and other applicable data protection legislation. The DPO is responsible for:
- Monitoring compliance with GDPR, other data protection laws, and our internal policies.
- Advising on Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Serving as the primary point of contact for data subjects and the supervisory authority.
- Providing training and guidance to staff on data protection obligations.
- Maintaining records of processing activities under Article 30.
Data Protection Officer
DevEire Ltd
National Technology Park, Limerick, Ireland
Email: dpo@productbuilder360.com
7. Sub-Processors
We engage a limited number of carefully vetted third-party sub-processors to assist in providing the ProductBuilder service. Each sub-processor is bound by a Data Processing Agreement (DPA) that includes GDPR-compliant obligations regarding data security, confidentiality, and breach notification.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, and data storage for the ProductBuilder platform. | All platform data including account information, product configurations, and quote submissions. | EU (Ireland) |
| Stripe, Inc. | Payment processing for subscription billing and premium collection. | Payment card details, billing address, transaction amounts, and payment history. | EU / US |
| Calendly, LLC | Scheduling for demo bookings and customer support meetings. | Name, email address, and scheduling preferences. | US |
| Google LLC (Analytics) | Website analytics and usage reporting (when consent is given). | Anonymised browsing data, page views, session duration, and device information. | EU / US |
We maintain an up-to-date list of sub-processors and will notify customers of any material changes. If you would like to be notified of future changes to our sub-processor list, please contact dpo@productbuilder360.com.
8. International Data Transfers
We primarily store and process personal data within the European Economic Area (EEA). Our primary infrastructure is hosted on AWS in the EU (Ireland) region. However, some of our sub-processors are based in or have operations in countries outside the EEA, including the United States.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR. These safeguards include:
8.1 EU Adequacy Decisions
Where the European Commission has determined that a country provides an adequate level of data protection (an "adequacy decision"), we may transfer data to that country without additional safeguards. We monitor adequacy decisions and adapt our transfer mechanisms as needed.
8.2 Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914. All our sub-processors in non-adequate countries have executed SCCs with DevEire Ltd.
8.3 EU-U.S. Data Privacy Framework
For transfers to the United States, we also rely on the EU-U.S. Data Privacy Framework where applicable. Our US-based sub-processors (Stripe, Calendly, and Google) are certified under the Data Privacy Framework, providing an additional mechanism for lawful transfers.
8.4 Supplementary Measures
In line with the EDPB's recommendations, we conduct Transfer Impact Assessments (TIAs) and implement supplementary technical, organisational, and contractual measures where necessary. These include encryption of data in transit and at rest, pseudonymisation where feasible, and contractual commitments from sub-processors to challenge disproportionate government access requests.
9. Data Breach Notification
DevEire Ltd has established a comprehensive data breach response plan to ensure a rapid and effective response in the event of a personal data breach.
9.1 Detection and Assessment
We employ continuous monitoring, intrusion detection systems, and automated alerting to detect potential data breaches as quickly as possible. Upon detection, our incident response team immediately assesses the nature, scope, and severity of the breach.
9.2 Notification to Supervisory Authority
In accordance with Article 33 of the GDPR, if a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Data Protection Commission (DPC) of Ireland within 72 hours of becoming aware of the breach. The notification will include:
- The nature of the breach, including the categories and approximate number of data subjects affected.
- The name and contact details of our Data Protection Officer.
- A description of the likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
9.3 Notification to Data Subjects
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay, in accordance with Article 34 of the GDPR. This notification will be provided in clear, plain language and will include a description of the breach, potential consequences, and recommended protective measures.
9.4 Notification to Customers (Data Controllers)
Where we act as a data processor on behalf of our customers, we will notify the relevant customer (data controller) of any personal data breach without undue delay after becoming aware of it, enabling them to fulfil their own notification obligations.
10. Security and Certifications
DevEire Ltd maintains a robust information security management system and pursues internationally recognised certifications to demonstrate our commitment to protecting personal data.
ISO 27001
Information Security Management System. The international standard for managing information security risks.
ISO 27017
Cloud Security Controls. Guidelines for information security controls applicable to the provision and use of cloud services.
ISO 27701
Privacy Information Management. Extension to ISO 27001 for establishing a Privacy Information Management System (PIMS).
Our security measures include, but are not limited to:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege for all staff and systems.
- Audit Logging: Comprehensive logging of access and modifications to personal data, with tamper-proof log storage.
- Regular Testing: Annual penetration testing by independent third parties, quarterly vulnerability assessments, and continuous automated scanning.
- Staff Training: Mandatory data protection and security awareness training for all employees upon joining and annually thereafter.
- Business Continuity: Redundant infrastructure, automated backups, and documented disaster recovery procedures with regular testing.
11. Complaints to a Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. As DevEire Ltd is established in Ireland, our lead supervisory authority is:
Data Protection Commission (DPC)
National Technology Park, Limerick, D02 RD28, Ireland
Phone: +353 (0)1 765 0100 / +353 (0)57 868 4800
Email: info@dataprotection.ie
Website: www.dataprotection.ie
You may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at dpo@productbuilder360.com so we can try to resolve your concern.
12. Contact Us
If you have any questions about this GDPR compliance page, our data protection practices, or wish to exercise any of your rights, please contact us:
General enquiries: hello@productbuilder360.com
Data Protection Officer: dpo@productbuilder360.com
Address: DevEire Ltd, National Technology Park, Limerick, Ireland
For information about how we use cookies, please see our Cookie Policy. For our full privacy practices, please see our Privacy Policy. For our terms of service, please see our Terms of Service.