Политика за поверителност
Effective Date: May 20, 2025
C2 All-in-One HRIS Platform by Agile Futurist (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data processed through the C2 All-in-One Human Resources Information System (HRIS) Platform (“Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you or your organization (“Client”) use our Platform and Services. It also outlines your rights regarding your personal data and how to контакт us.
By using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
1. Scope of This Privacy Policy
This Privacy Policy applies to personal data processed by C2 All-in-One HRIS Platform as a data processor on behalf of our Clients, who act as data controllers under applicable data protection laws (e.g., GDPR). Personal data includes any information relating to an identified or identifiable individual (“Data Subject”), such as employees, contractors, or job applicants managed by the Client through the Platform.
This Privacy Policy does not apply to:
- Personal data we process as a data controller for our own business purposes (e.g., marketing or customer relationship management), which is covered by our C2 All-in-One HRIS Platform General Privacy Policy (#).
- Data processed by Clients outside the Platform.
2. Information We Collect
We process personal data on behalf of Clients as part of providing the Platform and Services. The types of personal data we may process include:
2.1 Employee Data
- Identification Information: Name, employee ID, date of birth, gender, nationality.
- Контакт Информация: Email address, phone number, home address.
- Employment Information: Job title, department, hire date, employment status, salary, benefits, performance reviews, disciplinary records.
- Compliance Information: Tax identification numbers, social security numbers, work permits, background check results.
2.2 Recruitment Data
- Applicant Information: Resumes, cover letters, education history, work experience, references.
- Application Details: Interview notes, assessment results, offer letters.
2.3 Usage Data
- Platform Activity: Login times, IP addresses, device information (e.g., browser type, operating system), and actions taken within the Platform (e.g., pages viewed, features used).
- Analytics Data: Aggregated data used to improve the Platform, such as usage patterns and error logs.
2.4 Other Data
- Any additional data provided by the Client, such as emergency contacts, training records, or time-off requests.
3. How We Collect Information
We collect personal data in the following ways:
- Directly from Clients: Clients input personal data into the Platform to manage their HR functions (e.g., employee onboarding, payroll processing).
- Automatically: We collect usage data automatically through cookies, server logs, and similar technologies when users interact with the Platform.
- From Third Parties: We may receive data from third-party integrations (e.g., payroll providers, background check vendors) as directed by the Client.
4. How We Use Information
We process personal data solely to provide the Services as instructed by the Client, including:
4.1 Platform Functionality
- Managing employee records, payroll, benefits, and performance.
- Facilitating recruitment, onboarding, and compliance processes.
- Generating reports and analytics as requested by the Client.
4.2 Support and Maintenance
- Providing technical support to resolve issues with the Platform.
- Performing maintenance, updates, and improvements to ensure the Platform operates effectively.
4.3 Security and Compliance
- Implementing security measures to protect personal data from unauthorized access, disclosure, or loss.
- Complying with legal obligations, such as responding to lawful requests from authorities.
4.4 Usage Analytics
- Analyzing usage data to improve the Platform’s performance, features, and user experience (e.g., identifying common errors or optimizing workflows). Such analytics are typically aggregated and anonymized.
We do not use personal data for marketing or any purposes unrelated to the Services unless explicitly authorized by the Client.
5. Legal Basis for Processing (GDPR Compliance)
For Clients subject to the GDPR, we process personal data as a data processor on behalf of the Client (the data controller). The Client determines the legal basis for processing, which may include:
- Contractual Necessity: Processing is necessary to fulfill employment contracts (e.g., payroll processing).
- Legitimate Interests: Processing is necessary for the Client’s legitimate interests, such as managing HR operations, provided it does not override Data Subjects’ rights.
- Legal Obligation: Processing is required to comply with labor laws, tax regulations, or other legal requirements.
- Съгласие: Where applicable, the Client may obtain consent from Data Subjects for specific processing activities (e.g., sharing sensitive data).
As a data processor, we act only on the Client’s documented instructions and in compliance with the GDPR.
6. How We Share Information
We may share personal data in the following circumstances:
6.1 With Subprocessors
- We may engage third-party subprocessors (e.g., cloud hosting providers like AWS in eu-west-1, support ticketing systems) to deliver the Services. A list of subprocessors is available upon request.
- Subprocessors are contractually bound to process personal data in compliance with this Privacy Policy and applicable laws.
6.2 With Client-Authorized Third Parties
- We may share data with third parties (e.g., payroll providers, benefits administrators) as directed by the Client through Platform integrations.
6.3 For Legal Reasons
- We may disclose personal data if required by law, court order, or government authority, or to protect our rights, property, or safety.
6.4 Business Transfers
- In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.
We do not sell personal data to third parties.
7. Data Security
We implement industry-standard technical and organizational measures to protect personal data, including:
- Шифриране: Data is encrypted in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption).
- Access Controls: Role-based access ensures only authorized personnel can access personal data.
- Monitoring and Auditing: Regular security audits and monitoring to detect and respond to threats.
- Реагиране при инциденти: In the event of a data breach, we will notify the Client within 72 hours of discovery and take steps to mitigate harm.
8. Data Retention and Deletion
- Retention: We retain personal data for as long as necessary to provide the Services or as instructed by the Client. Upon termination of the Service Agreement, we provide a 30-day period for the Client to export their data, after which we delete all Client Data from our systems, unless required to retain it by law.
- Backups: Data in backups may be retained for up to 90 days before being securely deleted.
9. Data Subject Rights
As a data processor, we assist Clients in fulfilling Data Subjects’ rights under applicable laws, such as the GDPR. These rights may include:
- Access: The right to obtain a copy of their personal data.
- Rectification: The right to correct inaccurate data.
- Erasure: The right to request deletion of their data.
- Restriction: The right to restrict processing in certain circumstances.
- Portability: The right to receive their data in a structured, machine-readable format.
- Objection: The right to object to processing based on legitimate interests.
Data Subjects should direct requests to the Client (the data controller). We will assist the Client in responding to such requests as required by law.
10. International Data Transfers
For Clients in the European Economic Area (EEA), personal data may be transferred to and processed in regions outside the EEA, such as the United States, where our subprocessors (e.g., AWS) operate. We ensure such transfers comply with GDPR requirements through:
- Standard Contractual Clauses (SCCs): We enter into SCCs with subprocessors to ensure adequate protection of personal data.
- Data Residency: Where possible, we process data within the EEA (e.g., using AWS eu-west-1 region for EEA Clients).
11. Cookies and Tracking Technologies
We use cookies and similar technologies to collect usage data and improve the Platform:
- Essential Cookies: Необходими за функционирането на Платформата (напр. управление на сесии).
- Аналитични бисквиткиИзползва се за разбиране на използването на платформата (например Google Analytics, само анонимизирани данни).
- НастройкиКлиентите могат да управляват предпочитанията си за бисквитки чрез настройките на Платформата, въпреки че деактивирането на основни бисквитки може да повлияе на функционалността.
12. Връзки към трети страни
Платформата може да съдържа връзки към уебсайтове или услуги на трети страни (например интеграции с доставчици на заплати). Ние не носим отговорност за практиките за поверителност на тези трети страни. Насърчаваме ви да прегледате техните политики за поверителност.
13. Детска поверителност
Платформата не е предназначена за използване от лица под 16-годишна възраст. Ние не събираме съзнателно лични данни от деца под 16 години.
14. Промени в тази Политика за поверителност
Можем да актуализираме тази Политика за поверителност от време на време, за да отразим промените в нашите практики или законови изисквания. Ще уведомим Клиентите за съществени промени по имейл или чрез Платформата поне 30 дни преди влизането в сила на промените. Актуализираната политика ще бъде публикувана на нашия уебсайт с нова дата на влизане в сила.
15. Контакт Us
Ако имате въпроси относно тази Политика за поверителност или нашите практики за работа с данни, или ако желаете да упражните правата си за защита на данните, моля, контакт Клиентът (Вашият работодател) като администратор на данни. За въпроси относно нашата роля като обработващ данни, можете да се свържете с нас на:
C2 Цялостна HRIS платформа
Имейл: privacy@cognitis.cloud
Длъжностно лице по защита на данните (ДЛЗД): За клиенти от ЕИП, нашият ДПО може да бъде намерен на dpo@cognitis.cloud.
📩 За въпроси или уточнения, контакт: Форма за контакт
16. Оплаквания
Ако смятате, че правата ви за поверителност са били нарушени, можете да подадете жалба до местния орган за защита на данните. За жителите на ЕИП, можете контакт надзорният орган във вашата страна (например, комисар за защита на данните в Ирландия за данни, обработвани в eu-west-1).
