SmartAlex Data Subject Access Request Procedure
1. Purpose and scope
This Data Subject Access Request Procedure (the "Procedure") explains how to exercise your rights as a data subject when THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D) with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, trading as SmartAlex ("SmartAlex", "we", "our", or "us"), processes Personal Data about you.
It supplements our Privacy Policy, which describes more broadly what data we process and why, our Data Processing Addendum, which governs the processing we carry out on behalf of our business customers, and our Subprocessor List, which names the third parties we engage. This Procedure tells you, in operational detail, how to make a request, how we verify who you are, how long we take, the format in which we respond, and the limited grounds on which we may decline.
This Procedure applies to data-subject requests under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the United Kingdom GDPR and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), the Singapore Personal Data Protection Act 2012 ("PDPA"), the South African Protection of Personal Information Act 2013 ("POPIA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and the United Arab Emirates Federal Decree-Law No. 45 of 2021 ("UAE PDPL"). The specific rights available to you, and the time we have to answer, depend on which of these laws applies to the processing in question.
2. Definitions
The following terms have the meanings set out below. Other capitalised terms not defined here, such as Services and Customer, have the meaning given in the Privacy Policy and our Terms of Service.
- Personal Data means any information relating to an identified or identifiable individual.
- Special-Category Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health, sex life or sexual orientation, genetic data, and biometric data processed to uniquely identify an individual, together with the equivalent categories of special personal information under POPIA and sensitive personal information under the CCPA.
- Customer means a business that contracts for the Services and configures AI voice agents, campaigns and contacts within its tenant.
- End User means an individual a Customer interacts with through the Services, for example a person who places or receives a telephone call handled by a Customer's AI voice agent.
- Customer Data means data a Customer or its End Users provide or that is generated through a Customer's use of the Services, including call audio, transcripts, contacts, messages and configuration.
- Controller means the party that determines the purposes and means of processing Personal Data; Processor means a party that processes Personal Data on a Controller's behalf and on its instructions. These terms carry their GDPR meanings and are read across to the equivalent concepts (responsible party and operator under POPIA, business and service provider under the CCPA) where those laws apply.
- Data Subject Request means any request by which you seek to exercise one of the rights described in this Procedure.
- Authorised Agent means a natural or legal person you have authorised to make a Data Subject Request on your behalf.
3. Your rights
Depending on the jurisdiction whose law applies to the processing, you may have any or all of the following rights. Not every right exists under every law, and some are subject to exceptions described in this Procedure and the applicable statute.
- Access: to obtain confirmation that we are processing your Personal Data, a copy of that data, and information about the purposes of processing, the categories of data, the recipients or categories of recipient to whom it is disclosed, the envisaged retention period or the criteria used to set it, the source of the data where it was not collected from you, and the existence of any automated decision-making.
- Correction (rectification): to have inaccurate data corrected and incomplete data completed.
- Deletion (erasure, or "right to be forgotten"): to have your Personal Data deleted, subject to exceptions including where the data is required to provide a Service you are still using, where retention is required by law, or where the data is needed to establish, exercise, or defend a legal claim.
- Portability: to receive the Personal Data you provided to us in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller.
- Restriction: to have processing of your Personal Data restricted in specific circumstances, for example while a correction request is being assessed.
- Objection: to object to processing based on legitimate interests, to processing for direct marketing, or to automated decision-making producing legal or similarly significant effects.
- Withdrawal of consent: where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Non-discrimination (CCPA): to exercise your rights without suffering discriminatory treatment, such as the denial of goods or services, in connection with your request.
- Right to lodge a complaint: to complain to the data-protection authority of your country of residence, work, or alleged infringement, as described in the section on the right to complain, below.
4. The scope of an access request for voice and call data
SmartAlex operates a platform on which Customers configure AI voice agents that place and receive real telephone calls. The platform records and transcribes those calls and processes the resulting audio and transcripts with speech and language AI. Because this is the core of what the Services do, it is important that you understand what an access request can reach.
