SmartOpsIT

Privacy Policy

SmartOps IT

1. Data Controller

The Data Controller for your personal data is SmartOps IT, operating as a Sole Trader in the United Kingdom.

Correspondence Address:
SmartOps IT
Lytchett House
13 Freeland Park
Wareham Road
Poole, Dorset
BH16 6FA
United Kingdom

Personal data is processed in accordance with the UK GDPR and the Data Protection Act 2018.

2. Scope and Purposes of Processing

We process personal data only to the extent necessary to carry out IT business activities, Managed Service Provider (MSP) services, and cybersecurity services.

Personal data is obtained directly from you or from systems and accounts to which you grant us authorised access.

Important note on roles (Controller vs Processor): When you contact us, visit our website, or we manage our own business administration, we act as a Data Controller. When providing MSP / IT / cybersecurity services, we may access and process personal data contained in a Client’s systems. In that context, we typically act as a Data Processor on the Client’s documented instructions, and the Client remains the Data Controller for those data. Where applicable, these arrangements are governed by a data processing agreement (DPA).

A. Contact Form / E-mail

Data scope: Name, e-mail address, message content, technical data (e.g. IP address).

Purpose: Responding to enquiries, preparing quotations, and providing IT and cybersecurity services.

Legal basis:

  • Article 6(1)(b) UK GDPR – performance of a contract or steps prior to entering into a contract.
  • Article 6(1)(f) UK GDPR – legitimate interests of the controller (business communication and service improvement).

B. MSP / IT & Cybersecurity Service Delivery (Client Systems)

Data scope (may include): business contact details, user identifiers, device identifiers, IP addresses, authentication events, system and security logs, tickets and service requests, configuration and inventory data, and (depending on the Client’s environment) limited content within emails/files/endpoints where necessary to resolve incidents.

Purposes:

  • delivering contracted IT/MSP services (support, monitoring, maintenance, incident response);
  • cybersecurity monitoring, detection, investigation and remediation;
  • ensuring availability, integrity and confidentiality of Client systems;
  • auditing and service accountability (e.g. change records, ticket history).

Legal basis: Where we act as a Processor, processing is carried out on the Client’s documented instructions and the Client determines the lawful basis as Controller. For our own administration related to service delivery (e.g. account management, billing, communications), we generally rely on:

  • Article 6(1)(b) UK GDPR – performance of a contract (with the Client);
  • Article 6(1)(f) UK GDPR – legitimate interests (delivering and securing services, preventing fraud/abuse, maintaining service quality).

C. Business Administration & Compliance

Purposes: invoicing, accounting, tax compliance, record-keeping, handling claims and disputes.

Legal basis:

  • Article 6(1)(c) UK GDPR – compliance with a legal obligation (e.g. tax/accounting requirements);
  • Article 6(1)(f) UK GDPR – legitimate interests (establishing, exercising or defending legal claims).

3. Technical Data and Security

Due to the nature of our services (IT / Cybersecurity), we may process technical data such as system logs or IP addresses. This data is used exclusively for:

  • ensuring system security;
  • detecting incidents and threats;
  • providing IT services.

Legal basis: Article 6(1)(f) UK GDPR – legitimate interest (IT security).

Security measures (examples): access controls and least privilege, MFA where available, encryption in transit where supported, logging and monitoring, incident response procedures, and staff confidentiality obligations.

4. Social Media

Our website contains links only to external services (Facebook, Instagram, LinkedIn).

We do not use tracking plugins or marketing pixels.

Once you click a link, the privacy policy of the relevant third-party service applies.

5. Cookies

We use only strictly necessary cookies (or similar technologies) that are essential for the website to function properly and securely. These do not collect information for marketing or analytics purposes.

  • ❌ We do not use Google Analytics (or similar analytics tools).
  • ❌ We do not use marketing or tracking cookies.
  • ❌ We do not use cookies for profiling or behavioural advertising.

Cookie consent: Because we only use strictly necessary cookies, a cookie consent banner is generally not required under PECR. If we ever introduce non-essential cookies (e.g. analytics), we will update this policy and implement an appropriate consent mechanism.

6. Data Recipients

Personal data may be shared with trusted third parties only where necessary for the operation of our business and service delivery, including:

  • hosting and e-mail service providers;
  • postal operators handling business correspondence;
  • public authorities (e.g. HMRC), where required by UK law;
  • customer support and helpdesk service providers (e.g. ticketing and support systems).

Where third parties act as our Processors, we use appropriate contractual safeguards (including confidentiality and security obligations) and share only the data necessary for the relevant purpose.

7. Data Transfers Outside the United Kingdom

As a rule, personal data is not transferred outside the United Kingdom.

Where a transfer occurs (e.g. due to the location of IT infrastructure or sub-processors), we ensure it is carried out in compliance with the UK GDPR, using appropriate safeguards for restricted transfers, such as the UK IDTA or the International Data Transfer Addendum to the EU SCCs (as applicable), and we implement additional measures where required.

8. Data Retention Period

  • contact data – for the duration of cooperation or handling of the enquiry, and thereafter as needed for record-keeping and dispute handling;
  • technical data and logs – for the period necessary to ensure IT security, auditability and incident investigation (retention varies by system and risk);
  • contact data – for the duration of cooperation or handling of the enquiry, and thereafter as needed for record-keeping and dispute handling;
  • financial and tax records – for the period required by law and guidance applicable to our business (typically at least 5 years after the 31 January submission deadline of the relevant tax year, and longer where required, e.g. in case of audits or disputes).

9. Your Rights

Under the UK GDPR, you have the right to:

  • be informed about how we use your personal data;
  • access your personal data;
  • rectify your personal data;
  • erase your personal data (“right to be forgotten”);
  • restrict processing;
  • object to processing based on legitimate interests;
  • data portability (in certain circumstances);
  • withdraw consent at any time (where we rely on consent);
  • not be subject to a decision based solely on automated processing, including profiling (where applicable).

To exercise your rights, please contact us at: info@smartopsit.co.uk. We may ask for information to verify your identity. We normally respond within one month, and may extend by up to two additional months for complex requests.

10. Complaints

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)
https://ico.org.uk

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or our processing practices. The latest version will always be available on our website.

12. Required Information

Where we need personal data to enter into or perform a contract (e.g. to respond to a service enquiry or provide MSP services), failure to provide the required information may mean we are unable to provide the requested services or quotation.