GDPR Statement

Last updated: 1 January 2026

Social Prysm Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679) and the UK Data Protection Act 2018. This statement explains how we apply these regulations to our Services and how you can exercise your rights.

1. Data controller

Social Prysm Ltd is the data controller for personal data we collect from visitors to smhub.com and from our direct customers. The controller contact details are:

  • Social Prysm Ltd
  • 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
  • Email: privacy@smhub.com

2. Data processor role

When our customers (for example, a social media agency) upload data about their own clients or end users into Social Prysm, the customer is the data controller and Social Prysm acts as the data processor. Our obligations as processor are set out in our Data Processing Agreement (DPA), which is available on request and incorporates the UK International Data Transfer Addendum and EU Standard Contractual Clauses.

3. Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing our data protection strategy and compliance. You can contact our DPO at dpo@smhub.com.

4. Legal basis for processing

We process personal data on the following lawful bases under Article 6 of the UK and EU GDPR:

  • Performance of a contract — to deliver the Services you have subscribed to.
  • Legitimate interests — to improve our Services, secure our systems and grow our business, balanced against the rights of data subjects.
  • Consent — for marketing communications and non-essential cookies. Consent is always freely given, specific, informed and unambiguous, and may be withdrawn at any time.
  • Legal obligation — to comply with tax, accounting and other legal requirements.

5. Your rights as a data subject

Under the UK and EU GDPR you have the following rights, which we honour in full and at no charge:

  • Right of access — obtain confirmation of whether we process your personal data and receive a copy of it.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data (the "right to be forgotten").
  • Right to restrict processing — request that we stop actively processing your data while a dispute is resolved.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making — we do not make solely automated decisions with legal or similarly significant effects on data subjects.
  • Right to withdraw consent — at any time, where processing is based on consent.
  • Right to lodge a complaint — with your local data protection authority. In the UK this is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please email privacy@smhub.com. We respond within 30 days and may ask you to verify your identity before processing the request.

6. International data transfers

Your personal data is primarily stored in the United Kingdom and European Union. Where data is transferred outside the UK/EEA (for example to a sub-processor based in the United States), we rely on appropriate safeguards including:

  • The EU Commission's Standard Contractual Clauses (SCCs).
  • The UK International Data Transfer Addendum to the SCCs.
  • Supplementary technical measures such as encryption and pseudonymisation.

7. Sub-processors

We only use carefully vetted sub-processors who meet UK/EU GDPR requirements. A current list of sub-processors is available on request from privacy@smhub.com. Customers are notified of any new sub-processor at least 30 days in advance.

8. Data breach notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay. Our incident response plan is tested annually.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing activity likely to result in a high risk to data subjects, in line with Article 35 of the GDPR.

10. Training and accountability

All Social Prysm staff receive mandatory data protection training on induction and annually thereafter. We maintain records of processing activities (RoPA) in line with Article 30, and we review our policies and procedures at least once a year.

11. Contact

If you have any questions about our GDPR compliance or wish to exercise your rights, please contact our Data Protection Officer at dpo@smhub.com or write to Social Prysm Ltd, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.