SmartCLM ← Back to homepage

Personal Data Processing Policy

Revision: 09/06/2026

This Personal Data Protection Policy describes the principles and grounds on which SmartCLM (ID No. 404793238) (hereinafter “the Company”) processes personal data, as well as the mechanisms and guarantees for protecting the rights of the data subject (users) in the course of data processing, and matters of information storage and security. This policy allows a data subject or potential data subject, a Company employee, or any other interested party to obtain, in a transparent, simple, and understandable manner, information about the Company's personal data processing policy, thereby ensuring the Company's transparency in the area of data processing and protection.

Please note that by checking the “I Agree” button, you confirm that you have read, agree to, and acknowledge the legal force of this document, meaning that the relationship between you and SmartCLM is governed in accordance with this document. This document constitutes an integral part of SmartCLM's standard terms of service, and is to be interpreted together with them.

Information about the Company can be found at the following link — https://www.smartclm.ai/

Personal data is processed by SmartCLM in accordance with Georgian legislation, in particular the Georgian Law on “Personal Data Protection” and other regulatory acts. The rights of the data subject are protected both under Georgian legislation and under the European data protection regulation (GDPR). The processing of data takes into account the established practice and relevant recommendations of the Personal Data Protection Service of Georgia.

Article 1. Scope of Application

1.1 This policy applies to all processes involving the Company's processing of personal data (hereinafter “Data”), including personal data processing carried out through persons authorized to process data — where such exists;

1.2 This policy document sets out the fundamental principles and rules related to the Company's operations, compliance with which is mandatory for all of the Company's employees, interns, contractors, and other related persons. These rules are aimed at ensuring data protection/security/compliance, and their violation entails the corresponding liability provided for by law.

Article 2. Definitions

2.1 Terms used in this policy document have the meaning defined by law and are to be construed in accordance with Article 3 of the Georgian Law on “Personal Data Protection”;

Article 3. Principles of Data Processing

3.1 The Company processes personal data in accordance with the Georgian Law on “Personal Data Protection.” For the purposes of processing personal data, the Company makes every effort to consistently comply with the following principles of personal data processing:

3.1.1 Lawfulness, fairness, transparency, and respect for dignity – data must be processed lawfully, fairly, transparently, and without infringing the dignity of the data subject.

Explanation: lawful processing of data means that data may be processed only where an appropriate legal basis exists and all legal requirements are complied with.

The principle of fairness requires that personal data not be processed to the detriment of the data subject, in a discriminatory manner, or in a way that is unexpected or misleading. Under this principle, obtaining or otherwise processing data by unfair means, through deception, or without the data subject's knowledge is not permitted.

Under the principle of transparency, it must be clear to individuals, before their data is processed, that data relating to them will be collected, used, or otherwise processed. Furthermore, where the Company provides individuals with certain information about the use and necessity of their personal data, this must be done in language they can understand.

The data processing process must be carried out without infringing the dignity of the data subject and must not create a risk of infringing human rights and freedoms.

3.1.2 Purpose limitation – data must be collected only for a specific, clearly defined, and legitimate purpose and must not be used for a purpose incompatible with that purpose.

Explanation: under this principle, defining the purpose of a processing operation is the first step for applying data protection legislation and developing appropriate data protection safeguards. Furthermore, defining the purpose is a precondition for imposing other requirements. The purpose limitation principle sets the boundaries within which personal data collected for a given purpose may be processed and subsequently used.

3.1.3 Proportionality – data must be processed only to the extent necessary to achieve the relevant legitimate purpose.

Explanation: personal data must be processed only where achieving the purpose of processing is not reasonably possible by other means. Processing must not constitute a disproportionate interference with the rights and freedoms of the data subject and must be carried out only to the extent necessary to achieve the defined purpose.

3.1.4 Accuracy – data must be authentic, accurate, and, where necessary, updated.

Taking into account the purpose(s) of data processing, the controller is obligated to ensure, without undue delay, the correction, erasure, or destruction of inaccurate data.

3.1.5 Storage limitation – data must be stored only for the period necessary to achieve the relevant legitimate purpose of data processing.

Explanation: the storage limitation principle implies that data must be deleted or anonymized as soon as the purpose of processing has been achieved. The storage limitation principle means that the controller must inform the data subject of the storage period in advance and must also be able to demonstrate compliance with the principle. Accordingly, storage periods must be determined within the organization before data processing begins.

3.1.6 Security – appropriate organizational and technical measures against relevant risks must be taken to protect data from unlawful processing.

Explanation: protecting the security of personal data requires the implementation of appropriate technical and organizational measures aimed at: preventing and managing data security breaches (incidents); ensuring the proper performance of data processing tasks and compliance with other principles; and facilitating the effective exercise of individuals' rights.

Article 4. Grounds for Data Processing

4.1 The following grounds are used when processing data:

Article 5. What Data We Collect and Why

Most of the data processed through the website/platform (SmartCLM – hereinafter “the Site”) is provided by the users themselves.

The primary purpose of SmartCLM's functionality is the automatic completion and generation of standard documents and/or contracts, the management of organizational processes, and the electronic signing of documents. The system constitutes a platform for managing electronic documents and workflows. (See Electronic Signature Policy) This process requires the processing of personal data through the Site, since providing the necessary data is essential for the data subject to create an accurate document, so that the document desired by the data subject can be produced. SmartCLM's model uses the data provided by the data subject, which is automatically transferred into the corresponding fields of a pre-approved document template. In the course of automated document drafting and workflow management, our system (as data processor) processes the amount of personal data that clients/users provide to the SmartCLM platform.

In the course of creating documents, we process only the data necessary to create the legal document:

In addition to the above, additional data is collected through the website. The Company's server records the date, time, and method of accessing the website, the internet protocol address, the referrer, and other data reflecting the user's activities on the website. This data is processed for the purpose of detecting possible information security incidents, which is necessary to satisfy the Company's interest – including ensuring the integrity of the Company's electronic systems and maintaining business continuity.

For the purposes of using the SmartCLM system, the Company processes contracts concluded with clients and the personal data reflected in them.

Data of employees and interns

Data: first name, last name, personal number, contact details, email address, information on education and experience, CV, bank details, address.

Purpose: management of employment relationships, payment of salaries, internal communication, professional evaluation and development, and fulfillment of legal and tax obligations.

SmartCLM External Services

A list of all external services used by the website/application – what each one does, where it is used in the app, and where the data ends up.

1. Supabase

2. AWS (Amazon Web Services)

3. Vercel

4. OpenAI

5. Brevo (formerly Sendinblue)

6. Browserless.io

7. Flitt (Fondy)

8. msg.ge

Quick Map — “Where Does the Data Go?”

DataGoes toRegion
User accounts, documents, signaturesSupabase / AWSStockholm, EU
Emails + signed PDF attachmentsBrevoFrance / Germany, EU
Document HTML (for PDF generation)BrowserlessAmsterdam, EU
Phone numbers + OTP / SMS linksmsg.geGeorgia
Card dataFlitt (does not reach us)EU
AI prompts (no personal data)OpenAIUSA

Article 6. Processing of Data by an Authorized Person (Where Applicable)

Data is processed only for purposes defined by the Company, taking into account the rules and prohibitions established by the Georgian Law on “Personal Data Protection.”

Article 7. Data Storage and Security

Data provided by the user/client to the SmartCLM platform, which is necessary for the creation and generation of documents, is stored in the “SmartCLM” platform's database, in the cloud, in encrypted form, for the term of the SmartCLM service agreement concluded with the client, and following the expiry of the agreement, the data will be deleted within 1 (one) month, unless the service agreement is renewed.

Service agreements concluded with clients, as well as documents related to the performance of the agreement, are stored for 5 (five) years from the expiry/termination of the agreement;

Information processed for the purposes of performing the employment contracts of SmartCLM's employees is stored for 5 (five) years from the expiry and/or termination of the employment contract. If such information is related to ongoing legal proceedings, it is retained until the conclusion of those proceedings. Once the proceedings have concluded, the 5-year storage period no longer applies to that information, and further storage or processing of the data is carried out only where an appropriate legal basis exists. Applicant data is stored for 6 (six) months from the conclusion of the recruitment process.

The Company uses multi-layer technical measures to protect data security, so that personal data is maximally protected from unlawful access:

1. Access Control and Authentication

2. Data Encryption

a) Data is protected by both principal encryption methods:

3. System Security and Protection

4. Backup Creation and Recovery

The Company ensures that, within SmartCLM, access to personal data is logged and regularly audited.

Article 9. Rights of the Data Subject

9.1 The law defines the following rights of the data subject; accordingly, the data subject is entitled to exercise the rights set out below:

Category of Data Subject RightRegulatory Basis — Articles of the Law “On Personal Data Protection”
Right to receive information about data processingArticle 13
Right to access data and obtain a copyArticle 14
Right to rectify, update, and complete dataArticle 15
Right to stop the processing of, erase, or destroy dataArticle 16
Right to block dataArticle 17
Right to data portabilityArticle 18
Rights related to automated individual decision-makingArticle 19
Right to withdraw consentArticle 20
Right to appealArticle 22

Upon a data subject's request, the controller (the Company) is obligated to ensure, in the manner established by law, the exercise of the data subject's rights, including taking all measures necessary to comply with the requirements of the law and, where necessary, to demonstrate such compliance.

The obligation to protect the rights of the data subject also extends to the authorized processor with respect to data held/existing with it, where applicable.

9.2 If you have any questions regarding personal data protection, you may contact us at the following email: welcome@smartclm.ai

Information the Data Subject Must Provide

When making a request, the subject must indicate:

Within 2 weeks of receiving an application/complaint, the Company will provide the data subject, in writing, with a reasoned response on the matter raised.

Article 10. Obligation to Notify of an Incident

10.1 The controller is obligated to record any incident, its resulting consequences, and the measures taken, and to notify the Personal Data Protection Service thereof in writing or electronically no later than 72 hours after discovery of the incident, except where it is unlikely that the incident will cause significant harm and/or pose a significant threat to fundamental human rights and freedoms.

10.2 If an incident is highly likely to cause significant harm and/or pose a significant threat to fundamental human rights and freedoms, the controller is obligated to notify the data subject of the incident as soon as possible after its discovery, without undue delay;

10.3 An authorized processor is obligated to immediately notify the controller of an incident;

10.4 The controller (the Company) has developed a data security incident response policy document, the purpose of which is to define a unified standard for responding to data security incidents, so as to ensure the protection of personal data and the minimization of risks.

Article 11. Enforcement

11.1 To ensure the measures provided for by this policy document, the Company will (as necessary) develop additional written documents and take other appropriate measures in the manner established by law;

11.2 The Personal Data Protection Policy document is approved on the basis of an order of the Company's director and is made available to interested persons on the Company's official website, https://www.smartclm.ai/

Article 12. Validity of the Policy Document and Amendments Thereto

12.1 This policy document will be reviewed at least once a year and, where necessary, appropriate amendments will be made to it;

12.2 This policy document is binding on the Company's employees from the day they are made aware of it.

As a data subject, you have the right, in connection with matters of personal data protection, to protect your rights and/or submit a complaint to either SmartCLM and/or the State Audit Office.

Contact information:
Phone: +995 500 001235
Email: welcome@smartclm.ai
Legal address: 46B, Vasil Petriashvili St., Mtatsminda District, Tbilisi