Trust Center
Legal Resources at Bob
Pento Privacy Policy

Pento Privacy Policy

Last Updated: April 18, 2024

This policy explains how we look after your information when you visit our website, if your employer uses Pento to assist with their payroll and organise the payment of your salary or if you’re a key contact employed by an existing or prospective Pento customer. 

It explains what information we collect about you, what we use it for and who we share it with. It also explains your rights and what to do if you have any concerns.

We sometimes need to make changes to this policy, to reflect changes in the way we do business or updates in the law. We will notify you of any important changes before they take effect. 

If you have any questions about this privacy policy you can contact us at contact@pento.io

1.Who we are and other Important Information

1.1 We are the Pento group (Pento, we, use or our) which is made up of the following companies:

Pento ApS, a company incorporated in Denmark (company number 37959383) with its registered office at Amaliegade 6. 2. tv., DK – 1256 Copenhagen K, Denmark. 

Pento Services Limited a company incorporated in England and Wales (company number 12311368) with its registered office at 1 Chapel Street, Warwick, CV34 4HLUnited Kingdom, and Information Commissioner’s Office (ICO) registration number ZA761531.

Pento Payroll Services Limited a company incorporated in Ireland (company number 693348) with its registered office at Penthouse Floor, 5 Lapps Quay, Cork, T12 RW7D, Ireland.

HiBob Group, as further detailed here – HiBob Group Subsidiaries

1.2 Our customers are employers located in Europe and the United Kingdom who use Pento to simplify their payroll processes. Our customers create an online profile for their business on the Pento platform and upload their employee information (such as the employee’s name, working hours and annual salary etc). As part of the registration process, the customer also can open an account with a nominated payment service provider (PSP) so that funds can easily transfer from the business account to the various payees (whether the employees themselves, or relevant tax authorities and pension providers). The customer also has the choice to integrate Pento with other suppliers that they use which are relevant to the payroll process (such as accounting platforms and HR software). 

1.3 If you are a website visitor or a key contact working for an existing or prospective Pento customer, Pento is the controller for your information (which means we decide what information we collect and how it is used). Key contacts are individuals that are either the person given login credentials to the Pento platform by our customer or we identify as a decision maker within the organisation. 

1.4 If you are an employee of a Pento customer using our payroll support service, Pento is the processor for your information and our customer is the controller (which means we must follow the instructions they give us). 

2.The information we collect about you

2.1 Personal data means any information which can (or could be used) to identify a living person. We have grouped together the types of personal data that we collect and where we receive it from below: 

  1. Key Contacts
Personal DataReceived from
identity information – full name, job title, name of your employeryou our customer
contact details – email address, telephone number, LinkedIn profileyou our customer
feedback – information and responses you provide when completing surveys or questionnairesyou

marketing – marketing preferences, preferred method of communication, how you interact with any marketing communications you receive from usyou you (via cookies and similar technologies)
enquiry information – any additional information you provide when you submit an enquiry form on our website, use our website chat function, contact us via social media, submit a helpdesk ticket or otherwise contact usyou
platform account information (if you have login credentials to our platform) – username, password, information about your activity on our platform, including audit logs, download errors, times and dates of log-in.you you (via cookies and similar technologies)
  1. Employees
Personal DataReceived from
identity information – full name, date of birth, home address, email, phone numberour customer
employment information – employment status, job title, name of employer, employment start date, employment end date (if applicable) our customer
financial information – salary, bonus and benefit entitlement, pension contribution, bank account details, national insurance information, PAYE reference numberour customer
special category information – this type of personal data is designated as especially sensitive because it results in a higher risk to you if it is misused. Pento does not intentionally collect special category data but it may be inferred from types of payment that are made (for example, statutory sickness pay)our customer
  1. Website visitors
Personal DataReceived from
identity information – full name, email, phone number you
employment information – name of employer, any information provided through the Support functionyou
technical information – internal protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system and platform on the devices you use to access our systemsyou (via cookies and other similar technologies)
Usage information – information about how you use our systemsyou (via cookies and other similar technologies

2.2 Sometimes we anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so that it becomes aggregated data. Aggregated data helps us identify trends (e.g. most viewed webpage on our website, average number of employees per customer). Data protection law does not apply to the use of aggregated data and the legal rights described below do not apply to it.

