Last updated July 27, 2024 Introduction – Scope Welcome to the website www.smartrep.ai (hereinafter “Website”) of the company under the name “SmartRep”, (hereinafter “SmartRep”, “Company”, “us”, or “we”). 1. Our relationship with you On this point our relationship with you is defined. If you have provided to us some personal information, for instance by subscribing to our newsletter, then you are a “User” and SamrtRep is Controller for processing your account information, such as your name and email address. The ” Customer’s End User” is someone who provides personal information to our Customers. We do not have a direct relationship with them. Note that these categories do not rule out each other — you may belong to all three! In order to fully understand your rights and SamrtRep’s obligations under this Policy, it is important to determine your relationship with SmartRep. “User” or “simple User” means the natural person who provides to us personal data through the Website, for instance by subscribing to our newsletter or creating an account. In this case, SmartRep shall be Controller of your personal data in compliance with Article 4 GDPR ‘Customer’ means a natural or legal person who chooses to use the SaaS application for the mutual benefit of himself/itself and his/its own customers. In this case, SmartRep shall act as Processor on behalf of the Customer in compliance with Article 4 GDPR. “Customer’s End User” means any natural person who interacts on our Customers website/webpage and provides to them his personal information. SmartRep is not directly related to the Costumer’s End Users. We do not control the purposes or the means by which this personal information is collected and we have no direct relationship with the Customer’s End Users. For more details on the processing of your personal information as a Customer’s End User, see our respective Customers’ Privacy Policies. Henceforth, we may refer to Customers and Users collectively as “you”. 2. What data we collect We collect various categories of personal data (simple and – where applicable – sensitive data) that you voluntarily provide to us during your visit to the Website and/or when you use the SaaS application, either as a simple Usre, as a Customer or as a Customer’s End User. Anonymous or anonymised information does not fall into the category of personal data. 3. Minors data We never collect personal data directly and deliberately about a natural person under the age of majority and unable to provide valid consent according to local requirements. If you notice that a minor has disclosed personal information to us without the consent of their parents and guardians, please let us know and we will act accordingly. The Company does not intend to directly collect and process child data under the legal age of consent, as defined by the jurisdiction of the country in which the Data Subject is located. If you notice that minors’ data is disclosed through the Service without the consent and without the knowledge of their parents and guardians, please inform us immediately in order to close the account and take the appropriate protection measures. 4. Processing purposes We process the information you provide to us in a lawful and fair manner according to the purpose pursued each time. In respect and in compliance with the Applicable Legislation, we inform you about our purposes for the processing of Your Personal Information, as well as about the legal basis for such processing. Unless otherwise permitted by law, we may process the data and the personal information you provide to us for the following purposes: For network and information security purposes against malicious actions of third parties Without processing your relevant and necessary information, we may not be able to ensure the security of the Service. We are committed to using your personal data solely for the above legitimate purposes or compatible ones. In addition to these purposes, the Company may process all or part of your data in order to comply with any obligations arising from a legal provision (Art.6(1)(c)GDPR)and/or in pursuit of further legitimate interests, such as the support and pursuit of the Company’s legal claims (Art.6(1)(f) GDPR). 5. Who has access to your data Access to your data has Company’s authorized personnel and its partners, providing appropriate contractual guarantees. In certain cases, and to the extent necessary, we use third-party services, such as in payments, file storage and analytics. All these services comply with policies such as ours. The Company carries out most of the data processing activities required to provide the Service on its own resources and personnel. 6. International transfers It is not our intention to transfer data to non-EU/EEA third countries per se. However, due to the location or multinational nature of certain technology service providers , your data may be transferred to non-EU/EEA third countries. In such case, our established policy is to use the European Commission’s Standard Contractual Clauses and other approved data transfer mechanisms to better protect your personal data in non-EU/EEA jurisdictions. The Company uses approved data transfer mechanisms to transfer your personal data to and from the United States and other jurisdictions outside the EU/EEA. Primarily, we rely on Standard Contractual Clauses approved by the European Commission as a legal mechanism, where necessary, for any non-EU/EEA data transfers, to the extent that such transfers are made. 7. Time to keep your data We store and keep your data for as long as the contract between us stands or for as long as is necessary to fulfill the purpose for which your data was collected or for as long as the law requires on a case-by-case basis. Subjects’ personal data is stored only for the period of time required to fulfill the purposes for which the data was originally collected. Furthermore, the Company retains your data as long as necessary to comply with requirements of the law, including any legal, accounting or other obligations in