Our commitment to protecting your personal data.
Online Smarty Ltd (Company No. 11339653) is committed to protecting the privacy and security of personal data in accordance with the following legislation:
We take a "privacy by design and by default" approach, ensuring that data protection is considered at every stage of our business processes, from service design to delivery.
As a small business, we are not required under Article 37 of the UK GDPR to appoint a formal Data Protection Officer (DPO). However, we take data protection seriously and have designated a data protection lead who is responsible for overseeing compliance with data protection legislation.
For all data protection enquiries, please contact:
We process personal data in the following contexts:
| Processing Activity | Data Categories | Data Subjects |
|---|---|---|
| Website contact form submissions | Name, email, phone number, message content | Prospective clients, website visitors |
| Service delivery (SEO, GEO, web design, AI automations, e-commerce) | Contact details, project requirements, business information, login credentials (where provided) | Clients |
| Website analytics | Pseudonymised browsing data, IP address (anonymised), device and browser information | Website visitors |
| Email communications | Email address, name, correspondence content | Clients, prospective clients, partners |
| WhatsApp communications | Phone number, name, message content | Clients, prospective clients |
| Invoicing and accounting | Name, company name, address, payment details | Clients |
We rely on the following legal bases under Article 6 of the UK GDPR and EU GDPR:
We use the following sub-processors to deliver our services and operate our website. Each sub-processor has been assessed for GDPR compliance:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network, DDoS protection, DNS, and website security | United States (global CDN) | EU-U.S. Data Privacy Framework; Standard Contractual Clauses; GDPR page |
| Google LLC (Google Analytics) | Website analytics and usage reporting | United States | EU-U.S. Data Privacy Framework; Standard Contractual Clauses; IP anonymisation enabled; Google compliance |
| Zoho Corporation (Zoho Mail) | Business email hosting and processing | EU data centres (Netherlands) | GDPR compliant; EU data residency; Zoho GDPR |
| Web3Forms | Contact form submission handling and email delivery | United States | GDPR compliant; minimal data retention; Privacy Policy |
We maintain an up-to-date record of all sub-processors and their data processing activities. We will not engage a new sub-processor without first ensuring that appropriate data protection safeguards are in place.
In the event of a personal data breach, we will follow the procedures required under Articles 33 and 34 of the UK GDPR:
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, we will provide a reasoned justification for the delay.
The notification to the ICO will include:
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected individuals without undue delay, in clear and plain language, describing the nature of the breach and the steps they can take to protect themselves.
We maintain a record of all personal data breaches, regardless of whether they meet the threshold for notification, including the facts, effects, and remedial actions taken.
In accordance with Article 35 of the UK GDPR, we conduct Data Protection Impact Assessments (DPIAs) before commencing any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes:
Given the nature of our current processing activities (digital marketing services for business clients), we have assessed that our standard processing operations do not trigger the requirement for a DPIA. However, we review this assessment regularly and will conduct a DPIA if the nature of our processing changes.
Under the UK GDPR and EU GDPR, you have the following rights. To exercise any of these rights, please email us at [email protected] with the subject line "Data Protection Request".
| Right | Description | Response Time |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. | 1 month |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. | 1 month |
| Erasure (Art. 17) | Request deletion of your data where no compelling reason exists for continued processing. | 1 month |
| Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances. | 1 month |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format. | 1 month |
| Objection (Art. 21) | Object to processing based on legitimate interest or direct marketing. | 1 month |
| Withdraw consent | Withdraw consent at any time where consent is the legal basis for processing. | Immediate |
We will not charge a fee for responding to your request, unless the request is manifestly unfounded or excessive. In complex cases, we may extend the response period by a further two months, but we will inform you of any extension within the initial one-month period.
We may need to verify your identity before fulfilling your request. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO):
You have the right to lodge a complaint with the ICO at any time if you believe your data protection rights have been violated. However, we would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at [email protected].
If you are located in the European Economic Area, you may also lodge a complaint with your local Data Protection Authority. A full list of EU/EEA supervisory authorities is available on the European Data Protection Board (EDPB) website.
For all data protection enquiries, subject access requests, or to exercise any of your rights, please contact us:
For full details on how we collect, use, and protect your personal data, please refer to our Privacy Policy. For information about the cookies we use, please see our Cookie Policy.
Last updated: April 2026