Privacy Policy Update — May 2026
Purpose: target additions to FCR Media Ireland's public privacy notice (currently embedded as Section 7 of https://fcrmedia.ie/terms-and-conditions) to cover LLM-based processing of communications and to publish a sub-processors list.
Scope: Controller flow only — i.e. personal data FCR processes about its own prospects, visitors and inbound communications. The processor flow (client-owned personal data, governed by the DPA embedded in the commercial agreement) is not covered by this update and needs a separate review of the commercial-agreement DPA template (see "Open items" below).
Status: Draft for review by FCR Media Ireland's legal / DPO function before publication. Items marked [verify] require confirmation against contracts.
A. Automated processing of communications and content (new insert into Section 7)
Insert after the existing "legitimate interests" / right-to-object language.
Automated processing of communications and content
We use automated language-processing services to help us classify, draft responses to, and route communications you send us (including emails, support tickets and chat messages), and to analyse internal records relating to your account. A member of our team is responsible for any decision taken on foot of your communication; no decisions producing legal or similarly significant effects on you are taken solely by automated means.
The providers we engage for this purpose include Anthropic, PBC, OpenAI Ireland Ltd. and Google LLC (Gemini). Each acts as our processor under written terms that include the European Commission's Standard Contractual Clauses (Modules 2 and 3, 4 June 2021) where personal data is transferred outside the European Economic Area. None of these providers uses your data to train their general models when accessed via the business interfaces we use.
You may object to this processing at any time under Article 21 GDPR by contacting data@goldenpages.ie. If you object, we will revert to manual handling of your communications.
B. International transfers (replacement for existing vague SCCs line)
Current text in Section 7:
"safeguards in the form of EU Commission approved standard contractual clauses will be implemented for transfers"
Replacement:
Where we transfer Personal Data outside the European Economic Area, we rely on one or more of the following safeguards: (a) the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); (b) certification of the recipient under the EU-US Data Privacy Framework, where applicable; or (c) an applicable adequacy decision under Article 45 GDPR. The list of our sub-processors and the safeguard applying to each is published at fcrmedia.ie/sub-processors and is updated when sub-processors change.
C. Sub-processors page (new standalone page)
Suggested URL: fcrmedia.ie/sub-processors. Link from Section 7 of the privacy policy.
Sub-processors — FCR Media Ireland
The following sub-processors are engaged in delivering our services. We update this list when sub-processors change. To request the relevant transfer safeguard or the data-processing terms applying to any sub-processor, contact data@goldenpages.ie.
Last updated: [YYYY-MM-DD]
| # | Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|---|
| 1 | HubSpot, Inc. | CRM, deal pipeline, marketing automation, contact records, sales communications | United States | SCCs + EU-US DPF |
| 2 | Anthropic, PBC (Claude) | Automated classification, drafting and analysis of communications and internal content | United States | SCCs (EU Commission Modules 2 + 3, 4 June 2021); per Anthropic DPA effective 24 Feb 2025 |
| 3 | OpenAI Ireland Ltd. (with onward processing by OpenAI OpCo, LLC) | Automated classification, drafting and analysis of communications and internal content | Ireland (primary contracting entity for EEA customers) / United States (onward) | Intra-EU contract with OpenAI Ireland Ltd.; SCCs (Modules 2 + 3) cover onward transfers to US affiliates; per OpenAI DPA v.010126 |
| 4 | Google LLC (Gemini, Google Workspace AI features) | Automated classification, drafting and analysis of communications and internal content | United States | SCCs + EU-US DPF |
| 5 | Teamwork.com Ltd (Teamwork Desk) | Client support ticketing | Ireland (EU) | No transfer outside EEA |
| 6 | Teamwork.com Ltd (Teamwork Projects) | Project management and delivery tracking | Ireland (EU) | No transfer outside EEA |
| 7 | Intuit Inc. (Mailchimp) | Email marketing and client newsletters | United States | SCCs + EU-US DPF |
| 8 | Microsoft Ireland Operations Ltd (Microsoft Teams) | Internal collaboration, client meetings and recordings | Ireland / EU Data Boundary | SCCs where US transfer occurs; otherwise EU Data Boundary |
| 9 | Microsoft Ireland Operations Ltd (Outlook / Exchange Online) | Business email and calendaring | Ireland / EU Data Boundary | SCCs where US transfer occurs; otherwise EU Data Boundary |
| 10 | Roam HQ Inc. (Ro.am) | Internal chat, meetings, calendar, AI assistant interface, meeting transcription | United States (Brooklyn, NY) | Governed by a separately executed Enterprise Agreement between FCR Media and Roam HQ Inc. (transfer safeguard to be quoted from that agreement — typically SCCs Modules 2 and 3 for processor processing). Roam's standard ToU defers all data-governance terms to this Enterprise Agreement. |
| 11 | Wix.com Ltd | Website hosting and editor for certain client websites | Israel (adequacy decision) / United States | Adequacy decision (Israel) + SCCs where applicable |
| 12 | Mono Solutions ApS | Website builder platform for certain client websites | Denmark (EU) | No transfer outside EEA |
| 13 | WordPress hosting — see note | CMS for certain client websites | Depends on hosting provider | See note |
Note on WordPress. WordPress is open-source software, not a sub-processor in its own right. When FCR builds a client site on WordPress, the actual sub-processor is the hosting provider (e.g. WP Engine, Kinsta — list actual partners) or Automattic Inc. (WordPress.com / VIP) if that is what is in use. This row needs to be split or rewritten based on actual hosting relationships before publication.
