Privacy Policy

Last updated: February 17, 2026

1. Introduction

Smalby Inc. ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy applies to all users of the Service, regardless of location.

2. Information We Collect

Information You Provide

  • Account information: name, email address, and password when you create an account
  • Profile information: profile picture, job title, and other optional details
  • Content: projects, tasks, comments, files, and other data you create within the Service
  • Communications: messages you send through the Service or to our support team
  • Payment information: billing address and payment method details (processed by our third-party payment processor; we do not store full credit card numbers)

Information Collected Automatically

  • Usage data: pages visited, features used, and actions taken within the Service
  • Device information: browser type, operating system, screen resolution, and device identifiers
  • Log data: IP address, access times, referring URLs, and error logs
  • Location data: approximate geographic location based on IP address (we do not collect precise GPS location)

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract performance: processing necessary to provide you with the Service you requested
  • Legitimate interests: processing necessary for our legitimate business interests (e.g., improving the Service, preventing fraud), provided these interests are not overridden by your rights
  • Consent: where you have given explicit consent for specific processing activities (e.g., marketing communications)
  • Legal obligation: processing necessary to comply with applicable laws

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Create and manage your account
  • Process payments and manage billing
  • Send you technical notices, updates, and administrative messages
  • Respond to your comments, questions, and support requests
  • Monitor and analyze trends, usage, and activities in connection with the Service
  • Detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities
  • Comply with legal obligations and enforce our Terms of Service

5. Information Sharing and Third-Party Services

We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:

  • With your organization: information is shared with other members of your organization as necessary for collaboration
  • Service providers: we share information with third-party vendors who assist in providing the Service, including:
    • Cloud infrastructure and hosting providers (e.g., AWS, Google Cloud)
    • Payment processing services
    • Email delivery services
    • Analytics and monitoring tools
    • Customer support tools
  • Legal requirements: we may disclose information if required by law, subpoena, court order, or other valid legal process
  • Business transfers: in connection with a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as a business asset; we will notify you of any such change
  • With your consent: we may share information for other purposes when you provide explicit consent

All third-party service providers are contractually obligated to protect your data and may only use it for the specific purposes we direct.

6. Data Storage and International Transfers

Your data is primarily stored on servers located in the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure your data receives adequate protection.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Role-based access controls and the principle of least privilege
  • Multi-factor authentication for administrative access
  • Regular backups with encryption
  • Employee security training and confidentiality agreements

8. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by applicable law. Notification will include the nature of the breach, the data affected, steps we are taking to address the breach, and recommended actions you can take to protect yourself. We will also notify relevant supervisory authorities as required by GDPR and other applicable regulations.

9. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

  • Account data: retained for the duration of your account plus 30 days after a deletion request
  • Usage logs: retained for up to 12 months
  • Payment records: retained for up to 7 years as required by tax and accounting regulations
  • Support communications: retained for up to 3 years

You may request deletion of your account and associated data at any time. We will delete or anonymize your information within 30 days of such a request, unless we are required to retain it for legal or legitimate business purposes.

10. Your Rights

For All Users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of your personal information
  • Export your data in a portable format

Additional Rights for EEA/UK Residents (GDPR)

  • Object to or restrict processing of your information
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection authority
  • Not be subject to automated decision-making, including profiling

Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Request deletion of your personal information
  • Opt out of the sale or sharing of your personal information
  • Not be discriminated against for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit the use and disclosure of sensitive personal information

We do not sell or share your personal information as defined by the CCPA/CPRA. In the twelve (12) months preceding the date of this Privacy Policy, we have not sold or shared personal information of consumers.

To exercise any of these rights, please contact us at privacy@smalby.com. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

11. Cookies and Tracking Technologies

Types of Cookies We Use

  • Essential cookies: required for the Service to function (e.g., session management, authentication, security). These cannot be disabled.
  • Analytics cookies: help us understand how the Service is used and improve performance. These are only set with your consent where required by law.

Managing Cookies

You can control cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may prevent you from using certain features of the Service. We do not use cookies for advertising or tracking across third-party websites. We honor Do Not Track (DNT) browser signals.

12. Data Processing Agreement

For organizations that require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we offer a standard DPA that covers our obligations as a data processor. To request a DPA, please contact us at privacy@smalby.com.

13. Children's Privacy

The Service is not intended for children under 16 years of age (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect personal information from children. If we learn that we have collected information from a child under the applicable age, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance by posting the new policy on this page, updating the "Last updated" date, and sending an email notification to the address associated with your account. Your continued use of the Service after the effective date of changes constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

For users in the EEA, you also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.