Our commitment to protecting your personal data.
Online Smarty Ltd (Company No. 11339653) is committed to protecting the privacy and security of personal data in accordance with the following legislation:
We take a "privacy by design and by default" approach, ensuring that data protection is considered at every stage of our business processes, from service design to delivery.
As a small business, we are not required under Article 37 of the UK GDPR to appoint a formal Data Protection Officer (DPO). However, we take data protection seriously and have designated a data protection lead who is responsible for overseeing compliance with data protection legislation.
For all data protection enquiries, please contact:
We process personal data in the following contexts:
| Processing Activity | Data Categories | Data Subjects |
|---|---|---|
| Website contact form submissions | Name, email, phone number, message content | Prospective clients, website visitors |
| Service delivery (SEO, GEO, web design, AI automations, e-commerce) | Contact details, project requirements, business information, login credentials (where provided) | Clients |
| Website analytics | Pseudonymised browsing data, IP address (anonymised), device and browser information | Website visitors |
| Email communications | Email address, name, correspondence content | Clients, prospective clients, partners |
| WhatsApp communications | Phone number, name, message content | Clients, prospective clients |
| Invoicing and accounting | Name, company name, address, payment details | Clients |
We rely on the following legal bases under Article 6 of the UK GDPR and EU GDPR:
We use the following sub-processors to deliver our services and operate our website. Each sub-processor has been assessed for GDPR compliance:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network, DDoS protection, DNS, and website security | United States (global CDN) | EU-U.S. Data Privacy Framework; Standard Contractual Clauses; GDPR page |
| Google LLC (Google Analytics) | Website analytics and usage reporting | United States | EU-U.S. Data Privacy Framework; Standard Contractual Clauses; IP anonymisation enabled; Google compliance |
| Zoho Corporation (Zoho Mail) | Business email hosting and processing | EU data centres (Netherlands) | GDPR compliant; EU data residency; Zoho GDPR |
| Web3Forms | Contact form submission handling and email delivery | United States | GDPR compliant; minimal data retention; Privacy Policy |
We maintain an up-to-date record of all sub-processors and their data processing activities. We will not engage a new sub-processor without first ensuring that appropriate data protection safeguards are in place.
In the event of a personal data breach, we will follow the procedures required under Articles 33 and 34 of the UK GDPR:
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, we will provide a reasoned justification for the delay.
The notification to the ICO will include:
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected individuals without undue delay, in clear and plain language, describing the nature of the breach and the steps they can take to protect themselves.
We maintain a record of all personal data breaches, regardless of whether they meet the threshold for notification, including the facts, effects, and remedial actions taken.
In accordance with Article 35 of the UK GDPR, we conduct Data Protection Impact Assessments (DPIAs) before commencing any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes:
Given the nature of our current processing activities (digital marketing services for business clients), we have assessed that our standard processing operations do not trigger the requirement for a DPIA. However, we review this assessment regularly and will conduct a DPIA if the nature of our processing changes.
Under the UK GDPR and EU GDPR, you have the following rights. To exercise any of these rights, please email us at [email protected] with the subject line "Data Protection Request".
| Right | Description | Response Time |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. | 1 month |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. | 1 month |
| Erasure (Art. 17) | Request deletion of your data where no compelling reason exists for continued processing. | 1 month |
| Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances. | 1 month |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format. | 1 month |
| Objection (Art. 21) | Object to processing based on legitimate interest or direct marketing. | 1 month |
| Withdraw consent | Withdraw consent at any time where consent is the legal basis for processing. | Immediate |
We will not charge a fee for responding to your request, unless the request is manifestly unfounded or excessive. In complex cases, we may extend the response period by a further two months, but we will inform you of any extension within the initial one-month period.
We may need to verify your identity before fulfilling your request. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO):
You have the right to lodge a complaint with the ICO at any time if you believe your data protection rights have been violated. However, we would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at [email protected].
If you are located in the European Economic Area, you may also lodge a complaint with your local Data Protection Authority. A full list of EU/EEA supervisory authorities is available on the European Data Protection Board (EDPB) website.
For all data protection enquiries, subject access requests, or to exercise any of your rights, please contact us:
For full details on how we collect, use and protect your personal data, please refer to our Privacy Policy. For information about the cookies we use, please see our Cookie Policy.
Last updated: April 2026