Privacy Policy
This Privacy Policy explains how Togra (operated by Scannain) collects, uses, shares, and protects personal data when you use the Togra service at togra.scannain.com. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), the UK General Data Protection Regulation as it applies in the United Kingdom ("UK GDPR"), and the Irish Data Protection Act 2018.
If you have any questions about this Policy or how we handle your data, contact us at niall@scannain.ie.
1. Who we are
Togra is a production-management application for Irish and UK independent film and television producers, used to manage development, finance, casting, contracts, S481 compliance, and related production operations.
The service is operated by:
Scannain
Niall Murphy
Email: niall@scannain.ie
Website: togra.scannain.com
In this Policy we refer to Scannain as "we", "us", or "Togra". The data controller for the categories of personal data described in section 4 is Scannain, except where indicated.
We do not have a Data Protection Officer because we are not required to appoint one under Article 37 GDPR. The contact above is your single point of contact for data-protection questions.
2. Who this policy applies to
This Policy applies to three groups of people:
- Account holders — producers, production staff, freelancers, and other industry professionals who hold a Togra login.
- Visitors — anyone visiting togra.scannain.com without logging in.
- Third parties whose data is entered into Togra by an account holder — typically cast, crew, suppliers, financiers, participants in net-profits or residuals, co-producers, and other production-related contacts.
For groups 1 and 2 we are the data controller. For group 3 we are typically a data processor acting on behalf of the producer or production company that holds the relevant Togra account; that producer is the controller of the personal data they enter about third parties. Section 11 of this Policy explains how that distinction affects your rights.
3. Lawful bases for processing
We process personal data on the following bases under Article 6(1) GDPR:
| Activity | Lawful basis |
|---|---|
| Operating your Togra account, providing the service, billing | Contract performance (6(1)(b)) |
| Maintaining audit logs, security, fraud prevention | Legitimate interests (6(1)(f)) |
| Sending service-essential emails (password resets, security alerts) | Contract performance |
| Sending optional product-update emails | Consent (6(1)(a)) — opt-in only |
| Producing S481 / AVEC / co-production / contract documents | Contract performance + legal obligation in Ireland or UK |
| Retaining records to meet S481 (6-year statutory retention) | Legal obligation (6(1)(c)) |
| Responding to lawful requests from Revenue, HMRC, DCCS, NI Screen, IFB, or other regulators | Legal obligation |
Where consent is the lawful basis, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Personal data we collect
4.1 Account data (you provide directly)
- Name, email address, hashed password
- Group membership (which production company you belong to within Togra)
- Persona / role (e.g. Lead Producer, Casting Director, Production Accountant)
- Default landing-page preference, calendar-feed token
- Audit-log entries linking your user ID to actions you take in the system
4.2 Company / group profile data (entered by producers)
- Producer-company legal name, CRO / Companies House number, registered address
- Director and Company-Secretary names and addresses
- Bank account details (IBAN/BIC, sort code/account number) and VAT registration numbers
- Insurance policy details (Employers' Liability, Public Liability, Producer's Indemnity)
- Trade-body memberships (PACT, Screen Producers Ireland)
- S481-relevant attestations (Deggendorf clearance, sole-purpose attestation)
- 15%+ shareholders' names, ownership percentages, tax-clearance certificate numbers, valid-until dates
4.3 Project data (entered by producers)
- Project title, synopsis, logline, schedule, completion dates
- Cast and crew names, roles, tax residency, contracted days, fees, contact details where the producer chooses to capture them
- Casting workflow: candidate names, audition status, casting-director notes
- Locations, contracts, completion bond, pre-sales, soft-money, broadcaster commissions
- Suppliers (name, country, VAT, connected-persons flag, notes)
- Net-profits participants (writers, directors, principal cast, profit-share holders, residual recipients), including their participation percentages and contact details
4.4 Technical and usage data (collected automatically)
- Session cookie storing your authenticated session
- Server access logs (IP address, request path, response code, user agent, timestamp) retained for security and operational diagnostics
- We do not deploy third-party analytics (Google Analytics, Hotjar, etc.) on togra.scannain.com
- We do not use behavioural advertising cookies
- We do not feed your data into any AI / ML system
4.5 Communications
- Emails you send to us (e.g. support requests) and our replies
- Optional product-update emails where you have opted in
5. How we use your data
We use personal data for the purposes listed below and for no other purpose without your knowledge:
- Operating the service — authenticating logins, displaying your projects, generating PDFs (contracts, residuals statements, S481 application packs, etc.), sending notification emails
- Statutory documents — preparing S481 application packs (cultural-cert applications, interim-claim packs, final-claim packs, compliance reports), AVEC IFTC documentation, transparency reports under EU Directive 2019/790 Article 19
- Compliance — meeting our own legal obligations (statutory record-keeping, responding to lawful regulator requests, fraud prevention)
- Security — detecting and preventing unauthorised access, abuse, and breach
- Service improvement — diagnosing bugs, planning new features (we do not profile users for marketing)
We do not sell personal data to third parties. We do not share personal data with advertisers.
