SmartAlex Privacy Policy
1. About this policy
This Privacy Policy explains how THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D), trading as SmartAlex (SmartAlex, we, us, or our), collects, uses, shares, and protects Personal Data when you use our platform, websites, applications, and APIs (together, the Services).
SmartAlex is a multi-tenant business-to-business platform. Our business customers configure AI voice agents that place and receive telephone calls, run outbound campaigns, manage contacts, and view analytics. The platform records and transcribes calls, processes the resulting audio and transcripts with speech and language AI, and bills by subscription. This policy describes our practices as a business that processes Personal Data both for our own purposes and on behalf of our customers.
This policy is governed by the laws of Singapore, without prejudice to any mandatory rights you have under the GDPR, POPIA, or other applicable data-protection law. Where you are a Customer, this policy operates alongside our Terms of Service and, for Personal Data we process on your behalf, our Data Processing Addendum. Where this policy conflicts with a separately signed agreement between you and us, that signed agreement prevails for the Personal Data it covers.
Please read this policy together with the linked documents referenced throughout, which form part of how we describe our data practices: our Cookie Policy, our Subprocessor List, our Telephony and Call Recording Notice, our AI Usage Policy, and the regional notices for the EEA and United Kingdom, California, and South Africa.
2. Definitions
The following defined terms are used throughout this policy. We introduce each term in bold on first use and then use it with an initial capital.
- SmartAlex, we, us, or our means THERCSGROUP PTE. LTD., trading as SmartAlex.
- Services or Platform means the SmartAlex platform, websites, applications, and APIs, and all features made available through them.
- Customer or, where this policy addresses a Customer, you, means the business that contracts for the Services.
- End User means an individual a Customer interacts with through the Services, such as a call recipient, a person whose contact details a Customer uploads, or a person who speaks with a Customer's AI voice agent.
- Customer Data means data a Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, transcripts, contacts, messages, and the configuration the Customer creates.
- Personal Data means information relating to an identified or identifiable individual. It includes personal information under the PDPA and POPIA and personal data under the GDPR.
- Special-category data means the categories of data described in Article 9 GDPR and the special personal information described in sections 26 and 27 POPIA, including data revealing health, racial or ethnic origin, religious or philosophical beliefs, and biometric data used to identify an individual.
- Subprocessor means a third party we engage to process Personal Data in connection with the Services.
- Controller means the party that, alone or jointly, determines the purposes and means of processing Personal Data. The equivalent term under POPIA is responsible party.
- Processor means a party that processes Personal Data on behalf of, and on the instructions of, a Controller. The equivalent term under POPIA is operator.
- Process or processing means any operation performed on Personal Data, whether or not by automated means, including collecting, recording, storing, transcribing, analysing, using, disclosing, and deleting it.
- PDPA means the Personal Data Protection Act 2012 of Singapore. GDPR means the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR as it forms part of UK law. POPIA means the Protection of Personal Information Act 2013 of South Africa.
3. Scope and the laws that apply
This policy applies to users of the SmartAlex platform and APIs, visitors to our websites, recipients of our communications, and our business customers, partners, and resellers. It is written to meet the requirements of, among others:
- the PDPA of Singapore;
- the EU and UK GDPR, where we process the Personal Data of individuals in the EEA or the United Kingdom in connection with offering the Services or monitoring behaviour;
- POPIA, where we process the Personal Data of data subjects in South Africa;
- United States state privacy laws, including the California Consumer Privacy Act as amended (the CCPA), addressed in our California Privacy Notice; and
- other data-protection and privacy laws applicable to the Services from time to time.
This policy does not override the more specific notices we provide for particular regions. Our GDPR Article 13 Notice, POPIA Notice, and California Privacy Notice give region-specific detail. Where a particular regime gives you stronger rights than this policy describes, that regime prevails for the Personal Data and individuals it protects.
