Smartmessages Privacy Policy

If you join a mailing list belonging to Smartmessages, this applies to you.

When do we collect data?

As a data processor, we collect personal data on behalf of Smartmessages when you subscribe to mailing lists. We may also be given your personal data by Smartmessages.

If you consent to tracking of message opens and clicks when subscribing, these events will be recorded and associated with your address. You may change your tracking consent either in our subscriber data access portal, or by using your browser's Do Not Track setting. If you have consented to tracking, but have Do Not Track enabled, the opens and clicks will be recorded anonymously, without any association with your address or IP.

What data is collected?

We collect your email address and any other personal data that you choose to provide. We record IP addresses, referrer URLs, and user agent strings used for subscription confirmations as we are required to record this information in order to be able to prove opt-in status.

Why do we process data?

We are contracted to provide mailing list services to Smartmessages, so we process your data for them on the basis of contractual necessity. The overall basis for processing your data lies between you and Smartmessages, and is most often based on consent or legitimate interest (for example if you are their customer), though there may be other grounds; refer to Smartmessages's privacy policy for details, which you may find on their web site.

Privacy rights

Subject Access Requests

The right to access your data lies with Smartmessages; however, we provide a way for you to access, amend, or delete personal data that we manage on their behalf as part of our contract with them. Your personal data may be stored by more than one Smartmessages Luxembourg account holder, and your rights extend to all of them. You can access all of your data via our subscriber data access portal.

Data portability

Your data can be exported in a machine-readable format (usually CSV) from our subscriber data access portal so that you can provide it to another service, or to inspect it yourself.

Complaints

You may object to our use of your data in several ways (in order of convenience):

  • Use our unsubscribe links – they really work!
  • Make use of our subscriber data access portal to amend or delete personal data.
  • Ask us at support@smartmessages.eu to deal with your complaint.
  • Ask your data controller (Smartmessages) to deal with your complaint (their contact details appear on every interaction you have with them via Smartmessages Luxembourg).
  • Ask the UK Information Commissioner's Office (the applicable supervisory authority) to intervene on your behalf.

Data adequacy

The only information we need from you is an email address, and so that is the only data that we require when subscribing to a mailing list. You are free to provide more personal data, and there may be opportunities for you to do so, but it is entirely voluntary. Your data may also be provided to us by Smartmessages, and you may view and edit that data via our systems – see Subject Access Requests.

When sending email for marketing purposes, the responsible data controller must be clearly identified, so contact details for Smartmessages are made available whenever you interact with us, such as when subscribing to a mailing list.

We record IP addresses, referrer URLs, and user agent strings when you confirm subscriptions to mailing lists because we are required to retain this information in order to be able to prove opt-in status, so it is exempt from our Do Not Track handling.

We do not store or process any data that is categorised as "sensitive", such as employment records, political affiliation, medical records, etc.

Data retention

We hold your data for as long as subscriptions remain active. We monitor your open and click activity (though see Do Not Track below), and may use a lack of recorded activity to automatically delete your data so that we do not retain it for longer than is necessary or relevant. We retain unsubscribe data so that we can suppress future attempts to add your address back onto mailing lists other than by your own request.

Third parties

We do not share your data or sell it to any third parties. We do not permit the use of bought-in mailing lists.

Cookies & trackers

For the most part, we use no cookies at all. When necessary, we use only secure, first-party session cookies, containing no identifiable data, that are deleted as soon as you close your browser window. Since these are strictly necessary for the operation of our site, we do not ask for consent (in accordance with PECR). We do not use any third-party services that require cookies. We don't use any tracking scripts either; you'll find all our sites are unpolluted by Google, Facebook, and other trackers.

Smartmessages may use third-party tracking on their own sites, but they are outside our control.

We strongly recommend you use an ethically-run tracker-blocker extension such as Better or uBlock Origin; both are entirely compatible with everything we do.

Do Not Track

We honour the standard "Do Not Track" mechanism built into browsers, which is usually controlled by a browser setting labelled something like "Ask websites not to track me". When this is set, we still record activity (typically message opens and clicks), but anonymously, without recording anything that would allow us to link to or identify you, such as your email or IP address.

There are two exceptions to this: we are required to retain proof of opt-in confirmation, so we record IP address, referrer URL, and user agent string when you confirm a subscription to a mailing list in order to do that. We also record your IP address when you log into the subscriber portal so we can track abuse or attempted break-ins.

Profiling and automated decision making

We don't do any of that.

Data security

We have extensive security measures in place in order to keep your data safe. This includes using strong encryption wherever feasible, enforcing strong passwords, using 2-factor authentication, using servers in secure data centres, and ensuring that only authorised staff can access data. Bear in mind that you provide personal data at your own risk; nobody (including us) can guarantee 100% security. We may sometimes send you email messages that contain important links, such as if you need to reset a password or confirm a subscription; you should treat these as confidential, much as you would a password. You can read more about our security measures.

Physical location

Our servers are located in London. We host at Equinix's Sovereign House and Harbour Exchange data centres in London's docklands, one of the UK's premier hosting locations, featuring multiple redundant network connections, clean, reliable power supplies, overspecified air conditioning, and heavy physical security (retinal scanners etc). Our hosting provider is Mythic Beasts.

We perform some processing and host various resources (for example, our web site and help pages) on servers in France, hosted by gandi.net in Paris, but this does not involve personal data.

We will never export personal data out of the EU.

Data breach procedures

GDPR and PECR (and the forthcoming ePR) require reporting of personal data breaches; under PECR, we are classed as a "Service Provider". Breaches can include:

  • Unauthorised third-party access.
  • Deliberate or accidental action by a controller or processor.
  • Revealing personal data to an incorrect recipient.
  • Alteration of personal data without permission.
  • Loss of availability of personal data.

Should a breach occur relating to your data, we will inform Smartmessages (your data controller) by email to their account addresses, and it is their responsibility to communicate with you, if necessary.

The applicable supervisory authority is the UK Information Commissioner's Office (ICO).

Applicable laws

As we are a UK company, we are subject to the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations (PECR), the UK transposition of the EU General Data Protection Regulation (UK GDPR) in our role as a data processor for account holders, and as a data controller for our account holders.

Synchromedia Limited is registered as a data controller and processor with the UK ICO.