SmartAI Pty Ltd (“smartAI”) understands the importance of, and is committed to, protecting the privacy of data relating to an identifiable living individual (“Personal Information”) irrespective of where in the world a particular individual lives or works.
What Kinds of Personal Information do we Process?
Our work for clients and employers brings us and our chatbots into contact with different kinds of Personal Information (i.e.). We categorise these as follows:
- Identity/Profile Data includes first name, last name, applicant tracking reference, username plus key attributes such as skills relevant to a particular job, IP address, cookie-logs, work history, qualifications and certifications, plus some user preferences and feedback responses (to the extent we or an employer uses these).
- Contact Data includes physical address, email address, social media handles (twitter/LinkedIn/Instagram pages) and telephone numbers.
- Technical Data includes IP address, your login data, browser type and version, time zone setting and location, any plug-ins, operating system and some information about the devices you use to access smartAI’s chatbots and services.
- Usage Data includes information about how you use our services, our Bots, or our website, (such as duration of chat, information-types disclosed, number of topics or questions answered etc).
- Marketing and Communications Data includes your preferences in receiving marketing from us (or our partners) and your communication preferences.
- Aggregated Data includes analytical data, often arranged to provide statistical or demographic information about candidates or particular job campaigns. Aggregated Data will not be considered Personal Information when it does not directly or indirectly reveal a person’s identity. We may aggregate your responses to our chatbot with other users’ responses to better understand response times, length of conversations with a Bot or to find out the percentage of users answering in a particular way. Only when we combine Aggregated Data with your Personal Information so that you can be identified does Aggregated Data fall into the definition of Personal Information.
Does this Processing make us a Data Controller or Data Processor?
smartAI complies with GDPR standards when we deal with people and partners in the EU. We also continue to apply data protection laws applying in specific jurisdictions where we operate (e.g. Australia, with the Privacy Act).
For the vast majority of our work, we act under instruction from clients and employers. They design the job campaigns, the person specifications, the questions to be asked and the information to be collected. We provide our AI-based tools and services in order to implement these requests. This makes us a data processor under GDPR. But as owners of our company and creators of our chatbots we are a data controller in respect of our systems, technical decisions and employees. The diagram below helpfully depicts the difference.
Data processor vs Data controller
When is smartAI a data processor and when are we a data controller?
HOW YOUR INFORMATION WILL BE COLLECTED
Generally, Personal Information will be collected from you directly when a smartAI ‘BOT’ interacts with you (after you have received an SMS, instant message or email with a link to our chatbot). At all times you are volunteering and consenting to this dialogue and exchange of information – you can withdraw and stop providing your information at any time in the process.
There may be other occasions when smartAI collects your Personal Information from other sources such as an information services provider, your employer or ex-employer, a recruitment agency whom you may have a direct relationship with, or other sources. You can choose not to provide smartAI with any Personal Information as you so wish.
WHY DOES smartAI NEED YOUR PERSONAL INFORMATION?
smartAI collects, holds and uses your Personal Information for the purposes of providing a service to you and to the employer or recruitment agent who has contracted us to engage with you.
smartAI may also collect, hold and use your Personal Information for:
- Employee engagement purposes or applicant tracking system integrations;
- administrative and business management purposes;
- marketing purposes and to identify and inform you of products, services and training courses that may be of interest to you (it is important to note that we will apply appropriate opt-in / opt-out choices which honour your prerogative to give your consent to such marketing, in line with appropriate EU or Australian law as the particular circumstances dictate);
- notifying you either by email, SMS or push notification; and/or
- any other legal requirement.
WHAT LAWFUL BASES DO WE HAVE FOR COLLECTING AND USING YOUR PERSONAL INFORMATION?
