Privacy Policy
Learn how Smart Asset Management protects your privacy and handles your personal data.
Last updated: 4 April 2026
1. Information We Collect
When you use Smart Asset Management (SAM), we may collect the following types of information:
- Account Information: Name, email address, and profile information when you create an account
- Usage Data: Information about how you use our application, including features accessed and actions performed
- Technical Data: IP address, browser type, device information, and operating system
- Communication Data: Messages you send through our contact forms or support channels
2. How We Use Your Information
We use the collected information for the following purposes:
- To provide and maintain our services
- To authenticate your identity and manage your account
- To improve our application and user experience
- To respond to your inquiries and provide customer support
- To send important updates about our services
- To detect and prevent fraud or security issues
3. Legal Basis for Processing (GDPR Article 6)
Under the UK GDPR, we must have a lawful basis for processing your personal data. The list below sets out each processing purpose and the legal basis we rely on:
- Account creation & authentication: Contract performance (Art. 6(1)(b)) — necessary to provide you with the service you signed up for.
- Subscription billing & payment processing: Contract performance (Art. 6(1)(b)) — necessary to fulfil your subscription agreement.
- Customer support & communications: Contract performance (Art. 6(1)(b)) — necessary to respond to your requests and manage your account.
- Service improvement & analytics: Legitimate interests (Art. 6(1)(f)) — our legitimate interest in understanding usage patterns and improving our products. You can opt out of analytics cookies via the cookie consent banner.
- Security & fraud prevention: Legitimate interests (Art. 6(1)(f)) — our legitimate interest in protecting our service and users from fraud and abuse.
- Marketing emails & newsletters: Consent (Art. 6(1)(a)) — only sent with your explicit opt-in consent. You can withdraw consent at any time via Account Settings or the unsubscribe link.
- Financial record-keeping: Legal obligation (Art. 6(1)(c)) — required to comply with UK tax and accounting regulations (7-year retention).
- Responding to legal requests: Legal obligation (Art. 6(1)(c)) — necessary to comply with court orders or regulatory requirements.
4. Data Sharing & Third Parties
We do not sell, trade, or rent your personal information to third parties. We may share information in the following limited circumstances:
- Service Providers: Trusted third-party services that help us operate our platform
- Legal Requirements: When required by law, regulation, or legal process
- Security: To protect our rights, privacy, safety, or property
- Business Transfers: In connection with a merger, sale, or transfer of assets
5. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access (Article 15): You can request a copy of all personal data we hold about you. Use the data export feature in your Account Settings to download your data instantly.
- Right to Rectification (Article 16): You can request correction of inaccurate or incomplete personal data through your Account Settings or by contacting us.
- Right to Erasure (Article 17): You can request deletion of your personal data. Use the account deletion feature in Account Settings or contact us. We will erase your data within 30 days unless we have a legal obligation to retain it.
- Right to Restriction (Article 18): You can request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of your data.
- Right to Data Portability (Article 20): You can request your data in a structured, commonly used, machine-readable format (JSON). Use the data export feature in Account Settings.
- Right to Object (Article 21): You can object to processing of your personal data for direct marketing purposes. Unsubscribe from newsletters via Account Settings at any time.
To exercise any of these rights, use the self-service features in your Account Settings or email us at privacy@getsam.app. We will respond within 30 days.
6. Cookies & Tracking
We use essential cookies for authentication (powered by Supabase) and analytics cookies via Vercel Analytics to understand usage patterns. We do not use advertising or third-party tracking cookies.
- Essential Cookies: Required for authentication and session management. These cannot be disabled without breaking core functionality.
- Analytics (Vercel Analytics): Privacy-friendly, anonymised web analytics with no cross-site tracking. See Vercel’s privacy policy at vercel.com/legal/privacy-policy for details.
You can control cookie preferences through the cookie consent banner shown on your first visit or through your browser settings. Rejecting analytics cookies will not affect website functionality.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Subscription & Billing Data: Retained for 7 years after subscription ends to comply with UK financial record-keeping regulations.
- Usage & Analytics Data: Anonymised after 12 months. Aggregated statistics may be retained indefinitely.
- Support Communications: Retained for 2 years after last contact to provide continuity of support.
- Device Identifiers: Cleared immediately upon account deletion or device removal from your account.
8. International Data Transfers
Some of our service providers are based outside the United Kingdom. When your data is transferred internationally, we ensure appropriate safeguards are in place:
- Supabase (Database & Authentication): Data may be processed in the United States. Supabase complies with SOC 2 Type II and implements appropriate technical and organisational measures. Transfers are covered by Standard Contractual Clauses (SCCs).
- Vercel (Website Hosting & Analytics): Data may be processed in the United States and edge locations globally. Vercel complies with SOC 2 Type II. Analytics data is anonymised and aggregated. Transfers are covered by SCCs.
- Stripe (Payment Processing): Payment data is processed by Stripe, Inc. (US) and Stripe Payments Europe, Ltd. (Ireland). Stripe is PCI DSS Level 1 certified and complies with UK GDPR via SCCs and its Binding Corporate Rules.
We only transfer personal data to countries or organisations that provide an adequate level of protection or where appropriate safeguards (such as Standard Contractual Clauses approved by the UK ICO) are in place.
9. Sub-Processors
We use the following third-party sub-processors to help deliver our service. Each has been vetted for GDPR compliance:
- Supabase, Inc.: Database hosting, user authentication, and file storage. Location: United States. Privacy policy: supabase.com/privacy.
- Vercel, Inc.: Website hosting, CDN, and privacy-friendly web analytics. Location: United States (global edge network). Privacy policy: vercel.com/legal/privacy-policy.
- Stripe, Inc.: Payment processing, subscription billing, and invoicing. Location: United States / Ireland. Privacy policy: stripe.com/privacy.
We will update this list if we add new sub-processors. Material changes to sub-processors will be communicated via email to account holders.
10. Data Protection Contact
For any data protection queries, concerns, or to exercise your GDPR rights, contact our data protection team:
Email: privacy@getsam.app. We aim to respond to all data protection requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
11. Children’s Privacy
Our services are not intended for children under the age of 16 in the EU or 13 in the UK. We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you are unsatisfied with our response:
- Email: privacy@getsam.app
- Contact Form: Get in touch
We will respond to privacy-related inquiries within 30 days of receipt.