Trust Center
Legal Resources at Bob
Privacy Policy for End Users

Privacy Policy for End Users

Effective as of April, 2024.

Who we are and what we do?

We at Hi Bob Limited (together with its affiliated companies – “HiBob“, “we“, “our” or “us“) develop and operate a human resources management platform (the “Platform“) that helps companies streamline core HR processes (the “Customer” or “your organization”).

This Privacy Policy for End Users describes our privacy practices with respect to our Customers’ employees, staff and/or any individuals using the Platform on behalf of the Customer (“User”, “you” or “your”), and describes the ways in which the Customer typically handles via the Platform identified or identifiable data (“personal data” or “personal information”) relating to you.

As further explained in Section 9 below, the responsibility for complying with any legal requirements applicable to a “Data Controller” with respect to your personal data processed by us, lies with our Customer. In other words, your personal data is provided to us in the framework of our relationship with your organization and we are not responsible for its privacy practices. Your organization may have additional privacy notices explaining its own specific privacy practices, in which case, we encourage you to read them.

Note that this Policy does NOT cover our handling of personal data of individuals who engage with HiBob’s assets outside the platform, like our website visitors and business contacts. It also does not apply to our processing of personal data of individuals registered on the Platform as a Customer’s account administrator (“Admin”) or as the focal point for a Customer’s recruiting activities within the Platform’s Hiring Module (“Recruiter”), specifically in their roles as Admin or Recruiter. In these instances, we act as a Data Controller. To learn more about how we handle the personal data of such individuals, please visit our Privacy Policy.

If you have any questions or requests which pertain to your personal data processed by us on behalf of your organization, we suggest that you contact your organization’s Admin directly.

Specifically, this Privacy Policy for End Users describes our practices regarding –

  1. Data Collection
  2. Data Uses
  3. Data Location and Retention
  4. Data Disclosures
  5. Cookies and Tracking Technologies
  6. Service Communications
  7. Data Security
  8. Your Privacy Rights
  9. Roles & Responsibilities
  10. Additional Notices & Contact Details

We respect your privacy, and are strongly committed to making our practices regarding your personal data transparent and fair.

This Privacy Policy for End Users forms part of our End Users Terms of Use. Please read it carefully and make sure that you fully understand and agree to it.

1. Data Collection

We collect certain types of personal data regarding our Users as deemed relevant by your organization. Such data is typically generated through your interaction with the Platform, from other Users at your organization, or from third parties as may be instructed by your organization (including Service Providers, defined in Section ‎4 below).

Specifically, we collect the following categories of personal data:

User Data Received from You: When you sign up to the Platform and create your individual profile (“User Profile”), you provide us with personal data. This may include your name, gender and position, contact details (such as e-mail, phone and address), account login details (e-mail address and passwords which are automatically hashed), image, as well as any other data your organization deemed required for your use of the Platform. If your organization uses Single-Sign-On integration, we may receive other details you might have listed there (collectively “Profile Data”).

Once you are logged in to the Platform, you, your organization or other Users in your organization may submit additional details and documentation about you – each depending on the requirements set by your organization. This could include your government-issued ID or national security number, information and documentation concerning your employment, compensation and benefits, family status and details on your dependents and emergency contacts, bank account details, investment preferences and plans, and other information you or your organization choose to submit in order to further and more fully utilize the different features of the Platform (collectively and together with Profile Data – “User Data”).

Data Automatically Collected or Generated: When you interact with the Platform, we may collect, record or generate certain technical data about you. We do so either independently or with the help of third-party Service Providers (as defined in Section 4 below), including through the use of “cookies” and other tracking technologies (as detailed in Section ‎5 below).

Such data consists of connectivity, technical and aggregated usage data, such as IP addresses and general locations, device and application data (like type, operating system, browser version, locale and language settings used), date and time stamps of usage, the cookies and pixels installed or utilized on such device and the recorded activity (sessions, clicks and other interactions) of Users in connection with our Service (collectively – “Usage Data”).