4. The principles we apply
Wherever we process Personal Data as a Controller, we apply the data-protection principles that are common to the laws listed above. We:
- process Personal Data lawfully, fairly, and in a transparent way, and only for the purposes described in this policy or a more specific notice;
- collect only the Personal Data we need for those purposes, and do not use it in a way that is incompatible with them without a further notice or, where required, your consent;
- take reasonable steps to keep Personal Data accurate and up to date, and to correct or delete inaccurate data;
- keep Personal Data only for as long as we need it, as described in Data retention, below;
- protect Personal Data with appropriate security measures, as described in Data security, below; and
- remain accountable for our processing and can demonstrate how we meet these principles.
Where we act as a Processor for a Customer, the Customer remains responsible for these principles in relation to its Customer Data, and we support the Customer in meeting them under our Data Processing Addendum.
5. Our role: controller and processor
SmartAlex acts in two distinct roles, and the role determines who is responsible for the Personal Data in question. The same individual may be the subject of data in both roles at different points.
- For call content and contact data that a Customer processes through the Services (call audio, transcripts, messages, contacts, and the configuration the Customer creates), the Customer is the Controller (in POPIA terms, the responsible party) and SmartAlex is the Customer's Processor (operator). We process that data only on the Customer's documented instructions, as set out in our Data Processing Addendum.
- For account, billing, security, and product-analytics data that we collect to run our business and operate the Services, SmartAlex is an independent Controller, and this policy is our notice to you about that processing.
5.1 If you are a Customer
When you use the Services to call, message, or otherwise process the data of your own End Users, you are the Controller of that Customer Data and you decide why and how it is processed. You are responsible for having a lawful basis for that processing, for giving your End Users the notices the law requires, and for honouring their rights. We support you in meeting those responsibilities, but we do not assume them on your behalf.
5.2 If you are an End User
Where your data was provided to us by a Customer, for example because that Customer called you using the Services or uploaded your contact details, the Customer is the Controller of that data and decides how it is used. For questions about how a Customer uses your data, or to exercise your rights in relation to it, please contact that Customer and refer to its own privacy notice. We will assist the Customer in responding to your request, as described in Your rights, below. Our role as Processor is governed by our Data Processing Addendum.
6. Personal Data we collect
We collect the data needed to provide, secure, and improve the Services. The categories below note their source, which for End User data is usually indirect, through a Customer. We do not collect more than we need for the purposes described in How we use Personal Data, below.
6.1 Account and billing data
- name, business name, job title, and contact details, provided by you;
- account credentials and authentication data, generated when you register, and records of your role and permissions within a tenant;
- billing contact details, payment-method metadata, and transaction history, processed through our payment processor, Stripe. We do not store full card numbers.
6.2 Service data
- call audio recordings, call transcripts, messages, and interaction logs processed through the Services. For Customer calls, this data relates to the Customer's End Users and is collected indirectly through the Customer;
- configuration data you create, such as knowledge bases, prompts, scripts, contact lists, campaign settings, and agent configuration;
- technical and usage data such as IP address, device and browser identifiers, operating system, log files, and a record of the actions taken in your account.
6.3 Website and analytics data
- cookies, session data, and analytics about how you use our websites and product, set in line with your consent for non-essential cookies;
- traffic patterns, referring URLs, and browsing behaviour.
See our Cookie Policy for the full list of cookies and tracking technologies and to manage your preferences. Non-essential and marketing cookies are only set with your prior consent.
6.4 Communications data
- emails, support requests, chat messages, and other communications you exchange with our teams, and our records of those exchanges, including any recordings or notes of support calls.
6.5 Data we do not deliberately collect
We do not ask you to provide special-category data to operate your account, and we do not require government identifiers to use the Services. We do not knowingly collect the Personal Data of children, as described in Children's privacy, below. Where special-category data nonetheless arises in call content, we handle it as described next.
6.6 Special-category and biometric data
Call audio recordings and transcripts processed through the Services may contain special-category Personal Data within the meaning of Article 9 GDPR and special personal information under sections 26 and 27 POPIA, for example data revealing health, religion, or ethnicity that an individual mentions on a call. Depending on how a Customer configures the Services, voice data may also constitute biometric data where it is used to identify an individual.
SmartAlex processes this data only on the Customer's instructions and does not itself use voice data to identify individuals. Where this data is processed, the lawful condition is the relevant individual's explicit consent (Article 9(2)(a) GDPR; section 27 POPIA). The Customer, acting as Controller, is responsible for establishing that lawful condition, typically by obtaining explicit consent, and for giving End Users any call-recording and AI-interaction notices required by law. See also Special-category responsibilities in our Data Processing Addendum and our Telephony and Call Recording Notice.
6.7 Sources of data
We obtain Personal Data from the sources below. Where data about an End User is collected indirectly, the Customer is the Controller and is responsible for the lawfulness of providing it to us.
| Category | Typical source |
|---|---|
| Account and billing data | You, directly, when you register, configure your account, and pay. |
| Call audio, transcripts, and messages | Generated through use of the Services. End User content is collected indirectly through the Customer and from the End User during a call. |
| Contacts and configuration data | You, directly, by uploading or creating it in the Platform. |
| Technical and usage data | Automatically, from your device and browser and from our systems and Subprocessors. |
| Website and analytics data | Automatically, through cookies and similar technologies, with your consent for non-essential cookies. |
| Enrichment data, where you enable enrichment features | Public sources and third-party providers, as described in our Subprocessor List. |
7. How we use Personal Data and our lawful bases
Where we act as a Controller, we process Personal Data for the purposes below. Each purpose is matched to its lawful basis under Article 6(1) GDPR (and equivalent grounds under the PDPA and POPIA). Where we act as a Processor for Customer Data, we process it only on the Customer's instructions and the Customer is responsible for the lawful basis.
| Purpose | Lawful basis |
|---|---|
| Provide and maintain the Services, authenticate users, manage accounts, and provide support | Performance of a contract (Article 6(1)(b)) |
| Process payments, prevent and detect fraud, and secure the platform | Legitimate interests in running a secure, viable service (Article 6(1)(f)) and, for fraud and financial-record obligations, legal obligation (Article 6(1)(c)) |
| Deliver call routing, transcription, qualification, and AI voice functionality on the Customer's instructions | Performance of a contract with the Customer (Article 6(1)(b)); the Customer is responsible for the lawful basis and any Article 9 condition for its End Users |
| Comply with legal, tax, and regulatory requirements and respond to lawful requests | Legal obligation (Article 6(1)(c)) |
| Improve performance, quality, reliability, and product analytics | Legitimate interests in improving the Services (Article 6(1)(f)), or consent where required for non-essential analytics (Article 6(1)(a)) |
| Send service updates and security alerts | Performance of a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f)); these are not marketing and cannot be opted out of while you hold an account |
| Send marketing communications | Consent (Article 6(1)(a)), or legitimate interests for similar products to existing customers with a clear right to object (Article 6(1)(f)) |
| Establish, exercise, or defend legal claims and enforce our agreements | Legitimate interests in protecting our rights (Article 6(1)(f)) and, where applicable, legal obligation (Article 6(1)(c)) |
| Participate in optional AI model training | Explicit, opt-in consent (Article 6(1)(a)); see AI data and model training, below |
7.1 Our legitimate interests
Where we rely on legitimate interests, we have weighed those interests against your interests, rights, and freedoms, and we only rely on this basis where it is not overridden by them. Our legitimate interests include keeping the Services secure and available, preventing fraud and abuse, understanding and improving how the Services are used, managing our relationship with Customers, and growing our business responsibly. You may ask for details of a particular balancing assessment, and you may object to processing based on legitimate interests as described in Your rights, below.
7.2 Consent
Where we rely on consent, for example for non-essential cookies, certain analytics, marketing where the law requires opt-in, or optional AI model training, you may withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, and it does not affect processing we carry out on another lawful basis.
7.3 Compatible further use
If we plan to use your Personal Data for a new purpose that is not compatible with the purpose for which it was collected, we will provide you with a further notice and, where the law requires, obtain your consent before doing so.
