Data security & legal info

Data security and Smartlook

Keeping data secure is paramount to Smartlook. As such, we hold ourselves to a standard that not only complies with legal requirements but also takes steps to ensure trust with customers’ data.


Data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256) algorithm. Smartlook uses SSL/TLS encryption (Secure Sockets Layer / Transport Layer Security) and the latest security standards to protect your data. All incoming and outgoing data from our servers is encrypted. Smartlook is PCI compliant and DSS compliant.

Data security:

Our infrastructure is primed to deal with any potential data failures. Smartlook chooses to have its infrastructure hosted by AWS, which is ISO 27001 and SOC 2 certified. All data is backed up daily to assure security and ensure that our customers have 24-hour access.



The efficacy of Smartlook systems is routinely monitored to catch performance issues. This often means that our dev team can make adjustments and changes when needed to solve problems before customers experience them.


Access to Smartlook accounts is authenticated using passwords stored in hashed format using bcrypt. Authentication is required to access any internal resources. All sensitive data is automatically masked and therefore not recorded. Access to customer data is limited to employees who require it only for service and maintenance procedures.

In addition to our data security methods, Smartlook empowers our customers to take control of what is recorded. By connecting via our API, full customization of sensitive data masking is possible.

For more information about our data security see our Privacy Policy.

What can Smartlook record?

Smartlook gives you many options to customize which data is recorded. Be it data logs, mobile devices, IP addresses or form inputs, Smartlook allows you to decide what is and isn’t necessary. Whether your visitors fall within or outside the scope of GDPR regulations, you can tailor the settings to your specific requirements.

Should I inform visitors that I record them?

It depends on whether you record personal data of your visitors using Smartlook and also on local laws in your country. If you don’t record any personal data, you don’t need to inform your visitors about the recording. If you do record personal data of your visitors through Smartlook, you are most likely required to inform them about this. The best way is to include it in a privacy policy that is easily accessible on your website.

If you have recording of form inputs enabled in Smartlook, you are most likely collecting personal data of your visitors. The collection of personal data is subject to local laws in your country. In most countries in the European Union you are required to inform visitors of your website about the fact that you collect their personal data through 3rd party software. We recommend adding the following statement to your terms & conditions or privacy policy: “Your personal data might be collected by us or 3rd parties, such as, s.r.o., VAT ID CZ03668681”.

Legal requirements about personal data collection may vary across countries in the world. It’s best to consult a local lawyer in your country if you are unsure about your legal obligations in this area.

If one of your visitors doesn’t want to be tracked by Smartlook on your website, you can send them a link to our opt-out page.

Yes. Tracking behavior and movement of your visitors using Smartlook is legal, just like using Google Analytics or other services for tracking visitors on your website.

From a legal point of view, what matters is whether you record personal data of visitors using Smartlook. This is something you can set up in Smartlook. On most websites the only place where visitors might fill in personal data is forms. To ensure Smartlook doesn’t record any personal data, simply disable recording of form inputs in Smartlook settings.