Datenschutzrichtlinie

Effective Date: May 20, 2025

C2 All-in-One HRIS Platform by Agile Futurist (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data processed through the C2 All-in-One Human Resources Information System (HRIS) Platform (“Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you or your organization (“Client”) use our Platform and Services. It also outlines your rights regarding your personal data and how to Kontakt us.

By using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.


1. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed by C2 All-in-One HRIS Platform as a data processor on behalf of our Clients, who act as data controllers under applicable data protection laws (e.g., GDPR). Personal data includes any information relating to an identified or identifiable individual (“Data Subject”), such as employees, contractors, or job applicants managed by the Client through the Platform.

This Privacy Policy does not apply to:

  • Personal data we process as a data controller for our own business purposes (e.g., marketing or customer relationship management), which is covered by our C2 All-in-One HRIS Platform General Privacy Policy (#).
  • Data processed by Clients outside the Platform.

2. Information We Collect

We process personal data on behalf of Clients as part of providing the Platform and Services. The types of personal data we may process include:

2.1 Employee Data
  • Identification Information: Name, employee ID, date of birth, gender, nationality.
  • Kontakt Information: Email address, phone number, home address.
  • Employment Information: Job title, department, hire date, employment status, salary, benefits, performance reviews, disciplinary records.
  • Compliance Information: Tax identification numbers, social security numbers, work permits, background check results.
2.2 Recruitment Data
  • Applicant Information: Resumes, cover letters, education history, work experience, references.
  • Application Details: Interview notes, assessment results, offer letters.
2.3 Usage Data
  • Platform Activity: Login times, IP addresses, device information (e.g., browser type, operating system), and actions taken within the Platform (e.g., pages viewed, features used).
  • Analytics Data: Aggregated data used to improve the Platform, such as usage patterns and error logs.

2.4 Other Data

  • Any additional data provided by the Client, such as emergency contacts, training records, or time-off requests.

3. How We Collect Information

We collect personal data in the following ways:

  • Directly from Clients: Clients input personal data into the Platform to manage their HR functions (e.g., employee onboarding, payroll processing).
  • Automatically: We collect usage data automatically through cookies, server logs, and similar technologies when users interact with the Platform.
  • From Third Parties: We may receive data from third-party integrations (e.g., payroll providers, background check vendors) as directed by the Client.

4. How We Use Information

We process personal data solely to provide the Services as instructed by the Client, including:

4.1 Platform Functionality

  • Managing employee records, payroll, benefits, and performance.
  • Facilitating recruitment, onboarding, and compliance processes.
  • Generating reports and analytics as requested by the Client.

4.2 Support and Maintenance

  • Providing technical support to resolve issues with the Platform.
  • Performing maintenance, updates, and improvements to ensure the Platform operates effectively.

4.3 Security and Compliance

  • Implementing security measures to protect personal data from unauthorized access, disclosure, or loss.
  • Complying with legal obligations, such as responding to lawful requests from authorities.

4.4 Usage Analytics

  • Analyzing usage data to improve the Platform’s performance, features, and user experience (e.g., identifying common errors or optimizing workflows). Such analytics are typically aggregated and anonymized.

We do not use personal data for marketing or any purposes unrelated to the Services unless explicitly authorized by the Client.


5. Legal Basis for Processing (GDPR Compliance)

For Clients subject to the GDPR, we process personal data as a data processor on behalf of the Client (the data controller). The Client determines the legal basis for processing, which may include:

  • Contractual Necessity: Processing is necessary to fulfill employment contracts (e.g., payroll processing).
  • Legitimate Interests: Processing is necessary for the Client’s legitimate interests, such as managing HR operations, provided it does not override Data Subjects’ rights.
  • Legal Obligation: Processing is required to comply with labor laws, tax regulations, or other legal requirements.
  • Einwilligung: Where applicable, the Client may obtain consent from Data Subjects for specific processing activities (e.g., sharing sensitive data).

As a data processor, we act only on the Client’s documented instructions and in compliance with the GDPR.


6. How We Share Information

We may share personal data in the following circumstances:

6.1 With Subprocessors
  • We may engage third-party subprocessors (e.g., cloud hosting providers like AWS in eu-west-1, support ticketing systems) to deliver the Services. A list of subprocessors is available upon request.
  • Subprocessors are contractually bound to process personal data in compliance with this Privacy Policy and applicable laws.
6.2 With Client-Authorized Third Parties
  • We may share data with third parties (e.g., payroll providers, benefits administrators) as directed by the Client through Platform integrations.
6.3 For Legal Reasons
  • We may disclose personal data if required by law, court order, or government authority, or to protect our rights, property, or safety.

6.4 Business Transfers

  • In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.

