Smart Operator Ltd ("Smart Operator") is the owner of Smart Operator. Smart Operator Ltd, as a Responsible Party or Data Controller, collects, uses, shares and holds certain Personal Information about data subjects. Personal Information must be Processed in accordance with applicable Data Protection Laws, including:
Smart Operator is committed to adhering to these Data Protection Laws, and any other applicable Data Protection Laws. Smart Operator recognises the need to treat Personal Information in an appropriate and lawful manner and is committed to complying with its obligations in this regard.
This Privacy Policy applies to all individuals who work for, with or on behalf of Smart Operator. Personal Information may be provided to Smart Operator by the data subject directly or by a third party.
This Privacy Policy describes how Smart Operator uses Personal Information collected from:
This policy applies to all Employees of Smart Operator and all persons who process personal information of data subjects for, with or on behalf of Smart Operator.
The Personal Information Smart Operator holds about data subjects may differ depending on the relationship, including the type of communications between Smart Operator and the data subject and the services Smart Operator provides. Personal Information generally falls within one of the following categories — current, past and prospective:
Smart Operator endeavours to keep Personal Information accurate and up to date, stored in as few places and with as few copies as is reasonably possible. Staff are trained not to create unnecessary additional copies of Personal Information. Further detail is set out in Schedule 2.
Smart Operator uses Personal Information to carry out its business activities. The purposes for which Smart Operator uses a data subject's Personal Information are set out in detail in Schedule 2.
Smart Operator may use automated decision-making tools where a person is not involved in the decision. Smart Operator typically uses these tools when making straightforward decisions about a data subject. Where this is the case, Smart Operator may provide the data subject with additional information at the time to aid understanding.
Smart Operator is responsible for looking after Personal Information in accordance with this Privacy Policy, internal standards and procedures, and the requirements of Data Protection Laws. Employees, service providers and contractors who process personal information on behalf of Smart Operator are obliged to comply with this Privacy Policy when doing so.
In connection with the purposes described in section 4, Smart Operator may need to share Personal Information with third parties. The types of third parties are described in Schedule 2.
In addition to those persons referred to in Schedule 2, Personal Information may be accessible to administrators, legal service providers, accountants, third-party technical service providers and IT companies who are appointed, if necessary, as Data Processors or Operators by Smart Operator. The updated list of these parties may be requested at any time.
When Smart Operator provides Personal Information to third parties, those third parties will be selected carefully and required to use appropriate measures to protect the confidentiality and security of the Personal Information, in accordance with applicable Data Protection Laws.
Smart Operator endeavours to keep Personal Information of European, UK and South African users inside Europe. However, certain data processors are in other countries where the data subject's Personal Information may be transferred or processed on behalf of Smart Operator — limited to countries with particular circumstances that protect personal information.
When making these transfers, Smart Operator will take steps to ensure that the Personal Information is adequately protected and transferred in accordance with Data Protection Laws, including the use of standard contractual clauses or other mechanisms recognised by the European Commission. For further information, contact the Information Officer/Data Protection Officer using the details in Schedule 4.
Smart Operator uses appropriate technical, physical, legal and organisational measures that comply with Data Protection Laws to keep Personal Information secure. Further detail is described in Smart Operator's Information Security Policy and Data Breach Policy, obtainable from the contact details in Schedule 4.
To comply with Data Protection Laws, Smart Operator must describe the legal justification it relies on for using Personal Information. The main legal justifications are described in Schedule 2. Smart Operator's legitimate interests include:
For Processing of more Sensitive Personal Information, Smart Operator will rely on either consent, or that use is necessary for the establishment, exercise or defence of legal claims. Processing of Personal Information relating to criminal convictions and offences is subject to the requirements of applicable laws.
Smart Operator may record meetings with employees in order to: improve service standards through feedback and training; address queries, concerns or complaints; prevent, detect and investigate crime; and comply with legal and regulatory obligations.
Smart Operator monitors electronic communications of employees (for example, emails) to protect employees, the business, IT infrastructure and third parties — including identifying inappropriate communications and removing viruses or other malware. The use of CCTV also involves Processing of Personal Information, including video footage.
Smart Operator will keep Personal Information for as long as is necessary for the purposes for which it was collected. Once the relationship comes to an end, Smart Operator will retain such Personal Information for a period that allows it to: (a) comply with legal record retention requirements; (b) defend or bring legal claims; (c) maintain records for business analyses and audit; and (d) address complaints and other issues.
Smart Operator endeavours to ensure that Personal Information kept is relevant and not excessive to achieve the purposes for which it is held. Personal Information will be deleted once that purpose is achieved or it is no longer required. For further information about retention periods, contact the Information Officer/Data Protection Officer using the details in Schedule 4.
Schedule 3 sets out a summary of the data protection rights available to data subjects in Europe, the UK and South Africa. These rights may only apply in certain jurisdictions or circumstances and are subject to certain legal exemptions. To exercise any of these rights, contact the Information Officer/Data Protection Officer using the details in Schedule 4.
For any questions or concerns about the way Smart Operator uses Personal Information, please contact the Information Officer/Data Protection Officer at the email address in Schedule 4.
