Legal
Privacy Policy
Effective Date: April 18, 2026
Your privacy matters to us. This policy explains what data Smart365Guide collects, why we collect it, how it is used, and your rights in relation to it.
1. Who We Are
Smart365Guide ("we", "our", "us") operates the Smart365Guide platform: an AI-powered user-guidance and onboarding service that helps users navigate web applications through contextual guidance bots, workflow automation, and voice-enabled step-by-step assistance.
For privacy enquiries, contact us at: privacy@smart365guide.com
2. Data We Collect
2.1 Data You Provide Directly
- Account data: name, email address, organisation name, password (hashed — never stored in plaintext).
- Billing data: payment method details processed and tokenised by Stripe. We store only a Stripe customer ID and subscription status — no raw card numbers.
- Communications: support requests, feedback, or other messages you send us.
2.2 Data Collected Automatically via the SDK
When you embed the Smart365Guide SDK on your website or application, the following data is automatically collected from end-users of your application:
- DOM & Layout Data: Structural page snapshots including element types, ARIA labels, form schemas, navigation links, and component hierarchy. This captures the structure of your UI — not the personal content of individual users (e.g., names, addresses, or financial data entered into forms are excluded).
- Interaction Events: Click sequences, route transitions, form interactions, scroll depth, guide activations, voice command patterns, and session step flows.
- Session & Device Metadata: Browser type, operating system, device class (desktop/mobile/tablet), screen dimensions, language, timezone, connection type, and core web vitals (TTFB, FCP, LCP, CLS).
- Anonymised Session IDs: We assign ephemeral session identifiers. These are not linked to personally identifiable information unless your application explicitly sends us a user identifier.
2.3 Data Collected via OAuth / Social Login
If you sign in using Google or GitHub OAuth, we receive your name, email address, and profile avatar from those providers, subject to their own privacy policies.
3. How We Use Your Data
Core Principle
All DOM layout data, interaction telemetry, and session data collected through the SDK is used exclusively for AI model training and service improvement. It is never sold, rented, or licensed to third parties.
Specifically, we use collected data to:
- Train AI models: Guide-generation, intent-detection, reinforcement-learning navigation agents, and Retrieval-Augmented Generation (RAG) systems that power contextual assistance.
- Build the Site Graph: Construct a structural knowledge graph of your application's pages, routes, and interactive elements to enable accurate AI-driven navigation guidance.
- Deliver the Service: Provide real-time guide suggestions, voice assistance, and workflow automation to end-users.
- Improve accuracy: Evaluate model performance, identify failure modes, and retrain models to improve suggestion quality.
- Security & fraud prevention: Detect misuse, abuse, and unauthorised access attempts.
- Account management: Process payments, send service notifications, and respond to support requests.
4. AI Training Consent
By embedding the Smart365Guide SDK or widget on your website or application, and by registering an account on the Smart365Guide platform, you expressly consent to Smart365Guide using the collected DOM layout data, interaction events, and session telemetry to train its AI models, as described in §3.
This consent covers:
- Supervised and unsupervised training of guide-generation and navigation models using anonymised interaction sequences from your application.
- Reinforcement learning using reward signals derived from successful guide completions recorded in your application.
- Embedding your application's structural data into Smart365Guide's RAG knowledge base to improve context retrieval.
You may withdraw this consent at any time by deleting your account and removing the SDK. We will cease using your data in new training runs within 90 days of account deletion. Data already incorporated into trained model weights cannot be surgically removed but will be excluded from future fine-tuning cycles.
5. Data Sharing & Third Parties
We share data only in the following limited circumstances:
- Stripe: Payment processing. Stripe receives billing data under their own privacy policy. We store only a customer token.
- Infrastructure providers: Cloud hosting, database, and CDN providers who process data on our behalf under data-processing agreements with GDPR-equivalent protections.
- Legal requirements: If required by law, court order, or governmental authority, we may disclose data as legally compelled.
- Business transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to the acquiring entity, which will be bound by the terms of this Privacy Policy.
We never sell, rent, or trade your data or your end-users' data to any third party for advertising, marketing, or any other commercial purpose.
6. Data Retention
- Account data: Retained for the duration of your account and for up to 90 days after deletion.
- Session telemetry & interaction events: Retained for up to 24 months for training purposes, then aggregated or deleted.
- DOM snapshots: Retained while your application is active and for 12 months after account termination.
- Billing records: Retained for 7 years as required by financial regulations.
7. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- HMAC-SHA256 request signing for all SDK communications.
- AES-256 encryption at rest for sensitive data fields.
- TLS 1.3 encryption in transit for all data transfers.
- Rate limiting, IP-based access controls, and anomaly detection.
- Bcrypt password hashing with per-user salts.
No security system is impenetrable. In the event of a data breach affecting your data, we will notify affected users within 72 hours as required by applicable law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and personal data (subject to legal retention obligations and the limitations on model-weight removal described in §4).
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of Consent: Withdraw AI training consent as described in §4.
To exercise these rights, contact privacy@smart365guide.com. We will respond within 30 days.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us immediately and we will delete it.
11. International Transfers
Your data may be processed in countries outside your own. Where we transfer data internationally, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. Continued use of the Service constitutes acceptance of the updated policy.
13. Contact & Data Controller
For any privacy-related questions, requests, or complaints, contact our Privacy Team: