Back to siteElements Engage

Privacy Policy

Last updated: 18 April 2026

1. Who we are

Elements Engage (the "Platform") is operated by Elements Marketing Ltd, registered in Ireland. Our contact point for privacy matters is privacy@elementsmarketing.ie. For the purposes of the GDPR, we act as the data controller for personal data you provide directly (e.g. your account), and as a data processor for data your employer pushes into the Platform about your engagement with their programmes.

2. What data we collect

  • Account data: your email, full name, job title, profile photo, and organisation.
  • Usage data: which content you download, which events you RSVP to, which items you favourite, and basic timestamps. We store this so you have a personal history inside the app.
  • Technical data: session cookies for sign-in, IP address captured transiently for rate-limiting and abuse prevention, and browser user-agent.
  • Consent data: which cookie choices you made and when. Used to prove we asked.

We do not collect special category data (health, ethnicity, religion, etc.) and we do not buy or sell personal data from third parties.

3. Why we use it (lawful bases)

  • Contract: providing the service you signed up for.
  • Legitimate interest: securing the service, preventing abuse, and analysing aggregate usage to improve it.
  • Consent: optional analytics and marketing cookies.
  • Legal obligation: meeting record-keeping duties, responding to lawful requests.

4. Who we share it with

We share personal data only with processors needed to run the Platform:

  • Supabase (database, auth, storage — hosted in the EU)
  • Vercel (application hosting)
  • Transactional email provider for confirmation and password-reset emails

All processors are bound by data-processing agreements. We do not transfer personal data outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses).

5. How long we keep it

  • Account data: while your account is active, and up to 30 days after closure to allow recovery.
  • Download / event-registration history: up to 24 months, then anonymised.
  • Auth-attempt logs (rate limiting): 30 days.
  • Admin audit logs: 24 months.

6. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. You can also withdraw consent at any time. We've built these into the product:

  • Access / portability: download all your data as JSON from your account page.
  • Rectification: edit your profile fields on the account page.
  • Erasure: delete your account on the account page. We wipe PII and anonymise historical records.
  • Consent withdrawal: re-open the cookie banner (coming soon) or email us.

You can also complain to the Irish Data Protection Commission (dataprotection.ie) if you're unhappy with how we handle your data.

7. Security

We encrypt data in transit and at rest, enforce row-level security at the database so users only see their own records, require strong passwords, rate-limit authentication, and sign out idle sessions after 60 minutes. We keep admin actions in an audit log so we can detect and investigate suspicious activity.

8. Cookies

We use strictly essential cookies (session, CSRF, consent state) by default. With your consent, we may also set analytics and marketing cookies. You choose when you first visit and can change your mind at any time.

9. Contact

Questions or requests? Email privacy@elementsmarketing.ie. We respond within 30 days as required by the GDPR.