Personal Data Processing Policy
Revision: 09/06/2026
This Personal Data Protection Policy describes the principles and grounds on which SmartCLM (ID No. 404793238) (hereinafter “the Company”) processes personal data, as well as the mechanisms and guarantees for protecting the rights of the data subject (users) in the course of data processing, and matters of information storage and security. This policy allows a data subject or potential data subject, a Company employee, or any other interested party to obtain, in a transparent, simple, and understandable manner, information about the Company's personal data processing policy, thereby ensuring the Company's transparency in the area of data processing and protection.
Please note that by checking the “I Agree” button, you confirm that you have read, agree to, and acknowledge the legal force of this document, meaning that the relationship between you and SmartCLM is governed in accordance with this document. This document constitutes an integral part of SmartCLM's standard terms of service, and is to be interpreted together with them.
Information about the Company can be found at the following link — https://www.smartclm.ai/
Personal data is processed by SmartCLM in accordance with Georgian legislation, in particular the Georgian Law on “Personal Data Protection” and other regulatory acts. The rights of the data subject are protected both under Georgian legislation and under the European data protection regulation (GDPR). The processing of data takes into account the established practice and relevant recommendations of the Personal Data Protection Service of Georgia.
Article 1. Scope of Application
1.1 This policy applies to all processes involving the Company's processing of personal data (hereinafter “Data”), including personal data processing carried out through persons authorized to process data — where such exists;
1.2 This policy document sets out the fundamental principles and rules related to the Company's operations, compliance with which is mandatory for all of the Company's employees, interns, contractors, and other related persons. These rules are aimed at ensuring data protection/security/compliance, and their violation entails the corresponding liability provided for by law.
Article 2. Definitions
2.1 Terms used in this policy document have the meaning defined by law and are to be construed in accordance with Article 3 of the Georgian Law on “Personal Data Protection”;
Article 3. Principles of Data Processing
3.1 The Company processes personal data in accordance with the Georgian Law on “Personal Data Protection.” For the purposes of processing personal data, the Company makes every effort to consistently comply with the following principles of personal data processing:
3.1.1 Lawfulness, fairness, transparency, and respect for dignity – data must be processed lawfully, fairly, transparently, and without infringing the dignity of the data subject.
Explanation: lawful processing of data means that data may be processed only where an appropriate legal basis exists and all legal requirements are complied with.
The principle of fairness requires that personal data not be processed to the detriment of the data subject, in a discriminatory manner, or in a way that is unexpected or misleading. Under this principle, obtaining or otherwise processing data by unfair means, through deception, or without the data subject's knowledge is not permitted.
Under the principle of transparency, it must be clear to individuals, before their data is processed, that data relating to them will be collected, used, or otherwise processed. Furthermore, where the Company provides individuals with certain information about the use and necessity of their personal data, this must be done in language they can understand.
The data processing process must be carried out without infringing the dignity of the data subject and must not create a risk of infringing human rights and freedoms.
3.1.2 Purpose limitation – data must be collected only for a specific, clearly defined, and legitimate purpose and must not be used for a purpose incompatible with that purpose.
Explanation: under this principle, defining the purpose of a processing operation is the first step for applying data protection legislation and developing appropriate data protection safeguards. Furthermore, defining the purpose is a precondition for imposing other requirements. The purpose limitation principle sets the boundaries within which personal data collected for a given purpose may be processed and subsequently used.
3.1.3 Proportionality – data must be processed only to the extent necessary to achieve the relevant legitimate purpose.
Explanation: personal data must be processed only where achieving the purpose of processing is not reasonably possible by other means. Processing must not constitute a disproportionate interference with the rights and freedoms of the data subject and must be carried out only to the extent necessary to achieve the defined purpose.
3.1.4 Accuracy – data must be authentic, accurate, and, where necessary, updated.
Taking into account the purpose(s) of data processing, the controller is obligated to ensure, without undue delay, the correction, erasure, or destruction of inaccurate data.
3.1.5 Storage limitation – data must be stored only for the period necessary to achieve the relevant legitimate purpose of data processing.
Explanation: the storage limitation principle implies that data must be deleted or anonymized as soon as the purpose of processing has been achieved. The storage limitation principle means that the controller must inform the data subject of the storage period in advance and must also be able to demonstrate compliance with the principle. Accordingly, storage periods must be determined within the organization before data processing begins.
