Privacy Policy
Last updated: September 23, 2025
Smart Tech LLC (“we,” “us,” “our”) is a software consulting firm serving regulated sectors (including healthcare, life sciences, defense, and financial services). This Policy describes our handling of personal information as a controller (e.g., website, marketing, recruiting, vendor and client management). When contractually acting as a processor/service provider, we process personal information only on our client’s documented instructions and applicable agreements.
What We Collect
- Identifiers & contact details: name, email, phone, employer, role, account IDs.
- Professional & compliance data: CV/resume, certifications, due-diligence/background results permitted by law/contract.
- Transactional data: proposals, statements of work, invoices, support tickets.
- Technical & usage data: IP address, device/browser, pages viewed, diagnostic logs, cookies/SDK telemetry.
- Sensitive data (limited, purpose-bound): government ID for screening, payment data handled by PCI-compliant processors, security clearance artifacts for defense projects, and—when we are a HIPAA Business Associate—PHI strictly per Business Associate Agreement (BAA).
Sources: directly from you; your employer; our vendors (hosting, security, analytics, screening, payments, communications); publicly available sources.
Why We Use Personal Information
- Provide, secure, and improve our services and websites (including monitoring, detecting, and preventing security incidents).
- Communicate about proposals, statements of work, project updates, security notices, and support.
- Manage client/vendor relationships and billing; perform auditing, compliance, and risk management.
- Recruit and evaluate candidates (including lawful background screening).
- Comply with legal/regulatory obligations (e.g., export controls/ITAR/EAR, CUI handling, sector rules) and respond to lawful requests.
- Enforce terms and protect rights, safety, and the integrity of our systems.
EU/UK legal bases (where applicable): contract, legitimate interests (e.g., security, B2B communications), legal obligation, and consent (e.g., certain cookies/marketing). You may withdraw consent at any time.
Cookies & Signals
We use cookies and similar technologies for site operation, security, and analytics. Where required (e.g., EU/UK), we seek consent via a banner. We honor browser-based universal opt-out mechanisms where laws require (e.g., Colorado CPA Global Privacy Control/UOOM).
Disclosures
We disclose personal information to:
- Service providers/processors: hosting, security, analytics, background checks, payment processing, communications.
- Clients: when engaged as a processor, per contract.
- Affiliates: for operational purposes consistent with this Policy.
- Authorities: when required by law or to protect rights/safety.
- Business transfers: merger, acquisition, restructuring.
We do not “sell” personal information as defined by applicable laws and do not “share” it for cross-context behavioral advertising. If this changes, we will update this Policy and provide required notices/opt-outs.
International Transfers
When transferring personal information across borders, we use appropriate safeguards, such as EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or UK Addendum. Where applicable, we may also rely on adequacy decisions (e.g., the EU-U.S. Data Privacy Framework and the UK-U.S. Data Bridge for certified U.S. recipients).
Security
We maintain administrative, technical, and physical safeguards proportionate to risk, including access controls/least privilege, encryption in transit and at rest where appropriate, network and application security, logging/monitoring, vulnerability management, secure SDLC practices, and vendor risk management. No method is 100% secure; we regularly review and enhance our program.
Retention
We retain personal information only for as long as necessary to fulfill the purposes above, meet legal/regulatory/accounting requirements, resolve disputes, and enforce agreements. Contractual retention (e.g., BAA, CUI) controls where applicable.
Region-Specific Notices & Your Rights
United States
Depending on your state, you may have rights to access/know, correct, delete, and port your personal information, and to opt out of targeted advertising, sale, and certain profiling; some states require an appeals process for denied requests. We will verify and respond within required timelines, honor universal opt-out signals where mandated (e.g., Colorado), and comply with state consumer health data laws where applicable (e.g., Washington’s MHMDA and Nevada SB370).
Canada
Under PIPEDA (and substantially similar provincial laws, e.g., Alberta/BC PIPA; Québec’s private-sector law as modernized by Law 25), you may request access and correction, withdraw consent (subject to legal/contractual limits), and lodge complaints with relevant privacy regulators. Québec Law 25 adds obligations such as appointing a privacy officer and assessments for certain processing.
EU/UK
Under GDPR/UK GDPR, you may request access, correction, deletion, restriction, and portability, and object to processing (including direct marketing). You may lodge complaints with an EU supervisory authority or the UK ICO.
How to exercise rights / appeal: Email privacy@smarttechks.com
For U.S. states with an appeal right, you may appeal a decision by replying “Appeal” to our response; if denied, you may contact your state Attorney General.
Authorized agents (CA): We accept requests via authorized agents consistent with verification rules.
Sector-Specific Commitments
- Healthcare (U.S.): When acting as a Business Associate, we handle PHI strictly under the client’s BAA and HIPAA/HITECH requirements.
- Financial services: For engagements subject to GLBA or similar rules, we implement controls aligned with client and legal requirements.
- Defense & government data: We handle CUI and export-controlled data (e.g., ITAR/EAR) only as contractually authorized and per applicable law.
Children
Our services are for business use and are not directed to children.
Third-Party Links
Our sites may link to third-party services; their privacy practices are governed by their own policies.
Contact
- Email: privacy@smarttechks.com
- Mail: Smart Tech LLC, Attn: Privacy Office, 131 W 135th St, #1039, Overland Park, KS 66223, USA
- EU/UK representative or DPO (if applicable): Contact details available at the above email.
Controller vs. Processor
This Policy applies to our controller activities. For client projects where we are a processor/service provider, the client’s instructions and contract control (including, e.g., BAAs, DPAs, SCCs/IDTA, and security annexes).
Notes for Readers
- This Policy is designed to align with current privacy frameworks, including EU/UK GDPR transfer tools (SCCs, IDTA/Addendum), the EU-U.S. DPF/UK-U.S. Data Bridge (for certified recipients), Colorado’s universal opt-out, and U.S. consumer health data statutes (WA/NV).