Privacy Policy

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal data when you use our services.

Contents

1. What information we collect
2. How we use your information
3. Sharing and disclosure
4. Cookies and similar technologies
5. Data storage and security
6. International data transfers
7. Your rights under UK GDPR
8. Special category (sensitive) data
9. Children’s data
10. Changes to this policy
11. Contact information

1. What Information We Collect

We collect the following categories of personal data:

1. Information You Provide to Us

This includes:

• Contact details (name, email address, phone number)
• User credentials and profiles
• Content submitted through our platform (including text, files, uploads)
• Data entered during onboarding or training (which may include sensitive data like ethnicity or salary)

1. Information We Collect Automatically

We may collect:

• Usage data (pages visited, features used, timestamps)
• Device and browser information
• IP address and location data (approximate)
• Cookies and similar tracking technologies

2. How We Use Your Information

We use personal data to:

• Provide, operate, and improve our services
• Respond to user inquiries or support requests
• Personalise user experiences
• Send administrative or system notifications
• Enforce our terms of service
• Meet legal and regulatory obligations
• Conduct research and analytics
• With consent, send marketing communications (which you can opt out of at any time)

Legal bases for processing include: consent, performance of a contract, legal obligation, and our legitimate interests.

3. Sharing and Disclosure

We do not sell your data. We may share it with:

• Service providers (e.g., email platforms, cloud storage, analytics tools)
• Legal or regulatory authorities, when required
• Third parties during business transfers (e.g. merger, acquisition)

Sub-processors

To deliver our services, we engage trusted sub-processors. These sub-processors are bound by data protection obligations equivalent to those in our Privacy Policy and Data Processing Agreement. Our current sub-processors include:

Core infrastructure & hosting

• Microsoft Azure – Legacy hosting environment (to be decommissioned by October 2025)
• Amazon Web Services (AWS) – Current hosting environment

Customer communications & notifications

• Intercom – Customer support platform
• Mailerlite – Email marketing and communications
• SendGrid – Email delivery platform
• Twilio – SMS/voice messaging platform

Workflow automation

• Zapier – Workflow automation platform

CRM & analytics

• Pipedrive – CRM platform
• Hotjar – Analytics/session recording tool

Mobile app distribution

• Apple App Store – iOS app distribution
• Google Play Store – Android app distribution

Payment processing

• GoCardless – Client/employee billing information

A full list of sub-processors will always be available on this page. Their privacy policies can be found in the ‘Resources & Further Information’ section of this policy.

4. Cookies and Similar Technologies

We use cookies and tracking tools to:

• Authenticate users
• Monitor performance and errors
• Improve the platform

You can manage cookie preferences in your browser settings.

5. Data Storage and Security

We store your data on secure servers located in the UK and EEA.

Security measures include:

• Encryption (in transit and at rest)
• Access controls and logging
• Regular audits and vulnerability scanning

We retain data only as long as necessary for the purposes described in this policy.

6. International Data Transfers

When we transfer your data outside the UK or EEA (e.g., to US-based processors), we ensure appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs)
• Transfers to countries with adequate protection standards

7. Your Rights Under UK GDPR

You have the following rights:

• Access – Request a copy of your data
• Rectification – Correct inaccurate or incomplete data
• Erasure – Ask us to delete your data (subject to exceptions)
• Objection – Object to data processing based on legitimate interests
• Restriction – Ask us to restrict processing
• Portability – Request your data in a structured format
• Withdraw consent – At any time, for processing based on consent
• Lodge a complaint – With the UK Information Commissioner’s Office (ICO)

To exercise any of these rights, please contact us at help@onehrsoftware.com.

8. Special Category (Sensitive) Data

Our platform may collect and process special category data (such as ethnicity, gender identity, or salary) for purposes related to equity analysis or employer compliance.

We rely on one or more of the following legal bases:

• Explicit consent (where you have provided it)
• Contractual necessity (for service delivery)
• Legal obligation (where required by law)

We apply heightened safeguards when processing such data.

9. Children’s Data

Our services are not intended for use by children under the age of 16. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If significant changes are made, we will notify you through the platform or via email.

11. Contact Us

If you have questions or concerns about this Privacy Policy, contact us at help@onehrsoftware.com.

Resources & Further Information

Overview of the GDPR – General Data Protection Regulation

Data Protection Act 1998

Privacy and Electronic Communications Regulations 2003

The Guide to the PECR 2003

Amazon Web Services (AWS) Privacy Policy

Apple App Store Policy

Facebook/Meta Privacy Policy

GoCardless Privacy Policy

Google Privacy Policy

Hotjar Privacy Policy

Intercom Privacy Policy

LinkedIn Privacy Policy

Mailerlite Privacy Policy

Microsoft Privacy Policy

Microsoft Azure Privacy Policy

Pipedrive Privacy Policy

SendGrid and Twilio Privacy Policy

X Privacy Policy

YouTube Privacy Policy

Zapier Privacy Policy

Zoom Privacy Policy

Last updated: 20 August 2025