PRIVACY POLICY (Full Technical Version)

Last Updated: 02/03/2026

Data Controllers: Richard Foudy and Peter Cusack

This Privacy Policy explains how Theory & Practice (‘we’, ‘us’, ‘our’) processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), the Digital Services Act (Regulation (EU) 2022/2065 – DSA), and the Irish Data Protection Act 2018. As a provider of intermediary services (specifically a “Hosting Service”), we are committed to the principles of lawfulness, fairness, and transparency.

1. Data Controller and Contact Information

Theory & Practice acts as the Data Controller for all personal data collected via our website and Learning Management System (LMS).

Contact Person: Richard Foudy

Designated Electronic Point of Contact: [email protected]

Address: Gola, Bailieborough, Co. Cavan, Ireland

2. Categories of Personal Data and Lawful Basis

| Category of Personal Data | Purpose of Processing | Lawful Basis (GDPR Article 6) |
| --- | --- | --- |
| Registration Data (Name, Email Address, Book Access Code) | Account creation and access to E-learning course via LifterLMS. | Art. 6(1)(b) – Contractual Necessity: Performance of a contract to provide educational services. |
| Scholarship Data (Project PDFs, Photographs) | Assessment and administration of scholarship. | Art. 6(1)(f) – Legitimate Interests: Administration of academic competitions. |
| School Information (School Name, Address, Roll Number) | Verification of enrolment and account management. | Art. 6(1)(f) – Legitimate Interests: Supporting the Irish secondary school framework. |
| Technical Data (IP Address, Login Logs) | Website security and fraud prevention. | Art. 6(1)(c) & Art. 6(1)(f) – Legal Obligation / Legitimate Interests: Ensuring security of processing. |
| Transaction Data (Name, Address, Eircode, Phone Number) | Fulfilment of physical goods and invoicing. | Art. 6(1)(b) – Contractual Necessity: Performance of a contract and fulfilment of sales orders. |

3. Data Processors and Third Parties

We engage selected third-party service providers under Article 28 GDPR Data Processing Agreements.

Infrastructure: DigitalOcean (London, UK) – Hosted under EU Adequacy Decision for the UK. DigitalOcean maintains high-level industry certifications, including SOC 2 Type II and SOC 3 Type II, ensuring rigorous independent auditing of its security, availability, and confidentiality controls. They also hold Global CBPR (Cross-Border Privacy Rules) certification for secure international data flows.

Payments: Mollie (Amsterdam, Netherlands) – Secure processing of website transactions. We do not store or see your credit card details; these are handled directly by Mollie in accordance with PCI-DSS standards.

Fulfilment: Magazine Mailing Services (Dublin, Ireland) – Shipping of physical goods. Data is shared via a secure, password-protected cloud storage service.

Security: Cloudflare and Wordfence (USA) – Real-time security monitoring, DDoS protection, and fraud prevention. These tools process IP addresses and login logs to ensure the ongoing resilience and safety of our website.

IT and Web Development: Crescentek (India) – Website functionality and security.

Professional Advisers: Visio Advisory Chartered Accountants (Dublin, Ireland). We share necessary financial and transaction data to fulfil our statutory legal obligations regarding tax reporting and financial auditing in Ireland.

4. Minor Protection and Parental Consent

In compliance with the Irish Data Protection Act 2018 and GDPR Article 8, the age of digital consent in Ireland is 16 years.

Learning Management System (E-learning) users under 16 must obtain parental or guardian consent before registration.

We implement “Data Protection by Design” to ensure that, by default, student data is not accessible to unauthorised parties, in accordance with Article 25 of the GDPR.

5. Data Retention

Junior Cycle Data: Retained for 3 years unless progression occurs.

Senior Cycle & Scholarship Data: Retained for 2 years.

Financial Records: Retained for 6 years in accordance with Irish tax law.

Expired data is securely deleted from primary systems and backups in line with rotation schedules.

6. Your Rights as a Data Subject

Under GDPR, users (or their parents/guardians) have the following rights:

Right of Access: To receive a copy of your personal data.

Right to Rectification: To correct inaccurate information.

Right to Erasure: To request the deletion of your data when it is no longer necessary.

Right to Object: To stop the processing of data for specific reasons.

To exercise these rights, please contact [email protected]. We respond within one month, as required under Article 12 of the GDPR.

7. Regulatory Oversight and Complaints

If you are dissatisfied with our handling of your data, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC). For matters related to illegal content or moderation under the DSA, you may contact Coimisiún na Meán.