OPTIONAL MODULES AND OFFERINGS

Time and Attendance Module:Your organization may choose to utilize the optional Time and Attendance module, which provides an easy way for managing time attendance through the Platform, including by punching a clock and entering a time log to the Platform by using a geo-fencing technology indicating when a User has entered into a certain predefined geographical perimeter (“Auto Clock In”). In such case, should you use the Auto Clock In feature, certain limited geolocation information may be retained by us. However, this will never be the precise geolocation of the User or of their mobile device when it is outside the pre-defined perimeter. At your organization’s discretion, it may select to use the Time and Attendance module without the Auto Clock In feature, or configure it as “optional” for its Users, in which case you may switch it on or off via the “Settings” tab.

Hiring Module: Your organization may choose to utilize the optional Hiring Module, which provides your organization a convenient way to streamline its recruiting processes. The recruiting manager(s) designated by your organization to serve as a Recruiter within the Hiring Module may assign you as the hiring manager for a specific job recruitment process, grant you access to the personal data of applicants considered for that role, and/or disclose your contact details as the relevant contact person when creating job postings on third-party platforms for job vacancies at your organization. Your organization is solely responsible for establishing an appropriate legal basis and for complying with any applicable laws and regulations concerning its use of the Hiring Module. To learn more about our privacy practices relating to the Hiring Module, please visit the Bob Hiring Privacy Notice for Applicants.

YourVoice Module: Your organization may choose to utilize the optional YourVoice module, which allows a secure and anonymous reporting mechanism of concerns related to workplace misconduct and/or harassment (“YV”). By using YV, your organization will be providing details of an appointed internal team member who is equipped to handle such claims (name, email, position in the organization and photo) (“Rep”). Please be aware that the information of such Rep may be maintained even after said Rep is no longer an employee of your organization for the purposes of maintaining a record of a claim submitted through YV.

If a User chooses to report any workplace misconduct and/or harassment via YV, such reporting individual will be requested to provide their non-organizational, personal e-mail address (which will be encrypted to ensure anonymization and that the report remains anonymized) for which any correspondence from the Rep on such matter will be received as well as a description of the claim and the category type of such claim (“YV Data”). YV Data shall also include a timestamp for the correspondence sent by and between the reporting User and the Rep. Your organization may choose to archive a specific case which has been reported once the case is closed and may either set an automatic deletion of closed and/or archived cases or may manually delete a particular case submitted via YV.

Benchmarking Offering:Your organization may choose to utilize the optional benchmarking offering, which allows it to gain valuable insights by comparing its talent management metrics with those of other companies. This offering utilizes specific metrics within the Platform that are anonymized and aggregated for each Customer, ensuring that no individual User can be identified. These metrics are then pooled to form a comprehensive benchmarking scale which includes anonymous and aggregated data across multiple Customers (“Benchmarking Data”). For instance, if your organization conducts eNPS (Employer Net Promoter Score) surveys through the Platform to measure its employees’ job satisfaction, the collective score of all employees will be shared with HiBob quarterly. We will gather similar data across multiple Customers, allowing your organization to compare its eNPS score with others and enhance its HR strategies accordingly. While your organization is ultimately responsible for establishing any required legal basis to access the benchmarking offering, please note that HiBob has appropriate measures in place to maintain the anonymity of your data.

For the purposes of the California Consumer Privacy Act (“CCPA”), Usage Data as defined above includes Identifiers (such as IP address); Internet or other Electronic Network Activity Information; and Geolocation Information. In the past 12 months, we have collected the above-listed categories of personal information. We do not use or disclose sensitive personal information as defined by the CCPA beyond what is necessary to provide our Platform and related services.

In any event, personal data processed via any of our modules and offerings will only be processed by HiBob on behalf of your organization – our Customer, in accordance with your organizations’ instructions and as further agreed upon in our mutually executed Data Processing Addendum, any other agreements between us and your organization, and this Privacy Policy for End Users

2. Data Uses

In general terms, your organization may use our Platform to process your personal data in order to better manage its human resources and employee benefits, to track workflows and individual performance, and to cultivate interpersonal relationships within the organization. HiBob may process your User Data and Usage Data as is necessary for the performance of our services and to facilitate, operate, and maintain the Platform (all in accordance with the instructions provided to us by your organization in its role as a Data Controller); to comply with our legal and contractual obligations; providing customer service and technical support; and protecting and securing our Users, Customers, ourselves and our Platform.

We do not sell nor share your personal information for the intents and purposes of the CCPA.

