This Jurisdiction Specific Addendum (hereinafter “this Addendum”) sets forth supplemental provisions applicable to your use of the Products and/or Services provided by us through any means. This Addendum shall apply and is incorporated by reference into the Privacy Policy. If your use of the Products and/or Services provided by Smartee Group and its affiliates (hereinafter “Smartee,” “we,” “our,” or “this Platform”) falls within the scope of the specific jurisdictional legal requirements set forth in this Addendum, then this Addendum shall govern.
In the event of any conflict between this Addendum and the Privacy Policy or any other applicable attachments, this Addendum shall prevail.
We may update this Addendum from time to time. Upon receipt of notice of an update, by giving your express consent or by continuing to use our Products and/or Services in any manner, you shall be deemed to have accepted the updated Addendum. If you do not consent to the updated Addendum, you must immediately cease using our Products and/or Services.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in the EEA, the UK or Switzerland, the following additional terms apply.
1.1 This Part A applies to the extent that Smartee’s Products and/or Services (or any of them) Process Personal Data that is subject to the GDPR.
1.2 If you are a patient living in the EEA, the UK or Switzerland, Smartee's Entities are the joint controllers of your personal data processed in connection with this Addendum.
1.3 The following terms shall have the following meanings in this Part A:
| Terms | Meanings |
|---|---|
EU GDPR | means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). |
GDPR | means, to the extent applicable to the relevant Processing of Personal Data in connection with the Products and/or Services: (i) the EU GDPR; (ii) the UK GDPR; or (iii) the Swiss DPA, together (in each case) with any applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii) (as may be amended or superseded from time to time). |
UK GDPR | means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018. |
Swiss DPA | means Switzerland’s Federal Act on Data Protection. Where the Swiss DPA is applicable to processing of personal information, references in this Part A and in the Swiss SCCs to Articles of the GDPR are to the equivalent provisions of the Swiss DPA. |
Personal data | means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
Special categories of personal data | means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. |
Processor | means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
Joint Controllers | means two or more controllers that jointly determine the purposes and means of processing. “Joint Controller” shall be construed accordingly. |
Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Standard Contractual Clauses | means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (ii) where the Swiss DPA applies, the EU SCCs as amended so that the term “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs ("Swiss SCCs"); and (iii) where the UK GDPR applies, the EU SCCs as amended by the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”). |
2.1 The relationship between you and Smartee shall be determined by the nature of the personal data being processed and the specific purposes for which it is processed, as follows:
| | Purpose | Personal Information (data) | Processing role |
|---|---|---|---|
a | You create a patient case management account on Smartee’s platform. | Name, Gender, Age, Dentition | You: Joint Controller Smartee: Joint Controller |
b | Smartee collaborates with suppliers, distributors, hospitals, clinics, doctors, other medical institutions, and professional orthodontic practitioners to provide Orthodontic Treatment (including, but not limited to, oral scanning, patient treatment data uploads, aligner design, post-production fine-tuning of aligner designs, or redesign initiation). | Imaging Data [Facial Photos, Oral Photos, X-ray Images (Radiographs)], Dental Scan Files, CBCT Files, STL Files | You: Joint Controller Smartee: Joint Controller |
c | Smartee partners with suppliers and/or other third-party business partners to provide invisible aligner design and/or manufacturing services to patients. | To provide patients with design and/or manufacturing services for invisible aligners: Name, Case Number, Age, Treatment Design Steps, Intraoral Scan Data, Occlusal Data, Manufacturing System Information (OEM), Imaging Data [Facial Photos, Oral Photos, X-ray Images (Radiographs)], STL Files. To provide patients with manufacturing services for invisible aligners: Name, Case Number, Age, Treatment Design Steps, Intraoral Scan Data, Occlusal Data, Manufacturing System Information (OEM), STL Files | You: Joint Controller Smartee: Joint Controller |
d | Smartee facilitates financial settlement services for patients, suppliers, distributors, medical institutions, clinics, doctors, and other third parties. | Name, Products and Devices Used, contact information, bank account details, contact address, email address, tax-related codes (including but not limited to VAT, GST) | You: Joint Controller Smartee: Joint Controller |
e | Through distributors, hospitals, clinics, doctors, other medical institutions, and professional orthodontic practitioners, Smartee provides aligner delivery services to patients (where applicable). | Name, mobile phone number, landline, email, contact address, shipping information | You: Joint Controller Smartee: Joint Controller |
f | You provide marketing, recruitment, or related services to Smartee. | Service-Related Information | You: Joint Controller Smartee: Joint Controller |
g | You collaborate with Smartee to offer academic courses or training services. | Training Services-Related Information | You: Independent Controller Smartee: Independent Controller |
h | You cooperate with Smartee in conducting orthodontic-related research and testing. | Research and Testing-Related Information | You: Independent Controller Smartee: Independent Controller |
i | Smartee processes data solely in accordance with your instructions and does not autonomously determine the purposes of such processing. | Data Processed at Your Instruction | You: Controller Smartee: Processor |
j | Smartee provides data hosting or storage services and does not use such data for independent decision-making. | Data Hosted or Stored at Your Request | You: Controller Smartee: Processor |
k | You use Smartee’s platform to process data, but Smartee does not access or utilize that data. | Data You Process Using the Smartee Platform | You: Controller Smartee: Processor |
l | You instruct Smartee to process data pursuant to a Data Processing Agreement (DPA) executed between you and Smartee. | Data You Instruct Smartee to Process | You: Controller Smartee: Processor |
2.2 Joint Controller Terms
2.2.1 If you are a supplier, distributor, hospital, clinic, doctor, or any other third party (hereinafter “Relevant Third Parties”) and collaborate with Smartee's Entities to provide Products and/or Services to patients in the EEA, the UK or Switzerland by any means, then you and Smartee's Entities are the joint controllers of personal data processed in connection with this Addendum. Smartee and you each acknowledge and agree that we are Joint Controllers in accordance with Article 26 GDPR for any Joint Processing specified in Clause 2.1 of this Part A.