If you interacted with an AI voice agent operated through the Services, the Personal Data within scope of an access request may include:
- the call audio recording of the interaction;
- the machine-generated transcript of the call, including any speaker segmentation that attributes speech to you;
- any AI-generated summary, classification, qualification outcome or sentiment label derived from the call;
- the associated interaction log and call metadata, such as the time of the call, its duration, the telephone numbers involved and the call disposition; and
- any contact record that the relevant Controller holds about you,
in each case where that data is held and where we or the relevant Controller can locate it on the basis of the identifiers you provide.
Where any of this data constitutes Special-Category Data, for example because the content of a call reveals information about your health, or because your voice is processed in order to identify you, the additional safeguards described in the section on special-category and biometric data, below, apply.
5. Special-category and biometric data
Calls and transcripts can contain Special-Category Data, and a voiceprint may constitute biometric data where it is used to identify an individual. SmartAlex processes this data only on the relevant Customer's documented instructions and does not use it to make solely automated decisions producing legal or similarly significant effects on you.
Where SmartAlex is the Controller, we process Special-Category Data only where a lawful condition applies, such as your explicit consent or the establishment, exercise or defence of legal claims. Where a Customer is the Controller, the Customer is responsible for establishing the lawful condition for any special-category processing (typically explicit consent under GDPR Article 9(2), or authorisation under POPIA sections 26 and 27) and for giving the required notices to End Users. When you exercise rights in relation to this data, we apply identity-verification and disclosure safeguards proportionate to its sensitivity, as set out below.
6. Who is the controller for your data
For most processing in connection with the Services, the legal Controller of your Personal Data is one of two parties:
- If you are a SmartAlex direct user, for example you signed up for a SmartAlex account, browsed our marketing site, or contacted our sales team, SmartAlex is the Controller and we will respond to your request directly. We are also the independent Controller for account, billing, security and product-analytics data we hold about you.
- If you are an End User of a Customer, for example you spoke with an AI voice agent that a Customer was operating, or you submitted a form on a Customer's website, the Customer is the Controller of the call and contact data and SmartAlex is its Processor. In this case we will, without undue delay, route your request to the Customer and assist them in fulfilling it, and we will not ourselves act on the data except on the Customer's instructions.
If you are not sure which case applies to you, send your request anyway and we will help you identify the right Controller. If we do not hold Personal Data about you, or we hold it only as a Processor on behalf of a Customer, we will tell you so and, where applicable, identify the Customer to whom your request should be directed so that you can pursue it with them.
7. Automated processing and AI voice agents
Our Services use AI to handle and transcribe calls and to support routing, qualification and analytics, in each case under the relevant Customer's control. We will always make clear to an End User, where the Customer has enabled the disclosure, when they are interacting with an AI system rather than a human. SmartAlex does not make solely automated decisions that produce legal or similarly significant effects on you. Where a Customer uses our Services to take such a decision, the Customer is responsible for that decision and for the safeguards around it.
If a decision producing legal or similarly significant effects was made about you solely by automated means, you may ask the responsible Controller for human review, to express your point of view, and to contest the outcome. Where SmartAlex is the Controller, you may make that request through this Procedure. Where a Customer is the Controller, we will route your request to them.
8. How to submit a request
Submit your request by email to privacy@getsmartalex.com. To help us act quickly, include:
- the right or rights you wish to exercise (access, correction, deletion, portability, restriction, objection, or consent withdrawal);
- sufficient information for us to identify the Personal Data you are asking about. This is typically the email address or telephone number you used, the name of the Customer involved if applicable, the approximate date of your interaction, and any other identifier that helps us find your record; and
- where applicable, the country whose law you are exercising rights under.
You do not need to use a particular form of words or cite a particular statute, and a request remains valid even if it does not initially reach this address, provided it reaches us; we will treat any communication that makes clear you wish to exercise a data-subject right as a Data Subject Request and route it internally.
Where you submit a request through an Authorised Agent, we may require (i) a copy of signed written permission authorising the agent to act on your behalf, or a valid power of attorney; (ii) verification of your own identity directly with us; and (iii) confirmation from you that you authorised the agent. We will not require the first and third of these where the agent holds a valid power of attorney under applicable law. Where a parent or guardian submits a request on behalf of a child, we may require proof of parental responsibility or guardianship.
9. Identity verification
Before we act on a request, we must be reasonably satisfied that you are who you say you are, so that we do not disclose your data to someone else or act on a request that is not genuinely yours. We will verify your identity in a manner proportionate to the sensitivity of the data and the nature of the request, applying the following tiers:
| Request type | Verification we typically require |
|---|---|
| Correction of a single field, consent withdrawal, marketing objection, or restriction | Confirmation that you control the email address or telephone number on the record, for example by replying from it or completing a one-time verification code. |
| Access to, or portability of, your Personal Data | Control of the contact identifier on the record, plus matching of two or more data points we already hold, for example the Customer involved and the approximate date of the interaction. |
| Access to or deletion of Special-Category Data, call recordings, or transcripts, or any request that would result in significant disclosure of sensitive data | The above, plus a proportionate additional check such as confirmation of further details only the genuine data subject would know. We do not require government-issued identity documents for routine requests, but may request a proportionate additional check for high-risk requests. |
We will not ask for excessive identification for routine requests. Where we cannot verify your identity from the information you provide and the data we hold, we will tell you what further information we reasonably need; if we still cannot verify you, we may decline to act, and we will explain why. Identity-verification data we collect for this purpose is used only for verification, is not used to enrich your profile, and is deleted once the request is closed.
10. How we acknowledge and handle your request
We acknowledge requests promptly and assign each request a reference so that you can follow up. The handling of a typical request proceeds as follows:
- Acknowledgement: we confirm receipt and, where the request is unclear, ask you to clarify the right you wish to exercise or the data you are asking about. Asking a genuine clarifying question pauses the response clock, under those laws that allow it, until you respond.
- Verification: we verify your identity as described in the section on identity verification, above.
- Triage: we determine whether SmartAlex is the Controller or a Processor for the data in question, and route the request accordingly.
- Search and assembly: we locate the Personal Data across our production systems, search indexes and backups to the extent proportionate, and assemble the response, applying redactions only where necessary to protect the rights of others.
- Response: we provide the response within the applicable timeline, in the format described below.
11. How we respond
We respond to your request electronically, to the verified email address you contacted us from, in a concise, transparent, intelligible and easily accessible format, using clear and plain language. Where you exercise your right to access, we provide a copy of your Personal Data together with the supplementary information listed in the access right, above. Where you exercise your right to portability, we provide the data you supplied to us in a structured, commonly used, machine-readable format such as JSON or CSV.
Where a request is granted in part, we will tell you which elements we have actioned and which we have not, and why. Where we make a correction or deletion, and where it is feasible and not disproportionate, we will notify any recipient to whom the data was disclosed, and tell you who those recipients are if you ask.
12. Timelines
We respond to requests within the timelines required by applicable law. The clock starts when we have received a request and, where verification is needed, verified your identity:
- Under EU GDPR, UK GDPR, and Swiss FADP, within one (1) month of receipt, extendable by a further two months for complex or numerous requests, with notice to you within the first month explaining the reasons for the extension.
- Under California CCPA and CPRA, we confirm receipt within ten (10) business days and substantively respond within forty-five (45) days of receipt, extendable once by a further forty-five days with notice.
- Under Singapore PDPA, we respond as soon as reasonably possible and, where we cannot complete a response within thirty (30) days, we will inform you of the time by which we will respond.
- Under South African POPIA, within a "reasonable time", which we operationalise as thirty (30) days from a verified request.
- Under UAE Federal Decree-Law No. 45 of 2021, within the timeline set by its implementing regulations once issued. Until those regulations take effect, we apply our standard thirty (30) day operational target.
Where we route a request to a Customer (see the section on who is the Controller for your data, above), the Customer is responsible for meeting the applicable response timeline and SmartAlex will support them.
13. Fees
We do not charge a fee for the first request you submit in any given twelve-month period, and access requests are ordinarily free. For repeated, manifestly unfounded, or excessive requests, we may either charge a reasonable fee based on the administrative cost of providing the information or taking the action requested, or refuse to act on the request. In either case we will explain why, and where we charge a fee we will tell you how it is calculated before we incur it.
