smert.ai Limited, a Hong Kong company ("smert.ai", "we"), operates the Global Rail Cyber Security platform (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and the rights available to individuals. It applies to visitors to our marketing site and to account holders of the Service.
1. Controller
smert.ai Limited (Hong Kong) is the data controller (the "data user" in the terminology of the Hong Kong Personal Data (Privacy) Ordinance) for personal data we collect about visitors and customer account holders. For customer-submitted scan data (audit inputs and outputs), smert.ai acts as a data processor on behalf of the customer organisation, which remains the controller of that data; see our Data Processing Addendum.
2. Personal data we collect
- Account data: business email, name, organisation, role.
- Authentication data: password hashes (plaintext passwords are never stored), OAuth identifiers, MFA enrolment data.
- Usage data: IP address, device/browser info, pages viewed, feature usage, timestamps.
- Audit inputs: URLs, repository links, contract addresses, agent endpoints, configuration you submit for testing.
- Audit outputs: findings, proofs-of-concept, reports.
- Billing data: collected and stored by our payment processor; we do not store full card numbers.
- Support data: messages you send us and related metadata.
3. Why we use personal data (purposes & bases)
- Provide the Service — performance of contract.
- Account security & abuse prevention — legitimate interest, legal obligation.
- Billing — performance of contract, legal obligation.
- Product analytics & improvement — legitimate interest in operating and improving the Service.
- Marketing communications — consent (you may opt out at any time).
- Compliance & legal claims — legal obligation, legitimate interest.
4. Sub-processors
We use carefully selected service providers to operate the Service:
- Cloud database & auth (Supabase / Lovable Cloud).
- Edge & CDN (Cloudflare).
- AI model gateway (Lovable AI Gateway, which routes requests to models including Google Gemini).
- Payments (Stripe, when enabled).
- Transactional email provider.
5. International transfers
Personal data may be processed outside Hong Kong, including in the European Economic Area and the United States. Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent mechanisms.
6. Retention
We retain account data for the life of the account plus a reasonable period for legal, accounting, or dispute-resolution purposes. Audit artefacts are retained per the Authorization to Test. Server logs are retained for up to 12 months.
7. Your rights
Subject to applicable law (including the Hong Kong Personal Data (Privacy) Ordinance and, where applicable, the EU/UK GDPR), you may request access, correction, deletion, portability, restriction, or objection. You may also lodge a complaint with the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) or your local supervisory authority. Email support@smertai.com to exercise rights.
8. Security
We use encryption in transit and at rest, tenant-isolated row-level security in the database, MFA for privileged accounts, HMAC-signed ingest endpoints, and an append-only (immutable) audit log. No system is 100% secure; if we confirm a personal-data breach, we will notify affected customers without undue delay.
9. Cookies
See our Cookie Policy. We use strictly necessary cookies for sessions and security, and (with consent where required) analytics cookies to improve the Service.
10. Children
The Service is not intended for individuals under 18. We do not knowingly collect data from children.
11. Changes
We may update this Policy. Material changes will be notified in-app or by email at least 14 days before they take effect.
12. Contact
smert.ai Limited, Hong Kong SAR. support@smertai.com.
