SmartAlex GDPR Article 13 Layered Notice
1. About this notice
This notice satisfies the information obligations under Articles 13 and 14 of Regulation (EU) 2016/679 (the GDPR) and the equivalent provisions of the United Kingdom GDPR as incorporated by the Data Protection Act 2018 (the UK GDPR). Where Swiss data protection law applies, this notice is also intended to satisfy the corresponding information duties under Article 19 of the Swiss Federal Act on Data Protection (the nFADP). It applies where we process Personal Data about an individual located in the European Economic Area (the EEA), the United Kingdom, or Switzerland, whether that individual deals with us as a Customer, as a visitor to our websites, or as an End User of a Customer's voice agent.
This notice complements, and does not replace, our Privacy Policy, which contains the full detail of our processing across every jurisdiction in which we operate, including Singapore, the United States, and South Africa. Where this notice and the Privacy Policy address the same processing, they are intended to be read together and to be consistent. This notice is the EEA, UK, and Swiss layered view that procurement and data protection reviewers most often need, and it is structured so that the short summary in this section can be read on its own, with each later section providing the detailed layer.
SmartAlex is a multi-tenant business platform on which Customers configure AI voice agents that place and receive telephone calls, run outbound campaigns, manage contacts, and view analytics. The Services record and transcribe calls, process the resulting audio and transcripts with speech and language AI, and bill the Customer by subscription. For call content and contact data, the Customer is the Controller and SmartAlex is its Processor. For account, billing, security, and product-analytics data, SmartAlex is an independent Controller. This notice covers the processing for which SmartAlex is a Controller, explains how to reach the Customer where the Customer is the Controller, and identifies the boundary between those two roles so that you always know whom to approach.
1.1 Summary
This is the short layer of a layered notice. The sections that follow give the full detail, and nothing in this summary limits or qualifies them.
- Who we are. THERCSGROUP PTE. LTD. trading as SmartAlex, a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D), contactable for privacy matters at privacy@getsmartalex.com.
- What we process. Account and billing data, service data (including call audio and transcripts), technical data, website and analytics data, and the communications you send us.
- Why. To provide and bill the Services, to meet our legal obligations, to keep the Services secure and free of fraud and abuse, and, with your consent, for analytics and marketing.
- Your rights. Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right not to be subject to a solely automated decision that produces legal or similarly significant effects.
- How to act. Exercise rights or ask questions at privacy@getsmartalex.com or through our Data Subject Access Request Procedure, and you may complain to your local supervisory authority.
2. Definitions
The following defined terms are used throughout this notice and carry the same meaning each time they appear.
- SmartAlex, we, us, and our mean THERCSGROUP PTE. LTD. trading as SmartAlex.
- Services and Platform mean the SmartAlex platform, websites, applications, and APIs.
- Customer and you mean the business that contracts for the Services, and, where this notice addresses website visitors or End Users, the individual to whom the relevant section is addressed.
- End User means an individual the Customer interacts with through the Services, for example a person who is called by, or who calls, a Customer's voice agent.
- Personal Data means information relating to an identified or identifiable individual within the meaning of Article 4(1) of the GDPR.
- Special-category data means the categories of Personal Data listed in Article 9(1), including data concerning health, biometric data processed to identify a person, and data revealing racial or ethnic origin, religious beliefs, or trade union membership.
- Processing, Controller, and Processor have the meanings given to them in Article 4 of the GDPR.
- Subprocessor means a third party we engage to process Personal Data on our behalf.
- Customer Data means data the Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, transcripts, contacts, and messages.
3. Controller, data protection contact, and representatives
Controller: THERCSGROUP PTE. LTD., trading as SmartAlex, a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D), at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914. The general email address for privacy matters is privacy@getsmartalex.com.
