Digital Safety Helpdesk

Privacy Policy

What should be mentioned in the Privacy Policy:

  • What data do we collect?
  • How do we collect your data?
  • How will we use your data?
  • How do we store your data?
  • What are your data protection rights?
  • Changes to our privacy policy
  • How to contact us
  • How to contact the appropriate authorities

SMEX’s Digital Safety Helpdesk (“Digital Safety Helpdesk”, “The Helpdesk”, “we”) advocates for and respects your right to privacy and is committed to protecting it through our compliance with the practices described in this privacy policy, including when you visit our websites and engage with us, online and offline.

This policy aims at providing the data subject with information about the Helpdesk’s practices regarding processing (collecting, using, maintaining, protecting and/or disclosing) of personal data collected or shared by the data subject when consulting with our Digital Safety Helpdesk. 

By consulting with the Digital Safety Helpdesk you agree to the practices listed below. We reserve the right to update this policy without previous notice. 

You may access  our Code of Practice here

The Helpdesk incident handlers receive your messages (tickets, cases, incidents) through a ticketing system tool referred to as “Zammad” or “Link”, owned by our partners CDR. Please check CDR’s privacy policy here.

  • Data we may collect about you 

The Helpdesk tries, throughout its work, to collect as little personal data as possible. In some cases, the Helpdesk needs to collect personal data to resolve a case. The legal basis for collecting data is your consent, which must be freely given, specific, informed and unambiguous. The personal data is used to provide the incident handler with information and to help them solve the case at hand. 

This data includes:

  • Name
  • Phone number
  • Gender
  • Age

The information collected will only be shared with the Helpdesk handlers who are bound by a non-disclosure agreement.

Information that is collected by the Helpdesk and all conversations with the HelpDesk team will remain in CDRs databases unless instructed otherwise from the user. 

SMEX reserves the right to store non-identifiable data:

  • Ticket created time
  • Ticket closing time
  • Incident handler who first responded
  • the number of requests, 
  • the platforms the users are facing problems with, 
  • the main channel of communication (WhatsApp, Signal or Email), 
  • the country, 
  • the type of the user (journalists, lawyers, activists..), 
  • the ticket type (suspended account, hacked account, asking for a digital security tip..)

for advocacy purposes, as well as to comply with contractual obligations. 

  • Disclosure of your personal data 

We do not sell user’s information to third parties and will not transfer or share this information unless compelled by law and we will challenge any subpoena or official demand to access it. 

  • Transfer of your personal data

Your information (both personal data and non personal data) is encrypted in transit, transferred and stored on CDR’s servers, located in the Netherlands.  For more information, please refer to the CDR’s Privacy Policy here.

We take industry standard precautions and security measures to protect your personal data from misuse, breaches and loss. Like with every digital tool, there are risks, even if rare, out of the HelpDesk’s control. We store shared and downloadable data you provide to us on employee devices provided by SMEX and are embedded with security protections and measures.

The safety and security of your information also depends on you, please remember not to share your personal information unless it is impossible to solve the case otherwise. Please do not share personal data when there is no need to. 

  • What are your rights? 

You have a number of rights concerning your personal data: 

  • The right to request information regarding the data concerning you
  • The right to access your personal data: You have the right to request SMEX for copies of your personal data. We may charge you a small fee for this service.
  • The right to rectification: You have the right to request that SMEX corrects any information you believe is inaccurate. You also have the right to request SMEX to complete the information you believe is incomplete.
  • The right to erasure: You have the right to request that SMEX erases your personal data, under certain conditions.
  • The right to restrict processing: You have the right to request that SMEX restricts the processing of your personal data, under certain conditions.
  • The right to object to processing: You have the right to object to SMEX’s processing of your personal data, under certain conditions. 
  • The right to portability:  You have the right to request that SMEX transfers the data that we have collected to another organization, or directly to you, under certain conditions.
  •  and rights relating to automated decision-making

The right to lodge a complaint with a supervisory authority if such possibility is provided in your country. 

To exercise these rights, please contact SMEX on

If you make a request, we have one month to respond to you.

  • Changes to the privacy policy 

We will post any changes made to this policy in this section, please check this page frequently. 

SMEX keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 29-05-2023.


  1. Personal data: any information relating to an identified or identifiable natural person
  • Categories of personal data:

General personal data: may include personal identification details such as name and address, customer relationships, personal finances, tax-related matters, debts, sick days, work-related circumstances, family circumstances, residence, car, qualifications, applications, CV, date of employment, position, area of work, work phone, key data: name, address, date of birth, IP address or other similar non-sensitive information

Sensitive personal data: 

  • Details of racial or ethnic origin
  • Political, religious or philosophical beliefs
  • Trade union affiliation
  • The processing of genetic data and/or biometric data for the purpose of uniquely identifying a natural person
  • Health details
  • Information about a person’s sex life or sexual orientation

Details of criminal offences: information that a person has committed a particular offence, but it may also be e.g. information that a person is serving a prison sentence. In other words, details of criminal offences are information which can be used to deduce that a person has committed a criminal offence. Rules for the processing of information concerning criminal offences are not laid down in the regulation, but will be determined in the individual countries.

  1. Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  2. Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  3. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  4. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  5. Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
  6. Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her