PEOPLEFUSION HR SYSTEM
PRIVACY POLICY
Last Updated: November 19, 2025
1000215419 Ontario Ltd., operating as PeopleFusion ("PeopleFusion," "we," "us," or "our"), is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you use our human resources management system and related services (the "Services").
This Privacy Policy applies to personal information we collect through our Services, including information about employees, contractors, job applicants, and other individuals whose data is processed through our platform. If you are a customer organization using our Services, this Privacy Policy describes our data processing practices. Your organization may have its own privacy policies that apply to how it collects and uses personal information.
BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS.
1. SCOPE AND APPLICATION
1.1 Who This Policy Applies To
This Privacy Policy applies to:
Customer organizations that subscribe to and use our Services ("Customers")
Employees, contractors, and authorized users of Customer organizations who access the Services ("End Users")
Individuals whose personal information is processed through the Services ("Data Subjects")
Visitors to our website and individuals who interact with our marketing communications
1.2 Our Role as Data Processor
When Customers use our Services to process personal information about their employees and other individuals, PeopleFusion acts as a data processor (or service provider) on behalf of the Customer, who acts as the data controller. This means we process personal information according to our Customers' instructions and for their purposes. Customers remain responsible for complying with applicable privacy laws regarding the personal information they control.
1.3 Our Role as Data Controller
For certain activities, such as marketing, website analytics, and our own business operations, PeopleFusion acts as a data controller and determines the purposes and means of processing personal information. This Privacy Policy describes how we handle personal information in our capacity as both a data controller and data processor.
1.4 Applicable Laws
We comply with applicable privacy and data protection laws, including:
Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
General Data Protection Regulation (GDPR) - European Union and United Kingdom
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - United States
Other applicable national and regional data protection laws in countries where we operate or where our Customers are located
2. KEY DEFINITIONS
For purposes of this Privacy Policy:
"Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, identification numbers, location data, online identifiers, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
"Sensitive Personal Information" means personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, sex life or sexual orientation, or information about criminal convictions and offences.
"Processing" means any operation performed on personal information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, combination, blocking, erasure, or destruction.
"Customer Data" means all personal information and other data submitted to the Services by or on behalf of our Customers.
"Data Subject" means an identified or identifiable natural person to whom personal information relates.
3. PERSONAL INFORMATION WE COLLECT
3.1 Information Provided by Customers
When Customers use our Services, they provide us with personal information about their employees and other individuals, which may include:
Employee Master Data:
Full name, preferred name, employee ID
Date of birth, age, gender
Nationality, citizenship status, work authorization
Contact information (email, phone, address)
Emergency contact details
Employment Information:
Job title, position, department, division
Employment start date, end date, employment status
Manager and reporting relationships
Work location, office assignment
Work schedule, time and attendance records
Compensation and Payroll Data:
Salary, wages, hourly rate, pay grade
Bonuses, commissions, incentive payments
Bank account details for direct deposit
Tax identification numbers, social insurance numbers
Payroll deductions, garnishments, benefits enrollment
Sensitive Personal Information:
Health and medical information (for benefits administration)
Disability status and accommodation requests
Race, ethnicity, veteran status (for diversity and compliance reporting)
Background check results, criminal records (where permitted by law)
Performance and Development Data:
Performance reviews and ratings
Goals and objectives
Training and certifications
Skills and competencies
Documents and Files:
Profile photographs
Identification documents
Contracts and employment agreements
Other documents uploaded by Customers
3.2 Information We Collect Automatically
When you use our Services, we automatically collect certain technical information:
Device information: IP address, browser type and version, operating system, device identifiers
Usage data: Pages viewed, features accessed, time spent on pages, clickstream data
Authentication data: Login credentials, authentication method, login history, last login timestamp
Location data: General geographic location based on IP address
Cookies and similar technologies: Session cookies, persistent cookies, web beacons, local storage
3.3 Information From Customer Administrators
When Customer administrators set up and manage accounts, we collect:
Account holder information (name, email, phone, job title)
Company information (company name, address, industry, size)
Billing and payment information (processed through secure payment providers)
Configuration preferences and custom field definitions
3.4 Information From Third-Party Sources
We may receive personal information from:
Third-party integrations and APIs that Customers authorize
Implementation partners and consultants working on behalf of Customers
Background check providers (when authorized by Customers)
Public sources and data enrichment services (for business contacts only)
4. HOW WE USE PERSONAL INFORMATION
4.1 Processing on Behalf of Customers
