Smartmessages Subscriber Privacy Policy

If you're a subscriber to a mailing list belonging to Smartmessages, this applies to you. Hi 👋!

If you are an employee of or acting on behalf of Smartmessages, please refer to the separate policy that applies to you.

Who does what?

Smartmessages is your data controller and is responsible for your privacy. Smartmessages uses their Smartmessages Luxembourg account to manage the mailing lists to which you can subscribe. Smartmessages Luxembourg is operated by Synchromedia Limited (the owner of Smartmessages Luxembourg, "we", "us"), and acts as a data processor for Smartmessages. Smartmessages may also provide your data to other services (we do not); you will need to refer to their own privacy policy for further details.

When do we collect data?

We collect your personal data for Smartmessages when you subscribe to their mailing lists as part of our contract with them. We may also be given your data by Smartmessages, for example when they upload their mailing lists.

Though by default Smartmessages Luxembourg does not do any tracking at all, Smartmessages has asked us to enable tracking features. If you consent to tracking of message opens and clicks when subscribing, these events will be recorded and associated with your address. You may change your tracking consent either in our subscriber data access portal, or by using your browser's Do Not Track setting. If you have consented to tracking, but have Do Not Track enabled, the opens and clicks will be recorded anonymously, without any connection to you.

What data is collected?

Obviously we collect email addresses so that we can send you email relating to the mailing lists that you join, and you can (at your discretion) provide other personal data, such as your name. We are required by law to be able to prove opt-in status of subscriptions (i.e. that we are not spamming you!), so we record IP addresses, referrer URLs, and user agent strings relating to that, and keep copies of confirmation messages with verifiable DKIM signatures.

Since we are only a data processor for you, we collect contact information from Account Holders, so that you can refer privacy questions to them, since they are your data controller, not us.

IP addresses are logged where we need to be able to protect against abuse, trace system problems, or defend against attackers, for example in account logins or password resets.

Why do we process data?

We are contracted to provide mailing list services to Smartmessages, so we process your data for them on the basis of contractual necessity. The overall basis for processing your data lies between you and Smartmessages, and is most often based on consent or legitimate interest (for example if you are their customer), though there may be other grounds; refer to Smartmessages's privacy policy for details, which you may find on their web site.

Privacy rights

Data Subject Access Requests

The right to access your data lies with Smartmessages; however, we provide a way for you to access, amend, or delete personal data that we manage on their behalf as part of our contract with them. Your personal data may be stored by more than one Smartmessages Luxembourg account holder, and your rights extend to all of them. You can access all of your data via our subscriber data access portal.

Data portability

Your data can be exported in a machine-readable format (usually CSV) from our subscriber data access portal so that you can provide it to another service, or to inspect it yourself.

Complaints

You may object to our use of personal data in several ways (in order of convenience):

  • Use our unsubscribe links – they really work!
  • Make use of our subscriber data access portal to view, amend, export, or delete your personal data.
  • Ask us at support@smartmessages.eu to deal with your complaint.
  • Ask your data controller (Smartmessages) to deal with the complaint (their contact details appear on every interaction subscribers have with them via Smartmessages Luxembourg).
  • If all of the above fail, you can ask the Luxembourg National Commission for Data Protection (the applicable supervisory authority) to intervene on your behalf.

Data adequacy

The only information we need from you is an email address, and so that is the only data that we require when subscribing to a mailing list. You may be asked for more personal data, such as your name, but it is entirely voluntary.

When sending email for marketing purposes, the responsible data controller must be clearly identified, so the Account Holder's contact details are made available whenever subscribers interact with us, such as when subscribing to a mailing list.

We record IP addresses, referrer URLs, and user agent strings when subscribers confirm subscriptions to mailing lists because we are required to retain this information in order to be able to prove opt-in status, so it is also exempt from our Do Not Track handling.

We do not store or process any "special category" data, as described in GDPR article 9, such as ethnic origin, political affiliation, medical records, etc. Though it is not covered by article 9 anyway, we do not store data on gender.

