Controller
This Privacy Policy applies to SmashOne, the operator of smashone.ai for the European public surface.
Last updated: May 2026
How we collect, use, and protect your data under the GDPR.
This policy covers the information you give us when you create an account, the information collected when you use SmashOne, and the information received from the social media platforms you choose to connect: base channels Facebook, Instagram, and Telegram, and optional add-ons WhatsApp Business, TikTok, and Google Business Profile when enabled for your account.
WhatsApp Business, TikTok, and Google Business Profile are optional paid add-on channels. We process data from an add-on channel only when you choose that add-on, it is enabled for your account, and the connected third-party platform provides the data needed for the feature. Add-on billing starts on Day 15 after the 14-day free trial unless the checkout says otherwise. If an add-on channel is unavailable, withdrawn, or removed for platform access, legal, safety, or policy reasons, we stop collecting new data from that removed channel where technically possible, stop future add-on charges for that removed channel, and keep our customer-facing availability statements aligned with UCPD rules against misleading commercial claims.
We collect account details, business profile information, connected platform metadata, catalog items, scheduled content, messages, billing records, support communications, security logs, and product usage events needed to operate the service.
We use data to provide publishing, messaging, AI assistant, analytics, billing, security, support, product improvement, abuse prevention, and legal compliance.
We process personal data only where we have a legal basis under Article 6 GDPR. The table below maps our main purposes to their legal basis.
| Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Providing the service (publishing, messaging, scheduling, catalog, AI assistant) | Account, content, connected-platform data | Performance of a contract — Art. 6(1)(b) |
| AI assistant replying to your customers on your behalf | Customer-conversation content (we act as processor for you) | Performance of a contract — Art. 6(1)(b) |
| Billing, setup fee, payments and invoicing | Billing and transaction data | Contract — Art. 6(1)(b); and legal obligation for accounting/tax records — Art. 6(1)(c) |
| Security, fraud and abuse prevention, audit logging | Account, usage, device/IP data | Legitimate interests — Art. 6(1)(f) (keeping the service and accounts secure) |
| Support | Contact and ticket data | Contract — Art. 6(1)(b) and legitimate interests — Art. 6(1)(f) |
| Product improvement and service analytics | Usage data (aggregated where possible) | Legitimate interests — Art. 6(1)(f) |
| Optional analytics or marketing cookies (only if you enable them) | Cookie and usage data | Consent — Art. 6(1)(a) |
| Legal compliance (responding to lawful requests, DSA notices, record-keeping) | As required | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, we balance our interest against your rights and only proceed where your interests do not override ours; you may object at any time. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.
Connected social account data is used only to deliver requested publishing, messaging, analytics, and AI assistant features. We do not sell personal information.
The assistant uses your business profile, FAQ, catalog, connected platform messages, and configured tone to draft answers. Sensitive or off-script items can be escalated for human review.
We use service providers for hosting, analytics, payments, communications, monitoring, and AI processing. They process data only for the service purposes we authorize.
We use the following sub-processors to operate the service: Hetzner Online GmbH (Germany) for EU application hosting and compute; DigitalOcean, LLC (Frankfurt, Germany) for managed PostgreSQL, Valkey cache, and object storage including backups; Brevo (Sendinblue SAS, France) for transactional email; Google LLC (Vertex AI) for AI assistant processing, currently configured with a global processing location; Cloudflare, Inc. for DNS, CDN, WAF, and TLS edge security; Sentry (Functional Software, Inc.) for error monitoring with PII minimisation; PostHog (EU Cloud) for pseudonymous server-side product analytics; and ScrapingBee SAS (France) to retrieve your public business website for the assistant’s knowledge base. Where a sub-processor is US-incorporated or processes data outside the EEA (DigitalOcean, Google, Cloudflare, Sentry, PostHog), transfers rely on the EU-US Data Privacy Framework adequacy decision where applicable or Standard Contractual Clauses with supplementary safeguards. Payment processing is not engaged yet and will be added when EU billing goes live. The current list, with regions and dates, is maintained on our Sub-processors page; we notify customers at least 30 days before adding a new sub-processor.
EU users may request access, deletion, correction, restriction, portability, or objection. The data-protection authority for Poland is UODO. SmashOne does not sell personal information. Send requests to info@smashone.ai.
We answer data-subject requests within one month of receiving them, free of charge. For complex or numerous requests we may extend this by a further two months, and we will tell you within the first month if we need the extension and why. We may ask you to verify your identity before we act, and if a request is manifestly unfounded or excessive we may charge a reasonable fee or decline, explaining why. Where we rely on your consent, you can withdraw it at any time without affecting processing carried out before withdrawal. SmashOne does not make decisions producing legal or similarly significant effects about you based solely on automated processing. You also have the right to lodge a complaint with the Polish supervisory authority — the Urząd Ochrony Danych Osobowych (UODO) — or with your local EU data-protection authority. To exercise any right, contact info@smashone.ai.
We keep personal data only as long as necessary for the purpose it was collected, then delete or anonymise it. The table below sets out how long we keep each category.
| Data category | Retention |
|---|---|
| Account and profile data | For the life of your account; deleted or anonymised within 90 days after account closure |
| Content, posts and drafts | For the life of your account; deleted on account deletion |
| Connected-platform access tokens | Until you disconnect the platform or close your account; revoked on disconnection |
| Customer-conversation / CRM data (we process on your instructions) | For the life of your account, or per your documented instructions as controller |
| Billing, invoices and tax records | Up to 5 years from the end of the relevant financial year, as required by Polish accounting and tax law |
| Security and audit logs | Up to 12 months, then deleted or anonymised |
| Support tickets | Up to 24 months after resolution |
| Optional analytics data (if enabled) | Aggregated; up to 14 months |
| Backups | Rolling backups overwritten within a 35-day cycle |
On a verified erasure request we delete your data within the response time set out above, except where we must keep specific records to meet a legal obligation (for example billing and tax records).
Privacy requests: info@smashone.ai. Company: SmashOne, Poland, KRS registration pending. Impressum details will be completed after KRS.