When acting as a data processor, we use Customer Data only as instructed by the Customer and for the following purposes:
Providing and maintaining the Services
Processing, storing, and managing employee data
Enabling workflow approvals and automated processes
Generating reports and analytics as requested by Customers
Facilitating communication between users within the Services
Enforcing role-based access controls and permissions
Maintaining audit trails and compliance records
Backing up and recovering data
Complying with legal obligations applicable to us as a processor
4.2 Our Own Business Purposes
When acting as a data controller, we use personal information for:
Service Operations:
Account creation and management
User authentication and access control
Billing and payment processing
Customer support and technical assistance
Service Improvement:
Analyzing usage patterns and trends
Developing new features and functionality
Testing and quality assurance
Optimizing performance and user experience
Security and Fraud Prevention:
Detecting and preventing security incidents
Investigating suspicious activity
Enforcing our Terms and Conditions
Protecting against fraud and abuse
Communication:
Sending service announcements and updates
Responding to inquiries and support requests
Providing training and educational resources
Notifying about security incidents or system maintenance
Marketing (with consent where required):
Sending promotional materials about our Services
Conducting market research and surveys
Personalizing marketing communications
Legal Compliance:
Complying with legal obligations
Responding to lawful requests from authorities
Establishing, exercising, or defending legal claims
Conducting audits and compliance assessments
4.3 Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA) and United Kingdom, we process personal information based on the following legal grounds:
Contractual necessity: Processing is necessary to perform our contract with Customers
Legitimate interests: Processing is necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security
Legal obligations: Processing is necessary to comply with legal requirements
Consent: Where required by law, we obtain explicit consent for processing, particularly for marketing and certain types of sensitive personal information
5. HOW WE SHARE PERSONAL INFORMATION
5.1 Sharing with Service Providers
We share personal information with third-party service providers who perform services on our behalf, including:
Cloud hosting providers (including Hetzner for infrastructure services)
Data storage providers (including object storage services for employee images and documents)
Payment processors and billing services
Customer support and helpdesk platforms
Email and communication service providers
Analytics and monitoring services
Security and fraud prevention services
Professional services firms (legal, accounting, auditing)
These service providers are contractually obligated to use personal information only for the purposes of providing services to us and are required to maintain appropriate security measures and confidentiality.
5.2 Sharing Within Customer Organizations
Personal information in the Services is shared with authorized users within Customer organizations based on role-based access controls and permissions configured by the Customer. Customers control who within their organization can access specific employee data.
5.3 Business Transfers
If we are involved in a merger, acquisition, asset sale, financing, liquidation, bankruptcy, or other business transaction, personal information may be disclosed or transferred to potential or actual acquirers, successors, or assignees. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.
5.4 Legal Requirements and Protection of Rights
We may disclose personal information when required by law or when we believe disclosure is necessary to:
Comply with legal obligations, court orders, or lawful government requests
Enforce our Terms and Conditions and other agreements
Protect our rights, property, or safety, or those of our users or the public
Detect, prevent, or respond to fraud, security incidents, or technical issues
Establish, exercise, or defend legal claims
5.5 With Your Consent
We may share personal information with third parties when we have obtained your consent to do so, such as when you authorize integrations with third-party applications or services.
5.6 Aggregated and De-identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This includes statistical data, benchmarking information, and industry insights derived from aggregated Customer Data. Such information is not considered personal information.
6. INTERNATIONAL DATA TRANSFERS
6.1 Global Operations
PeopleFusion is based in Canada and operates globally. We serve customers in Canada, the United States, the United Kingdom, Spain, India, the United Arab Emirates, Saudi Arabia, Qatar, Egypt, France, Switzerland, and other countries. As a result, personal information may be transferred to, stored in, and processed in countries outside of your country of residence, including countries that may not provide the same level of data protection as your home country.
6.2 Data Storage Locations
Customer Data is primarily stored in data centers operated by our infrastructure provider, Hetzner, in locations as specified in the service agreement with each Customer. Customers may select their preferred data storage region, subject to availability.
6.3 Transfer Mechanisms
When transferring personal information internationally, we implement appropriate safeguards, including:
Standard Contractual Clauses approved by the European Commission for transfers from the EEA
UK International Data Transfer Agreement (IDTA) for transfers from the UK
Adequacy decisions recognizing that certain countries provide adequate data protection
Other legally approved transfer mechanisms as applicable
6.4 Data Processing Agreement
For Customers subject to GDPR or other data protection laws requiring data processing agreements, we provide a separate Data Processing Agreement (DPA) that includes Standard Contractual Clauses and details our obligations as a data processor.
