Effective: 2026-05-09
This Privacy Policy explains what personal data Smart Directs collects, how it is used, where it is stored, who else has access to it, and what rights you have over it. We aim to be specific rather than legalistic.
Smart Directs is operated by Havnwright Ltd, a software company registered in the United Kingdom. References to "we," "us," and "our" refer to Havnwright Ltd.
Account information you provide directly: your email address, display name, and password (stored hashed; we never see your plaintext password). Workspace data you create inside Smart Directs: organization name, team-member invitations, auto-reply rules and scenario flows you configure, partnership records, financial transactions, forms, and product entries. Connected channel data: when you link an Instagram Business account or a Telegram bot, we store the access tokens (encrypted at rest with AES-256-GCM), the channel ID, the channel display name, and a profile picture URL. Tokens are never readable in plaintext from our database. Message and comment content: when your connected accounts receive direct messages or comments, we store the content of those messages so we can apply auto-reply rules, render the conversation in your inbox, and demonstrate the auto-reply flow back to you. We retain this content for as long as the conversation remains in your workspace. Technical data: server access logs (IP address, user-agent, request path, timestamp) for security and abuse-prevention purposes, retained for up to 90 days. Public form submissions also include the submitter's IP address and user-agent.
When you connect an Instagram Business account, Smart Directs requests permission to access the following Meta Graph API resources, scoped to the account you connect: The Instagram account ID, username, and profile picture URL (read at connect time so we can show you which account is linked). Direct messages received by the connected Instagram account, and our outbound replies (read and write, for the auto-reply and unified inbox features). Comments on the connected account's posts that match keyword rules you configure (read, plus write to send the comment-to-DM private reply). The Facebook Page linked to the Instagram Business account (read of the page list at connect time so you can pick the right page; write of webhook subscription metadata so messages and comments arrive at our server in real time). We do not access your follower list, media library, insights, ads, or any data outside the scopes listed above. We do not post on your behalf without an explicit user-initiated action.
We use your data to operate the service: route incoming messages, fire auto-reply rules, render the conversation inbox, generate finance reports, send invoices via the forms feature, and provide team access controls. We use technical data (logs, IP addresses) for security monitoring, debugging, and abuse prevention. We use your contact email to send service-related notifications (password reset, billing alerts, security alerts, material policy changes). You can opt out of non-essential email at any time. We do not sell your data. We do not share it with advertisers. We do not use your message content to train any machine-learning model.
Application data is stored in Supabase Postgres, hosted in the EU (Frankfurt, Germany region). Object storage and uploaded media are stored in the same region. Access tokens for connected channels are encrypted at rest using AES-256-GCM with a key held in our server environment, separate from the database. Encrypted values use the prefix "enc:v1:" so legacy data and current data are distinguishable. Server infrastructure is hosted on Vercel, with TLS 1.3 in transit. We follow the principle of least privilege for staff access; in practice no Havnwright staff routinely access workspace data outside abuse investigations. Database backups are encrypted and aged out within 30 days. We do not restore deleted records from backup.
We rely on a small set of vendors to operate the service. None of them sell your data; each is contractually bound to process your data only on our instructions: Supabase (database, authentication, storage; EU region). Vercel (web hosting and edge delivery). Meta (Instagram and Facebook APIs, when you connect an Instagram Business account). Telegram (Bot API, when you connect a Telegram bot; bot tokens you provide are encrypted before storage). Stripe (payment processing, when paid plans launch; we never store full card details). Resend or Postmark (transactional email delivery for password resets and notifications). We do not transfer your data outside this set without your knowledge.
If you are in the UK or EU, the UK GDPR and EU GDPR give you the following rights over your personal data: access, rectification, erasure, restriction of processing, data portability, and objection. If you are in California, the CCPA gives you broadly equivalent rights. You can exercise most of these rights directly inside Smart Directs (Settings, Account, Delete account) or by emailing privacy@smartdirects.com from your registered email address. We respond within 30 days. Deletion in the app removes social account, conversation, and message records from the live database immediately, revokes encrypted tokens at the Meta side, and ages out database backups within 30 days. See our Data Deletion page for the full deletion runbook.
We use cookies for two purposes: Essential cookies for authentication and session management (HttpOnly, secure, SameSite=Lax). These are required for the service to function. A preference cookie for your language selection (NEXT_LOCALE). We do not use third-party advertising cookies, analytics trackers that share data with ad networks, or fingerprinting techniques.
Smart Directs is intended for businesses, creators, and team members aged 18 or older. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact us at privacy@smartdirects.com and we will delete it.
If we make material changes to this policy, we will notify registered account holders by email at least 14 days before the change takes effect. The Effective date at the top of this page reflects the most recent revision.
For privacy questions, data subject requests, or to report a privacy concern: privacy@smartdirects.com. Havnwright Ltd is registered with the UK Information Commissioner's Office (ICO) under registration number ZC015131. You may also lodge a complaint with the ICO directly at ico.org.uk.