Open items before publication
- Ro.am — Enterprise Agreement in place; obtain copy for the file. FCR has an executed Enterprise Agreement with Roam HQ Inc. (confirmed 2026-05-13). Standard ToU defers all processor-data-governance terms to this agreement. Action: locate the executed Enterprise Agreement, confirm it contains SCCs Modules 2/3 (or equivalent transfer mechanism), confirm sub-processor authorisation + change-notice language, and store the PDF with the other countersigned vendor DPAs. Separately, request Roam's sub-processor list — their privacy policy references unnamed "AI providers" for transcription/summarisation, which need to flow into FCR's own sub-processor disclosure.
- Resolve the WordPress row — name actual hosting partners, or replace with Automattic Inc. if using WordPress.com / VIP.
- Audit the list for completeness. Likely missing candidates that touch client personal data in current operations: Cloudflare (worker / CDN), Google Cloud (BigQuery / GCS), iovox (call tracking), SerpAPI, Ahrefs, any payment processor, any SMS provider. Add what's in use, remove what isn't.
- Commit to a notice period for new sub-processors (industry norm: 30 days, with right to object). OpenAI's DPA already specifies 30 days at their layer — FCR can match this in its own notice commitment.
- DPO contact line.
data@goldenpages.ieis the current mailbox — confirm it is monitored to the Art. 12(3) one-month standard. - Obtain countersigned DPA PDFs naming FCR Media Ireland Ltd as Customer for audit-defence, even though click-through binding is already in force:
- Anthropic — request via console / contact.
- OpenAI — complete the "Execute Data Processing Agreement" form linked at the end of their DPA (https://openai.com/policies/data-processing-addendum).
- Google — equivalent process for whichever surface is in use (Cloud DPA or Workspace DPA).
- Subscribe to sub-processor change notifications at https://www.anthropic.com/subprocessors and https://platform.openai.com/subprocessors so Art. 28(2) notices actually reach FCR.
Out of scope — but parallel work needed
This update fixes the controller flow (FCR's processing of its own prospects' and visitors' data).
The processor flow — FCR processing client-owned personal data on the client's behalf, governed by the DPA embedded in FCR's commercial agreement — needs a separate review:
- Does the embedded DPA contain a general written authorisation for sub-processors plus a notification mechanism (Art. 28(2))? If yes, this new
fcrmedia.ie/sub-processorspage can serve as that mechanism — but the DPA must reference it. - Does the embedded DPA contemplate automated language-processing tools / AI sub-processors? If not, a one-line amendment is the lightweight fix.
- Is there a notice period and an objection mechanism for new sub-processors?
Owner: whoever maintains FCR's commercial-agreement templates.
Structural observations (not blocking)
- The privacy policy is currently embedded as Section 7 of a Terms & Conditions page. Most regulators expect a standalone, separately-linked privacy notice for Art. 12 transparency. Worth flagging to whoever owns the site.
- The fcrmedia.com privacy policy is materially weaker than the fcrmedia.ie version and may not be aligned to current EU-US transfer mechanisms. Out of scope here but worth a follow-up if .com handles EU data.
FCR Dashboard documentation · generated from docs/ · keep counts verified, not guessed.