2.2.2 Where you are a Joint Controller with Smartee for the purposes of Clause 2.1, such Joint Controllership applies only to the specific Processing activities identified in that Clause (“Joint Processing”). Any subsequent or further Processing by Smartee (including transfers by Smartee to its affiliates or Processors, and the processing and packaging of orthodontic aligners) for the purposes identified in Clause 2.1 shall be undertaken by Smartee in its capacity as a Controller independent from you, in accordance with Article 4(7) GDPR.
2.2.3 These Joint Controller Terms determine your and Smartee's responsibilities for compliance with the GDPR with respect to the Joint Processing.
2.2.4 Allocation of GDPR responsibilities
Your and Smartee's GDPR compliance responsibilities with respect to the Joint Processing shall be as follows:
| | GDPR compliance responsibility | Smartee's responsibility | Your responsibility |
|---|---|---|---|
a | Article 6: Legal Basis | Smartee has the responsibility to establish a lawful basis in respect of its own Processing of Personal Data. | You have responsibility to establish a lawful basis in respect of your own Processing of Personal Data. |
b | Article 9: Legal Basis (Special categories of personal data) | Smartee has the responsibility to establish a lawful basis in respect of its own Processing of Special categories of personal data. | You have responsibility to establish a lawful basis in respect of your own Processing of Special categories of personal data. |
c | Articles 13, 14: Information | Smartee will display (or procure the display of) a publicly available privacy notice describing its Processing activities (including the Joint Processing) that meets the requirements of Articles 13 and 14 of the GDPR. | You must display (or procure the display of) a privacy notice (or any legal document of equivalent effect) describing your Processing activities (including the Joint Processing) that meets the requirements of Articles 13 and 14. This includes, as a minimum, the provision of the following information: · that Smartee is a Joint Controller of the Joint Processing; · that you use Smartee Products, and the purposes for which the collection and transmission of Personal Data that constitutes the Joint Processing takes place, as set out in the Applicable Product Terms and Contract (Agreement); · that further information on how Smartee processes Personal Data, including the legal basis Smartee relies on and the ways to exercise Data Subject rights against Smartee, can be found in the relevant Smartee privacy notice (with a hyperlink to such notice). |
d | Article 26(2): Making available Joint Controller Terms | This includes, as a minimum, the provision of the following information: that you and Smartee have · entered into these Joint Controller Terms to determine the respective responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing (as specified in the Applicable Product Terms); · agreed that you are responsible for providing Data Subjects, as a minimum, with the information listed under point c in this table above; and · agreed that, as between the Parties, Smartee is responsible for enabling Data Subjects' rights under Articles 15-20 of the GDPR with regard to the Personal Data stored or otherwise Processed by Smartee after the Joint Processing. | |
e | Articles 15-20: Subject Rights | Smartee will enable Data Subjects to exercise their rights under Articles 15-20 of the GDPR with regard to the Personal Data stored or otherwise Processed by Smartee after the Joint Processing (see Clause 2.2.8). | You will promptly notify Smartee of any Request you receive with regard to the Joint Processing and provide the information, cooperation and assistance described in Clause 2.2.8. |
f | Article 21: Right to object | Smartee will enable Data Subjects to exercise their right to object in respect of its own Processing of Personal Data. | You will enable Data Subjects to exercise their right to object in respect of your Processing of Personal Data. |
g | Article 32: Security | Smartee is responsible for the security of Smartee’s Products and/or Services. | You are responsible for your correct technical implementation and configuration of Smartee’s Products and/or Services. |
h | Articles 33, 34: Personal Data Breaches | Smartee will comply with its obligations under the GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns Smartee's security obligations under these Joint Controller Terms. | You will comply with your obligations under the GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns your security obligations under these Joint Controller Terms. |
2.2.5 All other responsibilities for compliance with obligations under the GDPR regarding the Joint Processing remain with each of Smartee and you individually.
2.2.6 You agree that Smartee may subcontract its data processing obligations under these Joint Controller Terms to third party Sub-processors (including Smartee group companies) provided that:
(a) any such Sub-processors are engaged on terms that impose obligations on the Sub-processor which are no less onerous than these Joint Controller Terms and related contract (agreement);
(b) where any Sub-processor fails to fulfil such obligations, Smartee shall remain fully liable to you for the performance of that Sub-processor’s obligations.
2.2.7 These Joint Controller Terms do not grant you any right to request the disclosure of Personal Data of any Smartee user that is Processed in connection with the Smartee’s Products and/or Services.
2.2.8 Smartee shall respond to the exercise of any Data Subject rights under Articles 15-21 GDPR in respect of Personal Data processed by Smartee. If Data Subjects exercise such rights with regard to the Joint Processing against you or if you are contacted by a supervisory authority with regard to the Joint Processing (each a "Request"), you will promptly notify Smartee at privacy_dpo@smarteealigners.com and provide all timely information, cooperation and assistance as Smartee reasonably requires in relation to such Request. You are not authorized to act or answer on Smartee's behalf.
2.2.9 If you access or use Smartee’s Products and/or Services for any business or commercial purpose, you agree that any claim, cause of action or dispute that you have against us which arises out of or relates to these Joint Controller Terms must be resolved exclusively in the courts of Spain, that you irrevocably submit to the jurisdiction of the Spanish courts for the purpose of litigating any such claim, and that the laws of Spain will govern these Joint Controller Terms, without regard to conflict of law provisions.
2.2.10 We may update these Joint Controller Terms from time to time. Other than for changes required by law, we will provide you with 30 days’ notice of any material changes to the Joint Controller Terms (for example by email or to your account in the Products and/or Services). The updated Joint Controller Terms will be effective as of the time of posting, or such later date as may be specified in the updated terms. By continuing to access or use any of Smartee’s Products and/or Services after any notification of an update to these Joint Controller Terms, you agree to be bound by it. If you do not agree to the updated Joint Controller Terms, please stop all use of Smartee’s Products and/or Services. If any portion of these Joint Controller Terms is found to be unenforceable, the remaining portion will remain in full force and effect. If we fail to enforce any portion of these Joint Controller Terms, it will not be considered a waiver. Any amendment to or waiver of these terms requested by you must be made in writing and signed by us.
