SmartAssessor Privacy Policy

Version 1.2 – Effective 01.01.2026


1. About this policy

This privacy policy explains how personal data is processed in connection with SmartAssessor, the compliance assessment platform operated by Sendient Group. It sits alongside the SmartAssessor End User Licence Agreement and the Sendient Terms and Conditions of Supply, and should be read with them.

This policy applies globally to all users of SmartAssessor, wherever they access the Platform.

If you are an employee, consultant, auditor, or other individual using SmartAssessor, this policy tells you how your personal data is handled when you use the Platform.

2. Who we are

SmartAssessor is operated by one of the following entities, referred to together as Sendient Group.

Sendient Limited, a company registered in England and Wales, company number 14051013, registered office Stoneythorpe Hall, Southam, Warwickshire, CV47 2DL, United Kingdom.

SmartAssessor Limited, a company registered in England and Wales, company number 16904842, registered office Stoneythorpe Hall, Southam, Warwickshire, CV47 2DL, United Kingdom.

Sendient Inc, a Delaware corporation, registered office 16192 Coastal Highway, Lewes, Delaware 19958, United States of America.

The specific Sendient Group entity that provides the Platform to your organisation is identified in the contract between your organisation and that entity (the Customer Contract). That entity is referred to in this policy as the Provider.

3. Our role in respect of your personal data

Sendient Group has two distinct roles in respect of personal data processed in connection with SmartAssessor.

Processor role. For personal data submitted into the Platform by or on behalf of the Customer, including User Content and assessment evidence, Sendient Group acts as a processor. The Customer is the controller and determines what personal data is submitted, how it is used within the Platform, and how long it is retained. Sendient Group processes this personal data on the Customer's documented instructions, as set out in the Customer Contract and any Data Processing Agreement.

Controller role. For a defined set of activities that are necessary to operate and govern the Platform as a service, Sendient Group acts as a controller in its own right. These activities include creating and managing user accounts, authenticating users, securing the Platform, diagnosing and fixing errors, preventing and investigating misuse, processing payments, responding to support requests, generating usage analytics about how the Platform is used, and complying with legal obligations.

Multiple controllers. A Customer that is a consulting firm or certification body may use SmartAssessor to deliver services to its own clients (each an End Organisation). Depending on the arrangements between the Customer and the End Organisation, the End Organisation may also be a controller in respect of personal data it provides through the Customer. Where that is the case, Sendient Group processes that personal data on the Customer's instruction, which may in turn reflect the End Organisation's instruction to the Customer.

4. Personal data we process

The categories of personal data processed through SmartAssessor depend on what is submitted by users and what is ingested from connected systems. They may include the following.

User account data. Name, work email address, job title, organisation, professional role (such as consultant or auditor), professional credentials, and authentication data.

Assessment content. Narrative notes, findings, commentary, and evidence submitted by users in the course of conducting or supporting a compliance assessment.

End Organisation employee data. Personal data about individuals employed by or associated with an End Organisation where that data is submitted as compliance evidence, including competence records, training records, health and safety records, and records relevant to an audit finding.

Supplier data. Names and contact details of individuals at suppliers, and records of supplier performance, where supplied as evidence.

Financial data from accounting integrations. Customer and vendor contact details, transaction data, and related records ingested through authorised connections to QuickBooks, Xero, or Sage.

Evidence artefacts. Document uploads, images, video, and meeting or Teams transcripts submitted or ingested as part of the assessment process.

Voice data. Voice input submitted through the Platform, and the transcripts generated from it.

AI generated content. Content generated by the Platform's artificial intelligence components, where that content includes personal data drawn from the inputs above.

Technical and network data. IP address, device and browser information, session activity, authentication metadata, audit logs, prompt history, review actions, access control changes, export activity, error reports, and similar data generated automatically when you use the Platform.

The data submitted by or on behalf of the Customer may sometimes include special category personal data, as defined in applicable data protection law, for example where a health and safety record, a disciplinary file, or a meeting transcript contains information about an individual's health, trade union membership, or similar matters. It may also include personal data relating to criminal offences or allegations, for example where a disciplinary file or investigation record is submitted as compliance evidence. It is the Customer's responsibility to have a lawful basis for submitting such data and to ensure its submission through the Platform is appropriate.

5. How we obtain personal data

Personal data reaches the Platform in the following ways.

Directly from you, when you register, log in, or use the Platform.

From your employer or the organisation that authorised your access.

From the Customer or an End Organisation, where another user submits data concerning you or data relevant to you.

From third party integrations, where you or an administrator authorises the Platform to connect to external services such as QuickBooks, Xero, or Sage.

Automatically, from your use of the Platform, such as session logs, authentication metadata, error reports, and analytics events.

6. Why we process personal data

As processor, we process personal data on the documented instructions of the Customer, to deliver the Platform under the Customer Contract.

Where we act as controller, we process personal data to operate, maintain, and secure the Platform, authenticate users, diagnose and fix errors, prevent and investigate misuse, respond to support requests, generate usage analytics about how the Platform is used, enforce our terms, and comply with legal obligations.

7. Lawful bases

Where Sendient Group is a processor, the lawful basis for processing is established and communicated by the controller. Sendient Group processes personal data strictly in accordance with the controller's instructions as recorded in the Customer Contract, any Data Processing Agreement, and applicable law.

Where Sendient Group is a controller, the lawful bases relied on are one or more of the following, depending on the activity.

Contractual necessity, where processing is required to provide the Platform to the Customer and enable your use of it.

Legitimate interests, including running and securing the Platform, preventing misuse, and understanding how the Platform is used in aggregate. Our legitimate interests assessment balances these against your rights and freedoms.

