Effective as of February 2022.
Who we are and what we do?
We at Hi Bob Limited (together with its affiliated companies – “HiBob“, “we“, “our” or “us“) develop and operate a human resources management platform (the “Platform“) that helps companies streamline core HR processes (the “Customer” or “your organization”).
The responsibility for establishing the appropriate legal basis and complying with any laws and regulations applicable to a data controller with respect to your personal data, lies with your organization – which may have additional privacy notices explaining its own specific privacy practices, in which case, we encourage you to read them.
If you have any questions or requests which pertain to your personal data processed by us on behalf of your organization, we suggest that you contact the account administrator for your organization’s account (“Admin”).
We respect your privacy, and are strongly committed to making our practices regarding your personal data transparent and fair.
We collect certain types of personal data regarding our Users as deemed relevant by your organization. Such data is typically generated through your interaction with the Platform, from other Users at your organization, or from third parties as may be instructed by your organization (including Service Providers, defined in Section 4 below).
Specifically, we collect the following categories of personal data:
User Data received from you: When you sign up to the Platform and create your individual profile (“User Profile”), you provide us with personal data. This may include your name, gender and position, contact details (such as e-mail, phone and address), account login details (e-mail address and passwords which are automatically hashed), image, as well as any other data your organization deemed required for your use of the Platform. If your organization uses Single-Sign-On integration, we may receive other details you might have listed there (collectively “Profile Data”).
Once you are logged in to the Platform, you (your organization or other Users in your organization) may submit additional details and documentation about you – each depending on the requirements set by your organization. This could include your government-issued ID or national security number, information and documentation concerning your employment, compensation and benefits, family status and details on your dependents and emergency contacts, bank account details, investment preferences and plans, and other information you or your organization choose to submit in order to further and more fully utilize the different features of the Platform (collectively and together with Profile Data, “User Data”).
Data automatically collected or generated: When you interact with the Platform, we may collect, record or generate certain technical data about you. We do so either independently or with the help of third-party Service Providers (as defined in Section 4 below), including through the use of “cookies” and other tracking technologies (as detailed in Section 5 below).
Such data consists of connectivity, technical and aggregated usage data, such as IP addresses and general locations, device and application data (like type, operating system, browser version, locale and language settings used), date and time stamps of usage, the cookies and pixels installed or utilized on such device and the recorded activity (sessions, clicks and other interactions) of Users in connection with our Service (collectively: “Usage Data”).
Data concerning service integrations: If, when using the Platform, you or your Admin choose to integrate your organization’s account with a third-party service (and such service is supported by our Platform), we will connect and integrate that third-party service to the Platform. The third-party provider of this integration may receive certain relevant data about or from your organization’s account (including User Data) or share certain relevant data from your account on their service with our Platform, depending on the nature and purpose of such integration. It is the responsibility of your organization to ensure that the privacy practices of such integration meet your organizations’ privacy standards.
Note that we do not receive or store your passwords for any of these third-party services (but do typically require your organization’s API key in order to integrate with them). If you do not wish your personal data to be shared with such third-party service(s), please contact your Admin.
Time and Attendance Module: Your organization may choose to utilize the optional Time and Attendance module, which provides an easy way for managing time attendance through the Platform, including by punching a clock and entering a time log to the Platform by using a geo-fencing technology indicating when a User has entered into a certain predefined geographical perimeter (“Auto Clock In”). In such case, should you use the Auto Clock In feature, certain limited geolocation information may be retained by us – however, this will never be the precise geolocation of the User or of their mobile device when it is outside the pre-defined perimeter. At your organization’s discretion, it may select to use the Time and Attendance module without the Auto Clock In feature, or configure it as “optional” for its Users, in which case you may switch it on or off via the “Settings” tab.
COVID-19 Vaccination Status feature (COVID-19 tracker): Your organization may choose to utilize the optional COVID-19 Vaccination Status feature, which provides a convenient way for you to share proof of your COVID-19 vaccination, negative test result, or recovery from COVID-19 with your organization, to the extent applicable laws permit or require such proof to be provided by employees. Your organization is solely responsible for establishing an appropriate legal basis and for complying with any applicable laws and regulations concerning its use of the COVID-19 tracker, which may vary between jurisdictions from time to time.
YourVoice Module: Your organization may choose to utilize the optional YourVoice module, which allows a secure and anonymous reporting mechanism of concerns related to workplace misconduct and/or harassment (“YV”). By using YV, your organization will be providing details of an appointed internal team member who is equipped to handle such claims (name, email, position in the organization and photo) (“Rep”). Please be aware that the information of such Rep may be maintained even after said Rep is no longer an employee of your organization for the purposes of maintaining a record of a claim submitted through YV.
If a User chooses to report any workplace misconduct and/or harassment via YV, such reporting individual will be requested to provide their non-organizational, personal e-mail address (which will be encrypted to ensure anonymization and that the report remains anonymized) for which any correspondence from the Rep on such matter will be received as well as a description of the claim and the category type of such claim (“YV Data”). YV Data shall also include a timestamp for the correspondence sent by and between the reporting User and the Rep. Your organization may choose to archive a specific case which has been reported once the case is closed and may either set an automatic deletion of closed and/or archived cases or may manually delete a particular case submitted via YV.
