SmartPRO Docs ← Back to SmartPRO

Roles

For the data you load into SmartPRO about your employees, you are the data controller and SmartPRO is the data processor acting on your instructions. SmartPRO does not sell personal data or use your employees' data to train models.

What personal data we process

Category Examples
Identity Name, civil ID, passport number & expiry, nationality, gender, marital status
Contact Email, phone, address, emergency contact
Employment Contract terms, role, department, hire date
Financial Salary, allowances, deductions, IBAN, bank name/code/account
Attendance & leave Punches, sessions, leave balances
Documents Contracts, letters, uploaded files (CVs, IDs)
Usage Audit logs, session metadata

How we protect it

Data-subject requests

A data subject (employee) can request access, correction, or erasure of their personal data. Route requests through the controller (the employing company), whose administrators can view and correct records in-product; deletion/export beyond in-product tooling is handled by arrangement with SmartPRO support. (Define the SLA and the export/erasure mechanism before publishing — see "open items.")

Retention

Records are retained for the life of the account and your statutory record-keeping obligations under Oman labour and tax law. Automated retention/purge schedules are not yet enforced in-product (a roadmap item); deletion is currently performed on request. Do not state a specific retention period publicly until the policy is defined and approved.

Data residency

To be confirmed. Hosting region and database location determine residency; confirm with your deployment/infrastructure owner before making any residency claim (this matters for government and regulated customers).

Subprocessors

Third parties that may process data on our behalf are listed on the Subprocessors page. Several are optional and only engaged if you enable the related feature.

Open items before this page is published

  1. Confirm RD 6/2022 reference, effective date, and applicability.
  2. Define and approve the retention schedule and the data-subject-request SLA + export/erasure mechanism.
  3. Confirm data residency (hosting region).
  4. Align this page with your signed DPA and Privacy Policy and link them here.