Privacy notice
Version 1.0.2 · May 2026
1. Who we are
Stillbound Limited ("Stillbound", "we", "us") operates CaskIQ — an operating intelligence platform for distilleries, bonders, and blenders. This is a B2B privacy notice. It is not directed at consumers.
Data controller: Stillbound Limited, Ireland. Privacy queries: hello@stillbound.ai
2. What we process and why
We process two categories of personal data:
As data controller — account and identity data (name, email, job title), authentication data (hashed passwords, MFA), usage and audit logs, and commercial communications. Legal bases: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), and consent for marketing (Art. 6(1)(a)).
As data processor on your behalf — personal data embedded in your cask records and documents: staff names, warehouse manager attributions, tasting-note authors, cask owner identifiers, and supplier references. Stillbound processes this data solely to deliver the contracted service. Your distillery is the data controller for this category. Processing is governed by the DPA.
3. How we use data
- To provide and secure the CaskIQ platform: ingestion, metric calculation, dashboards, actions, and audit trails.
- To detect and respond to security incidents and unauthorised access.
- To send service communications (updates, maintenance, security notices) as necessary for the contract.
- To send marketing communications — only with your consent, which you can withdraw at any time.
We do not sell personal data. We do not use customer data for automated decision-making that produces legal or similarly significant effects. We do not use customer-identifiable data to train third-party AI models.
4. AI and model processing
CaskIQ runs on deterministic services on our infrastructure. In standard operation, your cask records and uploaded documents are not sent to a third-party LLM. No customer data is used to train third-party AI models.
Optional AI-assisted features — where contracted as an uplift tier — run under commercial AI provider agreements with no-training terms, are listed in your DPA subprocessor schedule, and can be disabled at tenant level on written request. No AI tier is activated without a contract amendment and customer acknowledgement.
5. Subprocessors
| Function | Location |
|---|---|
| Managed database, authentication & object storage | EU region |
| Hosting and deployment | EEA / US |
| Transactional email (account invites, password resets) | EU adequacy region |
| Application error monitoring — customer personal data scrubbed before transmission | EU region |
We give at least 30 days' notice before adding or replacing a subprocessor, and you may object on reasonable data-protection grounds (see the DPA). Product-analytics processing (PostHog, EU Cloud) is listed as a subprocessor only for tenants where usage telemetry is enabled; it is off by default. Full subprocessor register available on request. Customer data is stored in the EU; international transfers outside the EEA are governed by the EU Standard Contractual Clauses, relied on with the EU–US Data Privacy Framework where a US subprocessor is certified.
6. Retention
| Category | Period |
|---|---|
| Account data | Duration of contract + 7 years |
| Uploaded cask and operational data | Duration of contract + period agreed in DPA |
| Regulatory and financial records | 7 years minimum (Irish Revenue requirement) |
| Audit logs | 3 years |
| Marketing consent records | Until withdrawn + 3 years |
7. Your rights
Where Stillbound processes data as data controller, you have rights under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). Exercise any right by emailing hello@stillbound.ai. We will respond within one calendar month.
Where Stillbound processes data as data processor on your behalf, rights requests should be directed to your distillery as data controller. We will assist you in responding as required by the DPA.
You have the right to lodge a complaint with the Data Protection Commission (Ireland): dataprotection.ie.
8. Security
- TLS encryption in transit; encryption at rest for databases and object storage.
- Tenant isolation — each customer's data is logically separated.
- Role-based access control and least-privilege access.
- Multi-factor authentication for all Stillbound admin accounts.
- Audit logs for data import, export, sensitive record access, and user management.
We will notify affected customers and the Data Protection Commission of a personal data breach within 72 hours of becoming aware of it.
9. Contact
Data protection queries and rights requests: hello@stillbound.ai