Irrespective of where in the world an individual user lives or works, it is increasingly important for technology-solution providers like us to have appropriate and lawful justification for the different kinds of data processing which take place. Using the GDPR as our benchmark (and refining these lawful bases as required to suit Australian and other regional contexts) we have reviewed the six kinds of legal justification that could apply to the processing of Personal Information. They are summarized as follows in the infographic below:
Applying these to smartAI’s business model, we are confident we have the following lawful bases for processing your data (in addition to any consent you provide via a job board, employment contract or registration with a recruitment agency or other person):
We possess a legitimate business interest in collecting and using your Personal Information especially where it is to serve our contractual requirements with employers and recruitment agents. We are a commercial enterprise which is innovating in the artificial-intelligence space. We can impact and benefit the recruitment, human resources, and employee engagement sectors of our society. We are bringing better, faster and more intelligent employee engagement solutions, enhancing speed of communication, accountability and records of conversations held, and related benefits to our clients in several geographical markets. We have taken time to study the three essential tests required for any “legitimate interests” examination and as a result, we believe the collation of limited Personal Information is integral and necessary for our business to function and for us to provide the smartAI Services to our customer-base. We have also considered alternate modes of operating without our chatbot solutions and weighed the balance of the impacts of our secure data processing on individuals. We take the view that there is minimal or no likelihood of harm to the rights and freedoms of the valued candidates, employees, clients, suppliers and partners whose Personal Information we hold.
On a less frequent basis, we are obliged to process much of the Personal Information we receive in order to fully perform our contractual terms with our clients and suppliers.
Similarly infrequently but equally importantly, we will also process Personal Information where we need to comply with other legal obligations – for example connected with any regulatory requests made of us by a tax authority, or a data protection regulator such as the NDC in Australia or the Information Commissioner’s Office (ICO) in the UK, or perhaps in the conduct of litigation between employee and employer where smartAI’s records may be required to assist a Court or other legal process.
You are under no obligation to provide your Personal Information to smartAI. However, without certain information from you, or where information provided is inaccurate or irrelevant, smartAI may not be able to provide its services to you and the employer or recruitment agent you are dealing with may be limited in its ability to provide its services or opportunities to you.
We deploy third party cookies in a rudimental way with standard Google Analytics when we offer the range of smartAI services.
Sharing your Personal Information
- clients of smartAI who may be your employer or a recruitment agency you are connected to;
- smartAI’s insurers;
- a professional association, a regulator or registration body if relevant to the provision of smartAI’s services or otherwise with your consent;
- smartAI’s professional advisors (which may or may not arise in the context of any corporate activity, due diligence or investment we undertake);
- any other entity, with your consent, or to whom disclosure is required or authorised by law; and/or
- any other third parties engaged to perform administrative or other services.
For information, one such core supplier of a service is FlowXO which provides a chatbot platform-based solution with integration-functionality which we rely upon. FlowXO take a very secure and responsible approach to data protection which includes the hosting of certain servers within the EU to provide extra assurance under GDPR terms – further details are available here: https://support.flowxo.com/article/228-flow-xo-privacy-policy.
Our provider of customer relationship management tools and service is HubSpot (in Australia and APAC). As a corporate group they subscribe to the following data sharing protocols which are summarised here: https://legal.hubspot.com/dpa.
The smartAI platform uses Microsoft Azure Services, Amazon Web Services and Google Cloud Services to manage its chat application and to avoid overhead operational constraints. We also use Xero for accounting and financial tasks. More details on the precise locations of data sets housed or hosted by global entities such as Microsoft, Amazon, Google and Xero are available on their respective websites.
smartAI may disclose Personal Information to certain important overseas service providers in order to provide our services, improve our services, and for administrative or business management purposes. Such overseas recipients, partners and business functions are currently located in the United Kingdom and India, but may also be located in other countries as we grow as a business and expand our geographical coverage. At all times smartAI will ensure that wherever in the world your data is stored or processed, this will be done in full adherence to prevailing law.
What this means for data belonging to persons within Europe is that appropriate safeguards will be taken to ensure adequate protections are in place with regards to any “third country” we use for any overseas functions or processes in compliance with the GDPR. This will include use of the EU’s Standard Model Clauses where appropriate.
What this means for data residing in Australia, is that smartAI will take steps reasonable in the circumstances to ensure the overseas recipient complies with the Australian Privacy Principles or is bound by a substantially similar privacy scheme to that which exists in Australia (unless you consent to the overseas disclosure or it is otherwise required or permitted by local law).
If you are located in the EU or the UK we will house your personal data on servers located in these territories. If you are from the Asia/Pacific region we will house your personal data on servers located in Australia.
smartAI can aggregate your non-personally identifiable data
We may make certain automatically-collected, aggregated, or otherwise non-personally-identifiable information available to third parties for various purposes such as for industry research or benchmarking anonymised (or pseudonymised) trend analysis.
