Privacy Policy

Effective: 4 April 2025

1. Who We Are

SoftTrainer (“we”, “us”, “our”) provides an AI-powered soft skills assessment and training simulation platform. This Privacy Policy explains how we collect, use, store, and protect personal data when you visit our website at thesofttrainer.com or use our Services.

For privacy-related questions, email our Data Protection contact at privacy@thesofttrainer.com. For general inquiries: info@thesofttrainer.com.

2. Controller and Processor Roles

2.1 When We Act as Processor

When providing our Services to Customer organisations (employers, HR departments, L&D teams), SoftTrainer acts as a data processor under GDPR Article 28. The Customer organisation is the data controller. We process personal data only on documented instructions from the Customer and in accordance with the applicable Data Processing Agreement.

2.2 When We Act as Controller

For website visitors, demo requesters, and marketing contacts, SoftTrainer acts as the data controller and determines the purposes and means of processing.

2.3 Data Processing Agreement

A Data Processing Agreement (DPA) is executed with every Customer organisation before processing begins, as required by GDPR Article 28. The DPA covers: processing purpose and scope, data categories and subject types, sub-processor obligations, audit rights, breach notification commitments, and data return/deletion procedures. To request our standard DPA, contact privacy@thesofttrainer.com.

3. Data We Collect

3.1 Information You Provide

  • Account information: Name, email address, company name, and job title when you sign up or request a demo.
  • Assessment data: Responses, interactions, and results from scenario-based assessments and training simulations completed through our platform.
  • Communications: Information you provide when contacting us through forms, email, or other channels.

3.2 Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, and interaction patterns.
  • Device information: Browser type, operating system, screen resolution, and language preference.
  • Cookies and similar technologies: We use essential cookies for site functionality and analytics cookies to understand usage patterns. See Section 9.

3.3 Special Category Data

Our platform is not intended for the collection or processing of special category data (health information, political opinions, religious beliefs, etc.) as defined under GDPR Article 9. If special category data is inadvertently disclosed during assessment simulations, we may anonymise or delete such content. The Customer organisation is responsible for instructing participants not to share sensitive personal information during assessments.

4. How We Use Your Data

We process personal data for the following purposes:

  • Providing the Services: Delivering assessments, generating competency reports, and enabling platform functionality.
  • Improving the platform: Analysing usage patterns to improve features, performance, and user experience.
  • Communication: Responding to inquiries, sending service-related notifications, and (with consent) marketing communications.
  • Legal compliance: Meeting legal obligations, resolving disputes, and enforcing our agreements.

5. Legal Basis for Processing

Under the GDPR, we process personal data on the following legal bases:

  • Contract performance: Processing necessary to deliver our Services under your agreement with us.
  • Legitimate interests: Improving our platform, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent: Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.
  • Legal obligation: Where processing is required to comply with applicable law.

6. AI, Automated Decision-Making, and Profiling

Our platform uses AI to analyse assessment interactions and generate competency reports.

6.1 How AI Is Used

  • No model training on Customer Data: We do not use Customer Data to train our AI models. Customer data is processed solely to deliver the Services.
  • Purpose limitation: AI processing is limited to delivering the Services described in the applicable Order Form.

6.2 Automated Decision-Making (GDPR Article 22)

Our AI generates competency scores and skill gap analyses based on assessment interactions. These outputs are designed to inform human decision-making, not replace it. Final decisions regarding hiring, promotion, training assignment, or performance evaluation remain with the Customer organisation's authorised personnel.

Under GDPR Article 22, you have the right to:

  • Obtain human intervention in any assessment outcome
  • Express your point of view regarding assessment results
  • Contest any decision based on assessment outputs
  • Receive meaningful information about the logic involved in the assessment

To exercise these rights, contact your employer (the data controller) or reach us at privacy@thesofttrainer.com.

6.3 EU AI Act

SoftTrainer monitors and aligns with the EU Artificial Intelligence Act (EU AI Act). Our platform is documented in accordance with the Act's risk-based framework, and transparency obligations are built into the product by design. We maintain ongoing review of our classification and documentation as regulatory guidance evolves.

7. Data Sharing and Sub-Processors

We do not sell personal data. We may share data with:

  • Sub-processors: Third-party service providers who assist with hosting, analytics, AI processing, and platform operations. Each sub-processor is bound by a data processing agreement with obligations no less protective than those in our DPA with the Customer.
  • Customer organisations: Assessment results and competency reports are shared with the Customer organisation that engaged our Services, as specified in the applicable Order Form.
  • Legal requirements: Where required by law, regulation, or legal process.

A current list of sub-processors is available upon request. We notify Customers at least 30 days before engaging a new sub-processor, giving the Customer the right to object.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Active subscriptions: Data is retained for the duration of the Customer's subscription. Retention periods are configurable per organisation to match internal policies.
  • Post-termination: Customer Data is available for retrieval for 30 days following termination, after which it is deleted. Deletion is verified and documented.
  • On-demand deletion: Customers may request deletion of specific data at any time during the contract term.
  • Marketing contacts: Contact information is retained until you unsubscribe or request deletion.
  • Legal obligations: Some data may be retained longer where required by law.

9. Cookies

We use the following types of cookies:

  • Essential cookies: Required for basic site functionality. Cannot be disabled.
  • Analytics cookies: Help us understand how visitors interact with our website. You can opt out of analytics cookies through your browser settings.

We do not use advertising or tracking cookies.

10. Your Rights

Under the GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal obligations.
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing.
  • Automated decisions: Rights related to automated decision-making, as described in Section 6.2.

To exercise any of these rights, contact us at privacy@thesofttrainer.com. We will respond within 30 days. If you are an employee of a Customer organisation, we may direct your request to your employer as the data controller.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular third-party security assessments and vulnerability testing
  • Continuous automated monitoring of infrastructure and codebase
  • Data processing within the European Economic Area (EEA)

12. Data Breach Notification

In the event of a personal data breach, SoftTrainer will:

  • Notify the affected Customer organisation within 48 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Customer in fulfilling their notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and affected data subjects (per GDPR Article 34)

13. International Transfers

We process data within the EEA. If any transfer outside the EEA is necessary, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

14. Age Restrictions

Our Services are designed for business use by adults. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted on this page with a revised effective date. For material changes, we will provide at least 30 days' advance notice via email or through the platform. We encourage you to review this policy periodically.

Contact

Data Protection Contact: privacy@thesofttrainer.com

General Inquiries: info@thesofttrainer.com