Privacy Policy

Last updated: 2 May 2026

Who we are

McNulty Automation is a sole trader business providing workflow automation services to small and medium-sized businesses, established in England and Wales. For any privacy matters, contact us at matthew@mcnultyautomation.com.

What data we collect

When you contact us via email or WhatsApp to enquire about our services, we may collect:

  • Your name and contact details (email address, phone number)
  • Your business name and type
  • Information you provide about your business needs

If you use the McNulty Automation client portal, we also collect:

  • Account data: your name, email address, and business details held in your portal profile
  • Authentication data: magic link tokens and session records used to verify your identity
  • Billing and payment data: your GoCardless direct debit mandate ID and payment status
  • Invoice and transaction records: sourced from Xero and displayed in your portal
  • Workflow execution logs: metadata only — workflow name, execution timestamp, status, and duration. No payload data (the content your automations process) is stored in the portal.

We use self-hosted, anonymised website analytics (PostHog) to understand how visitors use our website. No personally identifiable information is collected, and no IP addresses are stored.

Why we collect it (lawful basis)

  • Legitimate interests — to respond to enquiries and provide our services
  • Contractual necessity — to deliver automation services you have engaged us for
  • Legal obligation — to comply with tax and accounting requirements
  • Consent — for any marketing communications (you can withdraw at any time)

Who we share your data with

We do not sell your data. We use the following third-party processors, each acting under appropriate data protection agreements:

  • Google Workspace (US) — business email service used to receive and manage client enquiries. Covered by Google's Data Processing Amendment and standard contractual clauses.
  • Hetzner (DE/EU) — VPS infrastructure hosting our website and automation services.
  • Supabase (EU, Frankfurt) — client portal database storing contact details, billing information, and account data.
  • GoCardless (EU) — direct debit mandate and payment processing for monthly retainer collections.
  • Xero (NZ/AU/US) — invoicing and accounting. Servers may be located in New Zealand, Australia, or the United States. Covered by standard contractual clauses for UK GDPR compliance.
  • Resend (EU, eu-west-1) — transactional email delivery for portal access links, notifications, and support communications.
  • Cloudflare R2 (EU jurisdiction) — encrypted backup storage for system data. Data does not leave the EU.
  • PostHog (self-hosted, EU) — anonymous website analytics. Data is processed on our own EU-based infrastructure and does not leave our servers.

Where we process personal data on your behalf as part of delivering our services, this is covered by a separate Data Processing Agreement (DPA) agreed before work begins.

Data retention

We retain your contact data for as long as necessary to provide our services. Client business data is deleted within 30 days of contract termination. Accounting records are retained for 6 years as required by HMRC.

Data breaches

In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you without undue delay — and in any event within 48 hours of becoming aware of the breach. We will also report to the relevant supervisory authority within 72 hours where required by applicable data protection law (ICO for UK residents; DPC for Irish residents).

Your data protection rights

Under UK GDPR (for UK residents) and EU GDPR (for residents of the Republic of Ireland and other EU member states), you have the right to: access your data, correct inaccurate data, request deletion, restrict processing, data portability, and object to processing.

To exercise any of these rights, email us at matthew@mcnultyautomation.com. We will respond within 30 days.

You also have the right to lodge a complaint with the ICO at ico.org.uk. If you are based in the Republic of Ireland, you may instead lodge a complaint with the Data Protection Commission (DPC) at dataprotection.ie.