We do not sell personal data to third parties.


7. Data Security

We implement industry-standard technical and organizational measures to protect personal data, including:

  • Verschlüsselung: Data is encrypted in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption).
  • Access Controls: Role-based access ensures only authorized personnel can access personal data.
  • Monitoring and Auditing: Regular security audits and monitoring to detect and respond to threats.
  • Notfallreaktion: In the event of a data breach, we will notify the Client within 72 hours of discovery and take steps to mitigate harm.

8. Data Retention and Deletion

  • Retention: We retain personal data for as long as necessary to provide the Services or as instructed by the Client. Upon termination of the Service Agreement, we provide a 30-day period for the Client to export their data, after which we delete all Client Data from our systems, unless required to retain it by law.
  • Backups: Data in backups may be retained for up to 90 days before being securely deleted.

9. Data Subject Rights

As a data processor, we assist Clients in fulfilling Data Subjects’ rights under applicable laws, such as the GDPR. These rights may include:

  • Access: The right to obtain a copy of their personal data.
  • Rectification: The right to correct inaccurate data.
  • Erasure: The right to request deletion of their data.
  • Restriction: The right to restrict processing in certain circumstances.
  • Portability: The right to receive their data in a structured, machine-readable format.
  • Objection: The right to object to processing based on legitimate interests.

Data Subjects should direct requests to the Client (the data controller). We will assist the Client in responding to such requests as required by law.


10. International Data Transfers

For Clients in the European Economic Area (EEA), personal data may be transferred to and processed in regions outside the EEA, such as the United States, where our subprocessors (e.g., AWS) operate. We ensure such transfers comply with GDPR requirements through:

  • Standard Contractual Clauses (SCCs): We enter into SCCs with subprocessors to ensure adequate protection of personal data.
  • Data Residency: Where possible, we process data within the EEA (e.g., using AWS eu-west-1 region for EEA Clients).

11. Cookies and Tracking Technologies

We use cookies and similar technologies to collect usage data and improve the Platform:

  • Essential Cookies: Erforderlich für die Funktionsfähigkeit der Plattform (z. B. Sitzungsverwaltung).
  • Analyse-CookiesZur Analyse der Plattformnutzung (z. B. Google Analytics, nur anonymisierte Daten).
  • EinstellungenKunden können die Cookie-Einstellungen über die Einstellungen der Plattform verwalten, wobei das Deaktivieren von essentiellen Cookies die Funktionalität beeinträchtigen kann.

12. Links von Drittanbietern

Die Plattform kann Links zu Websites oder Diensten Dritter enthalten (z. B. Integrationen mit Gehaltsabrechnungsanbietern). Wir sind nicht für die Datenschutzpraktiken dieser Dritten verantwortlich. Wir empfehlen Ihnen, deren Datenschutzrichtlinien zu lesen.


13. Datenschutz für Kinder

Die Plattform ist nicht für Personen unter 16 Jahren bestimmt. Wir sammeln wissentlich keine personenbezogenen Daten von Kindern unter 16 Jahren.


14. Änderungen dieser Datenschutzerklärung

Wir können diese Datenschutzrichtlinie von Zeit zu Zeit aktualisieren, um Änderungen unserer Praktiken oder rechtlichen Anforderungen widerzuspiegeln. Wir werden Kunden mindestens 30 Tage vor Inkrafttreten von wesentlichen Änderungen per E-Mail oder über die Plattform informieren. Die aktualisierte Richtlinie wird mit dem neuen Inkrafttreten auf unserer Website veröffentlicht.


15. Kontakt Us

Wenn Sie Fragen zu dieser Datenschutzerklärung oder unseren Datenschutzpraktiken haben oder Ihre Datenschutzrechte ausüben möchten, wenden Sie sich bitte Kontakt Der Kunde (Ihr Arbeitgeber) als Verantwortlicher für die Datenverarbeitung. Für Fragen zu unserer Rolle als Auftragsverarbeiter erreichen Sie uns unter:

C2 All-in-One HRIS-Plattform
E-Mail privacy@cognitis.cloud

Datenschutzbeauftragter: Für EWR-Kunden ist unser DSG-Beauftragter erreichbar unter dpo@cognitis.cloud.

📩 Für Fragen oder Klärungen, Kontakt: Kontaktformular


16. Beschwerden

Wenn Sie glauben, dass Ihre Datenschutzrechte verletzt wurden, können Sie eine Beschwerde bei Ihrer örtlichen Datenschutzbehörde einreichen. Für Einwohner des EWR können Sie Kontakt die Aufsichtsbehörde in Ihrem Land (z. B. der Datenschutzbeauftragte in Irland für in eu-west-1 verarbeitete Daten).