Privacy Policy — SmartERP
SE
SmartChoice IQ · SmartERP

Privacy Policy

SmartERP Mobile Application — Powered by SmartChoice IQ

Last Updated: March 2026
01

Introduction

Welcome to SmartERP, a comprehensive enterprise resource planning mobile application developed and maintained by SmartChoice IQ. SmartERP is built on the ERPNext / Frappe framework and is designed to digitally manage Sales, Inventory, Human Resources, Accounting, and Field Operations for businesses of all sizes.

We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have in relation to it.

ℹ️
By downloading, installing, or using the SmartERP application, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the application immediately.
02

Data We Collect

SmartERP collects the following categories of data to deliver a complete and secure enterprise experience:

👤
Personal Information
Full name, email address, username, and hashed password.
📍
Location Data
Real-time GPS coordinates for attendance check-ins and field sales tracking.
📱
Device Information
Device model, OS version, unique device ID used for single-device security binding.
📷
Camera Access
Used for QR code scanning, identity verification, and visit documentation.
🖨️
Bluetooth
Used exclusively for connecting to thermal receipt printers via Bluetooth.
🔔
Notifications
Push notification tokens for work requests, approvals, and system alerts.
📊
Business Data
Sales invoices, inventory movements, purchase orders, and HR records linked to your company account.
🎙️
Audio Recording
Used solely for voice notes in field visit reports when explicitly initiated by the user.
⚠️
Important: We never collect sensitive financial data such as credit card numbers or bank credentials. All passwords are irreversibly hashed using bcrypt and are never stored or transmitted in plain text.
03

App Permissions

SmartERP requests the following device permissions. All permissions are used solely for the stated purpose and are never accessed in the background unless explicitly noted:

Permission Purpose Required
Location (Fine & Coarse) GPS-based attendance check-in, sales route tracking on the map dashboard Required
Camera QR code scanning for attendance and inventory; photo capture for visit reports Required
Bluetooth Connecting to Bluetooth thermal printers for receipt and invoice printing Optional
Microphone Voice note recording in field visit reports Optional
Notifications Receiving real-time work order approvals, alerts, and system messages Optional
Storage / Files Saving generated PDF invoices and reports locally on the device Optional
You can revoke any optional permission at any time via your device settings without losing access to the core ERP features that do not depend on that permission.
04

How We Use Your Data

We use the data we collect solely for the following business purposes:

  • To operate and improve core ERP features including Sales, Inventory, HR, Accounting, and Field Operations modules.
  • To authenticate users and secure access to company data based on role-based permissions.
  • To record attendance and departure via geo-validated QR check-in and check-out system.
  • To track and display sales representative routes and visit history on the map dashboard.
  • To document financial and commercial transactions linked to your company account.
  • To print sales invoices, material requests, and receipts via connected Bluetooth thermal printers.
  • To send push notifications for work requests, purchase order approvals, and system alerts.
  • To enforce single-device binding security — ensuring each user account is tied to one authorized device.
  • To diagnose technical issues and improve overall application performance and stability.
05

Data Sharing

We do not sell, rent, or trade your personal data to any third party. Data may only be shared in the following limited circumstances:

  • With your employer (the company registered in the SmartERP system) strictly within the scope of your assigned role permissions.
  • With infrastructure providers (e.g., DigitalOcean cloud hosting) under strict confidentiality and data processing agreements.
  • With Google Maps API for displaying sales routes and location-based features — subject to Google’s own Privacy Policy.
  • When legally required by court orders, government requests, or applicable law in the Republic of Iraq or other relevant jurisdictions.
  • In emergency situations to protect the safety and security of users or third parties.
All third-party service providers are vetted and operate under strict data processing agreements consistent with internationally recognized privacy standards, including GDPR-aligned data handling practices.
06

Data Storage & Security

  • All company data is stored on dedicated ERPNext / Frappe server instances provisioned per client on DigitalOcean infrastructure.
  • All communication between the SmartERP app and the server is encrypted via HTTPS / TLS 1.2+.
  • Passwords are hashed using bcrypt and are never stored or transmitted in plain text.
  • Session tokens (cookies) are signed and verified server-side. They expire after 24 hours of inactivity.
  • QR-based attendance tokens are HMAC-signed and expire within a short time window to prevent replay attacks.
  • Device binding (single-device security) uses a unique device fingerprint to prevent unauthorized access from unregistered devices.
  • Business data is retained for the duration of the active service contract. Upon termination, data is archived for 90 days before permanent deletion.
  • Local device storage (GetStorage) is used only to persist session credentials and user preferences — no sensitive business data is cached locally in plain text.
07

Your Rights

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you at any time.
  • Right to Rectification: Request correction of inaccurate or incomplete personal information.
  • Right to Erasure: Request deletion of your account and associated personal data, subject to applicable legal retention requirements.
  • Right to Restriction: Request that we limit processing of your data in certain circumstances.
  • Right to Data Portability: Request your data in a machine-readable format.
  • Right to Withdraw Consent: Revoke permission for location, camera, microphone, or Bluetooth access at any time via your device settings without penalty.
📌
Most data is managed through your company account within the ERP system. To request access, correction, or deletion of your personal data, please contact your system administrator or reach out to us directly at the address below.
08

Notifications & Communications

SmartERP sends real-time push notifications and in-app alerts related to: leave and absence requests, purchase and sales order approvals, material request updates, inventory alerts, and critical system messages.

Notifications are delivered via the Socket.IO real-time server and device push notification channels. You may manage or completely disable notifications at any time through your device settings. We do not send marketing, promotional, or advertising messages.

09

Children’s Privacy

SmartERP is an enterprise business application intended exclusively for use by adults aged 18 years and older in a professional workplace setting. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information, we will take immediate steps to delete that information from our systems.

10

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

SmartChoice IQ — SmartERP Team

We respond to all privacy-related inquiries within 72 business hours.

✉️ privacy@smartchoice-iq.com