2.3 Data Processing Terms
2.3.1 In conjunction with Clause 2.1, Smartee shall act as a Processor under the following circumstances:
(a) Smartee processes data solely on the instructions of the relevant third party and does not independently determine the purposes of the processing. In other words, where the third party expressly directs Smartee to perform specific data processing tasks, such as analyzing, storing, or forwarding personal data to other third parties, Smartee does not decide how the personal data will be used or how long it will be retained. For example:
(i) healthcare institutions or physicians may upload patients’ personal data to Smartee, with Smartee processing such data strictly according to their instructions;
(ii) healthcare institutions or physicians may require Smartee to store patients’ personal data while retaining full control over its use and deletion;
(iii) healthcare institutions or physicians may use Smartee’s system to provide medical advice, with Smartee merely supplying technical support without utilizing the personal data for any other decisions.
(b) Smartee functions solely as a data custodian or storage provider and does not use the data for independent decision-making. For example:
(i) Smartee may offer data storage services (such as cloud storage for patients’ medical records) without employing the stored data for product manufacturing or other decisions;
(ii) patients’ personal data uploaded by distributors, healthcare institutions, or physicians remains under their control regarding access, modification, and deletion, while Smartee provides only the storage;
(iii) healthcare institutions or physicians may require Smartee to host patients’ personal data for later download or analysis, with Smartee refraining from actively accessing or processing the data.
(c) Relevant third parties use Smartee’s platform to process data, but Smartee itself does not utilize the data. For example:
(i) Smartee may provide an information system in which healthcare institutions or physicians independently upload and manage patients’ personal data, Smartee’s role being limited to technical support without further decision-making regarding the data;
(ii) physicians might use the system for patient data analysis while Smartee does not interfere with the data processing.
(d) Relevant third parties instruct Smartee to process data under a signed Data Processing Agreement (DPA). For example:
(i) a commercial partner may enter into a DPA with Smartee that requires data processing (such as format conversion or image processing) only when authorized by healthcare institutions, physicians, or other cooperating third parties, thereby prohibiting Smartee from independently determining the purposes of processing;
(ii) alternatively, healthcare institutions or physicians may require Smartee to conduct specific data analysis tasks while retaining control and decision-making authority over the data.
2.3.2 When Smartee Processes Personal Data pursuant to these Data Processing Terms, you are the Controller of such Personal Data and Smartee is a Processor. Accordingly, Smartee shall:
(a) only Process the Personal Data in accordance with the applicable Product and/or Service Terms, Contracts and Agreement. Smartee shall not disclose the Personal Data to any third party except where such disclosure:
(i) is in accordance with the Product and/or Service Terms, Contracts and Agreement,
(ii) is to a Sub-processor pursuant to Clause 2.3.3; or
(iii) otherwise in accordance with your documented instructions including to any of your other Processors to whom you may instruct us to disclose the Personal Data;
(b) ensure that any person it authorizes to Process the Personal Data is subject to a duty of confidentiality (whether contractual or statutory);
(c) implement appropriate technical and organizational measures to protect the Personal Data from and against a Personal Data Breach;
(d) assist you by appropriate technical and organizational measures insofar as this is possible (taking into account the nature of the Processing) to enable you to fulfil any obligations to respond to requests for the exercise of Data Subject rights by a Data Subject under the GDPR;
(e) notify you without undue delay upon becoming aware of a Personal Data Breach, and provide details, at the time of notification or as soon as possible after notification, of the nature of the Personal Data Breach and number of records affected, the category and approximate number of affected Data Subjects, any anticipated consequences of the Personal Data Breach, and any actual or proposed remedies for mitigating the possible adverse effects of the Personal Data Breach;
(f) at your request and expense, provide you with such assistance as is reasonable in respect of any data protection impact assessment and/or consultation with a supervisory authority that you are required to undertake in accordance with the GDPR, taking into account the nature of the Processing and the information available to Smartee;
(g) on termination of the Product and/or Service Terms, Contracts and Agreement, delete the Personal Data within the period set forth in the applicable Product and/or Service Terms, Contracts and Agreement provided, however, that Smartee may keep the Personal Data if necessary to provide other services set forth in the applicable Product and/or Service Terms, Contracts and Agreement. Where the EU GDPR applies, the requirement to delete Personal Data shall not apply to the extent that European Union or EU Member State law requires continued storage of the Personal Data, where the UK GDPR applies, the requirement to delete Personal Data shall not apply to the extent that UK law requires continued storage of the Personal Data and, where the Swiss DPA applies, the requirement to delete Personal Data shall not apply to the extent that Swiss law requires continued storage of the Personal Data;
(h) make available to you all information that is reasonably necessary to demonstrate Smartee's compliance with its legal obligations as a Processor under Article 28 of the GDPR; and
(i) upon request, Smartee shall make available to you copies of any applicable information security and/or data protection audit certifications it may hold in respect of the Processing that is the subject of these Data Processing Terms.
2.3.3 You agree that Smartee may subcontract its data processing obligations under these Data Processing Terms to third party Sub-processors (including Smartee group companies) provided that:
(a) any such Sub-processors are engaged on terms that impose obligations on the Sub-processor which are no less onerous than these Data Processing Terms;
(b) where any Sub-processor fails to fulfil such obligations, Smartee shall remain fully liable to you for the performance of that Sub-processor's obligations.
2.3.4 If the parties' compliance with GDPR requirements relating to international transfers of Personal Data is affected by circumstances outside of the parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.