3.How we use your information

3.1 Under European and UK data protection law, Pento must identify a legal justification (also known as a lawful basis) whenever we collect and use your personal data. The lawful bases that Pento rely on to use your personal data are:

  1. our legitimate interests (our justifiable business aims) but only if our interests are not outweighed by your other rights and freedoms (e.g. your right to privacy)
  2. to comply with a legal obligation that we have; and
  3. to do something that you have given your consent for.

3.2 The table below sets out the lawful basis we rely on to use your personal data. If we plan to use your personal data for a new reason that is not listed in the table, we will update our privacy policy and let you know.

PurposesJustification
Identify prospective customers and send correspondence to their key contactsLegitimate interests (necessary to promote our business activities)
Taking steps to enter into a contract with our customerLegitimate interests (necessary to conclude our contract and obtain contact details of key contacts)
Assist PSP carry out anti-money laundering checks on our customer (and their shareholders and directors)Legitimate interests (necessary to fulfil the terms of the contract between Pento and our customer, as Pento coordinates transfers to payees on customer payroll from the PSP account)
Responding to enquiries and requests for supportLegitimate interests (for prospective customers, necessary to provide information about our services and promote our business) Legitimate interests (for customers, necessary to fulfil the terms of the contract between Pento and our customer)
Administering and protecting our platform, services and systemsLegitimate interests (necessary to provide our services, monitor and improve network security and prevent fraud)  
Provide insight about how our platform, website and services are being usedLegitimate interests (necessary to identify areas for improvement and inform service development, including the type of content we publish in the future)
Sending marketing communications by emailConsent (where you are an individual) Legitimate interest (where your email address belongs to a corporate entity)
Introducing you to a third party that you have agreed to be introduced to for the purpose of you conducting business with that third party

Consent (where you are an individual)
Legitimate interest (where your email address belongs to a corporate entity)

Asking you to participate in surveys and other types of feedbackLegitimate interest (necessary for us to improve our platform and services)
Processing payment for our services and collecting and recovering monies owed to PentoLegitimate interests (necessary to fulfil the terms of the contract between Pento and our customer)
Issuing, responding or defending legal claimsLegitimate interest (to defend our business against and respond to legal claims)
Notifying you about changes to our privacy policyLegal obligation (necessary to comply with our obligations under data protection law).

4.Marketing

4.1 If you work for a Pento customer or you are a key contact, we market on a business-to-business basis – so we make sure we only ever send marketing communications to work contact details. You can unsubscribe at any time. 

4.2 Pento uses CRM and marketing tools from third party providers to help us deliver and monitor the communication we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which help us understand what content that recipient appears to be interested in and allow us to personalise the content of future of our messages.

4.3 Pixels (which are a similar technology to cookies) within those emails enable us to see:

  1. if the email was opened
  2. where the device opening the email was located (based on the device’s IP address)
  3. the type of email service (e.g. Outlook) that was used 
  4. if the email (or its content) were shared on social media
  5. if the email was flagged as spam

5.Who we share your information with

5.1 We share your personal data with:

  1. our staff: Pento employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
  2. other entities in the Pento group: as a group of companies, the different Pento entities share information internally. We have a legal mechanism in place to ensure the safe transfer of information between our entities and employees.
  3. your employer: all our customers are required to agree to the Pento Terms and Conditions and our Data Processing Agreement which sets out the information we share with them as part of our services.
  4. the chosen PSP: for our service to work, our customers must open an account with a regulated PSP to facilitate the transfer of monies to their various payees. Pento and our customer each have a separate contract with the PSP which sets out our data protection obligations. When our customer agrees to the Pento Terms and Conditions, they authorise us to communicate with and instruct the PSP to transfer funds on their behalf. The PSPs act as a controller because they use your personal data for their own purposes (e.g. to comply with their legal obligations as an organisation regulated by a financial services regulator). For further information about how your chosen PSP uses personal data, you should read their privacy policy. 
  5. other suppliers used by your employer: Pento offers integrations with our platform which means that our service can seamlessly connect with existing suppliers used by our customer. This means that any personal data uploaded to our platform can transfer to those other systems. Our Data Processing Agreement includes an obligation which requires our customers to have an agreement in place with its suppliers that contains any necessary clauses related to their use of personal data.
  6. Pento suppliers: we use other organisations to help us provide our services (such as hosting our IT infrastructure, providing analytics insight, technical support, marketing, customer records management, collecting feedback, security monitoring and payment services). We ensure these organisations only have access to the information required to provide the support we use them for and we have a contract with them that contains confidentiality and data protection obligations.
  7. third parties linked to our website: where you click a link on our website which transfers you to a third-party website (such as LinkedIn, Facebook or Twitter), depending on your cookie settings and the option you selected on our cookie banner, some information may be transferred to those third parties.
  8. third party partners: where you agree to be introduced to partners for the purpose of making the introduction and managing the relationship following such introduction.
  9. regulatory authorities: such as national tax authorities (such as HM Revenue & Customers in the UK)
  10. our professional advisors: such as our accountants or legal advisors where we require specialist advice to help us conduct our business.
  11. any actual or potential buyer of our business