3. Data Location & Retention

Data Location: HiBob maintains offices in the EU, UK, US, Israel, Canada and Australia. Your personal data may be accessed from any of those locations (or other locations as reasonably necessary for the Platform’s activity) by HiBob’s employees tasked with handling your organization’s data. Such access usually occurs in the course of providing your organization with customer support, technical assistance, and similar services.

The Service Providers (defined in Section 4 below) we use to process your personal data on behalf of your organization, deemed as our “Sub-Processors”, are typically located in the EU. However, HiBob may use Sub-Processors in other locations as reasonably necessary for the Platform’s activity. A list of our current Sub-Processors (including locations) is available here.

For transfers of personal data originating from the European Economic Area (EEA), the UK, or Switzerland to countries that are not considered as offering an adequate level of data protection based on adequacy decisions published by the European Commission (and associated), the UK, and Switzerland (as relevant), we and the relevant data exporters and importers have entered into standard contractual clauses as approved by the European Commission (available here), the UK (available here), or Switzerland. For data transfers to countries that have been recognized to be providing an adequate level of data protection, we rely on such adequacy findings regarding the level of data protection offered by the recipient country.

Data Retention: We retain your personal data on behalf of your organization and in accordance with its instructions. We may retain some of your personal data after the termination of our engagement with your organization to the extent reasonably necessary to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, etc.), all in accordance with our agreements with the relevant Customer, applicable laws and our data retention policy.

Please note that except as required by applicable law or our specific agreements with your organization, we will not be obligated to retain your personal data for any particular period, and we are free to securely delete, anonymize or restrict access to it for any reason and at any time, with or without notice to you.

If you have any questions about our data retention practices, please contact your organization’s Admin.

4. Data Disclosures

Service Providers: We engage selected third-party companies and individuals to perform services complementary to our own. Such service providers include providers of services such as hosting and server co-location, communications and content delivery networks (CDNs), data and cyber security, fraud detection and prevention, web analytics, e-mail distribution, remote access, performance measurement, e-mail, support and customer relation management systems, and any other relevant services (collectively, “Service Providers“). These Service Providers may have access to your personal data and may utilize artificial intelligence, generative artificial intelligence or similar technologies, each depending on their specific roles and purposes, and may only use it for such limited purposes as determined in our agreements with them, subject to the approval of your organization’s Admin or as authorized by your organization.

Customers and other Users: Your personal data may be disclosed to your organization (including data and communications concerning your User Profile). In such cases, disclosing such data means that the account’s Admin(s) may access it on behalf of your organization, and will be able to monitor, process and analyze your personal data. Your organization’s Admin can determine that your User Profile (or parts of it) will be made available to other Users on the same account. If your organization adds any of its service providers to the Platform, then such service providers may also have access to your User Profile, and possibly to your User Data as well (depending on the privileges you, your Admin, or your organization grant them).

Please note that any personal data you submit to any area in the Platform may be accessed, copied or processed by your organizations’ Admin(s), and that HiBob is not responsible for and does not control any further disclosure, use or monitoring by or on behalf of your organization.

Service Integrations: Your organization’s Admin or Recruiter may choose to connect your organization’s account with third-party services that are supported by our Platform. In such cases, the provider of such integrated third-party service may receive certain relevant data about or from your organization’s account (including User Data), or disclose certain relevant data from your organization’s account on their service to our Platform, depending on the nature and purpose of such integration. Please be aware that it is the responsibility of your organization to ensure that the privacy practices of such integration meet your organizations’ privacy standards. We do not receive or store your personal password for any such third-party services, but do typically require your organization’s API key in order to integrate with them. If you do not wish your personal data to be disclosed to such third-party service(s), please contact your organization’s Admin.

Legal Compliance: In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (i) we are legally compelled to do so; (ii) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (iii) such disclosure is required to protect the security or integrity of our products and services.

Protecting Rights and Safety: We may disclose your personal data to others if we believe in good faith that this will help protect the rights, property, or safety of HiBob, any of our Users or Customers, or any members of the general public.

HiBob Subsidiaries and Affiliated Companies: We may disclose personal data internally within our group, for the purposes described in this Privacy Policy for End Users.