2.3.5 For the avoidance of doubt, a transfer of Personal Data to Smartee's Entities in the EEA and/or the UK shall not constitute a Restricted Transfer for the purposes of Clause 2.4. To the extent that Smartee’s Entities in the EEA and/or the UK transfer such Personal Data (including to their affiliates and Processors) and such transfer is a Restricted Transfer, then they shall ensure that such onward transfer complies with the requirements of the GDPR (including, where necessary, by implementing Standard Contractual Clauses with the recipient of the Personal Data that is onward transferred).
2.4 Standard Contractual Clauses
If and to the extent that your use of Smartee’s Products and/or Services involves a Restricted Transfer of Personal Data from you (as "data exporter") to a Smartee affiliate (as "data importer"), then the Standard Contractual Clauses apply as follows:
2.4.1 in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply, completed as follows:
(a) if both you and Smartee are Controllers, Module One shall apply; if you are the Controller and Smartee is the Processor, Module Two shall apply;
(b) in Clause 7, the optional docking clause will apply;
(c) if you are the Controller and Smartee is the Processor, then Clause 9, Option 2 shall apply. Additionally, any notice regarding changes to sub-processors must be provided at least 7 days in advance;
(d) in Clause 11, the optional language will not apply;
(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Spanish law;
(f) in Clause 18(b), disputes shall be resolved before the courts of Spain;
(g) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to these Joint Controller Terms and Data Processing Terms; and
(h) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Joint Controller Terms and Data Processing Terms;
2.4.2 in relation to Personal Data that is protected by the Swiss DPA, the Swiss SCCs will apply completed as set out in Clause 2.4.1 above, except that the Swiss SCCs will be governed by Swiss law for the purposes of Clause 17 of the Swiss SCCs; and
2.4.3 in relation to data that is protected by the UK GDPR, the EU SCCs as amended by the UK Addendum will apply and the UK Addendum shall be completed as follows:
(a) Tables 1 to 3 of the UK Addendum shall be completed with the relevant information from the EU SCCs (as set out in Clause 2.4.1 above);
(b) the option "Importer" shall be checked in Table 4; and
(c) the start date of the UK Addendum (as set out in Table 1) shall be the date on which the parties entered this Agreement (Terms).
2.4.4 in the event that any provision of these Joint Controller Terms and Data Processing Terms contradict, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
3. Your Rights
Under applicable law, you have the right to access, rectify, restrict, port or delete your personal data, to object to its processing, and to withdraw your consent, as set out below:
Withdraw your consent. You have the right to withdraw your consent at any time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Access your information. You can ask us, free of charge, to confirm what information we process about you, to provide certain information about the processing, and for a copy of your information. If your personal data is being processed, you have the right to be informed of certain details regarding that processing:
(a) the purposes of the processing;
(b) the categories of personal information concerned;
(c) the recipients or categories of recipient to whom the personal information has been or will be disclosed, in particular recipients in third countries or international organisations;
(d) the envisaged period for which the personal information will be stored;
(e) the existence of the right to request from Smartee rectification or erasure of personal information, or restriction of processing of personal information concerning you, or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority. For additional information, please contact your local data protection authority;
(g) where the personal information is not collected from you, any available information as to its source.
Rectify your information. You can change or ask us to change or correct your information where that information is not accurate.
Erase (delete) your information. You have the right to obtain from Smartee the erasure of personal information concerning you without undue delay, and Smartee shall have the obligation to erase personal information without undue delay where one of the following grounds applies:
(a) the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(b) you withdraw the consent on which the processing is based according to point (a) of Article 6(1) and/or point (a) of Article 9(2) of the GDPR, and there is no other legal ground for the processing;
(c) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(d) the personal information has been unlawfully processed;
(e) the personal information has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal information has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
However, erasure shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which Smartee is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Smartee;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Restrict the processing of your information. You have the right to request the restriction of the processing of your information where (a) you are challenging the accuracy of the information, (b) the information has been unlawfully processed, but you are opposing the deletion of that information, (c) where you need the information to be retained for the pursuit or defence of a legal claim, or (d) you have objected to processing and you are awaiting the outcome of that objection request.
Object to the processing of your information. You have the right to object to the processing of your information in certain circumstances. This right applies when we are performing a task in the public interest, pursuing our legitimate interests or those of a third party, or when your data is processed for the purpose of facilitating scientific or historical research in certain circumstances. In submitting an objection request, please provide all relevant information, including the processing activity you are objecting to, why you want to object and how the processing activity affects you, and any additional information that you think will help us review your request. We will stop the particular processing if we don't have compelling legitimate grounds to continue that processing or don’t need it for legal claims.
Port your information. You have the right to data portability in circumstances where we rely on contractual necessity or consent as our legal basis. This means that you have the right to receive your information in a structured, commonly used, and machine-readable format and to share it with a third party. This right shall be without prejudice to your right to object to the processing of your information.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Smartee. The right shall not adversely affect the rights and freedoms of others.
Smartee collaborates with AMAZON WEB SERVICES, INC. (AWS) to provide cloud storage services for doctors and patients in the EEA, the UK and Switzerland. This partnership ensures that personal information is stored locally or in compliance with applicable laws and regulations. For details regarding AWS's service provisions, privacy protections, and security measures, please refer to the AWS Service Terms.
If we store your personal information using other methods, we will obtain your consent and implement legally compliant measures.
Personal data of individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland is controlled by SMARTEE ALIGNERS SPAIN S.L., based in Spain, and SMARTEE CLEAR ALIGNER (UK) LIMITED, based in the UK. When we transfer your information outside of the EEA, the UK, or Switzerland, we ensure it benefits from an adequate level of data protection by relying on:
Adequacy decisions. These are decisions from the European Commission under Article 45 GDPR (or equivalent decisions under other laws) where they recognise that a country offers an adequate level of data protection. Therefore, Smartee may lawfully transfer your personal information to countries and regions recognized under Adequacy Decisions. For details on the types of personal information collected, please refer to the “What Information We Collect” section; or
Article 49. In the absence of an adequacy decision, we rely on Article 49(1)(b) and (c) GDPR to transfer Purchase Information, as described in “What Information We Collect”, to buyers and transaction fulfilment providers in countries without an adequacy decision when necessary to provide shopping features that facilitate the purchase and delivery of products, goods and services, or to process your orders; or
Standard contractual clauses. The European Commission has approved contractual clauses under Article 46 of the GDPR that allow companies in the EEA to transfer data outside the EEA. These (and their approved equivalents for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information as described in “What Information We Collect” to certain entities in our Corporate Group (as described here) and to third parties in countries without an adequacy decision. For a copy of the standard contractual clauses, please contact us at privacy_dpo@smarteealigners.com.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Japan, the following additional terms apply.
