1. SCOPE OF THIS NOTICE
This Smackdab Application Privacy Notice (“Application Notice”) applies specifically to the Personal Data that Smackdab Inc. (“Smackdab,” “we,” “us,” or “our”) processes on behalf of our Clients within the hosted Smackdab software applications, platform, related mobile applications, and add-on applications (collectively, the “Service”). This Application Notice addresses data subjects whose Personal Data our Clients (or their authorized Users) submit, store, manage, or otherwise process using the Service (“Client Data”).
This Application Notice does not apply to:
- Personal Data Smackdab collects directly through its own publicly accessible websites (like smackdab.ai), marketing activities, sales processes, or account management activities. For information on how Smackdab processes that data as a Data Controller, please see the main Smackdab Privacy Policy available at https://smackdab.ai/legal/privacy-policy.
- Data processed via third-party integrations connected to the Service, which are governed by the terms and privacy policies of those third parties.
Attorney Note: This scope distinction is crucial. Ensure the main Privacy Policy (linked above) clearly covers Smackdab’s role as a Controller for website/marketing data, and that this Application Notice consistently reflects Smackdab’s Processor role for Service data.
2. SMACKDAB’S ROLE: DATA PROCESSOR
When processing Client Data within the Service, Smackdab acts as a Data Processor or Service Provider under applicable data protection laws (like GDPR and CCPA). Our Client, the entity or individual who subscribed to the Service, acts as the Data Controller or Business.
This means:
- The Client determines the purposes and means of processing Client Data within the Service.
- Smackdab processes Client Data only on behalf of and according to the documented instructions of the Client, as outlined in the Smackdab Terms of Service (“TOS”) and the Data Processing Addendum (“DPA”) agreed upon with the Client.
- Smackdab does not own, control, or direct the use of Client Data, except as authorized by the Client or as necessary to provide, maintain, and secure the Service, or as required by law.
Attorney Note: This section correctly defines the roles under GDPR/CCPA. Ensure the DPA explicitly contains the necessary processor clauses required by Article 28 GDPR and relevant CCPA provisions.
3. CATEGORIES OF PERSONAL DATA PROCESSED
Smackdab Clients use the Service to store and manage information related to their own business activities, which may include Personal Data about their customers, employees, contacts, leads, or other individuals. Because Clients determine what data they submit, the specific categories of Personal Data processed within the Service vary and are controlled by the Client. Smackdab generally has no direct knowledge of the specific types of Personal Data being stored by a Client unless access is required for support or service provision as described below.
If you are an individual whose data is being managed within the Smackdab Service by one of our Clients, that Client’s privacy notice, rather than this Application Notice, governs the processing of your Personal Data.
Attorney Note: Emphasizing that the Client’s privacy notice governs the end-user relationship is correct and important for managing expectations and liability.
4. HOW WE RECEIVE AND PROCESS PERSONAL DATA
We receive Personal Data covered by this Notice when our Clients or their authorized Users input data into the Service, or when data is synced from integrated third-party services as directed by the Client. Smackdab processes this Client Data for the following limited purposes:
- To Provide and Maintain the Service: Processing Client Data as necessary to operate the features and functionality of the Service subscribed to by the Client, according to the Client’s configuration and instructions.
- Client Support: Accessing Client Data only as necessary to provide technical support or account administration assistance requested by the Client.
- Security and Prevention: Detecting and blocking spam, security incidents, or malicious/fraudulent activity within the Service infrastructure. Protecting against misuse of the Service.
- Service Improvement (Aggregated/Anonymized Data): We may aggregate and anonymize data derived from the use of the Service (including metadata or structural data related to Client Data, but not the identifiable Client Data itself) to analyze usage trends, improve system performance, and develop new features. This aggregated/anonymized data does not identify individuals or specific Clients.
- Legal Compliance: As required by applicable law, court order, or governmental regulation.
Smackdab personnel do not access Client Data except as strictly necessary for the purposes listed above, typically upon Client request or authorization, or as required by law.
