Privacy & Data Protection
Privacy and data protection
GoSmarter processes data on behalf of our customers. This page describes our data protection practices and how we support your GDPR obligations.
This page provides a high-level overview. Detailed privacy control documentation is available on request under NDA.
Our role under GDPR
- You (the customer) are the data controller: you decide what data is uploaded and processed
- GoSmarter acts as a data processor: we process data according to your instructions via the platform
- Microsoft Azure acts as a sub-processor: they host the infrastructure and provide AI services
What personal data does GoSmarter process?
GoSmarter is a B2B platform. The personal data we process is limited to what is required for account access, platform authorisation, and business-document workflows.
GoSmarter does not collect or process sensitive personal data (health, biometric, financial) as part of its core functionality.
Data Processing Agreement
We provide a Data Processing Agreement (DPA) that covers:
- The scope and purpose of data processing
- Technical and organisational security measures
- Sub-processor obligations (Microsoft Azure)
- Data subject rights support
- Breach notification commitments
- Data deletion on contract termination
The Data Processing Agreement is available on request via talktous@gosmarter.ai.
Microsoft’s data processing commitments
As our infrastructure provider, Microsoft’s processing commitments apply:
- Microsoft Products and Services DPA
- Microsoft Trust Center
- AI services: Your data is not used to train Microsoft AI models (Azure AI data privacy)
Data subject rights
If your users or data subjects exercise their rights (access, rectification, erasure, portability), we support you by:
- Providing access to data stored in GoSmarter through the platform or on request
- Deleting user accounts and associated data when requested
- Supporting data export in standard formats
Data can be accessed and managed through the GoSmarter application or by contacting us directly.
Data retention
- Active data: Retained for the duration of your subscription
- Uploaded documents: Stored in Azure Blob Storage for the duration of your subscription
- Audit logs: Retained in line with our operational and compliance requirements
- On contract termination: Data handling and deletion are managed according to contractual terms
International transfers
Core persistent data is hosted in UK regions. Where supporting processing uses EU regions, it remains within UK/EU operating boundaries. See Data Residency for more detail.
Key points for your security team
- Data processor role: GoSmarter processes data under your instructions as controller
- Limited personal data: Primarily user accounts and names on business documents
- DPA available: Covers processing scope, security measures, breach notification, and deletion
- Microsoft sub-processor: Covered by Microsoft’s Products and Services DPA
- No AI model training: Contractual commitment from Microsoft
- UK/EU only: No international transfers outside the UK GDPR adequacy framework
Detailed information under NDA
Additional privacy and data protection evidence can be shared under mutual NDA, including:
- Data flow and processing context documentation
- Retention and deletion process details
- Sub-processor and transfer assurance information
- Operational control evidence relevant to due diligence
Request evidence
Email us, contact us online, or book a compliance call to request the NDA pack.