Business: Smart Tribe Digital (Smart Tribe Suite CRM)
Location: United Kingdom
Applies To: EU/UK clients and their end users

1. Lawful Basis for Processing

  • We collect and process only necessary personal data.

  • We identify and document our lawful basis for data processing (e.g., contract performance, consent).

  • Clients are advised to obtain consent where required from their own users/customers.

2. Data Processing Agreements (DPA)

  • We have a DPA template for our clients (controllers).

  • We have signed a DPA with our third-party CRM provider.

  • Sub-processors (e.g., Stripe, Twilio) are covered under written contracts.

3. Security Measures

  • The platform uses encryption (HTTPS, TLS) and secure user authentication (e.g., passwords, optional 2FA).

  • Access to user data is restricted to authorised personnel.

  • Activity logs are maintained for accountability (via the CRM provider).

4. International Data Transfers

  • Our CRM provider and sub-processors ensure Standard Contractual Clauses (SCCs) or UK equivalents for data transfers outside the UK/EU.

  • Clients are made aware of third-party data transfer mechanisms in our privacy policy and DPA.

5. Consent & Communication

  • Clients are required to implement consent mechanisms for email/SMS campaigns.

  • Users can manage preferences or unsubscribe from communications.

  • Cookie banners (if applicable) are implemented on any front-facing sites.

6. Data Subject Rights

  • Users can request access, rectification, deletion, or export of their data.

  • We have procedures to support clients handling such requests from their customers.

  • Requests are responded to within 30 days.

7. Data Retention & Deletion

  • Data is retained only as long as necessary.

  • Personal data is deleted upon client request or service termination.

  • No local or offline backups of customer data are stored outside our CRM platform.

8. Breach Notification

  • A data breach response procedure is in place.

  • Clients will be informed of any breach affecting their data within 72 hours (or sooner).

  • Breach logs and reports are maintained securely.

9. Documentation & Recordkeeping

  • Records of processing activities are maintained.

  • Sub-processor and third-party service documentation is reviewed regularly.

10. Accountability

  • Staff and contractors are aware of GDPR responsibilities.

  • We provide clients with a privacy policy, DPA, and T&Cs to clarify obligations.

We review compliance at least once per year or when services change.