6. Who we share data with
6.1 Sub-processors
We use a small number of sub-processors who help us run the service:
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| DreamHost, Inc. | Web + database hosting + transactional email (SMTP) | United States | EU-US Data Privacy Framework / Standard Contractual Clauses |
We do not share personal data with any other third party except where required by law.
6.2 Within your group
Other members of your Togra group (your producer's Lead, Members, Production Manager, Casting Director, Production Accountant, etc.) can see project data shared within that group. Group access is governed by the persona model.
6.3 With co-producers
Where a project has co-production partners, certain project data may be visible to users belonging to the co-producer's group, again governed by the persona / co-production model.
6.4 With regulators and auditors
We will disclose personal data to Revenue, HMRC, DCCS, the Irish Film Commission, Northern Ireland Screen, the British Film Institute, Coimisiún na Meán, or other competent authorities where required by law or court order, or where you authorise the disclosure as part of a S481, AVEC, broadcaster, or funder application.
6.5 Business transfer
If Scannain is sold, merged, or restructured, personal data may be transferred to the new owner subject to the same protections as set out in this Policy. We will notify you in advance of any such transfer.
7. International transfers
Some of our sub-processors are based outside the EEA (notably DreamHost in the United States). Where personal data is transferred outside the EEA we rely on:
- The EU-US Data Privacy Framework adequacy decision (where the recipient is certified), or
- Standard Contractual Clauses adopted by the European Commission, with supplementary measures where required
We do not transfer personal data to jurisdictions without an adequacy decision or appropriate safeguards.
8. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
| Data category | Retention period |
|---|---|
| Account data (active accounts) | While the account is active |
| Account data (closed accounts) | 30 days after closure, then deleted; encrypted backups for up to 90 days |
| Project records (general) | While the producer holds the account; can be deleted at the producer's request |
| S481-related records (cultural cert, claims, books and records, contracts, payroll, invoices) | 6 years from the later of completion of the qualifying film or the final claim under section 481(2G)(b)(ii), per Regulation 8 of S.I. 119/2019 |
| AVEC / UK Audio-Visual Expenditure Credit records | 6 years from the end of the relevant accounting period, per HMRC requirements |
| Audit logs | 2 years |
| Server access logs | 90 days |
| Tax records (Scannain's own corporation tax / VAT records) | 7 years |
| Email correspondence | 7 years |
Where a longer retention is required by law, we retain only what is necessary for that legal obligation.
9. Your rights
Subject to the conditions in GDPR, you have the following rights with respect to personal data we hold about you:
- Right of access (Article 15) — a copy of your personal data and the supplementary information set out in this Policy
- Right to rectification (Article 16) — correction of inaccurate or incomplete personal data
- Right to erasure (Article 17) — deletion of personal data we no longer have a lawful basis to hold (subject to legal-obligation overrides such as S481 6-year retention)
- Right to restriction (Article 18) — restrict processing while a dispute is resolved
- Right to portability (Article 20) — receive your personal data in a structured, machine-readable format and transmit it to another controller
- Right to object (Article 21) — object to processing based on legitimate interests; we will stop unless we demonstrate compelling overriding legitimate grounds
- Right not to be subject to automated decision-making (Article 22) — Togra does not make automated decisions about you with legal or similarly significant effects
- Right to withdraw consent — for any processing based on consent, withdraw at any time
To exercise any of these rights, contact niall@scannain.ie. We aim to respond within 30 calendar days. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the supervisory authority:
Data Protection Commission (Ireland)
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Tel: +353 (0)761 104 800
Web: dataprotection.ieOr the Information Commissioner's Office (UK): ico.org.uk
10. Security
We protect personal data with:
- TLS encryption for all data in transit (HTTPS)
- Hashed-and-salted password storage (bcrypt)
- Application-level access controls based on the persona model
- Audit logging of every meaningful action
- Server-level firewalling and patched OS / PHP / MySQL stack
- Encrypted backups with key custody by Scannain only
- Principle of least privilege for sub-processor access
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Commission within 72 hours of becoming aware, in accordance with Article 33 GDPR.
11. Producer-controlled data (third-party data subjects)
If you are a cast member, crew member, supplier, financier, profit-share participant, or other third party whose personal data has been entered into Togra by a producer, please note:
- The producer (the Togra account holder who entered your data) is the data controller for that data.
- We are a data processor acting on the producer's instructions.
- Your rights of access, rectification, erasure, etc. are exercisable against the producer, not against Togra directly.
- We will assist the producer in responding to your request under our data-processing terms.
If you are unsure who the controlling producer is or if you cannot reach them, you may contact us at niall@scannain.ie and we will identify them and forward your request.
12. Children
Togra is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child's data has been entered into Togra, contact us and we will investigate and delete the data if appropriate.
13. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be notified to account holders by email at least 30 days before they take effect.
A history of policy versions is available on request.
14. Contact
For all data-protection enquiries, including data-subject rights requests:
Niall Murphy (Scannain)
niall@scannain.ie
For complaints you cannot resolve with us, contact the Data Protection Commission at dataprotection.ie or your equivalent national authority.