Who is the controller?
Smart IT US Inc. is the data controller for personal data collected via penumbra.health.
You can contact us at legal@smart-it.io or Smart IT US Inc., 30 N Gould St Ste R, Sheridan, Wyoming 82801, USA.
We do not currently target Penumbra to individuals in the EEA. If our activities change such that an EU representative under Article 27 is required, we will update this notice.
Legal bases for processing
We process your data on one of the following legal bases:
| Processing | Legal basis |
|---|---|
| Sending you marketing emails you signed up for | Consent (Article 6(1)(a)) |
| Setting non-essential cookies (analytics, advertising) | Consent (Article 6(1)(a)) — collected via cookie banner |
| Running our site, security, fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Analytics in aggregate | Legitimate interests (Article 6(1)(f)) |
| Responding to legal requests | Legal obligation (Article 6(1)(c)) |
You can withdraw consent at any time without affecting the lawfulness of processing done before.
Your rights under GDPR
You have the right to:
- Access your data (Article 15)
- Rectify inaccurate data (Article 16)
- Erase your data — "right to be forgotten" (Article 17)
- Restrict processing (Article 18)
- Portability — receive your data in a portable format (Article 20)
- Object to processing based on legitimate interests, including profiling (Article 21)
- Object to direct marketing at any time (Article 21(2))
- Not be subject to fully automated decisions with legal or similarly significant effects (Article 22) — we don't do this
To exercise any right, email legal@smart-it.io. We respond within 30 days.
Right to complain
You can lodge a complaint with your local Data Protection Authority. Find yours: edpb.europa.eu/about-edpb/about-edpb/members_en
International transfers
We (the controller) are based in the United States (Wyoming). When you give us your data, it is transferred to and processed in the United States, where most of our service providers are also based.
For transfers from the EEA to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) with our service providers, plus additional safeguards (encryption, access controls). Copies are available on request.
Special categories of data
In the standard Wave 1 flow, we do not collect special category data (health data, biometric data, etc.) directly. However, because Penumbra relates to migraine pattern tracking, your interaction with the site may reveal interest in health-related topics. We do not use such inferences for advertising or ad targeting, and we do not create special-category profiles based on this activity.
If we later add functionality that collects special-category data directly (such as a health-symptoms quiz), we will obtain explicit consent under Article 9(2)(a) and publish a dedicated privacy layer for that flow.