You may request access to your Personal Information
In most cases, you are advised to seek your Personal Information from the organisation who contracted us to provide a service to it. They will hold the comprehensive range of information relating to a particular employer, recruitment campaign, employee engagement initiative or a job for you.
Nevertheless, to the extent we hold a small amount of Personal Information about you, you can gain access to it by contacting us. We will deal with all bona fide requests for access to Personal Information as quickly as possible.
IT Security – our organizational and technical measures
smartAI takes all reasonable steps to ensure Personal Information it holds is protected against misuse, interference and loss and from unauthorised access, modification or disclosure. Any minimal amount of Personal Information we hold about you is stored on secure servers, and all data transferred between you and the smartAI Service is encrypted.
Our experience in artificial intelligence, chatbots, modern technology, coding and development gives us considerable insight into how to design and maintain suitable “organisational and technical measures” – all geared towards the protection and integrity of the data sets we hold.
In line with our updated security breach protocols, we will advise you at the first reasonable opportunity upon discovering or being advised of a security breach where your rights and freedoms are at high risk. Please be aware that we have put in place a precautionary data breach response procedure, having borrowed from best practice for handling cyber attacks and human error from around the globe.
How long do we keep your Personal Information
smartAI will destroy or de-identify Personal Information in circumstances where it is no longer required, unless we are otherwise required or authorised by law to retain the information.
We will only retain your Personal Information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Information for a longer period in the event of a complaint, regulatory request to us, or if we reasonably believe there is a prospect of litigation in connection with the data we hold.
To determine the appropriate retention periods for each kind of data, we consider (i) the amount, nature and sensitivity of the Personal Information, (ii) the potential risk of harm from unauthorised use or disclosure of those personal details, (iii) the purposes for which they are processed, (iv) whether we can achieve those purposes through other means, and (v) the applicable jurisdictional rules which may differ from state to state or region to region (where we reserve the right to implement different retention and deletion schedules for data belonging to individuals in the EU and UK, where GDPR-standard rules may apply).
smartAI is committed to continuously checking the validity of its assessment of the appropriate retention periods for different kinds of data it holds. This assessment is contained in our retention and disposals policy which you can request from us by contacting our data protection officer at the email address below.
Your rights under modern data protection principles
Article 5 of the GDPR codifies several key principles which provide you with rights. smartAI as a modern, progressive and increasingly global company follows the spirit of these leading data protection principles for your benefit (and in particular any individuals residing in the EU or UK). Principles such as purpose-limitation, storage-limitation, data accuracy, data security and integrity and data minimisation are honoured by smartAI in the following expression of your rights:
(a) The right to request a copy of any Personal Information that we hold about you (essentially your “subject access rights”);
(b) The right to be told, where any information is not collected directly by us, what available information exists as to the source of the information about you;
(c) The right to be told of the existence of automated responses or workflows which we confirm are at the heart of the AI-driven chatbots we design and maintain. There is therefore an inbuilt element of personal profiling which we conduct for the purposes of service improvement, service delivery to paying clients, trend-analytics and related functions;
(d) The right to object to the processing of data where the processing is based on either the conditions of public interest or our legitimate business interests;
(e) The right to have all Personal Information erased (in other words, the right to be forgotten) which practically involves the removal of your data and any account you may have with us or with your employer or recruitment agency (but please be aware it will be impossible to use the smartAI Services once you trigger such rights);
(f) The right to restrict processing where you have objected to the processing;
(g) The right to have inaccurate data amended or destroyed; and
(h) The right to prevent processing that is likely to cause unwarranted substantial damage or distress to you.
How to make a subject access request – to edit, delete, or access your Personal Information:
As you will note above, you have the right to ask for a copy of any Personal Information that smartAI holds about you in our records, to correct any inaccuracies and to update any out-of-date information. We are aware of the range of subject access requests which can arise (especially under GDPR when exercised by relevant individuals in the EU). We will provide you with a copy of the Personal Information undergoing processing in electronic emailable form. Any additional copies will incur a fee to cover our reasonable costs (including our employees’ time to assist with this additional work).
This policy may be updated from time to time
How to contact us?
For further information or enquiries regarding Personal Information that any of our partners such as employers or recruitment agencies or we ourselves may hold about you, or if you would like to opt out of receiving any promotional communications, please write to:
smartAI data protection officer at info@smartAI.com.au
Last update: October 2020