Smart Way

GDPR and Smart Way personal data processing

Edition of April 13, 2026. This page explains how Smart Way organizes the processing of personal data taking into account the requirements of Regulation (EU) 2016/679 (GDPR), the Law of Ukraine "On the Protection of Personal Data" and standard practices for SaaS services in the field of LMS, HR and candidate evaluation. It supplements the Privacy Policy and Terms of Use.

1. Scope and roles of the parties

For visitors to Smart Way's public website, people who leave a request for a demo, contact support or send a commercial request, Smart Way usually acts as the controller of personal data and independently determines the purpose and methods of their processing.

For data that the client uploads to the LMS, testing system, recruiting or HR processes, Smart Way usually acts as a processor according to the client's documented instructions, and the client remains the controller of such data, unless otherwise expressly provided by contract or law.

2. What personal data can be processed

Depending on the usage scenario, Smart Way can process:

  • contact data: name, work email, phone, position, company name;
  • account data: login, role, login history, access settings;
  • learning and assessment data: assigned courses, test results, learning progress, comments, certificates, module completion data;
  • technical data: IP address, browser type, interface language, system logs, session identifiers and other technical information required for the security and stable operation of the service;
  • communication data: content of calls to the support service, requests for consultation or demo.

Smart Way does not require the intentional upload of special categories of personal data, unless it is necessary for the agreed customer process and has no separate legal basis. The client who downloads such data is responsible for the legality of their transfer and for informing the data subjects.

3. Legal basis of processing

Smart Way may rely on the following legal grounds:

  • performance of the contract or actions prior to the conclusion of the contract;
  • legitimate interest, in particular for the security of the service, fraud prevention, logging, protection of Smart Way rights and product improvement;
  • consent of the data subject, if it is required for marketing mailings, certain types of analytics or advertising technologies;
  • performance of duties imposed on us by law.

4. Purposes of processing

Personal data is used to:

  • create and maintain accounts and provide access to the service;
  • execute the client's LMS, recruiting and HR scenarios, including training, testing, reporting and administration;
  • process requests for demos, commercial offers, consultations and support requests;
  • support security, backup, auditing and incident investigations;
  • analyze product usage, improve UX and measure marketing effectiveness;
  • fulfill legal, accounting and contractual obligations.

5. Access to data and providers involved

Access to personal data is granted only to those employees and contractors of Smart Way who objectively need it to perform their functions. We may involve hosting providers, infrastructure providers, email services, payment services, communication tools, analytical and advertising platforms, but only to the extent necessary to provide the service or support business processes.

If Smart Way acts as a processor, we do not use the customer's personal data for our own independent purposes, except for cases expressly provided by law, contract or separately agreed with the customer.

6. International transfers

If there is a need to transfer data outside of Ukraine or the European Economic Area to provide service, backup, analytics or support, Smart Way applies appropriate safeguards compatible with the GDPR, such as contractual provisions on confidentiality, Standard Contractual Clauses, technical protection measures or other legal mechanisms permitted by law.

7. Storage terms

We store personal data no longer than is necessary for the stated purpose of processing, performance of the contract, protection against claims, compliance with accounting and legal obligations. The duration of storage may depend on the type of data, the role of Smart Way (controller/processor), customer settings and backup periods.

After termination of the contract, Smart Way may retain individual technical logs, backup copies or accounts for a reasonable period necessary for security, auditing and compliance with legal obligations, after which the data will be deleted or anonymised.

8. Rights of data subjects

If your processing is covered by the GDPR, you may have the right to access data, rectification, erasure, restriction of processing, objection, data portability, withdrawal of consent and complaint to a competent supervisory authority. If Smart Way acts as a processor, we will direct such a request to the controller or help the client fulfill it within the limits of the contract and available technical capabilities.

9. Responsibilities of the client as a controller

If you upload data of employees, candidates, contractors, course participants or others to Smart Way, you confirm that you have a valid legal basis to do so, have provided appropriate notice to data subjects, obtained the necessary consents where required and do not upload excessive or manifestly illegal data.

If necessary, Smart Way can enter into an additional data processing agreement (DPA) with the client, which details the subject of processing, types of data, categories of data subjects, instructions of the client, sub-processors, retention periods and security measures.

10. Security

Smart Way applies legal, organizational and technical security measures appropriate to the nature of the service and processing risks: role-based access control, access minimization, encryption in transit, monitoring, backup, event logs, infrastructure access restrictions and internal incident response procedures. At the same time, no system can guarantee absolute security, so users should also take care of passwords, access rights and legality of downloaded content.

11. Contacts and Updates

For issues of personal data protection, data subject requests, DPA or clarification of controller/processor roles, contact support@smartway.pro. Postal address: FOP Rushanskyi S.M., str. Shevchenko 25, Ivanivka village, Berezivsky district, Odesa region, Ukraine, 67200.

Smart Way may update this page if service functionality, legal requirements or data processing model changes. The current edition is located at https://smartway.pro/uk/gdpr/.