Privacy Policy

Effective date: 16 February 2026

This Privacy Policy explains how SMBuddy (the “Service”) collects and uses personal data, what choices you have, and how we keep data safe. We wrote this to be human-friendly while still covering the requirements of the EU General Data Protection Regulation (GDPR) and relevant EU rules for AI-enabled services.

If you only read one section, read “Key points” below.

Key points

  • We collect only what we need to provide and improve SMBuddy.
  • You control what you upload. If you put personal or confidential data into SMBuddy, you are responsible for having the right to do so.
  • AI features may process your content. We use AI tools to help deliver the Service (for example, summarization, drafting, or automation). AI outputs can be wrong – you should verify important information.
  • We do not sell your data.
  • You can access, correct, export, or delete your personal data, subject to legal and operational limits.

Who we are

Controller (data operator): Holy Traction OÜ
Address: Sepapaja tn 6, 15551 Tallinn, Estonia
Email: privacy@smbuddy.co

“Controller” means we decide why and how your personal data is processed.

What SMBuddy is

SMBuddy provides premium support and hands-on help to set up and operate AI-enabled workflows and integrations on infrastructure selected by the customer (often a user-owned server/VPS). Depending on your setup, the Service may involve integrations with third-party platforms (for example, task boards, messaging, code hosting, payments, or cloud providers).

Personal data we collect

1) Data you provide

  • Account and contact details – name, email, billing details, company (if provided), and any info you share in support conversations.
  • Service content – text, files, prompts, notes, instructions, project descriptions, and other content you submit or that is created at your request.
  • Communications – messages you send to us (email, forms, chat, or other channels).

2) Data collected automatically

  • Usage data – pages/actions in the Service, timestamps, feature usage, performance metrics.
  • Device and log data – IP address, user agent, approximate location (derived from IP), diagnostics, error logs.
  • Cookies and similar technologies – used for session management, security, and analytics (see “Cookies” below).

3) Data from third parties

If you connect third-party services, we may receive data from them as needed to provide the integration – for example, identifiers, metadata, and content you choose to sync.

Why we process personal data (purposes)

We process personal data to:

  1. Provide and operate the Service – create accounts, authenticate users, deliver features, manage subscriptions.
  2. Provide customer support and professional services – respond to requests, troubleshoot, implement integrations.
  3. Maintain security and prevent abuse – detect fraud, secure accounts, protect infrastructure.
  4. Improve and develop SMBuddy – understand feature usage, fix bugs, improve performance.
  5. Comply with legal obligations – accounting, tax, responding to lawful requests.
  6. Communicate with you – service emails (important updates, security notices), and optional product communications (you can opt out of marketing).

We rely on one or more of these legal bases depending on the context:

  • Contract – to provide the Service you request.
  • Legitimate interests – for security, service improvement, and business operations (we balance this against your rights).
  • Consent – for certain cookies, marketing, or optional features where required.
  • Legal obligation – for tax, accounting, and regulatory compliance.

AI-related processing – what it means for you

SMBuddy may use AI models and automation tools to help deliver features (for example, drafting, summarizing, extracting tasks, or generating code snippets). This can involve processing your submitted content.

Important notes and risks

  • AI output may be inaccurate. Treat it as assistance, not ground truth.
  • Do not upload sensitive data unless necessary. If you must, limit it to the minimum.
  • Confidentiality depends on your choices. If you paste secrets (API keys, credentials) into messages or files, you increase risk. Use secret managers and environment variables where possible.

Automated decision-making

We do not make decisions that produce legal or similarly significant effects solely through automated processing (GDPR Article 22) without meaningful human involvement. If we ever introduce such processing, we will update this Policy and provide required safeguards.

EU AI rules

Where EU AI regulations apply to parts of our Service, we aim to follow the relevant transparency, safety, and governance expectations – including documenting systems, assessing risks, and providing appropriate user information.

Roles – controller vs processor

  • For your SMBuddy account data (subscriptions, billing contact details, support communications), we are the controller.
  • For content you submit to SMBuddy (prompts, files, project information), the role can vary:
    • In many cases, you are the controller of personal data contained in your content and we act as a processor providing the Service to you.
    • In other cases (for example, when you ask us to set up workflows that handle third-party data), you may be a controller or processor depending on your own obligations.

If you need a Data Processing Agreement (DPA) for your compliance, contact privacy@smbuddy.co.

Sharing data with others (processors and partners)

We share personal data only as needed to run SMBuddy.