order to resolve any disputes arising from its activities. Although retention requirements may be different in each case, we apply some standard retention periods for part of your personal data, as described below: -Contact information collected for marketing purposes, such as name and email address, is kept on an ongoing basis until you request to opt-out or withdraw any prior consent. -Browser interaction data, such as data from cookies and related tracking technologies, is retained for the periods provided for in the Company’s applicable Cookie Policy or until the withdrawal of any prior consent. -Data provided during the use or in the framework of the Service shall be kept for a period of five (5) years from the date of the last interaction of the Subject or the termination of the contract between us accordingly, unless otherwise specified by law. 8. Security The security of your personal data is a priority for us and therefore we ensure that all the appropriate contractual, technical and organisational measures are implemented. We are committed to protecting the physical and digital security of subjects’ personal data by implementing appropriate contractual, technical, and organisational measures. Indicatively, such measures are the following: -Internal Policies and Procedures for the protection of personal data -Confidentiality and privacy clauses in contracts with our service providers and business partners -Event management and disaster recovery plan -Data recovery plan -Keeping backups -Authorized access to files and databases (Authentication and identification) -Classified access depending on the role of each user -Maintenance and regular upgrade of hardware and software and their security control -Periodic system and infrastructure security screening -Keeping backup copies -Encryption and pseudonymisation (if applicable) -Raising awareness and training of personnel on privacy and information security issues 9. Your rights The Company ensures the exercise of your rights as stipulated in the Articles 15-22 GDPR, such as the right of access and the right to be informed, the right to erasure, etc., upon request at contact@smartrep.gr. Our Company is committed to the protection and respect of your rights as defined by Articles 15-22 of the GDPR and in particular: -Your right to be informed about the processing of your personal information (right of access) and to request more information about the processing that is being performed. -Your right to rectification of inaccurate personal data. -The right to erasure of the personal information you have provided unless this is not permitted for legitimate reasons. -Your right to restriction of processing. -Your right to data portability, if possible. -Your right to object to further processing of your data and -Your right to withdraw any prior consent. In such cases, the Company will evaluate and respond accordingly to your request within one (1) month of the receipt of your request and your identification. In case your request is complex or there is a large number of requests, our Company will inform you within the above period of one month of a time period extension of up to two (2) additional months, in compliance with the GDPR. Moreover, our Company may refuse to grant your request in whole or in part, only when this is possible in compliance with the GDPR or national law. 10. Restrictions on your rights Your rights to your personal information are not unlimited and may be rejected in accordance with the stated circumstances. In certain circumstances, the Company may refuse to respond to certain rights or requests in connection with your personal data, when: -Refusal of access is required or permitted by law, -The provision of access would have a negative impact on the rights and freedom of third natural persons, or -Where the request is manifestly unfounded or excessive. 11. Changes to this Policy We update the Privacy Policy when necessary to better inform you or when we need to comply with new legislation. From time to time and according to our needs, we may update this Policy to better inform you. The updated version of this Policy will be posted on the Website indicating the effective date of the latest version, which is the date of its posting on the Website and of your free access to it. If we make significant changes to this Policy, we may notify you either by posting a specific notice of these changes on the Website or by sending you a notice directly by e-mail to the address you have provided to us. In any case, we encourage you to frequently review this Policy for your reliable and timely information on how we process and protect your personal data. 12. Contact us For more information about the protection of your personal data and the Privacy Policy of our Company, as well as the exercise of your rights, you can contact us at the following information: SmartRep, Inc Kosta Varnali 61, Chalandri 152 33
PRIVACY POLICY
PRIVACY POLICY
This Policy governs the management practices of personal data and information of natural persons (collectively, “Data Subjects” or “Subjects”) who either visit our Website individually on their own initiative or are customers who use the virtual service assistant application using artificial intelligence technology as a service (“SaaS application”), hereinafter collectively “Service”.
This Policy explains how we collect, process and protect Data Subjects’ information as part of the Service provided, in compliance with the applicable national and European regulatory framework for the protection of privacy and personal data, and in particular, Regulation (EU) 2016/679, also known as GDPR (‘GDPR’ or ‘Regulation’), Law 4624/2019 and Law 3471/2006, which incorporated the European Directive 2002/58/EC (e-Privacy Directive), as applicable, including the relevant decisions of national and European courts, as well as the relevant Guidelines and decisions of the competent supervisory authorities and the European Data Protection Board, hereinafter collectively referred to as “Applicable Legislation”.