7.4 Aggregated and de-identified data
We may create aggregated or de-identified data from the Personal Data we hold, for example statistics about how the Services perform, the volume of calls handled, or usage trends. Once data has been aggregated or de-identified so that it can no longer reasonably be associated with an individual, it is no longer Personal Data, and we may use it to operate, analyse, secure, and improve the Services and to produce benchmarks and reports. We do not attempt to re-identify de-identified data, and we maintain it in de-identified form. Where we act as a Processor, we only create aggregated or de-identified data from Customer Data in line with the Customer's instructions and our Data Processing Addendum.
8. Automated decision-making and profiling
SmartAlex does not make decisions producing legal effects, or similarly significant effects, on End Users based solely on automated processing within the meaning of Article 22 GDPR.
The Services use AI to handle, route, transcribe, qualify, and analyse calls under the Customer's control. The logic involves applying the call-handling rules, prompts, and scoring criteria the Customer configures to the content of a call. Any decision that has a significant effect on an individual, for example whether to offer a product or take an action following a call, is taken by the Customer, with human involvement, and is the Customer's responsibility. If a Customer chooses to use the Services to make solely-automated significant decisions, the Customer is responsible for meeting the Article 22 conditions, including giving affected individuals the right to obtain human intervention, to express their view, and to contest the decision.
End Users must be told, clearly and unconditionally, when they are interacting with an AI system rather than a person. The Customer is responsible for enabling and permitting that disclosure in its configuration of the Services. More detail on our AI practices, including the limits we place on AI use, is in our AI Usage Policy.
9. Whether you must provide data
Providing account and billing data is necessary to enter into and perform our contract with you. Without it we cannot provide the Services or maintain your account. Some data is required to meet a legal obligation, for example records we must keep for tax and accounting purposes. Other data is voluntary: optional analytics participation and AI-training participation are entirely optional, and declining them will not affect your core access to the Services. Where data is voluntary, we will tell you so at the point of collection, and declining to provide it will not have adverse consequences for your use of the Services beyond the unavailability of the optional feature concerned.
10. Sharing and disclosure
We share Personal Data only where needed to run the Services, and only with recipients bound by confidentiality and data-protection obligations. We do not sell or rent Personal Data, and we do not share it for cross-context behavioural advertising. Our practices for United States state laws that use those concepts are described in our California Privacy Notice.
10.1 Categories of recipient
- Subprocessors that provide our cloud infrastructure (hosting, database, storage, and content delivery), our telephony connectivity, our real-time voice infrastructure, and our speech and language AI (speech-to-text, text-to-speech, and language-model processing), strictly to operate the Services;
- our payment processor, Stripe, to process payments and manage subscriptions;
- our email delivery provider, to send transactional and account communications;
- analytics and advertising partners, set only with your consent through cookies and described in our Cookie Policy;
- professional advisers, such as auditors, accountants, insurers, and lawyers, under appropriate confidentiality terms;
- parties to a merger, acquisition, financing, or sale of assets, under appropriate confidentiality terms, in which case we will require the recipient to honour this policy or notify you of any material change; and
- courts, regulators, and law-enforcement or government authorities, where we are legally required to disclose or where disclosure is necessary to establish, exercise, or defend legal claims or to protect our rights, our users, or the public.
10.2 Our Subprocessor List
A current list of our Subprocessors, including our cloud, telephony, real-time voice, and speech and language AI providers, with the data they process and the safeguards that apply, is maintained in our Subprocessor List and is updated when our Subprocessors change. To subscribe to notifications of changes, email privacy@getsmartalex.com. Each Subprocessor is engaged under a written contract that imposes data-protection obligations no less protective than those in our own agreements, as required by Article 28 GDPR and section 21 POPIA.
10.3 Government and legal requests
We disclose Personal Data to public authorities only where we are legally compelled to do so or where disclosure is otherwise permitted by law. Where we may lawfully do so, and unless legally prohibited, we will give a Customer notice of a request that concerns its Customer Data so it can seek to challenge or limit the request. We assess each request for validity and scope and disclose only what we are required to disclose.
