Smooth

Have better conversations with customers; spend less time managing it all

AI-first support chat for your business

Privacy Policy

Effective date: 13 August 2025

This Privacy Policy explains how Smooth (“Smooth”, “we”, “our”, or “us”) collects, uses, discloses, and protects personal information when you use our mobile application, backend services, and related features (collectively, the “Service”).

Smooth is a business communications app that:

  • Provides a secure inbox for business email threads
  • Processes incoming customer emails and generates AI-powered insights
  • Supports push and email notifications
  • Enables direct-to-cloud file uploads for onboarding chat history
  • Offers subscription access with in-app purchase flows

We are committed to privacy-by-design and security-by-default.

1. Who We Are and How to Contact Us

  • Controller: Freewheel Group Limited (trading as “Smooth”)
  • Contact: smooth@app.smooth.biz
  • EU/UK representative and DPO: available upon request via email above
  • Intended users: business users aged 16+

2. Personal Information We Process

We process the following categories of data, as necessary to operate the Service:

  1. Account and Business Profile
  • Name, email address, password hash
  • Business name, slug, roles, subscription status and expiration
  • User preferences (e.g., notifications)
  1. Authentication and Security
  • Access and refresh tokens
  • Token metadata and validity periods
  • Audit and security logs (IP address, timestamps, event types)
  1. Inbox and Messaging
  • Incoming and outgoing email content (subject, text, optional HTML)
  • Sender/recipient names and addresses
  • Message timestamps, message IDs, threading and labels
  • Indicators of attachments and processing state
  • Optional AI-derived metadata (e.g., action items, suggested responses)
  1. Notifications
  • Mobile push tokens and permissions
  • Email notification preferences and delivery status
  • Deep-link navigation data to route users to specific screens
  1. File Uploads (Chat History Onboarding)
  • File name, size, type, storage key
  • Upload completion events and status
  • Limited metadata necessary for secure storage and internal notifications
  1. Subscription and Payments
  • Subscription status, product/offering identifiers, expiration dates
  • Minimal purchase metadata from app stores or subscription infrastructure (no full payment card data is processed by us)
  1. Technical and Usage
  • Device and app version, operating system
  • Performance and error logs
  • Limited network metadata required to provide and secure the Service

We do not intentionally collect special categories of personal data.

3. Sources of Data

  • Directly from you (registration, settings, messaging, uploads)
  • From your business contacts (emails sent to your business inbox)
  • From your device/app (push token, deep-link navigation)
  • From third-party platforms used to deliver the Service (see Section 7)

4. Purposes and Legal Bases

We process data for the following purposes:

  • Provide, maintain, and improve the Service (contract performance)
  • Authenticate users and secure accounts (contract performance; legitimate interests)
  • Receive, store, and display business emails and threads (contract performance)
  • Generate AI insights such as label suggestions, action items, and suggested replies (contract performance; legitimate interests)
  • Send push and email notifications (consent where required; otherwise contract performance/legitimate interests)
  • Process subscription access and entitlements (contract performance)
  • Prevent abuse, secure infrastructure, and troubleshoot (legitimate interests; legal obligations)
  • Comply with legal requirements and enforce our rights (legal obligations; legitimate interests)

Where consent is required (e.g., push notifications in certain jurisdictions), we will seek your consent and you may withdraw it at any time in your device OS or app settings.

5. AI Features and Automated Processing

  • AI processing is applied to incoming customer messages to classify labels, extract action items, and suggest responses.
  • Outputs are recommendations for your review; you remain in control of editing and sending any outgoing communications.
  • We do not make solely automated decisions that produce legal or similarly significant effects on you.
  • We minimize inputs to external AI APIs and send only what’s necessary to generate the requested outputs.

6. Data Sharing and International Transfers

We share data with service providers (processors) strictly under contract and only as needed to operate the Service:

  • Cloud email infrastructure: Receiving, parsing, and sending email
  • Object storage: Storing emails and uploads
  • Webhooks and message processing: Reliable email ingestion and processing
  • Mobile push service: Sending app notifications
  • Transactional email service: Sending notification emails
  • Subscription infrastructure: Managing in-app purchases and entitlements (when enabled)
  • AI inference service: Generating AI insights from message content
  • Internal alerts: Notifying our team of large file uploads and operational events

Regions and transfers:

  • We configure cloud regions with a preference for EU/EEA/UK regions where feasible (for example, email receiving and storage, notification services, and object storage may be provisioned in EU-West).
  • Some providers may process data globally (including the United States). When we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising.

7. Key Subprocessors (Categories and Purposes)

  • Cloud email (receiving and transactional): Amazon Web Services (AWS) Simple Email Service (SES)
  • Object storage and file uploads: AWS Simple Storage Service (S3)
  • Webhooks and event delivery: AWS Simple Notification Service (SNS)
  • Mobile push notifications: Expo push service
  • AI inference: DigitalOcean AI Inference API (Llama model family)
  • Subscription management (if enabled): App stores and subscription infrastructure providers
  • Deep-link bridging: HTTP-to-deeplink redirection to open app content
  • Team notifications: Limited metadata to internal alerting channels (e.g., upload completion info)

We maintain an up-to-date list of subprocessors and will notify you of material changes as required by law.

8. Data Retention

  • Account and business data: For the life of the account and as needed for compliance and recordkeeping
  • Messaging data: Retained until you delete threads or close the business account, plus a short buffer period for backup integrity
  • AI outputs (action items, suggestions): Retained with the underlying messages unless you delete them
  • Push tokens and preferences: Until revoked or removed
  • File uploads (chat history): Retained as long as needed for onboarding and internal operations; you may request deletion
  • Logs and security records: Typically 30–90 days unless required longer for security, incident analysis, or legal obligations
  • Backup copies: Time-limited and securely purged on a rolling schedule

9. Your Rights

Subject to applicable law (e.g., GDPR/UK GDPR, CCPA/CPRA), you may have rights to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase data (“right to be forgotten”)
  • Restrict or object to certain processing
  • Data portability (structured, commonly used format)
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority (e.g., UK ICO)

To exercise rights, contact smooth@app.smooth.biz. We will verify your identity and respond within statutory timelines.

10. Children’s Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children under 16.

11. Security

We implement technical and organizational measures including:

  • Strong password hashing and token-based authentication
  • Transport-layer encryption (HTTPS/TLS)
  • Cloud security best practices and least-privilege access
  • Business-level data isolation where applicable
  • Input validation and ORM to reduce injection risks
  • Webhook signature validation and message deduplication
  • Server-side encryption for stored objects where supported by the provider No method is 100% secure, but we continuously improve controls and monitoring.

12. Account Deletion

You can request account and business deletion. We will:

  • Deactivate access
  • Remove personal data from active systems, subject to legal retention
  • Purge from backups on a standard rolling schedule

13. Third-Party Links

The Service may include links to third-party websites or services. Their privacy practices are governed by their own policies.

14. Changes to This Policy

We may update this Policy to reflect changes in laws, features, or practices. Material changes will be communicated via in-app notice or email. Continued use after the effective date constitutes acceptance.

15. Contact

For privacy inquiries or to exercise rights: smooth@app.smooth.biz