14. Refusal grounds and partial fulfilment
We may refuse, restrict, or partially fulfil a request where, and to the extent that, doing so would:
- disclose Personal Data of another data subject in a way that disproportionately interferes with their rights, in which case we will redact or withhold only what is necessary and disclose the remainder;
- conflict with our obligations to retain data under law, regulation or court order;
- compromise an ongoing investigation, legal claim, or fraud-prevention or security activity;
- be impossible because the data has already been deleted under our retention schedule or has been irreversibly anonymised, in which case we cannot recreate it; or
- be manifestly unfounded or excessive, in particular because of its repetitive character.
Where we refuse a request in whole or in part, we will explain why, tell you what (if anything) we have done, and inform you of your right to lodge a complaint with the relevant data-protection authority and to seek a judicial remedy.
15. Retention and its effect on your requests
Retention periods affect what an access or deletion request can reach, because we cannot return or delete data we no longer hold. We retain Personal Data only as long as necessary for the purposes for which it was collected, or as required by law, applying the following criteria:
| Data category | Retention approach |
|---|---|
| Account and profile data of direct users | For the life of the account and a limited period afterwards, to handle wind-down, disputes and statutory record-keeping. |
| Call audio recordings, transcripts and interaction logs | Held as Processor for the period the relevant Customer configures, then deleted or returned on termination of that Customer's account in accordance with the Data Processing Addendum. |
| Contact records held on behalf of a Customer | For the period the Customer determines, subject to the Customer's instructions and deletion requests. |
| Billing and transaction records | For the period required by tax, accounting and company-law obligations. |
| Support and correspondence, including this request | For as long as needed to handle the matter and to evidence our compliance, then deleted. |
| Security logs and identity-verification data for a request | Security logs for a limited period for fraud-prevention and security; verification data deleted once the request is closed. |
| Backups | Backups are retained on a rolling cycle and overwritten in the ordinary course; where data is deleted from production it is removed from backups within the backup-retention window. |
16. International transfers and your data
SmartAlex and the Subprocessors that help us deliver the Services operate across Singapore, the EEA, the United Kingdom, the United States and South Africa. When we transfer Personal Data out of the EEA, the United Kingdom or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss addendum, together with supplementary measures such as encryption in transit and at rest and access controls. A copy of the relevant safeguards is available on request from privacy@getsmartalex.com. The names of the third parties involved are set out in our Subprocessor List. Exercising a Data Subject Request does not change where your data is processed, but you may ask us, as part of an access request, about the recipients to whom your data has been disclosed.
17. Right to complain
If you are not satisfied with how we have handled your request, you may complain to your local data-protection authority. Exercising a statutory right or lodging a complaint with an authority is separate from, and not replaced by, any arbitration or dispute-resolution provision in our Terms of Service; we will never route a statutory data-subject right to commercial arbitration. Relevant authorities include:
- European Union: the data-protection authority of your country of residence, work or alleged infringement. The European Data Protection Board lists national authorities at edpb.europa.eu.
- United Kingdom: the Information Commissioner's Office (ICO) at ico.org.uk.
- Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
- Singapore: the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
- South Africa: the Information Regulator. You may lodge a complaint by email to complaints.ir@inforegulator.org.za or via inforegulator.org.za. The Regulator's postal address is JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa.
- California, U.S.A.: the California Privacy Protection Agency (CPPA) at cppa.ca.gov, and the California Attorney General.
- United Arab Emirates: the UAE Data Office.
18. EU and UK representative
SmartAlex is appointing a representative under Article 27 of the GDPR and UK GDPR. Until that appointment takes effect, you may direct any matter that would otherwise be addressed to a representative to privacy@getsmartalex.com, and we will handle it directly.
19. Contact and updates
To submit a Data Subject Request, or for any question about this Procedure, contact privacy@getsmartalex.com. The privacy team performs the data-protection officer function for SmartAlex. This Procedure is reviewed periodically and updated as the law and our Services evolve, and any material change will be reflected in an updated version and effective date below.
This Procedure is version 1.1 and is effective from 1 June 2026.