Privacy Policy

• Company as Data Processor: For services provided to business clients, the subscribing entity (the Customer) acts as Data Controller, and 1stAskHR acts as Data Processor. We process Customer Data only per Customer instructions and this Policy.
• Customer as Data Controller: The Customer is responsible for establishing legal basis for processing employee data and responding to data subject rights requests.
• Direct Relationships: We act as Data Controller only for business contact information of Customer administrators used for billing and relationship management.

1. Customer Data (Provided by the Company)

   • Identity Data: Name, job title, and employee ID.
   • Contact Data: Professional email addresses and distinct login credentials.
   • HR Content: Text, files, and information related to HR queries submitted to the platform.

2. Technical and Usage Data (Automatically Collected)

   • Infrastructure Logs: Collected via Microsoft Azure and Vercel, including IP addresses, browser types, and access times. Privacy terms:Microsoft,Vercel.
   • Performance Metrics: Via Vercel Analytics for website views and impressions without cross-site tracking cookies. Privacy terms:Vercel Privacy Policy.
   • Attribution Data: Via Apollo to identify visitors arriving from prospecting campaigns. Privacy terms:Apollo Privacy Policy.
   • Usage Data: Aggregated anonymous statistics derived from service usage to improve AI models, excluding personally identifiable employee data.

3. Payment Data

   • Dodo Payments: For direct website signups, payment information is processed by Dodo Payments as Merchant of Record. We do not store full credit card details. Privacy terms:Dodo Payments Privacy Policy.
   • Microsoft/Azure: For marketplace purchases, payment data is handled by Microsoft under marketplace terms. Privacy terms:Microsoft Privacy Statement.

To provide the AI-driven Service, we use specialized third-party sub-processors. Data processing by these entities is governed by their respective privacy terms.

• Primary Storage: Customer Data is stored and processed on Microsoft Azure servers located in the United States.
• Safeguards: For users in the EU or UK, transfers to the United States or India are protected by appropriate safeguards (for example, Standard Contractual Clauses) as required by GDPR.

1. Retention Period

   We retain Customer Data only as long as the Customer maintains an active subscription or as required by law.

2. 30-Day Grace Period

   • Account Termination: After subscription termination or valid data deletion request, 1stAskHR applies a 30-day grace period.
   • Permanent Purge: During this window, data remains soft-deleted. After 30 days, it is permanently purged from active systems and cannot be recovered.

3. Data Portability

   Automated data portability tools are not currently offered. For manual exports (for example GDPR portability requests), emailsupport@1staskhr.com.

• Prohibition: Uploading, inputting, or processing Protected Health Information (PHI) as defined by HIPAA or similar sensitive medical data is prohibited.
• Liability: We do not monitor for PHI and assume no liability for unauthorized disclosure when PHI is uploaded in violation of this Policy.

• Encryption: Data is encrypted at rest and in transit using security protocols supported by Microsoft Azure.
• Access Control: Access to Customer Data by staff is limited to authorized personnel for support and maintenance.
• Safety Filters: AI safety filters are used to reduce generation of discriminatory or hateful content.

Authorized Users (employees) should contact their employer (the Customer / Data Controller) to exercise applicable rights.

• Right of Access and Rectification: Access and correct personal data.
• Right to Erasure: Request deletion of personal data (subject to retention and grace period terms).
• Right to Restrict Processing: Request limits on how personal data is processed.