The following terms shall have the following meanings in this Part B:
Terms | Meanings |
APPI (個人情報の保護に関する法律) | means the Act on the Protection of Personal Information of Japan (Act No. 57 of 2003, as amended), including any subsidiary legislation, regulations and any codes of practice, standards of performance, advisories, guidelines, frameworks, or written directions issued thereunder, in each case as amended, consolidated, re-enacted or replaced from time to time. |
PPC (個人情報保護委員会) | means the Personal Information Protection Commission of Japan. |
Personal Information (個人情報) | refers to data that can identify a specific individual. |
Sensitive Personal Information (要配慮個人情報) | includes details regarding an individual’s race, beliefs, social identity, medical history, criminal record, history of being a crime victim, and any other information designated under Japanese government ordinances that may result in discrimination, bias, or unfair treatment, thereby requiring special handling. |
2.1 Specification of Purpose
Smartee is required to specify the purpose of processing personal information as clearly as possible. Any modifications to the processing purpose must remain within a reasonable and relevant scope.
2.2 Exceptions to Purpose Limitation
Smartee may process personal information beyond the originally specified purpose in the following cases:
2.2.1 When required by Japanese laws and regulations (including local ordinances).
2.2.2 When necessary to protect an individual’s life, body, or property, and obtaining consent is difficult.
2.2.3 When necessary to improve public health or promote the sound development of children, and obtaining consent is difficult.
2.2.4 When necessary to cooperate with government agencies or local public bodies in performing statutory duties, where obtaining consent may hinder their execution.
2.2.5 When the data controller is an academic research institution, or when processing is partially for academic research purposes, provided it does not unfairly infringe on individual rights.
2.2.6 When providing personal data to an academic research institution that requires it for academic research purposes, except where it unfairly infringes on individual rights.
Before processing Sensitive Personal Information, Smartee will obtain your explicit consent, except in the following cases:
3.1 When required by Japanese laws and regulations.
3.2 When necessary to protect an individual’s life, body, or property, and obtaining consent is difficult.
3.3 When necessary to improve public health or promote children’s well-being, and obtaining consent is difficult.
3.4 When necessary to cooperate with government agencies or local public bodies in performing statutory duties, where obtaining consent may hinder their execution.
3.5 When processed by academic research institutions for academic research purposes, except where it unfairly infringes on individual rights.
3.6 When obtained from an academic research institution for academic research purposes, and the research is conducted jointly with Smartee.
3.7 When the information has been publicly disclosed by the individual, government agencies, local public bodies, academic research institutions, or other entities designated under Article 57, Paragraph 1 of APPI or PPC rules.
3.8 Any other situations deemed equivalent by Japanese government ordinances.
Smartee will conduct necessary and appropriate supervision of our employees, such as educating or training employees processing the Personal Information and Sensitive Personal Information. Where a data breach has occurred or where Smartee has determined that it is likely that such a breach has occurred by us or our service providers, Smartee will report the relevant facts to you promptly, investigate and report thereon, and implement recurrence prevention measures.
5.1 Transfers of Personal Information to the EEA, the UK, Switzerland
Adequacy decisions are decisions from the European Commission and the PPC under Article 45 GDPR (or equivalent decisions under other laws) where they recognise that a country offers an adequate level of data protection. Smartee is legally permitted to transfer personal information to countries and regions recognised under Adequacy Decisions. For details on the personal data we collect, please refer to the “What Information We Collect” section.
5.1.1 Smartee may transfer personal information to its UK subsidiary and medical centers for the purpose of providing Products and/or Services.
5.1.2 Smartee also collaborates with AMAZON WEB SERVICES, INC. (AWS) to provide cloud storage services for doctors and patients in Japan. This partnership ensures that personal information is stored locally or in compliance with applicable laws and regulations. For information on AWS's service provisions, privacy protections, and security measures, please refer to the AWS Service Terms.
5.2 Transfers of Personal Information to China
5.2.1 Smartee may transfer personal information to its China subsidiary for the purpose of providing Products and/or Services. Before transferring personal information to Smartee China, we will inform you of the purpose of the transfer, types of personal information involved, recipient details, and China’s personal data protection framework, and obtain your explicit consent.
5.2.2 The PPC will assess the compliance of China’s personal data protection system with APPI requirements; see the PPC’s survey of foreign systems, “Survey of the Personal Information Protection System of the People’s Republic of China” (国外制度、中華人民共和国の個人情報の保護に関する制度等の調査).
6.1 If you are a third party collaborating with Smartee and provide Personal Information and/or Sensitive Personal Information for processing, you shall adopt appropriate measures in accordance with APPI requirements, including, but not limited to, obtaining the individual’s consent, implementing appropriate security controls, and informing the individual of the purpose for transmitting personal information to Smartee, the personal data protection framework of the country in which Smartee is located, and the personal information protection measures adopted by Smartee.
6.2 When outsourcing or subcontracting the processing of Personal Information and/or Sensitive Personal Information, Smartee will enter into a contract (agreement) with the outsourcee/subcontractor retained by us to process all or part of the Personal Information and/or Sensitive Personal Information, imposing on it the same level of information protection obligations as set forth in these terms. Smartee shall perform appropriate supervision of the outsourcee/subcontractor and shall be responsible for its performance of the contract (agreement).
If you are under the age of 15, please have your parent or legal guardian read this with you. If you do not have consent from your parent(s) or legal guardian(s) and your parent(s) or guardian(s) is not willing to use and receive Products and/or Services under their name, you must cease using and receiving Products and/or Services.
