GDPR Compliance
How we protect your data and respect your rights under the EU General Data Protection Regulation
Your Rights Under GDPR (Articles 15-22)
1. Data Protection at SmartWMS
Protecting your data is our highest priority. SmartWMS is fully GDPR compliant and meets all requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679). We implement privacy by design and by default (Art. 25), ensuring data protection is built into every aspect of our warehouse management platform.
2. SmartWMS Data Categories
SmartWMS processes the following categories of personal and operational data:
• Account data: name, email, phone, company, job title
• Warehouse operations: inventory movements, order processing, stock levels
• IoT telemetry: device readings, sensor data, environmental measurements
• Quality control: inspection results, defect reports, hold records
• Labor management: shift schedules, worker performance metrics, attendance
• Delivery routes: addresses, route optimization data, GPS coordinates
• Lot traceability: batch numbers, origin data, expiry dates, recall information
• Technical data: IP address, browser type, device info, access logs
• Payment data: processed via Stripe (we do not store card details)
3. Legal Basis for Processing (Art. 6 GDPR)
We process data under the following legal bases:
• Contract performance (Art. 6(1)(b)): Providing the SmartWMS service — inventory management, order processing, warehouse operations
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, analytics
• Legal obligation (Art. 6(1)(c)): Tax records, audit logs, regulatory compliance, data retention requirements
• Consent (Art. 6(1)(a)): Marketing communications, optional analytics cookies, newsletter subscription
You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. Sub-Processors
We use the following categories of sub-processors, all bound by Data Processing Agreements (DPAs):
• Cloud hosting: EU-based infrastructure (data stored within the EU)
• Payment processing: Stripe (PCI DSS Level 1 certified)
• Email delivery: SMTP service for transactional and marketing emails
• Error monitoring: Sentry for application error tracking
• Analytics: anonymized usage analytics
We maintain an up-to-date list of sub-processors and will notify you of any changes with 30 days' advance notice.
5. Cross-Border Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). When data transfer outside the EEA is necessary, we rely on:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules where applicable
We ensure all international transfers provide an essentially equivalent level of protection to that guaranteed within the EU.
6. Data Breach Notification (Art. 33-34)
In the event of a personal data breach:
• We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (Art. 33)
• If the breach is likely to result in high risk to your rights and freedoms, we will notify affected individuals without undue delay (Art. 34)
• We maintain a breach register documenting all incidents, their effects, and remedial actions taken
• Our incident response team is available 24/7 to detect, assess, and respond to potential breaches
7. Data Processing Principles
We adhere to the core GDPR principles (Art. 5):
• Lawfulness, fairness, and transparency: Clear privacy policy, valid legal bases
• Purpose limitation: Data used only for specified, explicit, and legitimate purposes
• Data minimization: We collect only what is necessary for the service
• Accuracy: Tools to update and correct your data at any time
• Storage limitation: Defined retention periods, automatic deletion after account closure
• Integrity and confidentiality: TLS encryption, access controls, regular security audits
• Accountability: Documentation, DPO appointment, regular compliance reviews
8. Technical and Organizational Measures
We implement comprehensive security measures:
• TLS/SSL encryption for all data in transit
• Encryption at rest for sensitive data
• Multi-factor authentication support
• Role-based access control with tenant isolation
• Regular penetration testing and security audits
• Automated daily backups with 30-day retention
• Network segmentation and firewall protection
• Employee security training and confidentiality agreements
• Sentry error monitoring for rapid incident detection
9. Data Protection Officer
Our Data Protection Officer oversees GDPR compliance and is your point of contact for all privacy matters:
Email: dpo@smartwms.one
General privacy inquiries: privacy@smartwms.one
You also have the right to lodge a complaint with your local data protection supervisory authority at any time.
72-Hour Breach Notification
In compliance with GDPR Articles 33-34, we commit to notifying the relevant supervisory authority within 72 hours of becoming aware of any personal data breach, and affected individuals without undue delay when the breach poses a high risk to their rights and freedoms.
Exercise Your Rights
Access your personal data, request an export, or delete your account directly from the SmartWMS application. Alternatively, contact our Data Protection Officer for any GDPR-related request.