Privacy Policy

Last updated: March 2026

1. Introduction

Staffora Ltd ("Staffora", "we", "us", or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, store, and share information when you use the Staffora HRIS platform (the "Service").

This policy applies to all users of the Service, including organisation administrators, employees whose data is managed within the platform, and visitors to our website. By using the Service, you agree to the practices described in this policy.

This Privacy Policy should be read alongside our Terms of Service, which govern your use of the platform.

2. Information We Collect

2.1 Account Information

When you create an account or are invited to join an organisation on Staffora, we collect information necessary to set up and maintain your account, including:

  • Full name
  • Email address
  • Company or organisation name
  • Job title
  • Phone number (optional)
  • Account preferences and settings

2.2 HR Data (Customer Data)

Organisations using Staffora upload and manage employee records within the platform. This HR data may include:

  • Employee names and contact information
  • Employment history and position details
  • Compensation and payroll data
  • Benefits enrolment and selections
  • Performance reviews and evaluations
  • Training records and certifications

This data is owned by the customer organisation and is processed by Staffora strictly in accordance with the Terms of Service (Section 5). We act as a data processor on behalf of the customer, who remains the data controller.

2.3 Usage Data

We collect anonymized and aggregated data about how the Service is used. This includes:

  • Pages and features accessed
  • Navigation patterns
  • Time spent on different areas of the platform

Usage data is used solely to improve the Service and is never linked back to identifiable individuals.

2.4 Device & Technical Information

When you access the Service, we automatically collect certain technical information for security and troubleshooting purposes:

  • Browser type and version
  • Operating system
  • IP address
  • Device identifiers
  • Approximate geographic location (derived from IP address)

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service — to operate, maintain, and deliver the features of the Staffora platform
  • Improving the Platform — to analyse usage patterns and develop new features, improvements, and optimisations
  • Transactional Communications — to send account-related notifications such as password resets and security alerts
  • Security Monitoring — to detect, prevent, and respond to security incidents, fraud, or abuse
  • Customer Support — to respond to your enquiries and resolve technical issues
  • Legal Compliance — to comply with applicable laws, regulations, and legal processes

We do not use your personal information for advertising. We do not sell your data.

4. Data Storage & Security

Protecting your data is fundamental to our business. We implement industry-standard security measures across every layer of the platform:

  • Encryption — all data is encrypted at rest using AES-256 and in transit using TLS 1.3
  • Multi-Tenant Isolation — customer data is logically separated using PostgreSQL Row-Level Security (RLS), ensuring no organisation can access another's data
  • Security Audits — we conduct regular penetration testing and security assessments
  • Compliance — we are actively pursuing SOC 2 Type II certification
  • Data Residency — customers can select their data residency region (United States or European Union) during initial setup

5. Data Sharing

We do not sell your personal information or HR data. We may share information only in the following limited circumstances:

  • Infrastructure Providers — cloud hosting and infrastructure services that are contractually bound to protect your data and process it only on our behalf
  • Community Platforms — collaboration tools such as GitHub used for issue tracking and community contributions
  • Email Service — transactional email providers used solely for delivering account-related communications
  • Legal Requirements — we may disclose information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others

6. Data Retention

We retain your data according to the following schedule:

  • Active accounts — data is retained for as long as your account or organisation remains active
  • After termination — following account termination, you have a 30-day window to export your data. After this period, all customer data is permanently deleted from our primary systems. Backups containing your data are purged within 90 days
  • Audit logs — retention is configurable per organisation, with a default retention period of 7 years to meet regulatory requirements
  • Anonymized data — aggregated, anonymized usage data that cannot be linked to individuals may be retained indefinitely for analytical purposes

7. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate or incomplete data
  • Deletion — request that we delete your personal data, subject to legal retention obligations
  • Portability — receive your data in a structured, commonly used, machine-readable format
  • Restrict Processing — request that we limit how we use your data in certain circumstances
  • Object — object to our processing of your personal data where we rely on legitimate interests

To exercise any of these rights, please contact us at contact@staffora.co.uk. We will respond to your request within 30 days.

Employees: If your employer uses Staffora to manage your HR data, please direct any data access or deletion requests to your employer in the first instance, as they are the data controller for your employment records.

California residents (CCPA): You have the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. As stated above, we do not sell personal information. To exercise your CCPA rights, contact contact@staffora.co.uk.

8. Cookies

We use cookies and similar technologies on the Service as follows:

  • Essential cookies — session management, CSRF protection, and user preferences. These are always set and are necessary for the Service to function
  • Analytics cookies — privacy-focused analytics to understand usage patterns. These are only set with your consent

We do not use advertising or tracking cookies. We do not share cookie data with third-party advertisers.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that information as quickly as possible.

If you believe we may have collected information from a child, please contact us at contact@staffora.co.uk.

10. International Data Transfers

Staffora operates globally, and your data may be transferred to and processed in countries other than your own. When we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — we use EU-approved SCCs for cross-border data transfers
  • Data Processing Agreements — all sub-processors are bound by DPAs that require equivalent levels of data protection
  • Data Residency Options — customers can choose their preferred data residency region to ensure data remains within their jurisdiction

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.

For material changes that significantly affect how we handle your personal information, we will provide at least 30 days' notice via email to account holders before the changes take effect. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with your local data protection authority if you believe your personal information has been handled in a way that does not comply with applicable data protection law.