5.2 If Pento were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. If we are the processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).

6.Where your information is located or transferred to

6.1 We only transfer information outside of the UK or European Economic Area where we have a valid legal mechanism in place (to make sure your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g. by using contracts approved by the European Commission or the UK Secretary of State).

6.2 If you would like to know more about the specific legal mechanism we have in place, please contact us at contact@pento.io

7.How we keep your information safe

7.1 We put in place security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

  1. access controls and user authentication
  2. internal IT and network security 
  3. regular testing and review of our security measures
  4. staff policies and training
  5. incident and breach reporting processes
  6. making regular back-up copies of information
  7. business continuity and disaster recovery processes

7.2 If there is a security incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

7.3 If you notice any unusual activity on your account (or believe your account has been otherwise compromised) please let us know by emailing us at contact@pento.io

8.How long we keep your information

8.1 If you are a customer employee, at the end of our contractual relationship with our customer we offer our customer the option of downloading the information before we delete it from our systems. We may keep your personal data for up to 3 months from the date that our contract ends if we do not receive an instruction to delete it, but after that time period expires we always delete your personal data. 

8.2 For key contacts, we keep your information until you ask us to remove your details from our records or we are informed that you no longer work for that organisation.

8.3 If you browse our website, we keep analytical information collected by cookies (and similar technologies) for up to 2 years.

8.4 We may, in rare circumstances, keep your information for longer than the periods stated above. We only do this if we have a very good reason (for example, because we need to respond to a legal claim) and where possible we will notify you if this is the case.

9.Your legal rights

9.1 You have specific legal rights in relation to your personal data. If you want to make any of the legal requests below, you can contact us at contact@pento.io

9.2 It is usually free for you to exercise your rights and we aim to respond within 1 month (although we may ask you if we can extend this deadline up to a maximum of 2 months if your request is particularly complex or we receive multiple requests at once).

9.3 We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens we will always inform you in writing.

9.4 We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive.

9.5 We do not respond directly to requests which relate to personal data where Pento acts as the processor. In this situation, we forward your request to the relevant controller (usually our customer) and await their instruction before we take any action.

9.6 You have the legal right to:

Legal rightWhat you are entitled to
Access to your personal dataYou must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law
Have your personal data correctedYou can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
Have your personal data deletedYou can ask us to delete or remove your personal data if there is no good reason for us to continuing holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
Restrict the way Pento uses your personal dataYou can ask us to restrict how we use your personal data and temporarily limit the way we use it (e.g. whilst you check that the personal data we hold for you is correct)
Object to the way Pento uses your personal dataYou can object to us using your personal data if you want us to stop using it. We always comply with your request if you ask us to stop sending you marketing communications but in other cases, we decide whether we will continue. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
Ask Pento to transfer your personal data to another organisationYou can ask us to send you or another organisation an electronic copy of your personal data.
To complain to a data protection regulatorYou are always free to complain to a regulator if you are unhappy with the way Pento collects or uses your personal data, but we hope we can help answer any questions or worries you have before it reaches that stage. You can always contact us at contact@pento.io

Otherwise the most relevant regulators for Pento are: the Danish Data Protection Agency in Denmark the ICO in the UK the Data Protection Commission in Ireland

10.How we use cookies

10.1 Our website and platform use cookies and similar technologies (such as beacons and pixels). For information about what cookies are and how we use them, and to accept or reject certain types of cookies, please click the shield symbol in the bottom right corner of the window.