top of page

Privacy Policy

1. Who We Are

This privacy policy explains how ABS Synergy Ltd (Company Registration Number IE491109, VAT Number IE9773454J), trading as Synergy Up, Synergy Stocktaking, and Synergy Bookkeeping, collects, uses, stores, and protects your personal data. Throughout this policy, "we", "us", and "our" refers to ABS Synergy Ltd and all of its trading names.

Our registered office is at 8-10 Coke Lane, Smithfield, Dublin, Ireland, D07 EN2Y.

This policy applies when you use any of our services, including:

  • The Synergy Up platform at app.synergyup.com and our website at synergyup.com

  • The Synergy Stocktaking service at synergystocktaking.ie

  • The Synergy Bookkeeping service at synergybookkeeping.ie

  • Our mobile applications

  • Any interactions with us through sales, marketing, support, or events

 

For all data protection queries, please contact us at:

Email: privacy@synergyup.com

Post: Data Protection Lead, ABS Synergy Ltd, 8-10 Coke Lane, Smithfield, Dublin, D07 EN2Y, Ireland

2. Our Role: Data Controller and Data Processor

Depending on the context, we act in different roles under GDPR. Understanding this distinction is important because it determines who is responsible for decisions about your personal data.

Context
Our Role
What This Means
Client employee, payroll, HR, scheduling, and operational data processed through the Synergy Up platform
Data Processor
Your employer (our client) is the Data Controller. They decide what data is processed and why. We process it on their documented instructions under a Data Processing Agreement (DPA).
Our own employees and contractors
Data Controller
We decide what data to collect and how to use it for employment and operational purposes.
Website visitors to synergyup.com, synergystocktaking.ie, and synergybookkeeping.ie
Data Controller
We collect analytics and cookie data subject to your consent choices.
Support and helpdesk interactions
Data Controller
We manage support data to resolve your queries.
Marketing and sales contacts
Data Controller
We process contact data based on consent or legitimate interest.
Synergy Stocktaking service clients and their data
Data Processor / Data Controller
We act as Processor for client operational data. We act as Controller for our own client relationship data.
Synergy Bookkeeping service clients and their data
Data Processor / Data Controller
We act as Processor for client financial and operational data. We act as Controller for our own client relationship data.

Where we act as a Data Processor on behalf of your employer or organisation, your employer is responsible for providing you with their own privacy notice explaining how your data is used. If you have questions about how your employer uses your data through our platform, please contact them directly.

3. What Personal Data We Collect

3.1 Data You Provide Directly

Depending on which of our services you use, the personal data you or your organisation provides may include:

 
Synergy Up Platform (Employee Up, Cash Up, Order Up, Report Up)

  • Employee names, contact details (phone, email, address), dates of birth

  • PPS numbers or other government-issued identification numbers

  • Bank account details and payroll information

  • Copies of passports, GNIB cards, visa documentation, or work permits

  • Employment contracts and HR documents

  • Emergency contact details

  • Staff scheduling and attendance data

  • Cash reconciliation records (names and login details of staff performing reconciliations)

  • Stock count and ordering data (names of staff, supplier email addresses)

  • Any personal data contained within reports uploaded to the platform

  • Names and email addresses of managers and administrators with platform access

  • Images or audio recordings uploaded through our service features

Synergy Stocktaking

  • Client contact details (names, email addresses, phone numbers, business addresses)

  • Names of staff involved in stocktaking operations

  • Operational data related to stock counts and inventory

Synergy Bookkeeping

  • Client contact details (names, email addresses, phone numbers, business addresses)

  • Financial records, invoices, receipts, and transactional data

  • Employee payroll data where bookkeeping services include payroll processing

  • Tax reference numbers and business registration details

Across All Services

  • Account registration details (name, email, password)

  • Payment and billing information (processed securely by Stripe)

  • Support ticket content and communications

3.2 Data We Collect Automatically

When you visit our websites or use our applications, we automatically collect certain technical information. This does not directly identify you but may include:

  • IP address, browser type and version, operating system

  • Device identifiers and technical information

  • Pages visited, time spent, referring URLs, and usage patterns

  • Log data including timestamps, error reports, and system activity

 

This information is collected through cookies and similar technologies (see Section 8 below).

