SMCZONE

Privacy Policy

1. Data Controller

The data controller is Individual Entrepreneur ANDRYTSA MARYIA, registered at Georgia, Tbilisi, Saburtalo district, Bakhtrioni str., N22, flat 7, Registration Number 305850969. Contact for privacy matters: [CONTACT_EMAIL].

This Policy describes what personal data we collect, how we use it, to whom we transfer it, and what rights data subjects have. The Policy is drafted with regard to the GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), the Law of Georgia on Personal Data Protection, and other applicable laws.

2. What Data We Collect

Data provided by the User: first name, last name, email address, username, country of residence, payment information (processed by the payment provider; we receive only masked data), Discord ID, content of correspondence with support.

Data collected automatically: IP address, browser type, operating system, country by IP geolocation, visit times, pages visited, device identifiers, traffic source, referrer, search queries.

Data received from third parties: payment status from the payment provider, data from analytics services, public data from social networks when authenticating through them.

We do NOT knowingly collect special categories of data (racial or ethnic origin, political opinions, religious beliefs, biometric data, health data). If such data was transmitted by mistake, it will be deleted.

3. Purposes and Legal Bases of Processing

Performance of a contract (Art. 6(1)(b) GDPR): creation and maintenance of the account, provision of the Service, payment processing, user support.

Compliance with legal obligations (Art. 6(1)(c) GDPR): retention of accounting and tax records, response to lawful requests of public authorities, compliance with sanctions requirements, payment-processor fraud-prevention requirements, accounting/tax obligations and other legal obligations where applicable.

Legitimate interests: fraud prevention, Service security, ensuring website functionality, product improvement, and protection of the Provider’s rights.

Consent (Art. 6(1)(a) GDPR): marketing emails to new subscribers, use of non-essential cookies, transfer of data to affiliates for marketing purposes.

Marketing emails and other direct marketing communications are sent only with the User’s prior consent, unless otherwise expressly permitted by mandatory applicable law. Each marketing message must include an easy unsubscribe option. After consent withdrawal, processing for direct marketing stops within a reasonable time, and for requests governed by Georgian law no later than 7 working days.

4. Sharing Data with Third Parties

We share personal data with the following categories of recipients: payment providers (Stripe, Paddle, LemonSqueezy, etc. — depending on the system used); email delivery services; analytics platforms; Discord platform; cloud hosting providers; CRM systems; external advisors (legal, tax, accounting) where necessary.

We enter into data processing agreements (DPAs) with all data processors, obliging them to comply with data protection requirements.

Some of our processors are located outside the EEA (e.g. in the USA). Data may be transferred to service providers in other countries, including payment processors, hosting, email services, analytics, CRM/support tools and advisors. Where a transfer is subject to GDPR/UK GDPR, applicable transfer mechanisms are used, including SCCs, the UK IDTA/Addendum or other approved mechanisms. Where a transfer is subject to Georgian law, it is made on applicable legal grounds, with safeguards and authorisations where required. A list of key processors and processing countries is available upon request at [CONTACT_EMAIL].

We do NOT sell personal data to third parties within the meaning of CCPA/CPRA.

5. Data Retention Period

Account data: for the entire duration of the account and 3 years after its deletion (to resolve potential disputes).

Payment data and invoices: 7 years (or such other period as required by the tax laws of Georgia).

Marketing data: until withdrawal of consent or 3 years from the last activity.

Security logs: up to 12 months.

6. Rights of Data Subjects

You have the following rights regarding your personal data: right of access; right to rectification of inaccurate data; right to erasure ("right to be forgotten"); right to restriction of processing; right to data portability; right to object to processing; right to withdraw consent at any time; right to lodge a complaint with a supervisory authority.

To exercise these rights, send a request to [CONTACT_EMAIL]. We respond to data subject requests within the time limits required by applicable law. For requests governed by Georgian law, a response is generally provided no later than 10 working days after receipt of the request; in special cases, this period may be extended by no more than 10 working days with notice to the data subject.

California residents (CCPA/CPRA): additionally have the right to know what categories of personal data are collected, the right to request deletion, the right to non-discrimination for exercising rights. Requests should be sent to [CONTACT_EMAIL].

7. Data Security

We implement reasonable technical and organisational measures to protect personal data: encryption in transit (TLS/SSL), role-based access control, regular security updates, restricted access to data.

No system can guarantee absolute security. In the event of a security incident, we record the incident, assess the risk and notify the competent supervisory authority within the time limits required by applicable law. For incidents governed by Georgian law, notification is made no later than 72 hours after identification where the incident causes significant damage or poses a significant threat to the rights and freedoms of data subjects. Where the incident creates a high risk to the User, we also notify the affected User where required by law.

8. Children

The Service is not intended for persons under 18 years of age. We do not knowingly collect personal data of children. If we become aware that data of a child has been collected without parental or legal guardian consent, such data will be deleted.

9. Changes to the Policy

We may update this Policy. The current version is always available on the website. We will notify users of material changes by email or through an in-account notice at least 14 days before the changes take effect.