Legal obligation, where processing is required to comply with law, regulation, or a valid order of a court or regulator.

Consent, where explicitly obtained.

8. Automated decision making and AI

The Platform includes artificial intelligence features that generate assessment content, observations, and suggestions. These outputs are probabilistic, are advisory in nature, and are not a substitute for human judgement. They are subject to review by a qualified user before being acted on or formally recorded.

Sendient Group does not use the Platform to make solely automated decisions about individuals that produce legal or similarly significant effects.

9. Security and AI training restrictions

We apply appropriate technical and organisational security measures to protect personal data against loss, misuse, unauthorised access, and unauthorised disclosure. These include encryption in transit and at rest, role based access controls, multi factor authentication, regular security testing, and audit logging.

Sendient Group does not use Customer Data, User Content, or any personal data submitted through the Platform to train, fine tune, or improve any artificial intelligence model or any other product or service, without the prior written consent of the Customer. We contractually require the AI model providers we use to apply the same restriction.

10. Sub processors

We use a limited number of trusted sub processors to operate and support the Platform. Each is bound by a written data processing agreement or equivalent commitment, and each is required to apply appropriate technical and organisational security measures.

The categories of sub processor we use are as follows.

Cloud hosting and infrastructure (Microsoft Azure).

AI language models (Anthropic, OpenAI, Google).

Database (MongoDB Atlas, PostgreSQL, Azure Cosmos DB).

Retrieval and semantic search (EyeLevel).

Voice processing (ElevenLabs).

Authentication (Kinde).

Payment processing (Stripe).

Error tracking and diagnostics (Sentry).

Customer support (Zendesk).

Usage analytics (Google Analytics).

Further information about our sub processors, including their role, location, and the types of data they process, is available to Customers on request.

11. International transfers

Personal data processed through SmartAssessor may be transferred outside the country in which you are located, including between the United Kingdom, the European Economic Area, and the United States.

Where personal data is transferred from the United Kingdom or the European Economic Area to a country that is not the subject of an adequacy decision, Sendient Group relies on appropriate safeguards, including the United Kingdom International Data Transfer Agreement, the European Commission's Standard Contractual Clauses, and equivalent mechanisms recognised by applicable law.

The AI model providers we use (Anthropic, OpenAI, and Google) may process personal data in the United States and in other regions, depending on the endpoint and configuration used. We contract with our AI model providers on zero retention terms where available, and in all cases require that personal data submitted through the Platform is not used to train their models.

12. Retention

We retain personal data for the duration of the Customer Contract, plus 90 days to allow for data return or deletion, unless the Customer instructs a longer period to meet its own accreditation, certification, or regulatory retention obligations. Certification audit trails often require retention for three to seven years depending on the applicable scheme.

Backup copies and security logs follow separate retention cycles and are retained for shorter periods consistent with good security practice. These backup and log records are not accessible in ordinary production use of the Platform and are restored or reviewed only where necessary for disaster recovery, incident investigation, or audit.

After the applicable retention period ends, we securely delete or anonymise personal data, except where we are required to retain it to comply with law.

13. Your rights

Depending on the law that applies to you, you may have rights in respect of your personal data, including the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing, the right to data portability, and the right to withdraw consent.

Where Sendient Group processes personal data as processor, rights requests should normally be addressed to the Customer, who is the controller of that data. You may also contact Sendient Group directly. Where we are the controller of the relevant data, we will respond to your request. Where we are the processor, we will forward the request to the Customer and assist the Customer in responding.

If you are not satisfied with how we have handled your personal data, you have the right to complain to a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone 0303 123 1113, website ico.org.uk.

14. Security incidents

Where a security incident affects personal data processed through the Platform, Sendient Group will notify affected Customers without undue delay in accordance with applicable law and the Customer Contract. Where Sendient Group is the controller of the personal data affected, and where the incident is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law.

15. Cookies and similar technologies

The Platform uses cookies and similar client side technologies for the following purposes.

Essential cookies and storage. Required for the Platform to function, including authentication, session management, load balancing, and security. These are always set because the Platform cannot operate without them. We also use browser local storage and session storage for equivalent essential purposes, such as holding short term session state on your device.

Analytics cookies. Set in connection with Google Analytics to help us understand how the Platform is used in aggregate, so that we can improve its functional performance and user experience. Analytics cookies anonymise IP addresses where supported.

Where required by applicable law, a cookie notice is presented to you when you first access the Platform, and your consent is obtained before non essential cookies are set. You can control cookies through your browser settings at any time, though disabling essential cookies or clearing local storage may affect your ability to use the Platform.

We do not use cookies or similar technologies for advertising, cross site tracking, or sharing personal data with advertisers or marketing partners.

16. Contact us

For rights requests, data protection queries, and privacy complaints, contact privacy@sendient.ai.

By post, contact the Provider at the relevant address in clause 2.

17. Changes to this policy

We may update this policy from time to time to reflect changes in our services, in the sub processors we use, or in applicable law. The current version will always be available at https://smartassessor.ai/privacy-policy/. Material changes will be notified through the Platform or by email to the address associated with your account.

18. Governing law

This policy is governed by and construed in accordance with the laws of England and Wales. Nothing in this policy affects any rights you have under the law that applies to you where it provides stronger protection than this policy or cannot be excluded.


Sendient Limited | Company Registration No. 14051013
SmartAssessor Limited | Company Registration No. 16904842
Stoneythorpe Hall, Southam, Warwickshire, CV47 2DL, United Kingdom
Sendient Inc | 16192 Coastal Highway, Lewes, Delaware 19958, United States of America
privacy@sendient.ai | www.smartassessor.ai

 