3.3 Data from Third Parties

In limited circumstances, we may receive personal data from third parties such as integration partners (for example, Bizimply for workforce management) or from your employer when they set up your account on our platform.

4. Why and How We Use Your Data (Lawful Basis)

Under GDPR, we must have a lawful basis for every processing activity. The table below sets out our purposes and the corresponding legal basis under Article 6:

Purpose
Lawful Basis (Article 6)
Notes
Providing platform services and fulfilling our contract with you or your organisation
Contract performance (Art. 6(1)(b))
Necessary to deliver the service you or your employer have signed up for.
Processing payroll, HR, and employment data on behalf of your employer
Contract performance / Legal obligation (as determined by the client Data Controller)
We process this data on your employer's instructions under our DPA. Your employer determines the lawful basis.
Creating and managing your user account
Contract performance (Art. 6(1)(b))
Necessary to provide access to the platform.
Responding to support queries
Legitimate interest (Art. 6(1)(f))
Our legitimate interest in providing effective customer support.
Platform security, fraud prevention, and abuse detection
Legitimate interest (Art. 6(1)(f))
Our legitimate interest in maintaining a secure platform for all users.
Sending service-related communications (e.g. policy changes, security alerts)
Contract performance (Art. 6(1)(b))
Necessary operational communications related to the service.
Sending marketing communications
Consent (Art. 6(1)(a))
Only with your opt-in consent. You can withdraw consent at any time.
Website analytics and performance monitoring
Consent (Art. 6(1)(a))
Non-essential cookies are only set with your consent via our cookie banner.
Complying with legal and regulatory obligations (tax, employment law, GDPR)
Legal obligation (Art. 6(1)(c))
Where required by Irish, UK, or EU law.
Generating invoices and processing payments
Contract performance (Art. 6(1)(b))
Necessary to manage the commercial relationship.
Improving our services and developing new features
Legitimate interest (Art. 6(1)(f))
Our legitimate interest in improving the platform, balanced against your privacy rights.

Where we rely on legitimate interest as the lawful basis, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. You can request a copy of our Legitimate Interests Assessments by contacting privacy@synergyup.com.

Important: We do not use consent as the lawful basis for processing employment or payroll data. Employees are in an imbalanced relationship with their employer, which means consent cannot be freely given in that context. Contract performance or legal obligation is the appropriate basis for employment-related processing.

5. Who We Share Your Data With

We do not sell your personal data. We share your data only where necessary to deliver our services, comply with the law, or as described below.

5.1 Sub-Processors

We engage the following third-party sub-processors to operate our services. Each is bound by data protection obligations equivalent to those in our client Data Processing Agreements:

Sub Processor
Location
Purpose
Amazon Web Services (AWS) eu-west-1
Ireland
Cloud infrastructure and data storage
Cloudflare
EU nodes
Security, CDN, and DDoS protection
Stripe
Ireland / EU
Payment processing
Bizimply
Ireland
Workforce management integration (where applicable)
Spiceworks
United States
Customer support helpdesk
Open AI
United States
AI-assisted extraction of data from client invoices; may incidentally process personal data such as names and addresses contained within invoice documents

An up-to-date sub-processor list is maintained and available on request at privacy@synergyup.com. We will provide at least 30 days' notice to client organisations before adding a new sub-processor, giving them the opportunity to object.

5.2 Other Disclosures

We may also share your data with:

  • Professional advisors (legal, accounting, auditing) who are bound by professional confidentiality obligations

  • Law enforcement or regulatory authorities where required by law, court order, or governmental regulation

 

A successor entity in the event of a merger, acquisition, or business transfer, in which case we will notify you

6. International Data Transfers

All production personal data is stored in AWS eu-west-1 (Ireland) within the European Economic Area. We do not transfer your production data outside the EEA.

Our development and testing environments use only fully synthetic (non-personal) data, meaning no real personal data is accessible outside the EEA for development purposes.

 

Where any of our sub-processors are located outside the EEA (for example, Spiceworks in the United States), we ensure appropriate safeguards are in place. These safeguards include EU Standard Contractual Clauses (SCCs) approved by the European Commission, supported by Transfer Impact Assessments where required.

For transfers from the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as appropriate.

7. How Long We Keep Your Data

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods below apply to data we hold as a Data Controller:

Data Category
Retention Period
Reason
Active user account data
Duration of active subscription plus 30 days
Necessary to provide the service. Data is permanently deleted within 30 days of contract termination.
Payment and billing records
7 years from transaction date
Required by the Taxes Consolidation Act 1997 and accounting regulations.
Support tickets
3 years after closure
Legitimate interest in service improvement and dispute resolution.
Website analytics (cookies)
13 months maximum
Cookie expiry settings in line with regulatory guidance.
Marketing contacts (no engagement)
2 years from last interaction
After which data is suppressed or deleted.
Login and IP address logs
12 months
Security and legitimate interest in platform protection.
Platform audit logs
2 years
Security and compliance monitoring.
Contract and DPA records
7 years from end of contract
Legal compliance and dispute resolution.
Deleted user accounts
30 days (soft delete), then permanent purge
Allows for accidental deletion recovery before permanent removal.

Where we act as a Data Processor, your employer (the Data Controller) determines how long data is retained. As the Data Controller, your employer is responsible for retaining employee records for the periods required by applicable employment and tax law. They must download and retain any records they are legally required to keep before cancelling their subscription with us. On termination, we permanently delete all of the organisation's personal data within 30 days.

You may request a full export of your organisation's data in portable format (CSV) at any time before termination by contacting privacy@synergyup.com. Exports will be fulfilled within 5 working days.

8. Cookies and Similar Technologies

Our websites use cookies and similar technologies. Cookies are small text files stored on your device when you visit a website.

8.1 Types of Cookies We Use

Category
Purpose
Consent Required
Strictly Necessary
Essential for the website and platform to function (session management, security, authentication).
No (these are exempt under ePrivacy rules).
Functional
Remember your preferences and settings to improve your experience.
Yes
Analytics
Help us understand how visitors use our websites so we can improve them (e.g. page views, usage patterns).
Yes
Marketing
Used to deliver relevant advertising and track campaign effectiveness.
Yes

Non-essential cookies (functional, analytics, and marketing) are only set after you give your consent through our cookie banner.

 

Analytics tools such as Google Analytics are only loaded after consent is given. You can change your cookie preferences at any time through the cookie settings link on our websites.

You also have the right to refuse all non-essential cookies. If you decline non-essential cookies, we will not block your access to the website.

8.2 Managing Cookies in Your Browser

You can manage or delete cookies through your browser settings. Instructions for the most popular browsers:

  • Safari: support.apple.com/guide/safari/manage-cookies

  • Chrome: support.google.com/chrome/answer/95647

  • Edge: support.microsoft.com/en-us/microsoft-edge/manage-cookies

  • Firefox: support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

 

A separate Cookie Policy is available on each of our websites with full details of all cookies in use.

9. Your Rights Under GDPR

You have the following rights in relation to your personal data. These rights apply to data we hold about you as a Data Controller. Where we act as a Data Processor (processing data on behalf of your employer), your employer is responsible for responding to your rights requests, and we will assist them in doing so.

What This Means
Your Right
How to Exercise
You can request a copy of all personal data we hold about you.
Right of Access (Art. 15)
Contact privacy@synergyup.com. We will respond within one calendar month.
You can ask us to correct any inaccurate or incomplete data.
Right to Rectification (Art. 16)
Contact privacy@synergyup.com with the details to be corrected.
You can ask us to delete your data where we have no lawful reason to continue holding it.
Right to Erasure (Art. 17)
Contact privacy@synergyup.com. Note: we cannot erase data we are legally required to retain.
You can ask us to temporarily stop processing your data while a concern is resolved.
Right to Restrict Processing (Art. 18)
Contact privacy@synergyup.com with details of the restriction requested.
You can request your data in a structured, machine-readable format (CSV or JSON).
Right to Data Portability (Art. 20)
Contact privacy@synergyup.com. Fulfilled within one calendar month.
You can object to processing based on legitimate interest. For direct marketing, we will stop immediately.
Right to Object (Art. 21)
Contact privacy@synergyup.com. We will stop direct marketing without question.
You have the right to human review of any decision made solely by automated means that significantly affects you.
Rights Related to Automated Decisions (Art. 22)
Contact privacy@synergyup.com if you believe an automated decision has affected you.
Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Withdraw Consent (Art. 7(3))
Contact privacy@synergyup.com, or use unsubscribe links in marketing emails.