Data protection contact and data protection officer: we have appointed a privacy function that performs the role of a data protection officer for the purposes of Article 37, reachable at privacy@getsmartalex.com. This is the single contact point for all questions about how we handle Personal Data, for exercising your rights, and for any matter arising under this notice. You may use this address whether you deal with us as a Customer, a website visitor, or an End User.
3.1 EU and UK representatives under Article 27
We are a controller established outside the EEA and the United Kingdom that offers the Services to, and processes the Personal Data of, individuals in those territories, so Article 27 of the GDPR and Article 27 of the UK GDPR require us to designate representatives. We are in the course of appointing an EU representative and a UK representative, and we will publish their names, postal addresses, and contact details in this section as soon as each appointment takes effect. Until then, you may send any matter you would otherwise raise with a representative to privacy@getsmartalex.com, and we will handle it without requiring you to wait for the appointment. This interim routing does not limit your right to contact your supervisory authority directly, as described in the Complaints section, and does not transfer or dilute any of our obligations under the GDPR or UK GDPR.
4. What we process, why, the legal basis, retention, and recipients
The table below sets out, for each category of Personal Data we process as Controller, the purpose, the legal basis under Article 6 (and Article 9 where special-category data is engaged), the retention period or the criteria we use to determine it, and the categories of recipients. The sub-sections after the table add explanation where it is useful, and a consolidated retention schedule appears in the Retention section.
| Category | Purpose | Legal basis | Retention | Recipients |
|---|---|---|---|---|
| Account and billing data (name, business name, email address, billing address, payment-method metadata processed by our payment processor) | Provide the Services to you and the Customer; bill; meet tax and accounting obligations | Article 6(1)(b) performance of a contract; Article 6(1)(c) legal obligation for tax and accounting records | Duration of the contract, then up to seven years for tax and accounting records | Our payment processor, Stripe; our accounting and email delivery providers; tax authorities where the law requires |
| Service data (call audio, transcripts, messages, contacts, configuration and prompt data) | Provide the Services; improve quality and safety where the Customer authorises it; secure the Services and prevent abuse | Article 6(1)(b) performance of a contract; Article 6(1)(f) legitimate interests, namely securing the Services and preventing abuse | A default of 90 days, Customer-configurable, deleted on Customer instruction or on termination of the contract | Our cloud infrastructure providers; our telephony provider; our real-time voice infrastructure provider; our speech and language AI providers, each bound by a data processing agreement |
| Technical data (IP address, device and browser identifiers, operating system, request and security logs) | Deliver the Services securely; detect and prevent fraud and abuse; diagnose faults | Article 6(1)(f) legitimate interests, namely network and information security and the detection and prevention of fraud and abuse | Up to 90 days for security logs; up to 24 months for aggregated analytics | Our cloud infrastructure providers; our security and error-monitoring providers; our anti-fraud provider |
| Website and analytics data (cookies, session data, marketing identifiers) | Measure and improve the Services; deliver marketing where you consent | Article 6(1)(a) consent, given through our cookie banner | As set out in our Cookie Policy | The analytics, session-replay, and advertising providers named in our Cookie Policy |
| Marketing and communications data (email address, contact preferences, engagement data) | Send service messages, and, where you opt in, marketing about the Services | Article 6(1)(f) legitimate interests for service messages; Article 6(1)(a) consent for marketing, given on an opt-in basis and never bundled into account creation | Until you unsubscribe or object, then suppression-list data kept to honour your choice | Our email delivery and marketing providers |
| Communications you send us (support requests, sales enquiries) | Respond to and resolve your communication | Article 6(1)(b) where it relates to a contract; Article 6(1)(f) legitimate interests, namely responding to and managing enquiries, otherwise | Up to 36 months from last contact | Our customer-support and email delivery providers |
4.1 Account and billing data
When a Customer creates an account, we process the identifying and contact details of the individuals who administer it, together with the billing details needed to take payment. Payment-card details are entered directly with our payment processor, Stripe, and we receive only payment-method metadata and transaction history, not full card numbers. Provision of this data is a contractual necessity, as explained in the section on whether you must provide Personal Data.
