Customer data retention and protection policy

Welcome!

At Smartly Limited, we handle a lot of data as part of our daily operations. This data, which we call "Customer Data," includes any information you create or manage when using our products, as well as any information we have about you.

Why we protect your data
We know how important it is to keep your data safe. That's why we take steps to protect it from being misused, lost, or accessed by anyone who shouldn't see it. We use a variety of security measures, like backups, access controls, and encryption, to keep your data secure.

Our responsibilities
We are committed to following all the legal and business rules about how we keep, protect, and eventually destroy your data. This policy explains how we manage your data in line with these rules and our own security goals.

Who this policy applies to
This policy is for everyone involved with Smartly, including our board members, directors, employees, suppliers, and any third parties who have access to our systems. It covers all projects, systems, people, and processes that are part of Smartly's information systems.

Want to know more? 
For more details on how we handle your privacy, please check out our Privacy Policy at Smartly Privacy Policy.

We’re here to help, so if you have any questions, feel free to reach out!

General principles
There are several key general principles that must be adopted when considering this data retention and protection policy. These are:

• Records are retained for as long as they are needed for business, legal and accountability requirements in the jurisdictions in which Smartly operates.

• The protection of Records in terms of their confidentiality, integrity and availability must be in accordance with their security classification. 

• Records are systematically and securely destroyed or disposed of when legally appropriate to do so.

Customer record types 
Records held by Smartly are grouped into the categories listed in the table below along with their recommended retention period. 
 
Note that these are guidelines only and there may be specific circumstances where records need to be kept for a longer or shorter period. This should be decided on a case by case basis as part of the design of the information security elements of new or significantly changed processes and services. 

Customer record classification and storage 
Smartly must ensure that customer Records are named and classified consistently. Customer Records must be stored in an appropriate storage system. The system a Record is stored in is set up to retain the Record for the right amount of time, in accordance with the relevant retention period.

Use of cryptography 
Where appropriate to the classification of information and the storage medium, cryptographic techniques may be used to ensure the confidentiality and integrity of records. Care must be taken to ensure that encryption keys used to encrypt Records are securely stored for the life of the relevant Records.

Customer record retrieval 
There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. Records must be able to be retrieved in a useable format within an acceptable period of time.  
 
The integrity of the records is important. Records must be stored in a way that preserves their integrity, and protects them from misuse, interference, loss, unauthorised access, modification and disclosure.

Customer record retention 
Smartly will only collect and retain Customer Data for the retention periods described in section 2.2. All Customer Data will be retained for the length of the retention period in order to maintain the integrity of the Records.  
 
Note that record keeping obligations are the customer’s to uphold with Smartly facilitating the keeping of Records while a commercial relationship exists with the customer and for a period of time after that relationship.  
 
Any activity to retire or decommission a system or its platform should take into consideration the retention period of the Records impacted. 

Customer record destruction 
Smartly will securely destroy Records from production systems within a reasonable amount of time at the end of the retention period. 
 
Customer record review 
The retention and storage of customer Records must be subject to a regular review process to ensure that: 

• The policy on data retention and protection remains valid.

• Customer Records are being retained according to this policy.

• Customer Records are being securely disposed of when no longer required.

• Legal, regulatory and contractual requirements are being fulfilled.

• Processes for Record retrieval are meeting business requirements. 

The results of these reviews must be recorded.

Download the pdf version here.