Privacy Policy

1. Scope of This Policy

This Privacy Policy explains how SmartSec Academy collects, uses, stores, and protects personal information.

This policy applies to:

• visitors to the SmartSec Academy website
• organisations using SmartSec Academy for cybersecurity awareness training
• employees and users enrolled in training programmes
• individuals who contact us or interact with our services
• certificate holders and individuals whose certificates are verified through our website

This policy applies only to information processed by SmartSec Academy. It does not cover third-party websites or services linked from our website or platform.

2. Information We Collect

SmartSec Academy collects only the information reasonably necessary to operate the website, deliver training, issue certificates, support organisations, and maintain service security.

2.1 Information You Provide

This may include:

• name
• work email address
• organisation name
• role, department, or team, where relevant to training delivery
• training enrolment information
• information related to your training, progress, completion, and certificate
• messages, enquiries, or support requests sent to us

2.2 Information Provided by Organisations

Where an organisation purchases or manages training for employees or users, the organisation may provide limited information needed to enrol users, manage access, monitor completion, and support certificate issuance.

This may include names, work email addresses, organisation details, and training status information.

2.3 Information Collected Automatically

When you use our website or platform, we may collect limited technical information, such as:

• IP address
• browser type and device information
• access timestamps
• pages viewed
• basic interaction or usage data
• security and diagnostic information

This information is used for website functionality, security, operational reliability, analytics, and service improvement.

3. How We Use Personal Information

We use personal information for the following purposes:

• delivering cybersecurity awareness training
• creating and managing user access
• tracking training progress and completion
• issuing and verifying certificates
• providing organisations with visibility into training status
• responding to enquiries and support requests
• maintaining website, platform, and account security
• improving website reliability and user experience
• meeting contractual, legal, regulatory, or administrative obligations
• keeping appropriate business and audit records

We do not sell personal data.

We do not use personal data for intrusive tracking, unnecessary profiling, or unrelated marketing purposes.

4. Training, Reporting, and Organisational Visibility

Where SmartSec Academy is used by an organisation, the organisation may receive limited information about user training status.

This may include:

• whether a user has been enrolled
• whether training has been started or completed
• completion date
• certificate status
• relevant assessment or completion records

This information is provided to support organisational assurance, training administration, and record keeping.

5. Certificate Issuance and Verification

Training certificates are issued only after confirmed completion of the required training steps and any required confirmation or assessment process.

Certificate verification is designed to:

• confirm certificate authenticity
• use a unique certificate reference
• avoid disclosure of unnecessary personal information
• support organisational assurance and audit needs

Public verification uses a unique certificate reference and returns only the certificate status: Valid, Invalid, or Expired. No personal learner data is displayed publicly.

Information such as learner name, email, or completion date may be used internally to issue, manage, and verify certificates, but it is not shown in the public verification result.

6. SmartSecGPT and Website Interactions

SmartSec Academy may provide website-based support or information tools, including SmartSecGPT.

SmartSecGPT is designed to provide general information and guidance about SmartSec Academy, cybersecurity awareness, and related public-facing topics.

Information submitted through SmartSecGPT or similar website tools may be processed in order to provide a response, improve reliability, prevent misuse, and maintain service quality.

SmartSecGPT responses may be incomplete or inaccurate and should not be treated as legal, technical, compliance, financial, or professional advice.

Visitors should not submit sensitive personal information, confidential business information, passwords, payment details, security credentials, or private organisational data through website chat or support tools unless specifically requested through an appropriate secure process.

7. Legal Basis for Processing

Where applicable, SmartSec Academy processes personal information based on one or more of the following legal grounds:

• performance of a contract, including training delivery, access management, and certification
• legitimate interests, including website security, service improvement, fraud prevention, business administration, and operational integrity
• legal or regulatory obligations
• consent, where consent is required, including for certain cookies or optional communications

Where consent is used, you may withdraw consent where applicable.

8. Data Sharing and Disclosure

SmartSec Academy does not sell personal data.