4.2 Service data and special-category data
Service data includes the audio and transcripts of calls handled through the Services, together with the contacts, messages, prompts, and configuration the Customer supplies. For this data the Customer is the Controller and we are the Customer's Processor, acting on the Customer's documented instructions under our Data Processing Addendum.
Calls may incidentally contain special-category data under Article 9, such as information about health or religious beliefs, that a speaker chooses to disclose, and a voice may constitute biometric data where it is processed to identify a person. We do not seek out special-category data, and we do not use any special-category data in call content for any independent purpose of our own. Where such data is present, the Customer is the Controller, is responsible for establishing an Article 9(2) condition (typically the explicit consent of the End User) and for giving any required notices, and instructs us to process that data solely to provide the Services. We do not process special-category data in the account, technical, or analytics data we hold as Controller, and we do not derive special-category inferences from that data.
4.3 Technical data and security processing
We process technical data, including IP address, device and browser identifiers, and request and security logs, to deliver the Services securely, to diagnose faults, and to detect and prevent fraud and abuse. We rely here on our legitimate interests under Article 6(1)(f), namely network and information security and the detection and prevention of fraud and abuse. We have weighed these interests against your interests and fundamental rights and consider that the processing is limited to what is necessary, is not unexpected for a business service of this kind, and is subject to the safeguards described in the Security section.
4.4 Your right to object to legitimate-interests processing
Where we rely on our legitimate interests under Article 6(1)(f), as shown in the table for service, technical, marketing, and certain communications data, you have the right to object to that processing at any time on grounds relating to your particular situation, and an unconditional right to object where the processing is for direct marketing. To object, contact privacy@getsmartalex.com. We set this right out separately here, in addition to the general list of rights below, so that it is brought clearly and specifically to your attention as Article 21(4) requires.
4.5 Recipients and our named subprocessors
The recipient categories in the table are the types of third party that may process Personal Data on our behalf or receive it for the purposes stated. We do not sell Personal Data, and we do not share it with third parties for their own marketing. A current list of the named subprocessors we engage, including the AI voice, telephony, and infrastructure providers, is maintained in our Subprocessor List and forms part of our Data Processing Addendum. We may also disclose Personal Data to professional advisers, to a buyer in connection with a corporate transaction subject to appropriate safeguards, and to courts, regulators, and law-enforcement authorities where we are legally required to do so or where disclosure is necessary to protect our rights, the Services, or the safety of any person.
5. Whether you must provide Personal Data
Providing account and billing information is necessary to enter into and perform the contract for the Services. If you do not provide it, we cannot create an account or deliver the Services. Technical data is generated automatically through your use of the Services rather than provided by you in a form you control, and it cannot be switched off without preventing the Services from functioning securely. There is no general statutory obligation on you to provide Personal Data to us, except that, once you are a Customer, we are required by tax and accounting law to retain certain billing records for the periods set out in the Retention section. Providing analytics and marketing data is optional and depends on the consent you give, or withhold, through our cookie banner and our marketing preferences, and declining it does not affect your ability to use the Services.
6. International transfers and safeguards
Personal Data may be processed in countries that include Singapore, the United States, and other jurisdictions where our subprocessors operate. Where Personal Data is transferred out of the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of protection, we rely on one or more of the following safeguards, together with the supplementary technical and organisational measures described below:
- Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, executed between SmartAlex and the receiving subprocessor (Module Two, controller to processor, and Module Three for onward transfers).
- The UK International Data Transfer Addendum to those Clauses, or the UK International Data Transfer Agreement, where the transfer involves UK Personal Data.
- The Swiss recognition of the Standard Contractual Clauses by the Federal Data Protection and Information Commissioner, with the amendments that authority requires, where the transfer involves Swiss Personal Data.
- An adequacy decision, where the European Commission, the UK Government, or the Swiss Federal Council has issued one in favour of the receiving country or framework.
The supplementary measures that accompany these safeguards include encryption of Personal Data in transit and at rest, strict access controls on a need-to-know basis, contractual commitments by each subprocessor to notify us of any legally binding request by a public authority for disclosure and to challenge it where lawful, and a transfer-impact assessment for each transfer that takes account of the law and practice of the destination country. A copy of the relevant safeguards, with commercial terms redacted, is available on request to privacy@getsmartalex.com under a confidentiality undertaking.
7. How we keep Personal Data secure
We maintain technical and organisational measures appropriate to the risk, taking into account the nature of the Services and the sensitivity of call audio and transcripts. These measures include encryption of data in transit and at rest, logical separation of each Customer's data in our multi-tenant environment, role-based access controls and the principle of least privilege, authentication and session controls for access to our systems, network and application security monitoring, regular patching and vulnerability management, and logging of access to and changes affecting Personal Data. Our infrastructure subprocessors maintain SOC 2 or ISO 27001 attestations, and we are working towards SOC 2 readiness for our own organisation. We operate an incident-response process and, where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals in accordance with Articles 33 and 34. Our process for receiving reports of security issues is described in our Vulnerability Disclosure Policy.
8. How long we keep Personal Data
We keep Personal Data only for as long as we need it for the purposes set out in this notice, and then delete it or anonymise it. The table below consolidates the retention periods and criteria that also appear against each category above. Where a fixed period cannot sensibly be set, we apply the criteria stated rather than keep the data indefinitely.
| Category | Retention period or criteria |
|---|---|
| Account data | For the duration of the contract, then deleted within a reasonable period after the account is closed, subject to the records we must keep for tax and accounting |
| Billing and transaction records | Up to seven years to meet tax and accounting obligations |
| Service data (call audio, transcripts, messages, contacts, configuration) | A default of 90 days, configurable by the Customer, and deleted on Customer instruction or on termination of the contract |
| Technical and security logs | Up to 90 days, with longer retention only where needed to investigate a specific security incident |
| Aggregated analytics | Up to 24 months in a form that limits identifiability |
| Website and cookie data | As set out in our Cookie Policy, by reference to each cookie's stated lifespan |
| Marketing and suppression data | Until you unsubscribe or object, after which limited suppression-list data is kept to ensure we continue to honour your choice |
| Support and enquiry communications | Up to 36 months from your last contact |
| Backups | Held for a limited rolling window and overwritten on the backup cycle, after which deleted data is purged from backups |
9. Your rights
Subject to the conditions in the GDPR and UK GDPR, you have the right to:
- access the Personal Data we hold about you, and obtain the information set out in Article 15;
- have inaccurate Personal Data rectified and incomplete data completed (Article 16);
- have your Personal Data erased where one of the grounds in Article 17 applies;
- obtain a restriction of processing in the circumstances set out in Article 18;
- receive the Personal Data you have provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible (Article 20);
- object to processing carried out on the basis of our legitimate interests, and to object at any time to processing for direct marketing (Article 21);
- not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (Article 22); and
- withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal (Article 7(3)).
To exercise any of these rights, follow our Data Subject Access Request Procedure or write to privacy@getsmartalex.com. We may need to verify your identity before we act, in order to protect your data, and we will ask only for the information reasonably necessary to do so. We do not charge a fee for a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, and we will tell you why. We respond within one month of a verifiable request (Article 12(3)), extendable by up to two further months where requests are complex or numerous, in which case we will tell you within the first month and explain the reason for the delay.
Where the Personal Data relates to call content or contacts for which the Customer is the Controller, the Customer is the appropriate first point of contact, and we will assist that Customer to respond and will route your request to them. Exercising these rights is free of, and separate from, any contractual remedy, and using them never routes you into commercial arbitration.
