Synchromedia Limited (the creator of Smartmessages Luxembourg, "We", "us") is a data controller for Smartmessages Luxembourg account holders, and is also a data processor for those account holders, handling mailing list subscriber data on their behalf.
If you have a Smartmessages Luxembourg account, this is you. Synchromedia Limited is your data controller, you are bound by Smartmessages Luxembourg terms and conditions, and also have privacy rights as described below.
We collect subscribers personal data for our account holders when subscribers subscribe to mailing lists. We may also be given subscriber data by account holders, for example when they upload their mailing lists. Account holders can choose to have us collect message open and click data from actions performed by subscribers, if their browser settings allow us to (see Do Not Track)
We collect data on account holders when they sign up for a Smartmessages Luxembourg account, and use it to run their account, inform them of changes, deal with billing, system updates, etc.
We collect email addresses and any other personal data that subscribers choose to provide. We must be able to prove opt-in status of subscriptions, so we record IP addresses, referrer URLs, and user agent strings when subscribers confirm subscriptions to enable us to do that.
Account holders need to provide us with full contact information as we need to be able to provide that information to subscribers.
IP addresses are logged where we need to be able to protect against abuse, trace system problems, or defend against attackers, for example in account logins or password resets.
We process data relating to account holders themselves on a contractual basis; they are our customers, and we need to store and process their data in order to do what they are paying us to do, and to help them uphold up their responsibilities as data controllers.
The right for subscribers to have access to their personal data lies with account holder(s), however, as their data processor we provide a way for subscribers to access, amend, or delete personal data as part of our services to them. Data about a subscriber may be stored by more than one Smartmessages Luxembourg account holder, and the right of access extends to all of them. Subscribers can access all of their personal data via our subscriber data access portal.
Individual subscriber data can be exported in a machine-readable format (usually CSV) from our subscriber data access portal so that you can provide it to another service, or to inspect it yourself.
Subscribers and account holders may object to our use of personal data in several ways (in order of convenience):
The only information we need from subscribers is an email address, and so that is the only data that we require when subscribing to a mailing list. Subscribers are free to provide more personal data, and there may be opportunities for them to do so, but it is entirely voluntary.
When sending email for marketing purposes, the responsible data controller must be clearly identified, so the account holder's contact details are made available whenever subscribers interact with us, such as when subscribing to a mailing list.
We record IP addresses, referrer URLs, and user agent strings when subscribers confirm subscriptions to mailing lists because we are required to retain this information in order to be able to prove opt-in status, so it is exempt from our Do Not Track handling.
We do not store or process any "special category" data, as described in GDPR article 9, such as ethnic origin, political affiliation, medical records, etc. Though it is not covered by article 9 anyway, we do not store data on gender.
We hold subscriber data for as long as subscriptions remain active. If open and click activity is recorded (see Do Not Track), that data is kept for 6 months, and is then deleted and only appears in aggregated statistics. We may use a lack of recorded activity to automatically delete subscriber data so that we do not retain it for longer than is necessary or relevant.
Data relating to subscribers that request a subscription but do not complete an opt-in confirmation is deleted after 1 week.
We retain unsubscribe data so that we can suppress future attempts to add subscriber address back onto mailing lists other than by their own request (for example by uploads of outdated lists by account holders).
We do not share any personal data nor sell it to any third parties. We do not permit the use of bought-in mailing lists; read this article for why.
For the most part, we use no cookies at all. When necessary, we use only secure, first-party session cookies, containing no identifiable data, that are deleted as soon as you close your browser window. Since these are strictly necessary for the operation of our site, we do not ask for consent (in accordance with PECR). We do not use any third party services that require cookies. We don't use any tracking scripts either; you'll find all our sites are unpolluted by google, facebook, and other trackers.
Account holders may use third-party tracking on their own sites, but they are outside our control.
Smartmessages Luxembourg can (optionally) add analytics tracking parameters to clickthrough URLs, however, this only tells the destination web site where the traffic came from in general terms, and does not include any personal data.
We honour the standard "Do Not Track" mechanism built into browsers, which is usually controlled by a browser setting labelled something like "Ask websites not to track me". When this is set, we still record activity (typically message opens and clicks), but anonymously, without recording anything that would allow us to link to or identify an individual subscriber, such as their email or IP address. For reference, your current web browser has this setting disabled.
There are two exceptions to this: we are required to retain proof of opt-in confirmation, so we record IP address, referrer URL, and user agent string when you confirm a subscription to a mailing list in order to do that; We record IP addresses during logins so we can combat abuse and attempted break-ins.
We don't do any of that.
We have extensive security measures in place in order to keep your data safe. This includes using strong encryption wherever feasible, enforcing strong passwords, using 2-factor authentication, using servers in secure data centres, and ensuring that only authorised staff can access data. Bear in mind that you provide personal data at your own risk; nobody (including us) can guarantee 100% security. We may sometimes send you email messages that contain important links, such as if you need to reset a password or confirm a subscription; you should treat these as confidential, much as you would a password. You can read more about our security measures.
Our servers are located in London. We host at Equinix's Sovereign House and Harbour Exchange data centres in London's docklands, one of the UK's premier hosting locations, featuring multiple redundant network connections, clean, reliable power supplies, overspecified air conditioning, and heavy physical security (retinal scanners etc). Our hosting provider is Mythic Beasts.
We perform some processing and host various resources (for example, our web site and help pages) on servers in France, hosted by gandi.net in Paris, but this does not involve personal data.
We will never export personal data out of the EU.
To help defend against phishing, account holders can set up a page on their own web site that points back to us, and this can be used to assure subscribers that we are really acting for the account holder, and not pretending to be them.
GDPR and PECR require reporting of personal data breaches; Under PECR, we are classed as a "Service Provider". Breaches can include:
Should a breach occur relating to subscriber data, we will inform the relevant account holder(s) (the data controller) by email to their account addresses, and it is their responsiblity to communicate with subscribers, if necessary.
The applicable supervisory authority is the UK Information Commissioner's Office (ICO).
As we are a UK company, we are subject to the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations (PECR), the EU General Data Protection Regulation (GDPR), and the forthcoming EU Electronic Privacy Regulation (ePR) in our role as a data processor for account holders, and as a data controller for our account holders.