7. DATA SECURITY
7.1 Security Measures
We implement comprehensive technical and organizational security measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
Technical Safeguards:
Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest using AES-256 encryption
Secure authentication mechanisms including multi-factor authentication
Firewall protection and intrusion detection systems
Regular security vulnerability assessments and penetration testing
Access Controls:
Role-based access control (RBAC) system
Principle of least privilege for all access
Multi-tenancy enforcement with Company ID segregation
Regular access reviews and permission audits
Monitoring and Logging:
Comprehensive audit trails of all data access and modifications
Real-time security monitoring and alerting
Logging of authentication attempts and user activities
Automated anomaly detection
Data Backup and Recovery:
Regular automated backups of all Customer Data
Encrypted backup storage
Tested disaster recovery procedures
Business continuity planning
7.2 Organizational Safeguards
Confidentiality agreements with all employees and contractors
Regular security awareness training for all personnel
Background checks for employees with access to Customer Data
Incident response procedures and security breach protocols
Regular security policy reviews and updates
7.3 Security Incident Notification
In the event of a security incident that affects personal information, we will notify affected Customers and, where required by law, Data Subjects and regulatory authorities without undue delay and within the timeframes required by applicable law. We will provide information about the nature of the incident, the personal information affected, and the measures taken to address the incident.
7.4 Limitations
While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of personal information. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.
8. DATA RETENTION AND DELETION
8.1 Retention Periods
We retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:
Customer Data: Retained while the Customer maintains an active subscription and for thirty (30) days following termination, unless a longer retention period is requested or required by law
Account information: Retained for the duration of the customer relationship and for a reasonable period thereafter to address potential disputes or legal obligations
Audit logs: Retained for a minimum period as required by applicable law and our security policies, typically seven (7) years
Backup data: Retained in accordance with our backup retention policy, typically thirty (30) to ninety (90) days
Marketing communications: Retained until you opt out or we determine the information is no longer needed
8.2 Deletion Upon Termination
When a Customer terminates their subscription, we provide a thirty (30) day grace period during which the Customer may retrieve their data. After this period, we securely delete or anonymize Customer Data from our production systems. Data in backups will be deleted in accordance with our standard backup retention schedule.
8.3 Legal Holds
Notwithstanding the above retention periods, we may retain personal information when required by law, court order, or to establish, exercise, or defend legal claims. We will retain such information only for as long as necessary for these purposes.
8.4 Secure Deletion Methods
When deleting personal information, we use secure deletion methods appropriate to the storage medium, including cryptographic erasure, secure overwriting, and physical destruction of storage media where applicable. Deleted data cannot be recovered or reconstructed.
9. YOUR RIGHTS AND CHOICES
9.1 Rights for All Individuals
Subject to applicable law, you have the following rights regarding your personal information:
Right to Access:
You have the right to request access to the personal information we hold about you and to receive information about how we process it.
Right to Correction:
You have the right to request correction of inaccurate or incomplete personal information.
Right to Deletion:
You have the right to request deletion of your personal information, subject to certain legal exceptions such as legal obligations to retain data.
Right to Object:
You have the right to object to processing of your personal information for certain purposes, including marketing.
Right to Data Portability:
You have the right to receive personal information you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller.
9.2 Additional Rights for EEA and UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights:
Right to restriction of processing: You may request that we restrict processing of your personal information in certain circumstances
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority
9.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it
Right to delete: You have the right to request deletion of personal information, subject to certain exceptions
Right to opt out of sale/sharing: You have the right to opt out of the sale or sharing of your personal information (we do not sell or share personal information)
Right to correct: You have the right to request correction of inaccurate personal information
Right to limit use of sensitive personal information: You have the right to limit our use of sensitive personal information
Right to non-discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights
9.4 Rights for Canadian Residents (PIPEDA)
Under Canadian privacy law (PIPEDA), you have rights including:
Right to access: You have the right to know what personal information we hold about you
Right to accuracy: You have the right to challenge the accuracy and completeness of your information and have it amended
Right to file a complaint: You have the right to file a complaint with the Privacy Commissioner of Canada
9.5 How to Exercise Your Rights
To exercise any of the rights described above:
For End Users: Contact your employer or the Customer organization that uses our Services on your behalf. As a data processor, we can only respond to requests made through our Customers.
For Customer account holders and contacts: Email us at [Insert privacy email address] or use the privacy request form in your account settings
For website visitors: Email us at [Insert privacy email address]
We will respond to verified requests within the timeframes required by applicable law (generally 30-45 days). We may need to verify your identity before processing your request. We will not discriminate against you for exercising your rights.
