Privacy Policy
Effective Date: April 15, 2026 | Last Updated: April 15, 2026
Smalt AI PLT ("Smalt AI", "we", "our", or "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered productivity and financial modelling platform (the "Service").
1. Who We Are
Smalt AI is the data controller responsible for your personal data. If you have questions about this policy or our data practices, contact us at:
Email: support@smaltai.com
2. Information We Collect
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, company name, job title | Account creation and management |
| Payment Information | Billing address, payment method (processed via Stripe) | Subscription billing |
| Communication Data | Support tickets, emails, feedback | Customer support and product improvement |
| User Content | Documents, financial models, queries submitted to the AI | Providing the Service |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Features used, session duration, interaction patterns | Service improvement and analytics |
| Device Data | Browser type, OS, IP address, device identifiers | Security and troubleshooting |
| Cookies | Session cookies only (we do not use analytics or advertising cookies) | See our Cookie Policy |
2.3 Information from Third Parties
We may receive information from:
- Single Sign-On providers (Google) when you choose to authenticate via SSO
- Your organisation's administrator, if your account is part of an enterprise subscription
3. How We Use Your Information
We process your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve the Smalt AI platform
- Account Management: To create and manage your account and subscription
- Communication: To respond to inquiries, send service updates, and provide support
- Security: To detect, prevent, and address fraud, abuse, and technical issues
- Analytics: To understand usage patterns and improve user experience
- Legal Compliance: To comply with applicable laws and regulations
4. Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Service delivery | Performance of contract (Art. 6(1)(b)) |
| Account management & billing | Performance of contract (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics & improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. How We Handle Your AI Inputs and Outputs
This section is particularly important for our B2B customers:
- Your Content is Yours: You retain all rights to the data you input into Smalt AI and the outputs generated.
- No Training on Your Data: We do not use your proprietary business data, financial models, or queries to train our AI models or any third-party models.
- Processing: Your inputs are processed by our AI infrastructure solely to provide you with the requested output. Queries are sent to our LLM providers (see Section 7) in a manner that does not identify you personally.
- Retention: Conversation history and generated outputs are retained for the duration of your subscription to enable features such as conversation history. You may delete your data at any time.
- Isolation: Enterprise customer data is logically isolated. No cross-tenant data access is possible.
6. Data Sharing and Disclosure
We do not sell your personal data. We share data only in these circumstances:
6.1 Service Providers (Sub-processors)
We use carefully selected third-party providers to operate our Service. A complete list is available in our Sub-processors List. Key categories include:
- Cloud Infrastructure: Amazon Web Services (AWS)
- Authentication: Supabase (email/password, with optional Google Sign-In)
- AI Model Providers: Anthropic, Google (Gemini)
- Third-party Integrations: Composio (OAuth-connected tools), Apollo (contact lookup), Firecrawl (web research)
- Payment Processing: Stripe
- Email Services: Amazon SES, Resend
6.2 Other Disclosures
- Legal Requirements: When required by law, regulation, or legal process
- Protection of Rights: To protect the rights, safety, or property of Smalt AI, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)
7. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction, including the United States (where our cloud and AI providers operate). We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Ensuring recipients maintain appropriate security certifications
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + 30 days |
| AI conversation history | Duration of subscription (deletable by user) |
| Billing records | 7 years (legal requirement) |
| Server logs | 90 days |
| Analytics data | 26 months (anonymised) |
9. Your Rights
Depending on your jurisdiction, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request limitation of processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Where processing is based on consent
To exercise these rights, contact us at support@smaltai.com. We will respond within 30 days.
10. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication
- Regular security assessments and monitoring
- Incident response procedures
For more details, see our Security & Trust Center.
11. Children's Privacy
Our Service is not directed to individuals under 18. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
13. Contact Us
Email: support@smaltai.com
Website: www.smaltai.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.