10. Automated decision-making and profiling
For the processing where SmartAlex is the Controller, we do not make decisions based solely on automated processing that produce legal effects concerning you or that similarly significantly affect you within the meaning of Article 22.
As part of securing the Services and preventing fraud and abuse, we apply automated checks to technical data, for example device and network signals at signup and in use, that may amount to profiling under Article 4(4). The logic is straightforward: we score signals associated with known fraud and abuse patterns, and we may slow down, challenge, or block a request that scores as high risk. A human reviews any decision that would materially affect access to the Services, so no such decision is taken solely by automated means, and you may contact privacy@getsmartalex.com to ask about this processing, to express your point of view, or to object to it.
The AI outputs of the Platform, such as a voice agent's responses during a call, are produced by the system the Customer configures and operates. Decisions a Customer takes using the Services are the Customer's decisions, for which the Customer is responsible, including the decision to make or receive calls, the content of prompts, and any action taken on the outcome of a call. The Customer is responsible for telling End Users clearly and unconditionally when they are interacting with an AI system, as required by applicable AI-transparency law, and our AI Usage Policy sets out the obligations that apply to that use.
11. Where we did not obtain your Personal Data from you
This section addresses Article 14, which applies where we process Personal Data about you that we did not obtain directly from you. This is typically the case for an End User whom a Customer's voice agent calls, or who calls a Customer's line, because the Personal Data reaches us through the Customer and through the call itself rather than from a form you completed with us.
Where we obtain your Personal Data from a source other than you, the categories we process are your phone number and caller identifier, the audio recording and transcript of the call, and the associated call metadata, such as the time, duration, and outcome of the call. The source of that data is the SmartAlex Customer that operates the telephone line or voice agent you contacted, and the call itself as it is carried over the telephone network. Where any such data originates from a publicly accessible source, we will tell you on request.
For this call content, the Customer is the Controller and is the appropriate first point of contact for an Article 14 enquiry, including for information about the Customer's own purposes and legal basis. We act as the Customer's Processor for that content, we will route any Article 14 request we receive to the relevant Customer, and we will assist them in fulfilling it. You may also contact us at privacy@getsmartalex.com, and you retain all the rights set out in the Your rights section in relation to the processing for which we are the Controller.
12. Children's data
The Services are a business tool offered to organisations and are not directed at children. We do not knowingly process the Personal Data of a child in our capacity as Controller for the purpose of offering an information society service directly to that child. Where a Customer's use of the Services involves Personal Data of a child, the Customer is the Controller and is responsible for the lawful basis, including any age threshold and parental consent that applies under Article 8 as implemented in the relevant Member State or the United Kingdom.
13. Complaints
You have the right to lodge a complaint with the supervisory authority of the EU Member State, the United Kingdom, or Switzerland in which you reside or work, or in which the alleged infringement took place (Article 77). Because we have no establishment in the Union, there is no single lead supervisory authority under the one-stop-shop, so you may approach your local authority. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. The United Kingdom authority is the Information Commissioner's Office at ico.org.uk. The Swiss authority is the Federal Data Protection and Information Commissioner at edoeb.admin.ch. We ask that you give us the opportunity to address your concern first by contacting privacy@getsmartalex.com, but this is a request and not a condition of your right to complain. Exercising your statutory rights is separate from, and not affected by, any arbitration provisions in our commercial agreements, which apply only to commercial disputes between us and a Customer.
14. Changes to this notice and how to reach us
We update this notice as our processing evolves and as EU, UK, or Swiss authorities issue guidance. We will publish the names and contact details of our Article 27 representatives in this notice as soon as they are appointed. Material changes are notified to Customers through the SmartAlex platform, and the effective date below always reflects the current version. For any question about this notice, or to exercise a right, contact our privacy function at privacy@getsmartalex.com.
This GDPR Article 13 and 14 Notice is version 1.1 and is effective from 1 June 2026.