3.1.6 Security – appropriate organizational and technical measures against relevant risks must be taken to protect data from unlawful processing.
Explanation: protecting the security of personal data requires the implementation of appropriate technical and organizational measures aimed at: preventing and managing data security breaches (incidents); ensuring the proper performance of data processing tasks and compliance with other principles; and facilitating the effective exercise of individuals' rights.
Article 4. Grounds for Data Processing
4.1 The following grounds are used when processing data:
- a) the consent of the data subject;
- b) an agreement concluded between the parties;
- c) obligations/circumstances defined by law;
- d) the need to review an application/provide a service;
- e) personal data may be processed for several purposes at the same time. In such a case, the Company ensures that, for each purpose:
- an appropriate legal basis exists (for example, a contract, an obligation provided for by law, the Company's legitimate interest, or the consent of the data subject);
- data protection and confidentiality requirements are complied with, so that the rights of the data subject are not violated.
Article 5. What Data We Collect and Why
Most of the data processed through the website/platform (SmartCLM – hereinafter “the Site”) is provided by the users themselves.
The primary purpose of SmartCLM's functionality is the automatic completion and generation of standard documents and/or contracts, the management of organizational processes, and the electronic signing of documents. The system constitutes a platform for managing electronic documents and workflows. (See Electronic Signature Policy) This process requires the processing of personal data through the Site, since providing the necessary data is essential for the data subject to create an accurate document, so that the document desired by the data subject can be produced. SmartCLM's model uses the data provided by the data subject, which is automatically transferred into the corresponding fields of a pre-approved document template. In the course of automated document drafting and workflow management, our system (as data processor) processes the amount of personal data that clients/users provide to the SmartCLM platform.
In the course of creating documents, we process only the data necessary to create the legal document:
- the first and last name of the parties to the contract and/or the signing persons;
- professional/organizational information: position, salary, name of the legal entity, identification data;
- contact information: email address, actual/legal address, phone number;
- identification numbers: personal number or other identification number (used only where required by the legal nature of the document);
- financial data: bank account numbers, payment details necessary to describe financial obligations in the contract (for example, to specify invoicing or payment terms);
- signature data: electronic signature details, including the date and time of signing;
- activity log: data on actions taken on the platform, such as the contract's edit history, comments, and changes to the document's status;
In addition to the above, additional data is collected through the website. The Company's server records the date, time, and method of accessing the website, the internet protocol address, the referrer, and other data reflecting the user's activities on the website. This data is processed for the purpose of detecting possible information security incidents, which is necessary to satisfy the Company's interest – including ensuring the integrity of the Company's electronic systems and maintaining business continuity.
For the purposes of using the SmartCLM system, the Company processes contracts concluded with clients and the personal data reflected in them.
Data of employees and interns
Data: first name, last name, personal number, contact details, email address, information on education and experience, CV, bank details, address.
Purpose: management of employment relationships, payment of salaries, internal communication, professional evaluation and development, and fulfillment of legal and tax obligations.
SmartCLM External Services
A list of all external services used by the website/application – what each one does, where it is used in the app, and where the data ends up.
1. Supabase
- What it is: our backend – database, authorization system, file storage, and small server-side functions.
- Where it is used in the app: everywhere – every screen reads/writes data through it.
- What data is sent: everything – user accounts, companies, employees, counterparties, all documents, signatures, uploaded files, activity logs.
- Where data is stored: AWS data center, Stockholm, Sweden (EU).
2. AWS (Amazon Web Services)
- What it is: the physical infrastructure used by Supabase. We have no direct communication with AWS.
- Where it is used in the app: indirectly – whatever Supabase requires.
- What data is sent: the same as with Supabase (the same servers).
- Where data is stored: Stockholm, Sweden (EU).
3. Vercel
- What it is: website hosting (HTML/JS/CSS loaded in the browser).
- Where it is used in the app: when the app loads in the browser – that's it.
- What data is sent: no user data; only standard web traffic logs (IP, browser).
- Where data is stored: global CDN edge infrastructure.
4. OpenAI
- What it is: the ChatGPT API – used to generate contract templates based on a prompt.
- Where it is used in the app: on the “Generate” page (/generate) – when a user writes a request to create a new template.
