Platform Privacy Policy

Last modified: June 2026

This Platform Privacy Policy (“Privacy Policy”) is published by Wayfor S.A. (“Wayfor”, “we”, “us”, or “our”) to explain how we process the personal data of employees, contractors, and other authorised users (“Platform Users” or “you”) who access the Wayfor platform (Wayfor Learn and/or Wayfor AI Coach) (the “Platform”) on behalf of an organisation that has subscribed to our services (the “Client”). This Privacy Policy does not cover personal data collected through the Wayfor website (wayfor.ai), which is governed by our Website Privacy Policy, or the use of cookies, which is governed by our Cookie Policy. Both documents are available at wayfor.ai. This Privacy Policy is provided as a transparency measure to complement the privacy notice that your employer (the Client) is separately required to provide to you under applicable data protection law. Your employer’s privacy notice is the primary document governing how your personal data is processed.

1. Employer as Controller and Primary Contact

Your employer has entered into a service agreement with Wayfor governing the provision of the Platform. When you use the Wayfor Platform, your employer — the organisation that has subscribed to Wayfor’s services — is the primary data controller of your personal data. Your employer determines the purposes for which your data is processed and the legal bases that apply. Wayfor processes your data on your employer’s behalf, under your employer’s instructions, as a data processor within the meaning of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Therefore, you should direct any questions, access requests, rectification requests, or deletion requests to your employer. Wayfor will assist your employer in responding but does not act independently of your employer’s instructions when processing your Platform data. The only circumstances in which Wayfor acts as an independent data controller and you may contact Wayfor directly are described in Section 2.

2. Wayfor as Independent Data Controller

For the majority of processing activities on the Platform, Wayfor acts as your employer’s processor and has no independent decision-making role. There are, however, four limited categories of processing in which Wayfor acts as an independent data controller — meaning Wayfor determines the purposes independently of your employer and is directly accountable to you for that processing. These are the situations in which you should contact Wayfor directly about your personal data.

(i) Compliance with Wayfor’s own legal obligations — where Wayfor is required by EU or Greek law (tax, corporate, employment, or regulatory law) to retain or produce data independently of your employer’s instructions. Legal basis: Article 6(1)(c) GDPR.

(ii) Establishment, exercise, or defence of legal claims — where Wayfor needs to process data in connection with litigation or legal proceedings to which Wayfor itself is a party. Legal basis: Article 6(1)(f) GDPR.

(iii) Security monitoring and fraud prevention — where Wayfor monitors its own infrastructure for intrusion, abuse, or fraudulent activity in order to protect the integrity of its systems. Legal basis: Article 6(1)(f) GDPR.

(iv) Product analytics using anonymised or aggregated data — where Wayfor uses data from which no individual can be identified in order to improve the Platform. No personal data is used for this purpose. Legal basis: Article 6(1)(f) GDPR. Where an agreement between Wayfor and your employer prohibits this activity, Wayfor will not carry it out.

For all other processing — your account, learning activity, AI Coach sessions, performance data, and technical logs — your employer is the controller and your employer is the primary contact.

3. Wayfor Contact Details

Wayfor S.A.
Registration Number: ELGEMI.180456803000
Address: 21 Karaiskaki Street, Kifissia, 14562, Greece
Email: info@wayfor.ai

Data Protection Officer (DPO):
Antonios Fix
Email: dpo@wayfor.ai

4. Categories of Personal Data Processed Through the Platform

The following categories of personal data are processed through the Platform on your employer’s behalf. The specific data processed in your case depends on the features activated by your employer and the integrations it has configured.

Account and Identity Data

• Full name, work email address, job title, department, and employer name (provided by the Client at onboarding).
• Profile photograph (if uploaded voluntarily).
• Platform login credentials (stored in hashed and encrypted form).
• Access level and system role within the Platform.

Learning and Performance Data

• Course enrolments, completions, assessment scores, and progress metrics.
• AI Coach session content, including questions submitted, responses generated, and coaching outcomes.
• Learning preferences and competency development data.
• Post-session feedback (where voluntarily provided).

Technical and Usage Data

• IP address, browser type, device information, and operating system.
• Session logs, access timestamps, feature interaction data, and event logs.
• Error logs and diagnostic data.

Communications Data

• In-platform messages and support-related communications.

Integration Data (where activated by your employer)

• Where your employer has activated integrations with HR or calendar systems, employee profile data and calendar event data from those systems may also be processed.

Wayfor does not intentionally collect special categories of personal data (Article 9 GDPR) through the Platform. If you voluntarily share such data through the AI Coach, it will be processed subject to any applicable consent mechanism. The Platform is intended solely for persons aged 18 and over.

