Effective date: 1st January 2026

Company Bureau Formations ULC (“CBF”, “we”, “us”, “our”) is committed to protecting your personal data. This Privacy Notice explains how we collect, use, disclose and protect personal data, and outlines your rights.

We provide company formation and company secretarial services, registered office and virtual office services, trustee services, mail handling/scanning, and related compliance services in Ireland.

1) Who we are (Controller)

Controller: Company Bureau Formations ULC, The Black Church, St. Mary’s Place, Dublin 7.

Email: formations@companybureau.ie

We act as Data Controller for most activities described here (e.g., AML/KYC, CRO and RBO filings, client relationship management). For certain activities carried out strictly on your documented instructions, we may act as Data Processor.

2) What data we collect

Identity & contact data: name, email, phone, address, job title.

KYC/AML data: ID documents, proof of address, beneficial ownership details.

Company/filing data: officers, shareholders, PSC/beneficial owners, CRO/RBO identifiers.

Financial & billing data: invoices, payments, tax numbers.

Website data: device, browser, IP address; cookie/consent choices (see Cookies Policy).

Communications/Support: emails, forms, records of interactions.

3) Why we use your data and our legal bases

We process personal data for the purposes and legal bases below:

To provide our services and manage our relationship (company formations, filings, registered office, mail handling, helpdesk): performance of a contract (Art. 6(1)(b)) and legitimate interests (to operate and improve our services) (Art. 6(1)(f)).

AML/KYC checks and regulatory obligations (Criminal Justice Act 2010 as amended, TCSP obligations; RBO/CRO filings): legal obligation (Art. 6(1)(c)) and, where relevant, substantial public interest under national law. We must retain certain AML/KYC records for five years after the relationship ends.

Client communications & operations (service updates, reminders about compliance/annual returns, onboarding administration): performance of a contract and legitimate interests (efficient service delivery).

Direct marketing to existing customers about similar services: legitimate interests / ePrivacy “soft‑opt‑in” where permitted, always with opt‑out. New prospects require consent where ePrivacy applies.

Analytics & non‑essential cookies: consent obtained via the cookie banner; strictly necessary cookies do not require consent.

Legal claims, security, fraud prevention: legitimate interests and/or legal obligation.

Where we rely on legitimate interests, we balance our interests against your rights and expectations (Legitimate Interests Assessment).

4) Where we get data from

Directly from you (forms, emails, phone, onboarding, ID verification).

From your professional advisors/agents, or company officers you nominate.

From public registers and authorities (e.g., CRO, RBO) and reputable due diligence sources.

If we obtain data indirectly, we will provide you with the information required by GDPR Art. 14 within the applicable timeframe.

5) Who we share data with (recipients)

We share personal data only as necessary for the purposes above, with appropriate contracts and safeguards:

Authorities & registries:

  • CRO
  • RBO
  • Revenue
  • Law enforcement (where legally required)

Our service providers (“processors”):

  • Identity/AML verification (e.g., ID verification platforms).
  • IT & cloud hosting (e.g., Microsoft 365), email and telephony.
  • CRM, accounting and billing platforms, document automation/e‑signature.
  • Couriers/post and secure shredding.
  • Professional agents/partners involved in delivering your chosen service (e.g., foreign filings or document legalisation).

We maintain contracts with processors per GDPR Art. 28 and keep an up‑to‑date list available on request.

6) International transfers

Some providers may process data outside the EEA. Where this happens, we use lawful transfer tools such as the EU Standard Contractual Clauses (SCCs) and conduct transfer risk assessments where appropriate.

7) How long we keep data (retention)

We keep personal data only as long as necessary for the purposes collected, including to satisfy legal, accounting, or reporting requirements. Typical periods include:

  • Client files (contractual records): duration of relationship + a reasonable period for queries/claims.
  • AML/KYC records: five years after the business relationship ends (statutory requirement).
  • RBO/CRO filings and statutory company records: as required by law.
  • Marketing data: until you opt out or we determine it is out-of-date.

Where precise periods cannot be fixed, we apply documented criteria (nature of data, legal limits, risk and operational needs).

8) Your rights

You have the right to access, rectify, erase, restrict or object to processing, and the right to data portability (where applicable). Where we rely on consent, you can withdraw consent at any time (this does not affect processing before withdrawal). You also have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie).

How to exercise your rights: email formations@companybureau.ie. We may need to verify your identity to protect your data. We respond within the statutory timeframe.

9) Cookies and similar technologies

We use cookies and similar technologies to operate our website, remember preferences, and (where you consent) to measure and improve performance.

Strictly necessary cookies are essential and do not require consent.

Analytics/marketing cookies run only with your explicit consent via our cookie banner.

You can change or withdraw your cookie choices at any time via the banner link. See our Cookies Policy for the cookie table, purposes and lifespans.

10) Direct marketing

We may email existing customers about similar services, with an easy way to opt out in every message (“soft opt‑in” where permitted by ePrivacy). We will otherwise only send electronic marketing with your opt‑in consent. You can opt out at any time.

11) Security

We implement technical and organisational measures to protect personal data (access controls, encryption, role‑based access, secure disposal, and staff training). We assess our suppliers and require appropriate security in contracts. We notify the DPC and affected individuals of personal data breaches as required by law.

12) Children

Our services target business customers. We do not knowingly collect data from children. If you believe a child has provided us with data, please contact us and we will take appropriate steps.

13) Changes to this Notice

We may update this Notice to reflect legal, technical or business developments. We will post the latest version on this page and update the effective date.

14) Contact us

Questions about this Notice or our data practices:

Email: formations@companybureau.ie

Address: The Black Church, St. Mary’s Place, Dublin 7.

Supervisory Authority (Ireland): Data Protection Commission – see contact details at dataprotection.ie.