For the avoidance of doubt, HiBob may disclose your personal data in additional manners, pursuant to your organizations’ or your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal and anonymous. We may transfer, disclose or otherwise use non-personal data at our sole discretion and without the need for further approval.

In the past 12 months, we may have disclosed to the third parties listed above the following CCPA-defined categories of personal information: Identifiers; Internet or other Electronic Network Activity Information; and Geolocation Information.

5. Cookies and Tracking Technologies

Our Platform (including some of our Service Providers) utilizes “cookies” – anonymous identifiers, pixels, container tags and similar technologies in order to perform certain activities. Such cookies and similar files or tags may also be temporarily placed on your device. Such cookies are used only as is necessary for the Platform to work properly (for example: cookies that authenticate User login to the Platform). We may use certain anonymous identifiers to analyze your organization’s overall usage and/or activity on the Platform to improve our services and offering to our Customers (e.g., we use cookies to learn which parts of the Platform perform better). Where cookies on the Platform contain personal data, such data forms part of the Usage Data as defined in Section 1 above. To learn more about our practices concerning cookies and tracking, please see our Cookie Policy

6. Service Communications

We may contact you with important information regarding our Platform. For example, we may send you notifications (through any of the means available to us) of log-in attempts or password reset notices. Your organization and other Users on the same account, may also send you notifications, messages and other updates regarding their or your use of the Platform. You can control your communications and notifications settings from your User Profile settings. However, please note that you will not be able to opt-out of receiving certain service communications which are integral to your use (like password resets).

7. Data Security

In order to protect your personal data held with us, we are using industry-standard physical, procedural and technical security measures, including encryption as appropriate. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or with any third parties as described in Section 4 above. To learn more, please visit https://staging.hibob.com/security/.

8. Your Privacy Rights

You may have certain rights under the laws that apply to you, including the EU or UK General Data Protection Regulation (GDPR), the CCPA or other US state privacy laws – such as the right to know or request access to specific pieces of personal data collected, categories of data collected and sources from whom it was collected, as well as the purposes of collecting it and categories of third parties to whom it was disclosed; the right to request rectification or erasure of your personal data held with HiBob; the right to restrict the processing of such data and to object to its processing; the right to port such personal data; or the right to equal services and prices (e.g., freedom from discrimination). Should you wish to exercise your rights or make any request or query with regard to personal data we process on your organization’s behalf, please contact your organization’s Admin directly.

9. Roles & Responsibilities

Certain data protection laws and regulations, such as the GDPR or the CCPA, typically distinguish between two main roles for parties processing personal data: the “Data Controller” (or under the CCPA, “business”), who determines the purposes and means of the processing; and the “Data Processor” (or under the CCPA, “service provider”), who processes the data on behalf of the Data Controller (or “business”). Below we explain how these roles apply to the provision of our Platform, to the extent that such laws and regulations apply.

Your organization is the Data Controller (or “business”) of the personal data uploaded or submitted to the Platform. HiBob processes such data as the Data Processor (or “service provider”) on behalf of your organization, in accordance with its reasonable instructions and subject to our Terms, the Data Processing Addendum mutually executed by us and your organization, or any other commercial agreements we may have in place with your organization.

Your organization is responsible for meeting any legal requirements applicable to a Data Controller. If you would like to make any requests or queries regarding our processing of your personal data on behalf of your organization, please contact your organization’s Admin directly.

HiBob assumes the role of Data Controller (solely to the extent applicable under law) with regard to your Usage Data and Benchmarking Data (as those terms are defined in Section 1 above), and with regards to the processing of personal data relating to Admins and Recruiters in their roles as Admin or Recruiter, and our website visitors, prospects and business contacts, as further elaborated in our Privacy Policy.

10. Additional Notices & Contact Details

External Links: While our Platform may contain links to other websites or services or provide integrations of third-party solutions, we are not responsible for their privacy practices. We encourage you to pay attention when you leave our Platform for the website or application of such third parties, and to read the privacy policies of each and every website and service you visit. This Privacy Policy for End Users applies only to Users using our Platform.

Additional Questions: If you have any comments or questions regarding this Privacy Policy for End Users, please contact the Admin of your organization or HiBob’s support at the following link, or our Data Protection Officer at dpo@hibob.com.

You can find our old Privacy Policy terms here.