Data retention

We hold your data for as long as subscriptions remain active. If open and click activity is recorded (see Do Not Track), that data is kept for 6 months, and is then deleted and only appears in aggregated statistics. We may use a lack of recorded activity to automatically delete your data so that we do not retain it for longer than is necessary or relevant.

Data relating to subscribers that request a subscription but do not complete an opt-in confirmation is deleted after 1 week.

We retain unsubscribe data so that we can suppress future attempts to add your address back onto mailing lists other than by your own request (for example by uploads of outdated lists by Account Holders).

Third parties

We do not share any personal data nor sell it to any third parties. We do not permit the use of bought-in mailing lists; read this article for why.

Cookies & trackers

For the most part, we use no cookies at all. When necessary, we use only secure, first-party session cookies, containing no identifiable data, that are deleted as soon as you close your browser window. Since these are strictly necessary for the operation of our site, we do not ask for consent (in accordance with PECR). We do not use any third-party services that require cookies. We don't use any tracking scripts either; you'll find all our sites are unpolluted by Google, Facebook, and other trackers.

Account holders may use third-party tracking on their own sites, but they are outside our control.

Smartmessages Luxembourg can (optionally) add analytics tracking parameters to clickthrough URLs; however, this only tells the destination web site where the traffic came from in general terms, and does not include any personal data.

We strongly recommend using an ethically-run tracker-blocker extension such as Better or uBlock Origin; both are entirely compatible with everything we do.

Do Not Track

We honour the standard "Do Not Track" mechanism built into browsers, which is usually controlled by a browser setting labelled something like "Ask websites not to track me". When this is set, we still record activity (typically message opens and clicks), but anonymously, without recording anything that would allow us to link to or identify you, such as your email or IP address. For reference, your current web browser has this setting disabled.

There are two exceptions to this: we are required to retain proof of opt-in confirmation, so we record IP address, referrer URL, and user agent string when you confirm a subscription to a mailing list in order to do that; and we record IP addresses during logins so we can combat abuse and attempted break-ins.

Profiling and automated decision making

We don't do any of that.

Data security

We have extensive security measures in place in order to keep your data safe. This includes using strong encryption wherever feasible, enforcing strong passwords, using 2-factor authentication, using servers in secure data centres, and ensuring that only authorised staff can access data. Bear in mind that you provide personal data at your own risk; nobody (including us) can guarantee 100% security. We may sometimes send you email messages that contain important links, such as if you need to reset a password or confirm a subscription; you should treat these as confidential, much as you would a password. You can read more about our security measures.

Physical location

Our hosting provider is Omnis Cloud, located in Luxembourg.

We perform some processing and host various resources (for example, our web site and help pages) on servers in France, hosted by gandi.net in Paris, but this does not involve personal data.

We do not host any services or store data outside the EEA or UK.

Data processors

We use some third parties to provide technical services for our platform, none of which are related to marketing or advertising services:

  • Omnis Cloud provides hosting and system administration, based in Luxembourg.
  • Green Arrow Inc. provides our mail server software and support, based in the USA.

Phishing

To help defend against phishing, Account Holders can set up a page on their own site that points back to us, and this can be used to assure subscribers that we are really acting for the Account Holder, and not pretending to be them.

Data breach procedures

GDPR and the data protection directive (DPD, EU 2002) require reporting of personal data breaches. Breaches can include:

  • Unauthorised third-party access.
  • Deliberate or accidental action by a controller or processor.
  • Revealing personal data to an incorrect recipient.
  • Unauthorised alteration of personal data.
  • Unintentional loss of availability of personal data.

Should a breach occur relating to your data, we will inform the Account Holder(s) by email to their account addresses, and it is their responsibility to communicate with subscribers, if necessary.

The applicable supervisory authority is the Luxembourg National Commission for Data Protection.

Applicable laws

As a company based in Luxembourg, we are subject to Luxembourg legislation, which includes national and EU regulations, including the General Data Protection Regulation and the EU Electronic Privacy Directive.