Service providers (processors)

We may use trusted vendors for:

  • Hosting and infrastructure (cloud/VPS, storage, networking)
  • Payments and billing
  • Customer support and communication
  • Analytics and monitoring
  • Productivity and project management tools (if used in your engagement)
  • AI model providers (to deliver AI features)

AI model providers

When you use AI-enabled features, your inputs (and related context) may be processed by third-party AI providers, currently including Anthropic and OpenAI, strictly to deliver the requested functionality and operate the Service.

Depending on your configuration, common categories may include providers such as cloud hosting, email delivery, payment processors, task boards, code hosting, messaging platforms, analytics/monitoring, and AI providers.

When you connect third-party services

If you connect SMBuddy to third-party services, data will be shared with those services according to your settings and their privacy policies.

We may disclose data if required by law or to protect rights, safety, and security.

International data transfers

We are based in Estonia (EU). Some service providers may process data outside the European Economic Area (EEA).

When personal data is transferred outside the EEA, we use appropriate safeguards, such as:

  • European Commission adequacy decisions (where available)
  • Standard Contractual Clauses (SCCs) and, where needed, supplementary measures
  • where applicable, reliance on recognized transfer frameworks for specific providers (if available)

How long we keep data (retention)

We keep personal data only as long as necessary:

  • Account and subscription data – for the life of your account and as required for legal/tax purposes.
  • Support communications – as needed to support you, maintain records, and improve Service quality.
  • Service content – retained according to the feature and your requests. If you ask us to delete content, we will do so unless we must keep it for legal reasons or to protect security.
  • Logs and security data – typically kept for limited periods to investigate incidents and prevent abuse.

You can request deletion – see “Your rights” below.

Security

We use appropriate technical and organizational measures designed to protect personal data, such as:

  • access controls and least-privilege practices
  • encryption in transit (and where appropriate, at rest)
  • monitoring and logging
  • vendor security reviews and contractual protections

No system is perfectly secure. You are responsible for keeping your credentials safe and using strong authentication.

Cookies

We use cookies and similar technologies for:

  • Essential functionality – logins, sessions, security
  • Analytics – to understand usage and improve SMBuddy

Advertising pixels (optional)

We may add advertising/measurement pixels in the future (for example, Meta Pixel or Google tags) to measure campaign performance and improve marketing. If we do, we will:

  • use them only where permitted by law
  • request consent for non-essential cookies where required (for example, in the EEA/UK)
  • provide controls to refuse or withdraw consent

Where required, we ask for consent for non-essential cookies. You can also control cookies via your browser settings.

Global Privacy Control (GPC)

If your browser sends the Global Privacy Control signal, we will treat it as an opt-out from certain forms of data sharing for targeted advertising where required by applicable law.

US privacy disclosures

If you are a resident of certain US states (including California), you may have additional rights under state privacy laws.

What we do (and do not do)

  • No sale of personal information. We do not sell your personal information.
  • Sharing for targeted advertising. If we enable advertising pixels or similar technologies, we will provide a way to opt out of “sharing”/targeted advertising where required by law.

Your rights may include

Depending on your state, you may have the right to:

  • access/know the personal information we hold about you
  • delete personal information
  • correct inaccurate personal information
  • opt out of targeted advertising and certain data sharing
  • limit the use/disclosure of certain sensitive personal information
  • not be discriminated against for exercising privacy rights
  • appeal our decision if we deny your request (where required)

To exercise these rights, email privacy@smbuddy.co. We may verify your identity before fulfilling requests.

Children

SMBuddy is not intended for children. We do not knowingly collect personal data from:

  • children under 16 (EEA/UK standard), or
  • children under 13 (US COPPA standard).

If you believe a child has provided personal data to us, contact privacy@smbuddy.co and we will take appropriate steps.

Your rights (GDPR)

If you are in the EEA/UK (and often elsewhere), you may have rights to:

  • Access – know what data we have about you
  • Rectification – correct inaccurate data
  • Erasure – request deletion (subject to legal/operational limits)
  • Restriction – limit processing in certain cases
  • Objection – object to processing based on legitimate interests
  • Portability – receive your data in a usable format
  • Withdraw consent – where processing is based on consent

To exercise rights, email privacy@smbuddy.co. We may verify your identity before fulfilling requests.

Complaints

You can also lodge a complaint with your local data protection authority. In Estonia, the supervisory authority is the Estonian Data Protection Inspectorate.

SMBuddy may link to or integrate with third-party services. Their privacy practices are governed by their own policies. We recommend reviewing them before connecting services.

Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the Service or by email. The “Effective date” at the top shows when this version began to apply.

Contact

Questions or requests about privacy:

privacy@smbuddy.co
Holy Traction OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia