Privacy policy

Last updated: 2nd January, 2025

1. Introduction

At PandaHR, safeguarding your privacy and personal information is our highest priority. This privacy policy explains in detail how we collect, use, share, and protect your personal information, ensuring full compliance with all applicable data protection laws, including the General Data Protection Regulation (GDPR). We are committed to transparency and accountability in our data handling practices, so you can trust us to manage your information responsibly and securely.

2. Information we collect

  • Personal information: Includes name, email address, phone number, billing address, and payment details provided during account registration.
  • Usage data: Includes IP addresses, log files, device and browser information, interactions with features, timestamps for accessing our services, and location data.
  • Transaction data: Includes details of purchases, payment history, and subscriptions associated with your account.
  • Metadata: Includes records of user preferences, API usage, session duration, and error logs.
  • Cookies and similar technologies: Information gathered via cookies to enhance user experience and ensure the proper functioning of our services. See Section 13 for more details.
  • Data from third parties: Includes information received from subprocessors (e.g., Mailgun for email delivery) or payment processors.

3. How we use your information

  • Service provision: To deliver, maintain, and improve our services.
  • Communication: To send account notifications, updates, and customer support messages.
  • Compliance: To meet legal obligations and respond to lawful requests.
  • Data analytics: To understand service performance and improve user experience.
  • Security: To detect and mitigate security threats and unauthorized access.

4. Lawful basis for processing

We process your personal data based on the following lawful bases as defined under GDPR:

  • Consent: When you have explicitly agreed to the processing of your data.
  • Contractual necessity: To fulfil our obligations under the terms of service.
  • Legal obligations: To comply with applicable laws.
  • Legitimate interests: For activities such as improving service functionality, provided these do not override your fundamental rights.

5. Data retention

Your data is retained only as long as necessary to provide our services or comply with legal obligations. Specifically:

  • Inactive accounts: Deleted after six months of inactivity (e.g., no login or payment activity).
  • Immediate deletion: Available upon request via our support team, ensuring compliance with our security protocols.
  • Usage logs: Retained for up to one year for operational analytics and troubleshooting.
  • Backup data: Retained for a limited period, usually 30 days, and securely deleted.
  • Cookies: Retained as per the details in Section 13, depending on their type and purpose.

6. Our GDPR responsibilities

As a data processor under GDPR, PandaHR commits to the following:

  • Compliance with GDPR principles: We process personal data lawfully, transparently, and for specific purposes.
  • Data security: We implement robust technical and organisational measures to protect personal data.
  • Data subject rights: We facilitate access, rectification, erasure, and other rights as required by GDPR.
  • Data breach notification: We promptly notify clients of any data breaches as required by GDPR.

7. Client GDPR responsibilities

As data controllers, clients are responsible for:

  • Lawful processing: Ensuring personal data is processed lawfully and transparently.
  • Consent management: Obtaining and managing consent where required, and informing data subjects about processing activities.
  • Data protection impact assessments (DPIAs): Conducting DPIAs for high-risk processing activities.
  • Data subject requests: Establishing processes to handle data subject requests in accordance with GDPR timelines.
  • Retention of employee data: Employers are encouraged to define retention policies for employee data. Offboarded employee details should be deleted when no longer required for legal or business purposes. Indefinite retention is discouraged unless legally justified.

8. Subprocessors and data sharing

We work with trusted subprocessors to provide our services. These subprocessors may process your data for specific purposes under strict data protection agreements. Our subprocessors include:

  • AWS: For secure cloud hosting and data storage.
  • Sentry: For performance and error logging.
  • Mailgun: For email delivery services.

We ensure all subprocessors comply with applicable data protection laws and maintain high security standards. For the latest list of subprocessors, please visit our subprocessors page.

  • We do not sell your data to third parties.
  • We may share data as required to comply with legal obligations or protect our rights.

9. Your rights

Under GDPR and other data protection laws, you have the following rights:

  • Access: To request a copy of your personal data.
  • Rectification: To correct inaccurate or incomplete data.
  • Erasure: To request deletion of your personal data ("right to be forgotten").
  • Restriction: To limit how your data is processed.
  • Data portability: To receive your data in a structured, machine-readable format.
  • Objection: To object to certain data processing activities, such as direct marketing.
  • Withdraw consent: To withdraw your consent at any time where processing is based on consent.

To exercise your rights, please contact our support team at [email protected].

10. Data security

  • All data is encrypted at rest and in transit.
  • Access controls ensure that only authorised personnel can access your data.
  • Regular security audits are conducted to maintain high standards.

11. International data transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Such transfers are safeguarded by appropriate legal mechanisms, such as standard contractual clauses or adequacy decisions.

12. Changes to this policy

We may update this privacy policy from time to time. You will be notified of significant changes via email or through updates posted on our website.

13. Cookies and similar technologies

We use cookies and similar technologies to enhance user experience and ensure the proper functioning of our services. The following outlines the types of cookies we use and their purposes:

  • Essential cookies: Necessary for the operation of our website and services, such as maintaining session states.
  • Preference cookies: Store user preferences, such as language selection or interface customisations.

We do not use cookies for advertising or marketing purposes. Users can manage cookie preferences through their browser settings or by using the cookie consent banner available on our site. For more information, please contact us at [email protected].

14. Contact us

If you have any questions about this privacy policy, please contact us at [email protected].