Attorney Note: Ensure the “Service Improvement” purpose aligns with the definition of “Usage Data” in the TOS and that the anonymization/aggregation methods meet legal standards. Confirm consistency with DPA provisions regarding permitted processing purposes.
5. DATA SUBJECT RIGHTS
Smackdab acts as a Data Processor for Client Data. Therefore, if you are an individual who wishes to exercise your data protection rights (such as rights to access, correct, amend, delete, restrict processing, or data portability) regarding Personal Data that a Smackdab Client processes about you using our Service, please direct your request to the Smackdab Client (i.e., the company or organization that manages your data within Smackdab). The Client, as the Data Controller, is responsible for handling your request.
Smackdab will reasonably cooperate with our Clients, upon their request, to assist them in responding to data subject rights requests concerning Client Data processed within the Service.
Attorney Note: Clearly directing data subjects to the Client (Controller) is correct. The DPA should detail the specific mechanisms and timelines for Smackdab’s cooperation with the Client on these requests.
6. DATA SECURITY
Smackdab implements and maintains appropriate technical and organizational security measures designed to protect Client Data processed within the Service against unauthorized access, disclosure, alteration, or destruction. These measures are further described in our security documentation ([ATTN: Insert Link if Security Documentation/Trust Center exists, e.g., https://smackdab.ai/legal/security-practices]) and our DPA with Clients.
Attorney Note: A dedicated, publicly accessible (or available to clients) security documentation page/trust center is recommended. Ensure the description here aligns with commitments in the DPA and TOS (Section 7.5).
7. SUB-PROCESSORS
Smackdab engages third-party service providers (sub-processors) to assist in providing the Service (e.g., hosting infrastructure). These sub-processors may have access to Client Data solely for the purpose of providing their services to Smackdab and are bound by confidentiality and data protection obligations. A list of Smackdab’s key sub-processors is available at [ATTN: Insert Link to Sub-processor List – This list must be created and kept current, e.g., https://smackdab.ai/legal/subprocessors].
Attorney Note: Maintaining an up-to-date sub-processor list and having a process for notifying Clients of changes (as required by GDPR) is critical. Ensure the DPA covers sub-processor obligations and notification procedures.
8. DATA RETENTION
Smackdab retains Client Data processed within the Service according to the instructions of the applicable Client, or for the duration specified in our agreement with the Client. Upon termination of the Client’s account or specific instruction from the Client, Smackdab will delete Client Data in accordance with the terms of the TOS and DPA, typically within a defined period (e.g., 180 days following account closure), unless retention is required by law.
Attorney Note: The retention period (e.g., 180 days post-termination) should be consistent between this Notice, the TOS (Section 10.5), and the DPA. Ensure operational capability to delete data within this timeframe.
9. INTERNATIONAL TRANSFERS
Client Data may be processed in the United States or other locations where Smackdab or its sub-processors maintain facilities. Smackdab ensures that international transfers of Client Data are conducted in compliance with Applicable Laws, using appropriate safeguards such as Standard Contractual Clauses, as detailed in our DPA with Clients.
Attorney Note: Specify the transfer mechanisms used (e.g., EU-US Data Privacy Framework certification, SCCs) accurately in the DPA and ensure compliance with ongoing requirements for these mechanisms.
10. CHANGES TO THIS NOTICE
We may update this Application Notice from time to time. We will notify Clients of material changes as required by our agreement with them. The “Last Updated” date at the top indicates the latest revision.
Attorney Note: Clarify how Clients will be notified of material changes (e.g., email, account notification). Ensure this aligns with the modification notice provisions in the TOS and DPA.
11. CONTACT US
If you have questions about this Application Notice or Smackdab’s role as a Data Processor, please contact us at [email protected] or via mail at the address listed in our main Privacy Policy.
Remember, if your inquiry relates to your Personal Data managed by a Smackdab Client within the Service or exercising your data subject rights, please contact the relevant Smackdab Client directly.
Attorney Note: Ensure [email protected] is monitored. Confirm the main Privacy Policy contains the correct legal entity name and physical mailing address.