If you are reviewing these terms as the parent/legal guardian of a user who is under the age of 15, you hereby declare that such user is above the age of 13 and that you have read and acknowledged Smartee's Privacy Policy and Terms of Use and agree to the use by your child of the Products and/or Services, as well as Smartee's processing of your child's Personal Information and/or Sensitive Personal Information in accordance with Smartee's Privacy Policy.
Smartee is responsible for maintaining the accuracy of, and for deleting where required, Personal Information and/or Sensitive Personal Information, and has the authority to respond to any claims of rights under applicable laws and regulations. Smartee will provide disclosure regarding the processing of Personal Information and/or Sensitive Personal Information, and Smartee will be responsible for responding to the exercise of data subject rights and to complaints from users.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Singapore, the following additional terms apply.
1.1 You have the right to be informed, the right to restrict or object to the processing of your data, the right to access and correct your personal data, the right to rectify personal data, and the right to data portability.
1.2 When personal data no longer serves the purpose for which it was originally collected, and its continued retention is no longer necessary for legal or business purposes, Smartee shall either cease retaining such data or remove any means by which the personal data can be linked to a specific individual.
2. Data Protection Officer
Data Protection Officer: If you wish to reach Smartee’s Data Protection Officer, please contact us at privacy_dpo@smarteealigners.com.
Your consent may be categorized as either “consent” or “deemed consent.” The latter is further subdivided as follows:
Deemed Consent by Conduct. When an individual voluntarily provides personal information in a reasonable manner, Smartee is still obligated to inform the individual accordingly.
Deemed Consent by Contractual Necessity. When personal data is disclosed from Organization A to Organization B, and such disclosure is necessary for the formation or performance of a contract or transaction between the individual and Organization A.
Deemed Consent by Notification. When Smartee obtains consent through notification, it must conduct a Data Protection Impact Assessment (DPIA), fulfill its duty to inform the individual, and provide a reasonable opt-out period.
Smartee may rely on the above forms of consent to provide and/or collaborate with you in offering its Products and/or Services.
When we transfer your personal data outside of Singapore, we comply with applicable legal requirements by employing one or more of the following methods:
4.1 Obtaining your explicit or deemed consent for transfer of data to third countries.
4.2 Ensuring that the recipient is governed by legal regimes that provide protection equivalent to that under the Personal Data Protection Act (PDPA).
4.3 Entering into a data processing agreement with the recipient, which stipulates that personal data may be transferred to countries or regions outside of Singapore, and obligates the recipient to adhere to protection standards equivalent to those under the PDPA.
4.4 Implementing binding corporate rules within the Smartee Group that require all internal data recipients to maintain a level of data protection not inferior to that mandated by Singapore law.
5.1 In the event of a data breach, Smartee shall assess the incident. If the breach qualifies as notifiable under the PDPA, Smartee shall notify the affected individuals within three (3) days. The notification shall include:
5.1.1 A description of the data breach;
5.1.2 Details of Smartee’s response to the data breach;
5.1.3 Contact information for at least one authorized representative (e.g., the Data Protection Officer).
5.2 If the data breach has caused or is likely to cause significant harm to affected individuals, it shall be deemed a notifiable breach, and Smartee will assist the affected individuals in taking appropriate protective measures.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Hong Kong, China, the following additional terms apply.
1.1 You have the right to access and correct your personal data, to rectify such data, and to withdraw your consent. For further details, please refer to the Personal Data (Privacy) Ordinance.
1.2 Smartee must take all practicable steps to erase personal data held by Smartee where the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless
1.2.1 any such erasure is prohibited under any law; or
1.2.2 it is in the public interest (including historical interest) for the data not to be erased.
By providing your consent, you authorize Smartee to transfer your personal data to Smartee's Entities in Mainland China for the purpose of providing you with Products and/or Services.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Australia, the following additional terms apply.
Certain entities in Smartee Group, located outside of Australia, are given access to your information so that they can provide Products and/or Services, as described in the section on “Shared Use of Personal Information” and “Provision and Disclosure of Personal Information”. Please see here for further information on the countries in which our group entities which receive personal information from Australia are located.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Mexico, the following additional terms apply.
All purposes of processing stated in this section of the main Privacy Policy are necessary purposes.
We use both human and automated means to process your data.
We may share your personal data with a third party for the purpose of providing Products and/or Services. We will obtain your consent for such sharing as required by applicable laws.
By providing us with your personal data and using and receiving our Products and/or Services you agree to the transfers that require your consent. You can always revoke your consent and exercise your rights, as stated below.
You have the following rights with respect to your personal data: access, rectification, cancellation, opposition, consent withdrawal, and limitation of the use and disclosure of your data. You can exercise your rights by sending your request to privacy_dpo@smarteealigners.com. To learn more about the applicable requirements and the procedure for exercising your rights, contact us at the email address above. If you are under 18 years of age, you may exercise your rights through a parent or guardian. Your rights requests will be resolved as soon as possible according to the nature of your request.
You may review our “Processing of Personal Information of Children” section in the Privacy Policy.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Russia, the following additional terms apply.
When we process your personal data, we rely on the grounds of your consent, performance of a contract, agreement, our legitimate interest and obligations to process personal data, or when we are so required by law.
By using and receiving Products and/or Services, you consent to the processing of personal data in accordance with this Privacy Policy.
Your personal data may be transferred from Russia to China and stored in that location, outside of the country where you live.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Vietnam, the following additional terms apply.
We may process your personal data by manual or automated methods.
Subject to certain exceptions, you have statutory rights and obligations under applicable laws. In particular, you have the following statutory rights:
• Right to know;
• Right to consent and withdraw consent;
• Right to access;
• Right to delete data;
• Right to restrict data processing;
• Right to be provided with data;
• Right to object to data processing;
• Right to complain, denounce or initiate lawsuits;
• Right to claim for damages; and
• Right to self-protection.
