Privacy Policy
This Privacy Policy applies to SmartKali LLC, a company incorporated in the State of Delaware, United States. Contact: audit@smartkali.com · Effective date: June 7, 2026
Who We Are
SmartKali (“we”, “our”, “us”) is a professional cybersecurity company providing penetration testing, vulnerability assessments and security audit services to businesses worldwide. We operate as a remote-first company serving clients primarily in the United States, United Arab Emirates, United Kingdom, Canada, Brazil and internationally.
Data Controller: SmartKali, operated by Alejandro Molina.
Contact: audit@smartkali.com
Website: https://smartkali.com
This Privacy Policy applies to all personal data collected through our website smartkali.com, our contact forms and our service engagements. By using our website or submitting an audit request, you agree to the practices described in this policy.
Data We Collect
We collect only the data necessary to respond to your inquiry and deliver our services. This includes:
- Contact information: Full name, company name, business email address, phone number (optional).
- Audit request details: Type of audit requested, target URL or system description, estimated budget range, additional context you provide.
- Technical data: IP address, browser type, operating system, referring URL, pages visited and timestamps — collected automatically via server logs.
- Communication data: Content of emails or messages you send to us.
We do not collect payment card data directly. We do not use third-party advertising trackers. We do not use Google Analytics or similar invasive analytics platforms.
How We Use Your Data
Your personal data is used exclusively for the following purposes:
- Responding to your audit request and sending you a service proposal within 24 hours.
- Communicating with you regarding your engagement, including scoping, scheduling and report delivery.
- Maintaining records of authorized security engagements for legal and compliance purposes.
- Improving our website and services based on aggregated, anonymized usage data.
- Complying with applicable legal obligations.
We do not sell, rent or trade your personal data to third parties. We do not use your data for unsolicited marketing without your explicit consent.
Legal Basis for Processing
Depending on your jurisdiction, our legal basis for processing your personal data includes:
- Contractual necessity: Processing required to fulfill a service agreement or pre-contractual steps at your request.
- Legitimate interests: Operating our business, maintaining security records and preventing fraud.
- Legal obligation: Compliance with applicable laws in the USA, UAE, UK, Canada and Brazil.
- Consent: Where required by law (e.g., EU/UK GDPR), we will obtain your explicit consent before processing.
Data Sharing
We do not share your personal data with third parties except in the following limited circumstances:
- Service providers: Infrastructure providers (hosting, email delivery) bound by data processing agreements. Currently: Hestia Control Panel on a dedicated server. No data is shared with advertising networks.
- Legal requirements: If required by law, court order or regulatory authority in any applicable jurisdiction.
- Business transfers: In the unlikely event of a merger or acquisition, data would be transferred subject to equivalent privacy protections.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Audit request records: Retained for a minimum of 5 years to maintain evidence of authorized engagements, as required by cybersecurity best practices and applicable laws.
- Server logs: Retained for 90 days, then automatically purged.
- Email communications: Retained for the duration of the business relationship and up to 3 years thereafter.
Upon written request, we will delete your personal data unless retention is required by law.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Right to portability: Request your data in a structured, machine-readable format (GDPR/UK GDPR).
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
- CCPA rights (California residents): Right to know, delete and opt out of the sale of personal information. We do not sell personal information.
- PDPL UAE rights: Right to access, correction and erasure of personal data processed in relation to UAE engagements.
- PIPEDA rights (Canadian residents): Access and correction of personal information held by us.
To exercise any of these rights, contact us at audit@smartkali.com. We will respond within 30 days.
Cookies & Tracking
Our website uses strictly necessary session cookies only. These are used to maintain form security (CSRF protection) during your session and are not used for tracking or advertising.
- PHPSESSID: Session cookie for CSRF form protection. Expires when you close your browser. HttpOnly, Secure, SameSite=Strict.
We do not use third-party cookies, advertising pixels, Google Analytics, Facebook Pixel or any other behavioral tracking technology. Our website does not require a cookie consent banner because we only use technically necessary cookies.
Security Measures
As a cybersecurity company, we apply rigorous technical and organizational measures to protect your data:
- TLS 1.3 encryption for all data in transit (HTTPS).
- HSTS (HTTP Strict Transport Security) with preload enabled.
- CSRF protection on all forms.
- Strict Content Security Policy (CSP) headers.
- Server hardening with fail2ban, rate limiting and intrusion detection.
- Database access restricted to localhost only.
- Configuration files stored outside the web root with strict file permissions.
- Regular security audits of our own infrastructure.
International Data Transfers
Our server infrastructure is currently hosted in Brazil (São Paulo region). By submitting your data from the USA, UAE, UK, Canada or any other country, you acknowledge that your data may be processed in Brazil, whose data protection laws may differ from those of your jurisdiction.
We ensure appropriate safeguards are in place for international transfers in compliance with applicable regulations, including GDPR standard contractual clauses where required.
Minors
Our services are intended exclusively for businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted data to us, please contact us immediately and we will delete it.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. The “Last updated” date at the top of this page will reflect any changes. We encourage you to review this policy regularly.
For material changes, we will make reasonable efforts to notify existing clients via email.
Contact Us
For any questions, requests or concerns regarding your personal data or this Privacy Policy, please contact us:
SmartKali — Privacy Inquiries
We aim to respond to all privacy-related inquiries within 5 business days and fulfill data subject requests within 30 days as required by applicable law.