At a glance

Who is the controller?

Smart IT US Inc. is the data controller for personal data collected via penumbra.health.

You can contact us at legal@smart-it.io or Smart IT US Inc., 30 N Gould St Ste R, Sheridan, Wyoming 82801, USA.

We do not currently target Penumbra to individuals in the EEA. If our activities change such that an EU representative under Article 27 is required, we will update this notice.

Legal bases for processing

We process your data on one of the following legal bases:

ProcessingLegal basis
Sending you marketing emails you signed up forConsent (Article 6(1)(a))
Setting non-essential cookies (analytics, advertising)Consent (Article 6(1)(a)) — collected via cookie banner
Running our site, security, fraud preventionLegitimate interests (Article 6(1)(f))
Analytics in aggregateLegitimate interests (Article 6(1)(f))
Responding to legal requestsLegal obligation (Article 6(1)(c))

You can withdraw consent at any time without affecting the lawfulness of processing done before.

Your rights under GDPR

You have the right to:

To exercise any right, email legal@smart-it.io. We respond within 30 days.

Right to complain

You can lodge a complaint with your local Data Protection Authority. Find yours: edpb.europa.eu/about-edpb/about-edpb/members_en

International transfers

We (the controller) are based in the United States (Wyoming). When you give us your data, it is transferred to and processed in the United States, where most of our service providers are also based.

For transfers from the EEA to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) with our service providers, plus additional safeguards (encryption, access controls). Copies are available on request.

Special categories of data

In the standard Wave 1 flow, we do not collect special category data (health data, biometric data, etc.) directly. However, because Penumbra relates to migraine pattern tracking, your interaction with the site may reveal interest in health-related topics. We do not use such inferences for advertising or ad targeting, and we do not create special-category profiles based on this activity.

If we later add functionality that collects special-category data directly (such as a health-symptoms quiz), we will obtain explicit consent under Article 9(2)(a) and publish a dedicated privacy layer for that flow.