5. Purposes of Processing and Legal Bases

As data processor (your employer’s instructions)

In its capacity as processor, Wayfor processes your data exclusively for the purposes determined by your employer. These typically include: providing, operating, and maintaining the Platform; personalising your learning experience and delivering AI coaching outputs; enabling your employer to manage its workforce learning and development programmes; generating analytics and reporting for your employer; and communicating Platform-related notifications and system alerts. For the legal bases applicable to these activities, please consult your employer’s privacy notice.

As independent data controller (Section 2 activities only)

For the four categories described in Section 2, Wayfor relies on the legal bases stated in that section. Wayfor does not use your personal data for automated decision-making within the meaning of Article 22 GDPR. The AI Coach produces advisory outputs only and does not make binding decisions about your employment or performance.

6. Data Retention

Data is retained in accordance with the retention schedule in the applicable agreement between Wayfor and your employer. Standard retention periods are as follows:

Account Data, Learning Activity Data, Assessment Results: Active subscription period plus one year, after which full deletion from all systems is carried out.

System Logs: 90 days, with automatic deletion.

Analytics Data: One year in identifiable form, then anonymisation for long-term analysis.

Backup Data: Six months, with automatic deletion from backup systems.

Security and Audit Logs: 12 months from generation, unless longer retention is required by law.

Legal Claims Data: Until expiry of the applicable limitation period under Greek or EU law.

Anonymised or Aggregated Data: May be retained indefinitely as it no longer constitutes personal data.

Where our agreement with your Employer specifies different retention periods, those periods prevail. Following expiry of the applicable period, data is securely deleted in accordance with the deletion standard set out in the agreement.

7. Sub-processors and International Data Transfers

Sub-processors

Wayfor engages the following third-party service providers (sub-processors) to assist in delivering the Platform. All sub-processors are bound by data processing agreements imposing data protection obligations at least equivalent to those in Wayfor’s client agreements. Each sub-processor has access only to the minimum personal data necessary for its designated purpose.

Auth0 Inc., 10900 NE 8th Street, Suite 700, Bellevue, WA 98004, USA. Role: authentication services. Transfer mechanism: EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).

Kurrent Limited, Unit 5 Paulton House, Old Mills, Paulton, Bristol, BS39 7SX, United Kingdom. Role: database operations. Location: EEA. Transfer mechanism: UK Adequacy Decision (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021).

Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Role: cloud hosting, infrastructure, and AI model access. Location: EEA. No transfer outside EEA.

ElevenLabs Inc., 22 W 38th Street, New York, NY 10018, USA. Role: voice synthesis. Transfer mechanism: EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).

Amplitude, Inc., 201 Third Street, Suite 200, San Francisco, CA 94103, USA. Role: product analytics (anonymised or aggregated data only). Transfer mechanism: EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).

AC PM LLC (Postmark), 1 North Dearborn Street, 5th Floor, Chicago, IL 60602, USA. Role: transactional email delivery. Transfer mechanism: EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).

LangChain Inc. (LangSmith), 501 2nd Street, Suite 120, San Francisco, CA 94107, USA. Role: LLM observability and AI pipeline management. Transfer mechanism: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

UNIFIED API Inc., 325 Front Street West, 4th Floor, Toronto, Ontario, M5V 2Y1, Canada. Role: HR and calendar system integration. Transfer mechanism: European Commission adequacy decision for Canada (Commission Decision 2002/2/EC — PIPEDA).

An up-to-date sub-processor list is available upon request at dpo@wayfor.ai. Your employer will be notified of any new sub-processor in accordance with the procedure in the applicable agreement before the new sub-processor begins processing.

International data transfers

Personal data is stored within the European Economic Area (EEA) as the primary rule. Where sub-processors are established outside the EEA, the applicable transfer mechanism is identified above. Transfers to US-based sub-processors are covered under the European Commission’s adequacy decision of 10 July 2023 for the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), under which each of those sub-processors is a certified participant with the exception of LangChain. LangChain is not a certified participant in the EU–US Data Privacy Framework and is accordingly not covered by the adequacy decision referenced above. The transfer mechanism applicable to transfers of personal data to LangChain are Standard Contractual Clauses according to Commission Implementing Decision (EU) 2021/914. Transfers to UNIFIED API Inc. are covered under the Commission’s adequacy decision for Canada (Commission Decision 2002/2/EC). Transfers to Kurrent Limited LTD are covered under the Commission’s adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021).

You may request further details about transfer safeguards by contacting dpo@wayfor.ai.