You may exercise these rights by contacting us through the details in the Contact section, and we will respond to your requests regardless of the location in which your data is stored.
You have the following statutory obligations:
• Protect your own personal data;
• Request other relevant organizations and individuals to protect your personal data;
• Respect and protect personal data of others;
• Provide complete and accurate personal data upon giving consent to the processing of your personal data; and
• Other obligations under applicable laws.
If you are below 16 years old or under guardianship:
3.1 you must obtain approval from your parent(s) or legal guardian(s); and
3.2 your parent(s) or legal guardian(s) are responsible for: (i) all your actions in connection with your access to and use of Products and/or Services; (ii) your compliance with this policy; and (iii) ensuring that your participation in Products and/or Services will not, in any event, result in any violation of applicable laws and regulations relating to child protection.
If you do not have consent from your parent(s) or legal guardian(s) and your parent(s) or guardian(s) is not willing to use and receive Products and/or Services under their name, you must cease using and receiving Products and/or Services if you are not at least 16 years of age.
----------------------------------------------------------------------------------------------------------------------
If you are using Smartee’s Products and/or Services in Brazil, the following additional terms apply.
Brazilian law provides certain rights to individuals with regard to their personal data. Thus, we seek to ensure transparency and access controls in order to allow users to benefit from the mentioned rights.
We will respond and/or fulfill your requests for the exercise of your rights below, according to the applicable law and when applicable, to the Brazilian General Data Protection Law - LGPD:
• confirmation of whether your data are being processed;
• access to your data;
• correction of incomplete, inaccurate or outdated data;
• anonymization, blocking or erasure of data;
• portability of personal data to a third party;
• objection to the processing of personal data;
• information about the public and private entities with which we have shared your data;
• information about the possibility of refusing to provide personal data and the respective consequences, when applicable;
• withdrawal of your consent; and
• review of decisions made solely on the basis of automated processing of personal data affecting your interests, including decisions made to define your personal, professional, consumer or credit profile, or aspects of your personality.
We encourage you to contact us if you are not satisfied with how we have responded to any of your rights requests. You also have the right to lodge a complaint with the Brazilian Data Protection Authority (ANPD).
For your safety, and to ensure that we do not disclose any of your personal data to unauthorized third parties, we may request specific information and/or documents from you to verify your identity and guarantee the adequate exercise of your rights before we respond to a request concerning your data. All data and documents received from you in the process of responding to your requests will be used strictly for analyzing your request, authenticating your identity, and responding to your request.
In certain situations, we may have legitimate reasons not to comply with some of your requests. For instance, we may choose not to disclose certain information to you when a disclosure could adversely impact our business whenever there is a risk of violation to our trade secrets or intellectual property rights. In addition, we may refrain from complying with a request for erasure when the maintenance of your data is required for complying with legal or regulatory obligations or when such maintenance is required to protect our rights and interests in case a dispute arises. Whenever this is the case and we are unable to comply with a request you make, we will let you know the reasons why we cannot fulfill your request.
In case of doubt about your privacy, your rights or how to exercise them, please contact us through the “Contact Us” form. If you have any questions about the processing of your personal data, we would be glad to clarify them.
If you wish to reach Smartee’s Data Protection Officer, contact us at privacy_dpo@smarteealigners.com.
We keep your application access logs, under confidentiality, in a controlled and safe environment for at least 6 months, in order to comply with legal obligations.
The Policy may have been prepared in the English language.
International data transfers are necessary for us to provide our Products and/or Services. If you are located in Brazil, we will always rely on one of the international data transfer mechanisms under applicable data protection laws and regulations.
Data exporter(s):
Name | You or any of your affiliates that make a Restricted Transfer to a Smartee affiliate. |
Address | When you use and accept the Products and/or Services provided by Smartee, the following data may be collected either directly from you or through other lawful means (e.g., shipment processing and bank transfers). |
Contact person’s name, position and contact details: | When you use and accept the Products and/or Services provided by Smartee, you may provide your name and contact details to Smartee, or Smartee may obtain your address details through other lawful means (such as shipment processing and bank transfers). |
Activities relevant to the data transferred under these Clauses: | A patient and/or doctor of Smartee’s Products and/or Services. |
Signature and date: | The Annex I shall be deemed executed upon acceptance of this Privacy Policy or any related Contract (Agreement) pertaining to Smartee’s Products and/or Services. |
Role (controller/processor): | Joint Controller /Controller/Processor |
Data importer(s):
Name | Shanghai Smartee Denti-Technology Co., Ltd. and/or SMARTEE ALIGNERS SPAIN SL and/or SMARTEE CLEAR ALIGNER (UK) LIMITED and/or any other Smartee affiliates when they receive Personal Data pursuant to a Restricted Transfer. |
Address | Shanghai Smartee Denti-Technology Co., Ltd., Building E, Jixian Center, Lane 565 Shengxia Road, Pudong New Area, Shanghai, China; SMARTEE ALIGNERS SPAIN SL, C/ BRONCE, NUMERO 10, PORTAL B, 1° B; SMARTEE CLEAR ALIGNER (UK) LIMITED, First Floor, 2 Hampton Court Road, Birmingham, England, B17 9AE |
Contact person’s name, position and contact details: | Questions in connection with these Standard Contractual Clauses may be directed to privacy_dpo@smarteealigners.com. |
Activities relevant to the data transferred under these Clauses: | Provision of Smartee’s Products and/or Services. |
Signature and date: | The Annex I shall be deemed executed upon acceptance of this Privacy Policy or any related Contract (Agreement) pertaining to Products and/or Services. |
Role (controller/processor): | Joint Controller /Controller/Processor |
Categories of data subjects whose personal data is transferred: | Individuals whose data are collected by Smartee’s Products and/or Services. |
Categories of personal data transferred: | Orthodontic Service (patient): Name, Gender, Age, Dentition, Products and Devices Used, Delivery Address, Email, Postal Code. Orthodontic Service (doctor): Name, Mobile Phone Number, Landline Phone Number, Email Address, Contact Address, Qualifications Relevant to Orthodontic Diagnosis and Treatment, Third-Party Doctor Registration Number, Shipping Information (please note: the multiple shipping details you provide may contain Additional Names, Phone Numbers, Addresses, etc.), Bank Account Details, Tax-Related Codes (including but not limited to VAT, GST). Smartee Academy Service: Full Name, Professional Role, Country of Residence, Organization, Email, Payment Details. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | Case Number, Imaging Data [Facial Photos, Oral Photos, X-ray Images (Radiographs)], Dental Scan Files, CBCT Files, STL Files, Treatment Design Steps, Intraoral Scan Data, Occlusal Data, Manufacturing System Information (OEM) |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous throughout the provision of the Smartee’s Products and/or Services to the data exporter and/or doctor and/or patient. |
Nature of the processing: | The provision of Smartee’s Products and/or Services for which Smartee (or its affiliates) is a Joint Controller and/or Controller and/or Processor, as identified in Clause 2.1 of Part A of this Jurisdiction Specific Addendum. |
Purpose(s) of the data transfer and further processing: | Transfers necessary for the provision of Smartee’s Products and/or Services for which Smartee (or its affiliates) is a Joint Controller and/or Controller and/or Processor, as identified in Clause 2.1 of Part A of this Jurisdiction Specific Addendum. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | For the duration of the relevant Smartee’s Products and/or Services, and as otherwise required by applicable law. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | As described above and in: (i) the Joint Controller Terms in Clause 2.2 of Part A of this Jurisdiction Specific Addendum; (ii) the Data Processing Terms in Clause 2.3 of Part A of this Jurisdiction Specific Addendum; and (iii) the relevant Terms and/or Contract and/or Agreement and/or any documents that apply to Smartee’s Products and/or Services provided to the data exporter and/or doctor and/or patient. |
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs): | Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs. Where the UK GDPR applies, the UK Information Commissioner's Office. Where the Swiss DPA applies, the Swiss Federal Data Protection and Information Commissioner. |
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The Smartee system is deployed on a cloud platform, with the physical environment secured by the cloud service provider. The provider also guarantees the business processing capacity of key network equipment.
The Smartee system communicates with external systems via cloud firewalls and Access Control List (ACL) policies configured by the cloud service provider, with all communications denied by default. Critical network areas are deployed within an internal network, and key network devices, security equipment, and communication lines are safeguarded by the provider. Application servers operate in an active-standby configuration to ensure redundancy, while the database employs a master-slave (hot backup) model to maintain high availability. The system uses HTTPS, RDP, and TIS protocols for remote management, with cryptographic techniques ensuring data integrity and confidentiality during transmission.
Network boundaries are protected by cloud firewalls and ACL policies provided by the cloud service provider, with all communications blocked by default. Security measures include:
3.1 Cloud firewalls with intrusion prevention modules;
3.2 Web Application Firewall (WAF) services;
3.3 Cloud Security Center (Enterprise Edition); and
3.4 Audit functions for detecting and analyzing network attacks and abnormal traffic.
Smartee servers are managed via a bastion host that, together with the servers, authenticates user identities under a complex authentication policy. Each server is equipped with a Cloud Security Center (Enterprise Edition) agent for host intrusion detection. Additionally, Huorong 5.0 is installed for malicious code detection and removal. Authentication data is encrypted and protected to ensure integrity, and users log in via HTTPS.
Smartee centrally manages all cloud hosts and security services through the cloud service provider’s control panel. This system monitors network conditions, security components, and virtual machine statuses, while the provider’s logging service enables centralized audit management. Each virtual machine is equipped with a Cloud Security Center (Enterprise Edition) agent to manage security policies, detect malicious code, and handle patch upgrades centrally. The provider’s security group center collects and analyzes security incidents across the network, issuing alerts as needed.
Smartee has established a comprehensive information security policy framework, which includes:
6.1 The General Principles of Cybersecurity Management System, outlining overall cybersecurity policies and strategies—including objectives, scope, principles, and framework;
6.2 Detailed management requirements and procedures covering physical security, host security, network security, application security, data security, system development, and security operations; and
6.3 An integrated information security management system comprised of security strategies, management policies, and operational procedures.
Smartee maintains a well-structured security management organization with clearly defined responsibilities:
7.1 Privacy Office: Serves as the highest information security management body, led by an executive and including a designated Data Protection Officer (DPO);
7.2 Information Security Task Force: Executes security management activities for the information system; and
7.3 Dedicated Network and Security Administrators: Responsible for ensuring network and system security.
The Human Resources Department at Smartee is responsible for personnel recruitment and ensures strict adherence to the recruitment and offboarding security policies. The Cybersecurity Training Policy mandates security awareness training for all employees, and the employee handbook explicitly sets out security responsibilities and disciplinary measures. Access to office areas requires prior approval, and anyone granted access must be accompanied by authorized personnel.
Smartee selects security measures based on its security protection level and the results of risk analyses:
9.1 The business department is authorized to propose procurement requests for cybersecurity products, which are reviewed and approved by the Finance Department. All such products comply with relevant national regulations.
9.2 The development environment is located within office premises, while the production environment is deployed on the cloud platform. The testing environment is physically isolated from the production environment to ensure effective control over test data and results.
9.3 Security administrators oversee system implementation, ensure construction quality, and manage system acceptance and deployment.
Smartee enforces strict operational security measures, which include:
10.1 Requiring employees to return office keys upon reassignment and prohibiting the hosting of visitors in office areas;
10.2 Mandating that employees log out of terminal computers when leaving their workstations and secure sensitive paper documents;
10.3 Assigning a security administrator to maintain equipment and network infrastructure, with periodic maintenance logs recorded;
10.4 Designating a system administrator to manage user accounts, including account requests, creation, and deletion;
10.5 Implementing security policies that outline configuration and operational procedures for critical devices to ensure secure and optimized system settings; and
10.6 Establishing an incident response and emergency management system to effectively handle security breaches.