Who we are
SmartWidget is run by DadLink Technologies Limited, a UK company based in Cheshire. We're the data controller for your account with us. When your customers chat with the widget on your website, you're the controller for that data and we're the processor — meaning we only handle it on your behalf.
SmartWidget ("we", "us", "our") is a product operated by DadLink Technologies Limited, a company registered in England and Wales under company number 14396553, with its registered office at Handforth, Macclesfield, Cheshire.
For matters relating to this policy or how we process personal data, contact us at info@smartwidget.co.uk.
We are the data controller for personal data we collect about our direct customers (people who sign up to SmartWidget). When our customers deploy the widget on their own websites, our customers are the data controller for personal data their website visitors provide through the widget, and SmartWidget acts as a data processor, processing that data only on the customer's documented instructions and under our Data Processing Agreement.
What we collect
Three categories: data about you as our customer (name, email, billing), data about how you use the product (logs, analytics), and data about your visitors (the people who chat with the widget on your site).
Account & profile data
When you sign up we collect your name, email address, password (stored hashed), business name where provided, and contact details you choose to add. If you upgrade to a paid plan, we collect billing information via our payment processor Stripe — we do not store full card numbers on our systems.
Widget conversation data
When a visitor to your website interacts with the widget, the conversation transcript is processed by our systems and stored in your dashboard. This typically includes the messages sent, timestamps, the visitor's session identifiers, IP address, browser/device information, and any information the visitor voluntarily provides (name, email, phone number, postcode, enquiry details).
You — as the website operator — are responsible for ensuring you have a lawful basis to collect this data from your visitors and that you have informed them appropriately in your own privacy notice.
Usage and technical data
We collect logs about how you and your visitors use the service — page views in our dashboard, dates and times of widget interactions, API request counts, errors and diagnostics. This is used to operate, secure and improve the service.
Communications
If you email us, call us or submit our contact form, we keep a record of that correspondence and your contact details. Records of contact form submissions are also stored briefly in our backend Firestore database as a backup in case the notification email to us fails.
Special category data
SmartWidget does not actively solicit special category data (such as health, racial or ethnic origin, religious beliefs, biometric data). Some customer industries — for example dental practices — may incidentally cause visitors to share health-related information during a chat. Where this happens, the customer is responsible for ensuring an Article 9 lawful basis (such as explicit consent) and for handling such data appropriately. The widget itself is configured not to provide clinical advice.
Lawful basis & purposes
We process your data because we have to (to deliver the service you've paid for), because the law requires it (tax records), or because it's in our legitimate interest (e.g. fraud prevention, product improvement). Where none of these applies, we ask for your consent.
- Performance of a contract (UK GDPR Article 6(1)(b)) — to deliver the SmartWidget service, manage your subscription, send transactional emails about your account.
- Legal obligation (Article 6(1)(c)) — to keep accounting records as required by UK tax law (typically 6+ years for VAT/Corporation Tax) and to respond to lawful requests from regulators or law enforcement.
- Legitimate interests (Article 6(1)(f)) — to operate, secure and improve the service; to detect and prevent fraud or abuse; to handle billing disputes; to send service announcements and security-relevant notices. We've assessed these as not overriding your fundamental rights.
- Consent (Article 6(1)(a)) — for any marketing emails that aren't strictly service-related. You can withdraw consent at any time.
How long we keep it
Active accounts: as long as you're a customer. After cancellation: 30 days for account recovery, then deleted. Billing records: 7 years (tax law). Conversation transcripts: 24 months by default, or shorter if you ask.
| Data type | Retention |
|---|---|
| Account profile | While account is active; 30 days after cancellation, then deleted |
| Widget conversation transcripts | 24 months by default; can be reduced or extended in your dashboard |
| Billing records & invoices | 7 years (UK tax law) |
| Server & security logs | 90 days |
| Contact form / support emails | 12 months |
| Marketing email lists | Until you unsubscribe or for 3 years from last interaction |
| Backup snapshots | 30 days from creation |
You can delete conversation transcripts at any time from your dashboard. On account closure, we delete or anonymise your personal data within 30 days, except where we are required by law to retain it (such as billing records).
Where data is stored
Your account and conversation data is stored in the UK (London region of Google Cloud). Some sub-processors (Stripe, SendGrid, AI providers) may process data in the US under approved transfer safeguards.
Primary storage of account data and conversation transcripts is in the United Kingdom, in Google Cloud's europe-west2 (London) region.
Where personal data is transferred to sub-processors located outside the UK or EEA (such as Stripe or SendGrid), we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or other approved transfer mechanisms as appropriate.
Your rights
Under UK GDPR you have the right to see your data, correct it, delete it, take a copy elsewhere, restrict our use of it, and object to some processing. Email us and we'll handle it within one month.
Under the UK GDPR and Data Protection Act 2018 you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data, subject to limited legal exceptions.
- Right to restriction — ask us to limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, or to direct marketing.
- Rights related to automated decision-making — we do not make solely-automated decisions that have legal or similarly significant effects on you.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email info@smartwidget.co.uk. We will respond within one calendar month. There is no fee unless the request is manifestly unfounded or excessive. We may need to verify your identity before acting on a request.
If the data in question is about your website's visitors rather than about you, please direct your request to the website operator who deployed the widget — they are the data controller for that data.
Children
SmartWidget is a B2B service and is not directed at children. We do not knowingly collect personal data from children under 13 (or under 16 in some jurisdictions). If you believe a child has provided us with personal data, contact info@smartwidget.co.uk and we will delete it.
Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest, access controls based on the principle of least privilege, regular security reviews, and incident response procedures. No system is perfectly secure — if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where required, notify affected individuals without undue delay.
Complaints & ICO
If you have a concern about how we handle your data, please contact us first at info@smartwidget.co.uk. We take complaints seriously and will work to resolve them quickly.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of the page shows when. For material changes that affect your rights, we'll notify you by email or via the dashboard at least 14 days before the change takes effect. Continuing to use SmartWidget after a change indicates acceptance of the updated policy.
Contact us
Privacy questions, rights requests, complaints, or anything else relating to this policy:
DadLink Technologies Limited
Handforth, Macclesfield
Cheshire, United Kingdom
Email: info@smartwidget.co.uk
Company number: 14396553
See also our Terms of Service.