Wayfor does not sell, rent, or otherwise commercially exploit your personal data to any third party.

8. AI-Specific Disclosures

• AI Coach sessions are processed through Wayfor’s AI infrastructure involving the sub-processors listed in Section 7. Applicable transfer safeguards are identified in that section.
• Wayfor does not use individually identifiable Platform User data to train, fine-tune, or improve AI models. Product improvement using anonymised or aggregated data may be carried out only where the applicable agreement permits it.
• AI Coach outputs are advisory only and do not constitute professional advice of any kind, whether legal, medical, financial, or otherwise.
• Where the applicable agreement requires per-user opt-in consent before recording or transcription of AI Coach sessions, Wayfor will implement that requirement. You may withdraw such consent at any time via your account settings or by contacting dpo@wayfor.ai.

9. Data Security

Wayfor implements appropriate technical and organisational security measures in accordance with Article 32 GDPR and the security annex of the applicable agreement. These measures include:

• Encryption of data in transit using TLS 1.2+ and at rest using AES-256.
• Role-based access controls and the principle of least privilege for all personnel.
• Multi-factor authentication for access to production systems.
• Ongoing vulnerability management.
• ISO/IEC 27001:2022-certified Information Security Management System.
• Business continuity and disaster recovery procedures.

No system of data transmission or storage can be guaranteed to be completely secure.

10. Data Breach Notification

In the event of a personal data breach affecting Platform User data, Wayfor will notify your employer (the Client) without undue delay and in accordance with the timeline in the applicable agreement. Your employer, as controller, is responsible for notifying the competent supervisory authority within 72 hours under Article 33 GDPR, and for notifying you directly where the breach is likely to result in a high risk to your rights and freedoms under Article 34 GDPR. Wayfor will provide your employer with all information needed to make those notifications.

11. Your Data Protection Rights — Who to Contact for What

You have the following rights under the GDPR:

Right of access (Art. 15 GDPR): You may request a copy of your personal data. For Platform data processed on your employer’s behalf, direct your request to your employer.

Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data. Direct to your employer for Platform data.

Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where no lawful basis for retention exists. Direct to your employer for Platform data.

Right to restriction of processing (Art. 18 GDPR): You may request that processing be limited in specific circumstances. Direct to your employer for Platform data.

Right to data portability (Art. 20 GDPR): You may request that your personal data be provided to you or transferred to another organisation in a machine-readable format. Direct to your employer for Platform data.

Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests. Direct to your employer for Platform data.

Right not to be subject to automated decisions (Art. 22 GDPR): Wayfor does not carry out automated decision-making with legal or similarly significant effects. The AI Coach produces advisory outputs only.

Right to withdraw consent (Art. 7(3) GDPR): Where consent is the legal basis — in particular, consent to AI Coach session recording — you may withdraw it at any time via your account settings or by contacting dpo@wayfor.ai, without affecting the lawfulness of prior processing.

To exercise rights relating to Wayfor’s own controller activities (Section 2 above), contact dpo@wayfor.ai providing your name, work email address, employer name, and a description of your request. Wayfor will respond within one (1) month of receipt, free of charge, as required by Article 12(3) GDPR. Wayfor may ask you to verify your identity before processing your request.

Wayfor will not discriminate against you in any way for exercising your data protection rights.

12. Right to Complain

If you have concerns about how your personal data is handled, we encourage you to contact your employer’s data protection team in the first instance so that the matter can be addressed directly.

You also have the right to lodge a complaint with the competent supervisory authority at any time. As Wayfor S.A. is established in Greece, the lead supervisory authority is:

Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ)
Address: Kifissias 1-3, 115 23, Athens, Greece
Email: contact@dpa.gr
Tel: +30 210 6475 600
Website: www.dpa.gr

If you are located in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority in your country of residence or place of work.

13. Minors

The Wayfor Platform is intended solely for use by persons aged 18 and over. Wayfor does not knowingly process personal data of minors. If you believe a minor has accessed the Platform, please contact dpo@wayfor.ai immediately.

14. Changes to This Privacy Policy

Wayfor may update this Privacy Policy from time to time to reflect changes in applicable law, data processing practices, or Platform features. The date of the last modification is shown at the top of this document. Where changes are material, Wayfor will notify the Client in advance in accordance with the amendment procedure in the applicable agreement. We recommend reviewing this Privacy Policy periodically.

15. Contact

For general inquiries about this Privacy Policy email Wayfor S.A. at dpo@wayfor.ai.

For data protection matters or to exercise rights relating to Wayfor’s own controller activities (Section 2) email Antonios Fix at dpo@wayfor.ai.