In general terms, your organization may use our Platform to process your personal data in order to better manage its human resources and employee benefits, to track workflows and individual performance, and to cultivate interpersonal relationships within the organization.
HiBob may process your User and Usage Data as is necessary for the performance of our services and to facilitate, operate, and maintain the Platform (all in accordance with the instructions provided to us by your organization in their role of data controller); to comply with our legal and contractual obligations; providing customer service and technical support; and protecting and securing our Users, Customers, ourselves and our Platform.
We do not sell your personal information for the intents and purposes of the California Consumer Privacy Act (CCPA).
Data Location: Your personal data may be maintained, processed, accessed and stored by us and our authorized Service Providers (defined in Section 4 below) in different locations.
HiBob maintains offices in the EU, UK, US, Israel and Australia. Your personal data may be accessed from any of those locations (or other locations as reasonably necessary for the Platform’s activity) by HiBob employees tasked with handling your organization’s data. Such access usually occurs in the course of providing your organization with customer support, technical assistance, etc.
The Service Providers we use to process your personal data on behalf of your organization, deemed as our “Sub-Processors”, are typically located in the EU, however, HiBob may use Sub-Processors in other locations as reasonably necessary for our activity. A list of our current Sub-Processors is available here.
For data transfers from the EU to countries which are not considered to be offering an adequate level of data protection, we and our relevant Service Providers have entered into Standard Contractual Clauses as approved by the European Commission.
Data Retention: We retain your personal data on behalf of your organization and in accordance with their instructions. We may retain some of your personal data after the termination of our engagement with your organization to the extent reasonably necessary to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, etc.), all in accordance with our agreements with relevant Customers, applicable laws and where applicable, our retention policy.
Please note that except as required by applicable law or our specific agreements with your organization, we will not be obligated to retain your personal data for any particular period, and we are free to securely delete, anonymize or restrict access to it for any reason and at any time, with or without notice to you.
If you have any questions about our data retention practices, please contact your Admin or your organization.
Legal Compliance: In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (i) we are legally compelled to do so; (ii) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (iii) such disclosure is required to protect the security or integrity of our products and services.
Service Providers: We may engage selected third-party companies and individuals to perform services complementary to our own. Such service providers include hosting and server co-location services, communications and content delivery networks (CDNs), data and cyber security services, fraud detection and prevention services, web analytics, e-mail distribution, remote access services, performance measurement, e-mail, support and customer relation management systems, and any other relevant services (collectively, “Service Providers“).
These Service Providers may have access to your personal data, each depending on their specific roles and purposes, and may only use it for such limited purposes as determined in our agreements with them.
Sharing Personal Data with our Customers, their Users and service providers: We may share your personal data with your organization (including data and communications concerning your User Profile). In such cases, sharing such data means that the account’s Admin(s) may access it on behalf of your organization, and will be able to monitor, process and analyze your personal data. Your Admin can determine that your User Profile (or parts of it) will be made available to other Users on the same account. If your organization adds any of its service providers to the Platform, then such service providers may also have access to your User Profile, and possibly to your User Data as well (depending on the privileges you or your organization grant them).
Please note that any personal data you submit to any area in the Platform may be accessed, copied or processed by your organizations’ Admin(s), and that HiBob is not responsible for and does not control any further disclosure, use or monitoring by or on behalf of your organization.
For the avoidance of doubt, HiBob may share your personal data in additional manners, pursuant to your organizations’ or your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal and anonymous. We may transfer, share or otherwise use non-personal data at our sole discretion and without the need for further approval.
Service Communications: We may contact you with important information regarding our Platform. For example, we may send you notifications (through any of the means available to us) of log-in attempts or password reset notices. Your organization and other Users on the same account, may also send you notifications, messages and other updates regarding their or your use of the Platform. You can control your communications and notifications settings from your User Profile settings. However, please note that you will not be able to opt-out of receiving certain service communications which are integral to your use (like password resets).
In order to protect your personal data held with us, we are using industry-standard physical, procedural and technical security measures, including encryption as appropriate. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or with any third parties as described in Section 4 above. To learn more, please visit https://www.hibob.com/security/.
You may have certain rights under any applicable law, including the EU General Data Protection Regulation (GDPR) – such as the right to request access to, and rectification or erasure of your personal data held with HiBob, or to restrict or object to such personal data’s processing, or to port such personal data, or the right to equal services and prices (each to the extent available to you under the laws which apply to you). Should you wish to exercise your rights or make any request or query with regard to personal data we process on your organization’s behalf, please contact your organization’s Admin directly.
Certain data protection laws and regulations, such as the GDPR, typically distinguish between two main roles for parties processing Personal Data: the “Data Controller”, who determines the purposes and means of processing; and the “Data Processor”, who processes the data on behalf of the Data Controller. Below we explain how these roles apply to us.
Your organization is the Data Controller of the personal data uploaded or submitted to the Platform. HiBob processes such data as the Data Processor on behalf of your organization, in accordance with its reasonable instructions and subject to our Terms, our Data Processing Addendum and any other commercial agreements we may have with your organization.
Your organization is responsible for meeting any legal requirements applicable to Data Controllers. If you would like to make any requests or queries regarding our processing of your personal data on behalf of your organization, please contact your Admin directly.