Smart Minds 360 Privacy Notice

Privacy Notice

This notice explains how Smart Minds 360 handles programme data in invite-only client workspaces. It is written for workshop and programme participants, managers, raters and administrators.

Language

Processor

Smart Minds Ltd.

Invite-only platform service for client-run 360 programmes.

Controller

The organisation that invited you into the relevant programme.

Effective date: 30 March 2026

Last updated: 30 March 2026

Effective date: 30 March 2026

Invite-only accessThe platform is used for client programmes and workshops with no public registration.

1. Scope of this notice

This notice applies to the Smart Minds 360 web platform used in client workshops, programmes and organisational development initiatives. The platform is not a public sign-up service.

It covers invited users such as participants, managers, raters, campaign administrators and other authorised users of a client workspace.

2. Roles in data protection

The organisation that invited you into the programme is the controller of programme data. It decides why the programme runs, who participates and how results are used.

Smart Minds Ltd. acts as processor for the Smart Minds 360 platform and processes programme data only to provide the platform, support secure access, send system communications and assist the controller with compliance operations.

  • Controller: the client organisation operating the workspace and programme.
  • Processor: Smart Minds Ltd., 1 Edison Str., apt. 22, Slatina district, Sofia 1111, Bulgaria

3. Categories of personal data

Depending on your role, the platform may process identity and business contact details, organisational role data, access records, campaign participation data, survey workflow data, survey answers, action-plan entries, notification data, communication delivery records and audit logs.

The platform is designed to support aggregated 360 reporting and role-based visibility. Individual rater identities should not be disclosed through participant reports where anonymity controls apply.

Where anonymity controls apply, visible rater-group results require at least 3 submitted ratings in the group. Groups below that threshold stay hidden as separate groups, and anonymous comment visibility follows the same threshold logic.

4. Sources of data

Data is normally supplied by the client organisation or its authorised administrators using the preloaded roster model. Additional operational data is created when users sign in, complete workflow steps, submit surveys or view reports.

5. Purpose of processing

Programme data is processed only to run the Smart Minds 360 workflow: secure workspace access, campaign setup, roster assignment, survey collection, reminder delivery, aggregated reporting, action planning, auditability and compliance support.

Smart Minds does not use programme data for independent marketing, behavioural advertising or unrelated commercial profiling.

6. Lawful basis

The controller is responsible for defining and documenting the lawful basis for each programme. Smart Minds acts only on the controller's documented instructions and service agreement.

For workplace-development and 360 feedback programmes, the controller may typically rely on legitimate interests or another controller-selected lawful basis under the organisation's internal policy and applicable law. If legitimate interests is used, the controller should also assess balancing factors and objection handling.

7. Recipients and subprocessors

Programme data is shared only with authorised users inside the client workspace and with approved service providers needed to run the platform.

The current processor chain for the platform includes Supabase for managed backend data services, including database and authentication, Vercel for web hosting and application server-side execution, and Brevo for transactional email delivery.

The detailed subprocessor record is maintained by Smart Minds as part of its processor documentation and may be provided through controller-facing contractual materials or supporting compliance records.

Visibility is role-based. Participants see their own tasks, reports and action plans, raters see only the surveys assigned to them, managers see only the approval or reporting views enabled for them, and administrators see only the workflow and reporting scope allowed by the controller's configuration.

8. International transfers

Where a service provider processes data outside the EEA, appropriate contractual safeguards such as Standard Contractual Clauses or equivalent mechanisms should be used where required. The relevant arrangement depends on the active vendor agreement and deployment setup.

The controller-processor documentation should also record any required transfer-risk assessment and supplementary safeguards relevant to the active infrastructure and vendor plan.

9. Retention

Programme data should be kept only for as long as necessary for the programme purpose, contractual obligations and applicable legal requirements.

Smart Minds 360 supports retention controls for key record groups such as raw responses, reports, action plans, notifications, communication events and audit logs. The controller remains responsible for the approved retention periods.

Different record types may have different retention periods because they support different purposes, for example immediate workflow delivery, post-programme reporting, action-plan follow-up or security and auditability requirements.

Removal of your workspace access or submission of an account-deletion request does not automatically require immediate erasure of all programme records. Relevant records may need to be retained for programme integrity, contractual obligations, auditability or applicable legal requirements until the approved retention period expires.

10. Your rights

Depending on applicable law, you may have rights of access, rectification, erasure, restriction, portability and objection, as well as the right to complain to a competent supervisory authority.

Because programme data is controlled by the client organisation, rights requests should normally be directed to your organisation first. Smart Minds may assist the organisation operationally as processor.

A complete rights response may combine system-generated materials with manual review or extraction by the controller or processor where needed to ensure the response is accurate and complete.

Where the platform offers a privacy-request or account-deletion request flow, that flow should be understood as a request for review and handling under the controller's policy, not as an automatic override of controller retention or legal obligations.

11. Security and accountability

The platform uses encrypted transport over HTTPS/TLS, role-based access, authenticated sessions, workspace scoping, managed infrastructure, controlled server-side access to privileged credentials, transactional communication controls and audit logging for key administrative and compliance events.

Access is limited according to workspace role and programme function, and key operational actions are traceable through system records used for security, auditability and compliance support. Audit records are restricted to authorised roles and are not exposed through ordinary end-user workflows.

These measures reduce risk and support accountability, but no digital system should be described as absolutely risk-free.

12. Automated decision-making

The platform is not designed to make solely automated decisions that produce legal effects or similarly significant effects on individuals. It supports workflow, reporting and development activity decided and interpreted by authorised human users.

13. Contact and complaints

For platform support, contact platforms@smart-minds.space. For programme privacy questions, contact the organisation that invited you to the programme.

If you are in Bulgaria or the Bulgarian authority is otherwise relevant to your case, you may contact the Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, https://www.cpdp.bg/.

Return to the platform homepage and use your invitation or the login flow if needed.

Back to Platform Homepage
Smart Minds logo

Smart Minds 360

Smart Minds Ltd.

1 Edison Str., Slatina district, Sofia 1111, Bulgaria

platforms@smart-minds.space

© 2026 Smart Minds 360. All rights reserved.

PrivacyTermsCookiesFAQSupport