11. API and AI platform integrations (MCP)
SmartAlex provides an API and a Model Context Protocol (MCP) server that lets third-party AI platforms you choose, such as Claude or ChatGPT, act on your SmartAlex account on your behalf. When you connect such a platform:
- Authentication. You explicitly authorise the connection using OAuth 2.0. The AI platform receives a scoped access token. It cannot access your account without your approval.
- Data accessed. The AI platform can read and manage the same data you can access in SmartAlex (contacts, agents, campaigns, calls, deals, and webhooks), scoped to your tenant.
- No additional storage. The MCP server is stateless. It does not store, log, or cache your data beyond what is needed to process each request. Your data remains in your SmartAlex account.
- Data sent to AI platforms. The platform sends your natural-language requests to our MCP server, which returns the requested data. Internal fields, such as tenant IDs, provider IDs, and system metadata, are stripped before any data is returned.
- Third-party policies. Data returned to an AI platform is then subject to that platform's own privacy policy and data-handling practices. Please review the privacy policy of any AI platform you connect.
- Revoking access. You can disconnect an AI platform at any time from your account settings or from the platform itself. Revoking access immediately invalidates the access token.
12. Data storage and international transfers
12.1 Where data is stored
Customer Data is primarily stored on our cloud infrastructure, with replication across secure regions for redundancy and performance. Some of our Subprocessors are located in, or replicate data to, the United States and the European Union. Our primary hosting region is set out in our Subprocessor List.
12.2 Cross-border transfers and safeguards
Because SmartAlex and its Subprocessors operate internationally, Personal Data may be transferred to and processed in countries outside the one in which you are located, including countries that have not received an adequacy decision. Where we transfer Personal Data out of the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards:
- the European Commission's Standard Contractual Clauses (Module Two, controller to processor, and Module Three for onward transfers) for transfers from the EEA;
- the UK International Data Transfer Addendum, or the Addendum to the Standard Contractual Clauses, for transfers from the United Kingdom;
- the Swiss addendum for transfers from Switzerland; and
- for transfers from South Africa, the conditions in section 72 POPIA.
These transfer mechanisms are supported by supplementary measures, including encryption in transit and at rest, strict access controls, and a transfer-impact assessment where the circumstances require one. You may obtain a copy of the relevant safeguards by emailing privacy@getsmartalex.com.
12.3 Onward transfers and assessment
Where a Subprocessor engages a further party to process Personal Data on our behalf, we require that the same level of protection follows the data through the chain, using Module Three of the Standard Contractual Clauses or an equivalent mechanism for onward transfers. Before relying on a transfer mechanism, we assess the laws and practices of the destination country that may affect the protection of the data, taking into account the categories of data, the recipients, and the safeguards in place. Where an assessment shows that a mechanism alone would not provide adequate protection, we apply additional measures or do not make the transfer. We keep these assessments under review and update them when the circumstances change.
13. Data retention
We keep Personal Data only for as long as needed for the purpose for which it was collected, to comply with legal obligations, or to establish, exercise, or defend legal claims. Unless the law requires otherwise, we apply the periods and criteria below. Where we act as a Processor, a Customer may set a shorter period for its own Customer Data.
| Category | Retention period or criteria |
|---|---|
| Account data | For the life of the account, then deleted or anonymised within 90 days after termination. |
| Call recordings and transcripts | A default of 90 days, Customer-configurable. A Customer may set a different period for its own Customer Data, and you may request earlier deletion. |
| Contact data and configuration data (knowledge bases, prompts, scripts) | For the life of the account, then deleted or anonymised within 90 days after termination, unless you delete it earlier. |
| Billing and transaction records | For as long as required by tax and accounting law, generally up to 7 years. |
| Support and communications data | For the life of the account plus a reasonable period to handle follow-up queries and disputes, generally up to 24 months. |
| Marketing and consent records | Until you opt out or withdraw consent, plus a short period to evidence that opt-out or consent. |
| Security, audit, and access logs | Generally up to 12 months, or longer where needed to investigate an incident or to meet a legal obligation. |
| Website analytics and cookie data | For the lifetime set out in our Cookie Policy, after which it expires or is deleted. |
| Backups and log data | Up to 180 days in secure archival systems, after which it is permanently removed on the normal backup cycle. |
Where a fixed period is not stated above, we determine how long to keep Personal Data by reference to the criteria in the opening paragraph of this section: how long we need the data for the purpose it was collected, whether a law requires us to keep it, and whether we may need it to establish, exercise, or defend a legal claim. When the applicable period ends, we delete the data or anonymise it.