- What data is sent: only the user's free-text request (prompt) describing the desired template. There is a clear warning not to enter personal data (names, ID numbers, phone numbers, etc.). Actual personal data is subsequently filled into placeholders locally – it is not sent to OpenAI.
- Where data is stored: USA. Submitted data is stored for a maximum of 30 days for abuse monitoring purposes, and is then deleted.
- Note: the “AI Document Review” feature has been removed from the UI. The “Polish text” AI assistant is disabled.
5. Brevo (formerly Sendinblue)
- What it is: our email provider – sends all transactional emails.
- Where it is used in the app:
- registration and authorization (verification codes, password resets, magic links)
- inviting team members
- document-sharing notifications
- sending signed documents and the audit certificate to participants
- custom emails, feedback, notifying an administrator of a new user
- What data is sent: the recipient's email, subject, HTML content, and (for signed documents) the full PDF attachment plus the audit certificate PDF.
- Where data is stored: France / Germany (EU). Intra-European transfer – no cross-border risk.
6. Browserless.io
- What it is: a headless Chrome service that converts HTML documents to PDF.
- Where it is used in the app:
- generating the audit certificate PDF
- document preview / generating the signed PDF
- What data is sent: the full HTML of the document (text, parties, amounts, signature images, logo/letterhead).
- Where data is stored: Amsterdam, EU (production-ams.browserless.io). Stateless – used only for generation and then deleted; nothing is stored.
7. Flitt (Fondy)
- What it is: a card payment processor.
- Where it is used in the app: on the subscription/billing pages — when paying for or renewing a plan.
- What data is sent: order ID, amount, currency. Card details are entered directly on Flitt's page — they do not reach us. We receive only the payment status and a recurring-payment token (which does not contain the card number).
- Where data is stored: EU (Cyprus / Ukrainian legal entity, EU data centers). PCI-DSS Level 1 certified.
8. msg.ge
- What it is: a Georgian SMS gateway.
- Where it is used in the app:
- sending SMS OTP codes for phone verification
- sending document-sharing links via SMS
- What data is sent: phone number + SMS text (code or link). Document content is not sent.
- Where data is stored: Georgia.
Quick Map — “Where Does the Data Go?”
| Data | Goes to | Region |
|---|---|---|
| User accounts, documents, signatures | Supabase / AWS | Stockholm, EU |
| Emails + signed PDF attachments | Brevo | France / Germany, EU |
| Document HTML (for PDF generation) | Browserless | Amsterdam, EU |
| Phone numbers + OTP / SMS links | msg.ge | Georgia |
| Card data | Flitt (does not reach us) | EU |
| AI prompts (no personal data) | OpenAI | USA |
Article 6. Processing of Data by an Authorized Person (Where Applicable)
Data is processed only for purposes defined by the Company, taking into account the rules and prohibitions established by the Georgian Law on “Personal Data Protection.”
- An authorized person is obligated to process data only on the basis of the controller's written instructions (including those issued in electronic form);
- If an authorized person considers that the controller's instruction contravenes the Georgian Law on “Personal Data Protection,” it is obligated to immediately notify the controller of this;
- An authorized person ensures that access to data is granted only to those employees who require such access and who are obligated to maintain confidentiality;
- An authorized person takes appropriate technical and organizational measures to ensure data security (e.g., encryption, access control, logging), thereby ensuring the maximum protection of personal data;
- An authorized person is not authorized to transfer data to third parties without the controller's prior written consent;
- An authorized person is obligated to assist the controller in the exercise of the data subject's rights (access, erasure, correction, etc.);
- An authorized person is obligated to immediately notify the controller of any data security incident;
- An authorized person is obligated to have a data security incident response policy document.
Article 7. Data Storage and Security
Data provided by the user/client to the SmartCLM platform, which is necessary for the creation and generation of documents, is stored in the “SmartCLM” platform's database, in the cloud, in encrypted form, for the term of the SmartCLM service agreement concluded with the client, and following the expiry of the agreement, the data will be deleted within 1 (one) month, unless the service agreement is renewed.
Service agreements concluded with clients, as well as documents related to the performance of the agreement, are stored for 5 (five) years from the expiry/termination of the agreement;
Information processed for the purposes of performing the employment contracts of SmartCLM's employees is stored for 5 (five) years from the expiry and/or termination of the employment contract. If such information is related to ongoing legal proceedings, it is retained until the conclusion of those proceedings. Once the proceedings have concluded, the 5-year storage period no longer applies to that information, and further storage or processing of the data is carried out only where an appropriate legal basis exists. Applicant data is stored for 6 (six) months from the conclusion of the recruitment process.
