SMEInspect
Start a report
JurisdictionAustraliaUnited KingdomUnited States

Privacy Policy

Privacy Policy · United Kingdom · version 2026-06-21 · effective 21 June 2026

This Privacy Policy explains how SMEInspect handles personal data for United Kingdom users under the UK GDPR and the Data Protection Act 2018.

1. Introduction

This policy explains how ClarityIntel Pty Ltd, an Australian company (ABN 54 697 254 596), trading as SMEInspect (we, us, our), collects, uses, stores and discloses personal data when you use the SMEInspect website and services (the Service).

ClarityIntel Pty Ltd is the data controller for personal data processed about UK users of the Service. We are an Australian company selling cross-border into the United Kingdom with no UK-established entity; as described in section 11, your data is transferred to and processed in Australia and the United States.

This policy should be read with our Terms of Use.

2. The law that applies

We process personal data about UK users in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our use of cookies and similar technologies is governed by the Privacy and Electronic Communications Regulations (PECR).

Our supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk. Our ICO registration number is [ICO registration number — to confirm].

3. What we collect and why

We may collect the following categories of personal data:

  • Account and contact details — name, email address and sign-in identifiers — to create your account, deliver Reports and communicate about your orders.
  • Transaction data — order history, payment status and acceptance records — to fulfil paid Reports and meet record-keeping obligations. Card details are processed by our payment provider; we do not store full card numbers.
  • Uploaded documents and inputs — financial statements, contracts and other materials you provide about a target business — to generate your Report and SMEInspect Estimate. These may incidentally contain personal data about third parties (for example, business owners or officers).
  • Public-registry data — information about the target business and its officers retrieved from public registers — to enrich your Report (see section 7).
  • Technical and usage data — IP address, browser type, device information and interaction logs — to secure the Service, diagnose faults and understand aggregate usage.
  • Communications — support enquiries and feedback — to respond and improve the Service.

4. Lawful bases

Under Article 6 of the UK GDPR, we rely on the following lawful bases:

  • Contract (Art 6(1)(b)) — to provide the Service you request, deliver Reports and Estimates, and process your orders.
  • Legitimate interests (Art 6(1)(f)) — to secure, operate, improve and protect the Service and to enrich Reports with public-registry data, balanced against your rights and freedoms. You may object as described in section 12.
  • Consent (Art 6(1)(a)) — for non-essential cookies and optional marketing communications. You may withdraw consent at any time.
  • Legal obligation (Art 6(1)(c)) — to comply with tax, accounting, anti-fraud and other legal requirements.

5. Automated processing, AI and sub-processors

The Report and Estimate are produced by an automated inspection engine that applies AI/LLM inference to the documents and data you supply. We engage the following categories of sub-processor: hosting/infrastructure, the inspection/AI engine, payment processing, email delivery, and analytics.

We require by contract that our AI and inspection sub-processors do not train their models on your data or inputs. Your uploaded documents are used only to provide the Service to you.

We do not make solely-automated decisions that produce legal or similarly significant effects about you. The outputs are decision-support for you. You have rights in relation to automated decision-making and profiling as described in section 12.

6. How we use and disclose data

We use personal data to:

  • provide, operate, secure and improve the Service;
  • generate and deliver the Reports and Estimates you request;
  • process payments and prevent fraud;
  • send service-related messages (and marketing only where you have opted in);
  • comply with legal obligations and enforce our Terms of Use.

We may disclose personal data to our sub-processors (section 5) under contracts that require appropriate safeguards, to professional advisers where reasonably necessary, and to regulators, courts or law enforcement where required by law. We do not sell personal data, and we do not disclose your uploaded documents to the seller, broker or other parties to the transaction you are evaluating.

7. Third-party and registry data

To enrich your Report, we retrieve and process personal data about the target business and its officers from public registers (for example, company-registry filings). We rely on legitimate interests for this processing.

Where we process personal data we did not obtain directly from the individual, we take reasonable steps consistent with the UK GDPR. We do not control, and do not warrant, the accuracy or currency of public-registry data.

8. Cookies

We use strictly necessary cookies to run the Service (for example, sign-in and security). Under PECR, these do not require consent.

We set analytics and other non-essential cookies only with your consent, captured through our cookie banner. You can accept, reject or change your choices at any time via the cookie settings. Rejecting non-essential cookies does not affect access to the core Service.

9. Marketing

We send marketing communications only where you have consented (or where otherwise permitted by PECR for existing customers about similar products). Every marketing message includes an easy way to unsubscribe, and you can opt out at any time without affecting your use of the Service.

10. Storage, security and retention

Personal data and uploaded documents are encrypted in transit and at rest, with access limited to personnel and systems that need it to operate the Service. Hosting and processing take place in Australia and the United States (see section 11).

We retain personal data only as long as needed for the purposes in this policy:

  • Account and order data — for the life of your account plus a reasonable period after closure;
  • Uploaded documents — for 12 months after Report delivery, unless you request earlier deletion or a longer period is required by law;
  • Transaction and tax records — for 6 years, to meet UK tax and accounting obligations.

We action erasure requests within 30 days. Some data may persist in encrypted backups for a limited period before being overwritten. We securely delete or anonymise data when retention is no longer required.

11. Overseas and international transfers

As an Australian company, we transfer your personal data to Australia (our primary processing location) and to the United States (for the AI/inspection engine and certain sub-processors). These are transfers of UK personal data outside the United Kingdom.

Australia is not covered by a UK adequacy decision. We therefore safeguard these transfers using the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment and additional safeguards where appropriate. You may request a copy of the relevant transfer mechanism using the contact details in section 16.

12. Your rights

Under the UK GDPR, you have the right to:

  • access the personal data we hold about you;
  • rectification of inaccurate or incomplete data;
  • erasure of your data (the "right to be forgotten"), subject to legal retention requirements;
  • restriction of processing in certain circumstances;
  • data portability — to receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller;
  • object to processing based on legitimate interests, and to object to direct marketing at any time;
  • rights in relation to automated decision-making and profiling.

To exercise any right, contact us using the details in section 16. We will respond within one month (extendable in line with the UK GDPR). We may need to verify your identity before responding. Exercising your rights is free in most cases.

13. Complaints

If you have concerns about how we handle your personal data, please contact us first using the details in section 16, and we will aim to resolve your complaint.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, the UK supervisory authority for data protection.

14. Children

The Service is intended for users aged 18 and over and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Changes

We may update this policy from time to time. Material changes will be posted on this page with a revised version label and effective date. We encourage you to review this policy periodically.

16. Contact

Privacy enquiries and data-subject requests: privacy@clarityintel.ai. Postal: PO Box 4127, Balgowlah Heights NSW 2093, Australia.

Data controller: ClarityIntel Pty Ltd (Australia), ABN 54 697 254 596.

UK Article 27 representative. We have appointed Prighter as our representative in the United Kingdom under Article 27 of the UK GDPR. UK users and the ICO may contact Prighter about the processing of personal data through Prighter's online portal at app.prighter.com/portal/14260907372, quoting "ClarityIntel Pty Ltd / SMEInspect".