When you close your account, we securely delete or anonymise your Personal Data in line with the periods above. Backups may persist for audit and compliance purposes but are automatically purged within the cycle stated above. Where we anonymise data so that it can no longer be associated with you, we may retain and use that anonymised data without further notice to you.
14. Cookies and tracking technologies
We use cookies and similar technologies to authenticate sessions and enhance security, measure website usage and improve content, and, with your consent, deliver and measure marketing through approved partners. Non-essential and marketing cookies are only set with your prior consent, which you can give, refuse, or change through our consent banner. You can also manage or delete cookies through your browser, though disabling essential cookies may affect functionality. For the full list and to manage preferences, see our Cookie Policy.
15. AI data and model training
We do not use Customer Data to train AI models unless you explicitly opt in. Where you opt in, we de-identify and aggregate the data using industry-standard techniques before use, and you may withdraw your consent at any time. Our speech and language AI Subprocessors are contractually bound not to use data processed through the Services to train their own models, as set out in our Subprocessor List and our AI Usage Policy. The limits we place on AI use, including human oversight and accuracy measures, are described in that policy.
16. Data security
We use administrative, technical, and physical safeguards consistent with recognised industry standards to protect Personal Data against unauthorised access, alteration, disclosure, loss, or destruction. We design these measures with reference to the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to individuals. The measures we apply, as appropriate to the risk, are summarised below.
| Area | Measures |
|---|---|
| Encryption | Encryption of Personal Data in transit using current transport-layer security, and encryption at rest for stored data, including recordings, transcripts, and backups. |
| Access control | Role-based, least-privilege access; multi-factor authentication for administrative access; tenant isolation so one Customer cannot access another Customer's data; and periodic review of access rights. |
| Monitoring and resilience | Logging, monitoring, and alerting to detect and respond to unusual or unauthorised activity; redundancy across secure regions; and tested backup and recovery procedures. |
| Secure development | Secure software-development practices, code review, dependency and vulnerability management, and change-control processes for releases. |
| Organisational measures | Confidentiality obligations binding our staff and contractors, security and privacy training, a defined incident-response process, and Subprocessor due diligence and contractual controls. |
| Pseudonymisation and minimisation | Stripping of internal identifiers before data leaves the Platform where feasible, and de-identification or aggregation where the purpose can be met without identifying individuals. |
SmartAlex is working towards SOC 2 readiness, and our infrastructure Subprocessors maintain SOC 2 or ISO 27001 attestations. We do not currently hold our own SOC 2 or ISO 27001 certification, and we do not imply that we do. More detail is in our Trust and Security Overview and our Vulnerability Disclosure Policy. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; we encourage you to use strong, unique credentials, to enable multi-factor authentication, and to keep your credentials confidential.
16.1 Personal-data breaches
Where a personal-data breach occurs, we will, where required, notify the relevant supervisory authority (for example, within 72 hours under Article 33 GDPR) and notify affected individuals without undue delay, in accordance with applicable breach-notification laws, including section 22 POPIA and the PDPA. Where we act as a Processor, we notify the affected Customer without undue delay after becoming aware of a breach so that it can meet its own notification obligations, and we provide the information reasonably available to us to support that Customer's response.