Personal information may be shared only where necessary and appropriate, including:

• with the organisation sponsoring or managing the training
• with trusted service providers who support website, platform, payment, hosting, security, analytics, communication, or certificate operations
• where required by law, regulation, court order, or legal process
• where necessary to protect the security, rights, or legitimate interests of SmartSec Academy, users, or others

Service providers are expected to process personal information only as needed to provide their services and subject to appropriate confidentiality, security, or contractual obligations.

9. Third-Party Service Providers

SmartSec Academy may use third-party service providers to operate the website and platform.

These may include services for:

• website hosting and content delivery
• payment processing
• login and account management
• email and communications
• analytics and performance monitoring
• cookie consent management
• video delivery
• certificate and record management
• security and abuse prevention

Examples may include providers such as Webflow, Cloudflare, Stripe, Memberstack, Supabase, Resend, Cookiebot, Google services, AI service providers used to support SmartSecGPT, and other operational tools used to deliver or improve the service.

Third-party services may process personal information according to their own privacy terms where applicable.

10. Cookies and Tracking

SmartSec Academy uses cookies and similar technologies to support website functionality, platform security, performance monitoring, cookie consent management, and limited analytics.

We use Cookiebot to manage cookie consent preferences on this website.

Visitors can accept, reject, or manage non-essential cookies through the cookie banner or privacy controls available on the website.

For more information, please refer to our Cookies Policy.

11. Data Retention

Personal information is retained only for as long as necessary for the purposes for which it was collected.

This may include retention needed to:

• deliver training
• manage user access
• maintain completion and certificate records
• support certificate verification
• respond to enquiries or support requests
• meet contractual, legal, accounting, tax, or audit requirements
• protect against misuse, disputes, or security incidents

When personal information is no longer required, it is securely deleted, anonymised, or retained only where there is a legitimate reason to do so.

12. Data Security

SmartSec Academy implements appropriate technical and organisational measures to protect personal information.

These may include:

• access controls
• secure systems and infrastructure
• controlled certificate issuance and verification processes
• use of reputable service providers
• website and platform security measures
• administrative safeguards and limited access to personal information

While no online system can guarantee absolute security, we take reasonable and proportionate steps to protect personal information against unauthorised access, loss, misuse, alteration, or disclosure.

13. International Data Transfers

SmartSec Academy may use service providers or technical infrastructure located in different countries.

Where personal information is processed or stored outside your country or region, we take reasonable steps to ensure appropriate safeguards are in place.

This may include using reputable service providers, contractual protections, and other safeguards required by applicable data protection laws.

14. Your Rights

Depending on your location and applicable law, you may have rights in relation to your personal information.

These may include the right to:

• access your personal information
• request correction of inaccurate or incomplete information
• request deletion of personal information, subject to legal, contractual, or operational limits
• object to certain processing activities
• request restriction of processing
• request a copy of your personal information in a portable format, where applicable
• withdraw consent, where processing is based on consent

Requests can be made using the contact details below.

We may need to verify your identity before responding to certain requests.

If you have concerns about how your personal information is handled, please contact us first so we can try to resolve the issue.

Where applicable, you may also have the right to complain to a relevant data protection supervisory authority, such as the UK Information Commissioner’s Office or the data protection authority in your country of residence.

15. Organisational Training Users

If your access to SmartSec Academy was provided by your employer or another organisation, some requests may need to be handled together with that organisation.

For example, requests relating to training enrolment, completion records, or certificate status may involve both SmartSec Academy and the organisation responsible for managing the training relationship.

16. Children

SmartSec Academy’s core business training services are intended for organisations and working-age users.

Our services are not intended to knowingly collect personal information from children through the business training platform.

If we become aware that personal information has been collected from a child without appropriate authority or consent, we will take reasonable steps to delete or manage that information appropriately.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, third-party providers, or operational practices.

The latest version will always be published on our website.

18. Contact

For privacy-related questions or requests, contact:

info@smartsecacademy.com