The Company uses multi-layer technical measures to protect data security, so that personal data is maximally protected from unlawful access:
1. Access Control and Authentication
- a) strong password policy;
- b) two-factor authentication;
- c) automatic lockout;
2. Data Encryption
a) Data is protected by both principal encryption methods:
- Encryption at rest: all personal data stored in the SmartCLM platform's databases and cloud storage is stored in encrypted form.
- Encryption in transit: data transmitted between the user's browser and our servers, as well as between services via the Application API, uses TLS/SSL protocols, ensuring that data is transmitted in encrypted form.
3. System Security and Protection
- a) security patches and updates;
- b) network security;
4. Backup Creation and Recovery
- regular copying of data;
- recovery testing;
The Company ensures that, within SmartCLM, access to personal data is logged and regularly audited.
Article 9. Rights of the Data Subject
9.1 The law defines the following rights of the data subject; accordingly, the data subject is entitled to exercise the rights set out below:
| Category of Data Subject Right | Regulatory Basis — Articles of the Law “On Personal Data Protection” |
|---|---|
| Right to receive information about data processing | Article 13 |
| Right to access data and obtain a copy | Article 14 |
| Right to rectify, update, and complete data | Article 15 |
| Right to stop the processing of, erase, or destroy data | Article 16 |
| Right to block data | Article 17 |
| Right to data portability | Article 18 |
| Rights related to automated individual decision-making | Article 19 |
| Right to withdraw consent | Article 20 |
| Right to appeal | Article 22 |
Upon a data subject's request, the controller (the Company) is obligated to ensure, in the manner established by law, the exercise of the data subject's rights, including taking all measures necessary to comply with the requirements of the law and, where necessary, to demonstrate such compliance.
The obligation to protect the rights of the data subject also extends to the authorized processor with respect to data held/existing with it, where applicable.
9.2 If you have any questions regarding personal data protection, you may contact us at the following email: welcome@smartclm.ai
Information the Data Subject Must Provide
When making a request, the subject must indicate:
- 1) full first and last name, or the name of the legal entity;
- 2) identity-confirming information (for example, a personal number);
- 3) the specific request – relating to personal data;
- 4) in any case, additional information that will enable the Company to precisely identify the data to which the request relates.
Within 2 weeks of receiving an application/complaint, the Company will provide the data subject, in writing, with a reasoned response on the matter raised.
Article 10. Obligation to Notify of an Incident
10.1 The controller is obligated to record any incident, its resulting consequences, and the measures taken, and to notify the Personal Data Protection Service thereof in writing or electronically no later than 72 hours after discovery of the incident, except where it is unlikely that the incident will cause significant harm and/or pose a significant threat to fundamental human rights and freedoms.
10.2 If an incident is highly likely to cause significant harm and/or pose a significant threat to fundamental human rights and freedoms, the controller is obligated to notify the data subject of the incident as soon as possible after its discovery, without undue delay;
10.3 An authorized processor is obligated to immediately notify the controller of an incident;
10.4 The controller (the Company) has developed a data security incident response policy document, the purpose of which is to define a unified standard for responding to data security incidents, so as to ensure the protection of personal data and the minimization of risks.
Article 11. Enforcement
11.1 To ensure the measures provided for by this policy document, the Company will (as necessary) develop additional written documents and take other appropriate measures in the manner established by law;
11.2 The Personal Data Protection Policy document is approved on the basis of an order of the Company's director and is made available to interested persons on the Company's official website, https://www.smartclm.ai/
Article 12. Validity of the Policy Document and Amendments Thereto
12.1 This policy document will be reviewed at least once a year and, where necessary, appropriate amendments will be made to it;
12.2 This policy document is binding on the Company's employees from the day they are made aware of it.
As a data subject, you have the right, in connection with matters of personal data protection, to protect your rights and/or submit a complaint to either SmartCLM and/or the State Audit Office.
Contact information:
Phone: +995 500 001235
Email: welcome@smartclm.ai
Legal address: 46B, Vasil Petriashvili St., Mtatsminda District, Tbilisi