We will respond to all rights requests within one calendar month. If a request is complex or we receive a large number of requests, we may extend this by a further two months, but we will inform you within the first month if that is the case.

We may need to verify your identity before responding to a request. We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive.

If we act as a Data Processor for your data, we will forward your request to the relevant client Data Controller within 72 hours.

10. How We Keep Your Data Safe

We take the security of your personal data seriously and implement appropriate technical and organisational measures in line with Article 32 GDPR. These measures include:

  • Encryption of data at rest and in transit

  • Role-based access controls, ensuring staff only access data necessary for their role

  • Multi-factor authentication (MFA) for all platform users (Currently being Rolled Out)

  • Regular penetration testing by independent security assessors

  • Infrastructure monitoring and audit logging

  • Staff data protection training as part of onboarding and on an annual basis

  • Secure development practices including privacy by design and default

  • Incident response procedures to detect, contain, and respond to any security events

 

All data is stored on secure servers operated by Amazon Web Services in the EU (eu-west-1, Ireland). Access to personal data is restricted to employees, contractors, and agents who need it to operate, develop, or improve our services, all of whom are bound by written confidentiality obligations.

No method of transmission over the internet or electronic storage is completely secure. While we implement robust safeguards, we cannot guarantee absolute security. We encourage you to keep your account credentials confidential and to use strong, unique passwords.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (the Irish Data Protection Commission or UK Information Commissioner's Office) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR

  • Notify affected individuals without undue delay where the breach poses a high risk, as required by Article 34 GDPR

  • Where we act as a Data Processor, notify the affected client Data Controller within 72 hours so they can fulfil their own notification obligations

 

We maintain a breach register documenting all personal data breaches, including those that do not meet the threshold for supervisory authority notification, as required by Article 33(5) GDPR.

12. Data Processing Agreements

Where we act as a Data Processor on behalf of client organisations, we enter into a Data Processing Agreement (DPA) in accordance with Article 28 GDPR. Our standard DPA sets out the subject matter, duration, nature, and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of both parties.

Our standard DPA is available on request from privacy@synergyup.com and will be published for download on our Trust Centre at synergyup.com/trust.

Client organisations must accept our DPA before creating their organisation on the platform.

13. Third-Party Websites and Services

Our websites and platform may contain links to third-party websites and services such as Bizimply, Stripe, and others. These third parties have their own privacy policies and cookie practices which are not controlled by us. We are not responsible for the privacy practices of any third-party website.

We encourage you to read the privacy notice of every third-party website or service you interact with.

14. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@synergyup.com and we will take steps to delete such data.

15. How to Make a Complaint

If you are not satisfied with how we have handled your personal data or responded to a rights request, please contact us first at privacy@synergyup.com so we can try to resolve the matter.

If you remain dissatisfied, you have the right to lodge a complaint with a supervisory authority:

 

Irish Data Protection Commission (DPC)

Website: dataprotection.ie

Phone: +353 57 8684800

Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

 

UK Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Report a breach: ico.org.uk/make-a-complaint

16. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or data processing practices. The current version will always be available at synergyup.com/privacy-policy with the version number and date shown at the top.

Where changes are significant, we will notify you by email or through a notice on our platform. We encourage you to review this policy periodically.

If you do not agree with any changes, please cease using our services and contact us to discuss your concerns.

17. How to Contact Us

For all data protection queries, requests, or complaints:

 

Email: privacy@synergyup.com

Post: Data Protection Lead, ABS Synergy Ltd, 8-10 Coke Lane, Smithfield, Dublin, D07 EN2Y, Ireland

bottom of page