Data Controller
Smarteaming is a product of MBP Enterprises LTD, a company registered in England and Wales (company number 16058795) with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. MBP Enterprises LTD is the data controller for all personal data processed through the Smarteaming service. For any questions about this policy or your personal data, contact us at contact@smarteaming.com.
1. Scope
This Privacy Policy applies to the Smarteaming marketing website (smarteaming.com), the Smarteaming web application (app.smarteaming.com), the Smarteaming mobile application, and the Smarteaming API (api.smarteaming.com). It covers all personal data we collect from visitors, trial users, paying subscribers, and team members invited by subscribers.
2. Personal Data We Collect
We collect the following categories of personal data: (a) Account data — first name, last name, email address, hashed password, phone number, language preference, and profile picture; (b) Business data — business or trading name, BCE/company registration number, and postal address; (c) Financial data — IBAN for payroll-related features and billing information processed by Stripe; (d) Scheduling and employment data — work schedules, shift confirmations, availability, assigned roles and competences, and salary rates you enter into the service; (e) Demo request data — when you submit the demo form on our marketing site we collect your first name, last name, email, phone number, company name, team size, preferred date and time, and any message you include; (f) Technical data — IP address, browser type and version, device type, and push-notification token (if you opt in to notifications).
3. How We Use Your Data
We process your personal data for the following purposes and legal bases: (a) Performance of contract (Art. 6(1)(b) GDPR) — to create and manage your account, provide scheduling and payroll features, process subscriptions, and deliver the service you signed up for; (b) Legitimate interests (Art. 6(1)(f) GDPR) — to send transactional emails (shift reminders, schedule changes, account notifications), to maintain security and prevent fraud, and to respond to demo requests and support enquiries; (c) Consent (Art. 6(1)(a) GDPR) — to send push notifications to your device (you can withdraw consent at any time in your device settings). We do not use your data for automated decision-making or profiling. We do not sell, rent, or trade your personal data to any third party.
4. Data We Do Not Collect
Smarteaming does not collect GPS or geolocation data. We do not collect any special-category data as defined by Article 9 of the GDPR, including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, or data concerning sex life or sexual orientation.
5. Sub-Processors and Third Parties
We share personal data only with the following third-party service providers, each acting as a data processor on our behalf: (a) DigitalOcean (Frankfurt, Germany) — cloud hosting and database infrastructure, with all data stored within the EU; (b) Stripe (EU entity) — payment processing for subscriptions (Stripe processes billing details directly and is an independent data controller for payment data under its own privacy policy); (c) Mailgun (Sinch Group) — transactional email delivery (account notifications, shift reminders); (d) Expo Push Service (operated by 650 Industries, Inc., USA) — delivery of push notifications to mobile devices when you opt in; (e) Google Ads (Google Ireland Limited) — conversion tracking on our marketing website to measure the effectiveness of our advertising campaigns, activated only when you consent to marketing cookies via our cookie banner. Google may process your IP address and click data in accordance with its own privacy policy. We do not use Google Ads data for profiling or retargeting. We do not share data with data brokers.
6. International Data Transfers
Your primary data is stored on DigitalOcean servers in Frankfurt, Germany (EU). Certain sub-processors may process limited data outside the European Economic Area: Mailgun and Expo Push Service are US-based providers. Where data is transferred outside the EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU-US Data Privacy Framework where the recipient is certified. We regularly review our sub-processors to verify that appropriate safeguards remain in place.
7. Data Retention
We retain your personal data for as long as your account remains active and as reasonably necessary to provide the service. When you request account deletion (see our Account Deletion page), we will erase your personal data within 30 days of receiving a valid request. Certain data may be retained beyond this period only where required by law (for example, financial records required for tax or accounting purposes under UK law, which must be kept for up to six years). Anonymised or aggregated data that can no longer identify you may be retained indefinitely for statistical purposes.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: encryption of data in transit (TLS/HTTPS), hashing of passwords using industry-standard algorithms, access controls limiting data access to authorised personnel only, regular security reviews of our infrastructure, and Content Security Policy (CSP) headers with per-request nonces on our websites. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security, but we are committed to maintaining a level of protection appropriate to the risk.
9. Your Rights Under GDPR and UK Data Protection Law
You have the following rights regarding your personal data: (a) Right of access — you may request a copy of the personal data we hold about you; (b) Right to rectification — you may ask us to correct inaccurate or incomplete data; (c) Right to erasure — you may request deletion of your data (see our Account Deletion page at smarteaming.com/account-deletion); (d) Right to restrict processing — you may ask us to limit how we use your data in certain circumstances; (e) Right to data portability — you may request your data in a structured, commonly used, machine-readable format; (f) Right to object — you may object to processing based on legitimate interests; (g) Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To exercise any of these rights, email us at contact@smarteaming.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or your local supervisory authority.
10. Children's Privacy
Smarteaming is a business service designed for employers and their employees. The service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at contact@smarteaming.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, sub-processors, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the application. We encourage you to review this page periodically. Your continued use of the service after any changes constitutes acceptance of the updated policy.
12. Contact
If you have any questions about this Privacy Policy or wish to exercise your data-protection rights, please contact us at: MBP Enterprises LTD, 128 City Road, London, EC1V 2NX, United Kingdom. Email: contact@smarteaming.com.