9.6 Marketing Communications
You may opt out of receiving marketing communications from us by clicking the "unsubscribe" link in any marketing email, adjusting your communication preferences in your account settings, or contacting us at [Insert privacy email address]. Please note that even if you opt out of marketing communications, we may still send you transactional and administrative messages related to the Services.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. We use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to provide, improve, protect, and market our Services.
10.2 Types of Cookies We Use
Essential Cookies:
Required for the Services to function properly. These cookies enable core functionality such as security, authentication, and session management. Without these cookies, the Services cannot function properly.
Functional Cookies:
Remember your preferences and settings, such as language preference, time zone, and display options. These cookies enhance your user experience.
Analytics Cookies:
Help us understand how visitors interact with our Services by collecting information about usage patterns, pages visited, and features used. We use this information to improve our Services.
Marketing Cookies:
Track visitors across websites to display relevant advertisements and measure the effectiveness of marketing campaigns. We only use marketing cookies with your consent where required by law.
10.3 Third-Party Cookies
Some cookies are placed by third-party services that appear on our pages. We use the following types of third-party services:
Analytics services (e.g., Google Analytics) to analyze usage and improve our Services
Advertising platforms (with consent where required) for targeted advertising
Customer support tools for chat and helpdesk functionality
10.4 Managing Cookies
You can control cookies through:
Cookie consent banner: When you first visit our website, you can accept or reject non-essential cookies
Cookie preferences: You can update your cookie preferences at any time through the cookie settings link in the footer of our website
Browser settings: Most browsers allow you to refuse cookies or delete cookies. Please note that disabling cookies may affect the functionality of the Services
Opt-out tools: You can opt out of interest-based advertising through industry opt-out pages such as the Digital Advertising Alliance (DAA) or Network Advertising Initiative (NAI)
10.5 Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we provide you with choices about cookies and tracking as described above.
11. CHILDREN'S PRIVACY
Our Services are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at [Insert privacy email address]. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete such information.
Our Services are designed for use in employment contexts and may process personal information about employees who are under 18 years old (such as junior employees or apprentices) when provided by our Customers. In such cases, the Customer is responsible for obtaining any necessary consents from parents or legal guardians as required by applicable law.
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.
If we make material changes that significantly affect your rights, we will provide notice through one or more of the following methods: (a) email notification to the address associated with your account; (b) a prominent notice within the Services; (c) a notice on our website; or (d) other appropriate means. Material changes will take effect 30 days after such notice, unless otherwise required by law.
Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Services and contact us to terminate your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.
13. CONTACT INFORMATION AND COMPLAINTS
13.1 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
1000215419 Ontario Ltd. (PeopleFusion)
Privacy Officer
Email: [Insert your privacy email address]
Website: [Insert your website URL]
Mailing Address: [Insert your business address]
13.2 Filing a Complaint
We are committed to resolving privacy concerns. If you believe we have not complied with this Privacy Policy or applicable privacy laws, please contact us first using the contact information above. We will investigate your complaint and respond within a reasonable timeframe.
If you are not satisfied with our response, you have the right to lodge a complaint with the applicable data protection authority:
Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
European Union: Your national data protection authority (supervisory authority list available at edpb.europa.eu)
United Kingdom: Information Commissioner's Office (ico.org.uk)
Other jurisdictions: Contact your local data protection authority
14. ADDITIONAL DISCLOSURES FOR SPECIFIC JURISDICTIONS
14.1 California Residents - CCPA/CPRA Disclosures
Categories of Personal Information Collected:
We collect the following categories of personal information: identifiers (name, email, etc.); commercial information; employment information; financial information; geolocation data; electronic network activity; professional information; education information; characteristics of protected classifications; and inferences drawn from the above.
Business Purposes for Collection:
We collect and use personal information for business purposes as described in Section 4 of this Privacy Policy.
Sale or Sharing of Personal Information:
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Retention:
We retain personal information as described in Section 8 of this Privacy Policy.
14.2 EEA and UK Residents - GDPR Disclosures
Data Controller:
For personal information processed as described in this Privacy Policy, 1000215419 Ontario Ltd. is the data controller. For Customer Data, the Customer is the data controller and we are the data processor.
Legal Bases:
We process personal information based on the legal bases described in Section 4.3 of this Privacy Policy.
International Transfers:
We use Standard Contractual Clauses approved by the European Commission for international transfers as described in Section 6 of this Privacy Policy.
Your Rights:
Your rights are described in Section 9.2 of this Privacy Policy.
BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.