By accessing and using the Service, you declare your acceptance of the terms of this Policy. If you do not agree or are not familiar with any aspect of this Policy or the Terms and Conditions of Use of Services, you should immediately discontinue access to or use of our Service.
Purpose of processing
Legal basis
1
In the framework of consumer protection, we are processing your personal information in order to:
In the case of:
Art. 6(1)(c) GDPR
Processing is necessary in compliance with a legal obligation; and/or Art. 6(1)(b) GDPR Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
and/or
Art. 6(1)(f) GDPR
Processing is necessary for the purposes of the legitimate interests pursued by the Company.
2
For the proper provision of our services
We process your data to provide the services you have chosen and perform the terms of the contract between us, as set out in the Terms and Conditions of Service. For instance, when you want to charge a customer for your work, we collect enrollment, finance, transaction, and interaction data to send the bill to the customer and receive payment. We cannot provide Services to you without this information.Art. 6(1)(b) GDPR
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
3
For communication purposes within the Service
We may need to contact you to provide you with information related to your management or account, to keep you updated about the Service, to notify you of relevant security issues or updates, or to provide you with other information related to transactions.Art. 6(1)(b) GDPR
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
4
For ensuring quality control
We process the data provided to us voluntarily for the quality control and training of our authorized personnel, to ensure that we continue to provide you with high quality services. Without the measures of quality control, you may face problems during the use of the Service, such as to address problems related to the uninterrupted operation of the Service.Art. 6(1)(b) GDPR
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
5
For your convenience or service
When you contact the service channel, we process Subjects’ data to respond to requests, complaints, comments, or problems regarding the Service. We may process the provided data as a response to a Customer’s End User request, where appropriate. Without the processing of the said data for these purposes, we are unable to respond to the relevant requests.Art. 6(1)(b) GDPR
Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
6
To facilitate your access to the Service
We process Subjects’ data according to their options on how to access the Service for the purpose of providing access to the Service according to your preferences. For instance, you can share part of your social media account information with us for your authentication in order to sign up or sign in to your account. Without this processing of your data, we may not be able to secure access to the Service.Art. 6(1)(f) GDPR
Processing is necessary for the purposes of the legitimate interests pursued by the Company.
7
For research and development purposes
We process the data you provide to us to better understand you and how you use and interact with the Service. For instance, interaction data can provide useful information that helps us measure, adapt, or improve the services we offer. In addition, this information helps us significantly to develop new and improved services to better serve you.Art. 6(1)(f) GDPR
Processing is necessary for the purposes of the legitimate interests pursued by the Company.
8
For marketing purposes
Subject to your prior valid consent, we may process your data for advertising and commercial purposes (marketing), such as sending targeted advertising messages about our services, promotional offers and events of the Company or its partners. We allow you to withdraw any consent for these purposes easily and free of charge at any time.Art. 6(1)(a) GDPR
The processing shall be carried out with the validconsent of the Data Subject.
We recognise that the Court of Justice of the European Union ruled in July 2020 (Schrems II) that certification under the EU-US Privacy Shield can no longer serve as an exclusive basis for guaranteeing an adequate and equal level of protection of personal data and equal to the EU level. In this context, where necessary, the Company shall make every effort to the extent possible to ensure further guarantees as to the level of protection of personal data by non-EU/EEA providers and in particular in the United States, by adopting the respective Standard Contractual Clauses approved by the European Commission.
For more information on the European Commission’s Standard Contractual Clauses, please address to https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en For more information about the U.S. Privacy Shield program, please visit https://www.privacyshield.gov/. In case of conflict between the terms of the non-EU/EEA Providers Policy and this Policy, this Policy shall prevail.
Furthermore, in the event of the exercise of one or more of the above mentioned rights to rectification, erasure and restriction of your data, your requests may also be shared with any third party to whom your data may have been transferred in pursuit of the above mentioned processing purposes.
For the exercise of these rights, you can send us an online request at contact@smartrep.gr. If the reply you receive from us does not satisfy you or if your personal data is deemed to still be infringed, then you have the right to contact the national Data Protection Authority (www.dpa.gr submission of a complaint) or to any other competent supervisory authority concerning you (you can find more information here).
Email: contact@smartrep.gr