Smart Operator reviews this Privacy Policy regularly and reserves the right to make changes at any time to take account of changes in the business, legal requirements, and the manner in which Smart Operator processes Personal Information. This Privacy Policy was last updated on the date indicated on the cover page.
| Term | Definition |
|---|---|
| Data Controller / Responsible Party | The entity that controls Personal Information, by deciding why and how such Personal Information is Processed. |
| Data Processor / Operator | The party that Processes Personal Information on behalf of the Data Controller (for example, a payroll service provider). |
| Personal Information / Personal Data | Any information relating to a living individual which allows the identification of that data subject — including a name, identification number, location details, or any other information specific to that data subject. |
| Processing | Includes collecting, using, recording, organising, altering, disclosing, destroying or holding Personal Information in any way, either manually or by automated systems. |
| Sensitive Personal Information / Special Categories | Types of Personal Information that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, or Personal Information relating to criminal convictions or offences. |
| Category | Data Processed | Service / Shared With | Purpose | Legal Basis | Required? |
|---|---|---|---|---|---|
| Account & Billing | Billing address, email, name, payment info, purchase history | Stripe Payments | Payments, record-keeping, billing | Consent; performance of contract | Mandatory |
| Hosting | Email, address, phone, name, company, usage data, location | Google Cloud Platform | Hosting backend infrastructure | Consent; contract; service provision | Mandatory |
| Communication | Email, address, phone, name, company, communication content | Mailchimp | Managing contacts and sending messages | Consent; contract | Optional / Mandatory |
| Registration | Email, first name, gender, last name | Smart Operator directly | Service access | Consent; contract | Mandatory |
| Service Users | Email, UUID, usage data, cookies | Intercom | Database management | Consent; contract | Mandatory |
| Analytics | IP address, device info, cookies, browsing data | Google Analytics | Analytics | Consent | Optional |
| Advertising | Advertising identifiers, IP address | Google Analytics | Advertising | Consent | Optional |
Employee Personal Information
| Policy Area | Policy Details | Responsibilities |
|---|---|---|
| Collection | Only collect information necessary for employment (name, contact, tax, salary, emergency contacts, prior employment, residence status etc.). | Employees must provide accurate, up-to-date information when requested. |
| Use | Used solely for employment-related purposes including payroll, benefits, emergencies and legal compliance. | Must use personal information only for authorised purposes as outlined in this Policy. |
| Storage | Stored securely, in line with company security protocols (encryption, restricted access). | Ensure all personal data is securely stored and access is restricted to authorised personnel. |
| Retention | Kept only as long as necessary for legal, regulatory or operational purposes. | Retain for the required duration and dispose securely when no longer needed. |
| Sharing | Not shared with third parties without explicit consent, unless required for business purposes or by law. | Obtain consent for data sharing unless required for HR/accounting; ensure third-party compliance. |
| Employee Rights | Employees have the right to access, correct or request deletion of their Personal Information, subject to legal limitations. | Contact HR or the Information Officer/Data Protection Officer to exercise data rights. |
| Confidentiality | Employee data treated with utmost confidentiality during and after employment. | Maintain confidentiality of employee information at all times, including post-employment. |
| Training | Employees must undergo annual privacy and data protection training. | Attend training sessions and keep informed about data protection policies. |
| Right | When Applicable |
|---|---|
| Right of Access — Receive a copy of the Personal Information Smart Operator holds and information about how it is used. | Applicable at all times when Smart Operator holds a data subject's Personal Information (subject to certain exemptions). |
| Right to Rectification — Request correction of Personal Information that is incorrect or incomplete. | Applicable at all times when Smart Operator holds a data subject's Personal Information (subject to certain exemptions). |
| Right to Erasure — Request deletion or removal of Personal Information from Smart Operator's systems and records. | Applies when: Smart Operator no longer needs the data; consent is withdrawn; the data subject objects and no overriding grounds exist; Personal Information has been used unlawfully; or erasure is required for legal compliance. |
| Right to Restrict Processing — Request suspension of use of Personal Information. | Applicable if: the data is potentially inaccurate (pending verification); processing is unlawful and erasure is opposed; data is required for legal claims; or a data subject's objection is under consideration. |
| Right to Data Portability — Obtain Personal Information in a portable format for transfer to another organisation. | Applies to data provided by the data subject, where Smart Operator's use is based on consent or contract, and processing is carried out by electronic means. |
| Right to Object — Object to Smart Operator's use of Personal Information in certain circumstances. | Smart Operator may continue use where there are compelling legitimate grounds or where the Personal Information is needed in connection with legal claims or employment. |
| Rights Re: Automated Decision-Making — Not be subject to solely automated decisions that produce significant effects. | Not applicable if: an automated decision is necessary to enter into or fulfil a contract; authorised by law; or based on explicit consent. |
| Right to Withdraw Consent — Withdraw consent where Smart Operator has relied on consent to process Personal Information. | Applies only where processing is based on consent. Withdrawal may affect the ability to receive products or services. |
| Right to Complain — Make a complaint to the relevant data protection regulator. | Applies at any time if the data subject believes their Personal Information has been processed in breach of Data Protection Laws. |
Smart Operator Ltd · smart-operator.ai · Privacy Policy — April 2026