17. Your rights
Depending on where you are and the law that applies, you may have the right to:
- access the Personal Data we hold about you and obtain information about how we process it;
- have inaccurate Personal Data corrected and incomplete data completed;
- have your Personal Data deleted in certain circumstances;
- restrict or object to processing, including processing based on our legitimate interests;
- object to direct marketing at any time;
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable;
- receive your Personal Data in a portable format and have it transmitted to another controller; and
- withdraw consent at any time where we rely on consent, without affecting earlier processing.
17.1 How to exercise your rights
To exercise these rights, email privacy@getsmartalex.com. We will respond within the timeframes set by applicable law, generally within one month under the GDPR, and we may extend that period where the law allows for complex requests, telling you if we do. We may need to verify your identity before acting on a request, and we will only ask for the information necessary to do so. We do not charge a fee for handling a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, and we will explain why. Our full process for handling requests is described in our Data Subject Access Request Procedure.
17.2 Requests about Customer Data
If you are an End User and your data was provided to us by a Customer, we will, where appropriate, direct your request to that Customer, who is the Controller of that data, and assist the Customer in responding. We cannot grant a request in a way that would breach our obligations to a Customer as its Processor.
17.3 Keeping your data accurate
We rely on you to give us accurate information and to keep your account details up to date. Please tell us, or update your account, if your contact, billing, or other details change. Where you are a Customer, you are responsible for the accuracy of the contact data and configuration you upload or create, and for correcting it. If you ask us to correct data we hold as Controller, we will do so without undue delay where the correction is justified, and we will, where required and feasible, inform recipients to whom we have disclosed the data of the correction.
17.4 Complaints and redress
You also have the right to lodge a complaint with a supervisory authority. In Singapore, this is the Personal Data Protection Commission (PDPC). In South Africa, this is the Information Regulator (complaints.ir@inforegulator.org.za; JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001). In the EEA or the United Kingdom, you may complain to your national data-protection authority, which is usually the authority in the country where you live or work or where the issue arose. We ask that you contact us first so that we can try to resolve your concern. These statutory rights are separate from, and not affected by, any arbitration agreement in our Terms of Service, and we will never require you to arbitrate a statutory data-protection right.
18. Children's privacy
The Services are intended for business and professional use and are not directed to children. We do not knowingly collect Personal Data from anyone under the age of 18, and we do not intend to process children's data within the meaning of Article 8 GDPR or sections 34 and 35 POPIA. If we learn that we hold a child's data, we will delete it promptly. If you believe a child has provided us with Personal Data, contact privacy@getsmartalex.com.
19. Marketing communications
Where the law requires your consent, we will only send you marketing if you have opted in. Otherwise, we may send marketing about similar products to existing customers on a legitimate-interests basis. We do not treat account creation as agreement to receive marketing, and marketing consent is never bundled into signing up. You can opt out at any time using the unsubscribe link in any marketing message or by emailing privacy@getsmartalex.com. Opting out of marketing does not affect essential service or security notices, which we send while you hold an account on the basis described in How we use Personal Data, above.
20. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or the law. The current version is always available on our website, with the effective date below revised accordingly. Where a change is material, we will give you reasonable notice by an appropriate means, which may include email or a notice within the Services. Your continued use of the Services after an update takes effect constitutes acceptance of the updated policy, to the extent permitted by law. We keep prior versions and can provide an earlier version on request.
21. How to contact us
For any privacy or data-protection question, or to exercise your rights, please contact us. We operate a privacy function that performs the role of a data protection officer, oversees our compliance, and can be reached at privacy@getsmartalex.com.
THERCSGROUP PTE. LTD. (trading as SmartAlex)
160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914
Privacy and data protection: privacy@getsmartalex.com
Legal and compliance: legal@getsmartalex.com
Security and vulnerability reports: security@getsmartalex.com
We are appointing a representative under Article 27 GDPR for the EEA and the United Kingdom. Until that appointment is in place, please direct any matter that would otherwise go to our Article 27 representative to privacy@getsmartalex.com.
22. Version and effective date
This Privacy Policy is version 1.1 and is effective from 1 June 2026.