Humzio

Privacy Policy

Last updated: 20 June 2026

1. Introduction

Humzio (“Humzio”, “we”, “our”, or us”) operates an HR operations platform at humzio.com (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.

By accessing or using the Service you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

2. Data Controller

Humzio Ltd is the data controller for personal data collected through the Service. When your organisation uses Humzio to manage its workforce, your organisation (the Customer”) acts as the data controller for employee personal data processed within its workspace, and Humzio acts as a data processor on its behalf.

Questions about how your employer processes your data should be directed to your employer's HR team or DPO, not to Humzio directly.

3. Data We Collect

3.1 Account and Identity Data

  • Full name and work email address
  • Job title and department
  • Profile avatar (if uploaded)
  • Two-factor authentication secret (encrypted with AES-256 Fernet at rest)

3.2 Employment Data (processed on behalf of your organisation)

  • Employment status, start date, and reporting line
  • Leave balances and leave request history
  • Attendance and time entries (hours, work location)
  • Performance review responses and ratings
  • Banking details for payroll (stored encrypted)
  • Skills, education, and certification records

3.3 Usage and Technical Data

  • IP address and user-agent at login
  • Request IDs and structured access logs
  • Session tokens (httpOnly cookie; never accessible to JavaScript)
  • Audit log entries — actor, entity, timestamp, before/after diff

3.4 Contact Form Data

If you submit a contact enquiry, we collect your name, work email, company name (optional), and message content.

4. How We Use Your Data

  • Service delivery — authenticate you, display your profile, process leave requests, generate org charts and reports.
  • Security and fraud prevention — detect suspicious login attempts, enforce rate limits, maintain the audit trail.
  • Notifications — real-time in-app and email notifications (leave decisions, review assignments, password resets, invitations).
  • Legal compliance — maintain records required by employment and tax law where applicable.
  • Service improvement — anonymised, aggregated analytics only. We do not sell your data.

5. Legal Basis for Processing

Where GDPR or UK GDPR applies, we rely on the following lawful bases:

  • Contract — processing necessary to deliver the Service under our agreement with your organisation or with you directly.
  • Legitimate interests — security monitoring, fraud prevention, audit logging, and service reliability.
  • Legal obligation — retaining records required by applicable law.
  • Consent — optional profile data (social links, certifications) you choose to provide.

6. Data Retention

We retain personal data for as long as your organisation's subscription is active and for 90 days after termination to allow data export. Audit logs are retained for 3 years to satisfy compliance obligations unless your organisation requests earlier deletion.

Individual employee data is soft-deleted when an account is deactivated. Hard deletion (GDPR erasure) is available via the organisation admin and is permanently recorded in the audit trail.

7. Data Sharing

We do not sell, rent, or trade personal data. We share data only:

  • Within your organisation — as controlled by the roles and permissions your administrator has configured.
  • Sub-processors — infrastructure providers (cloud hosting, database, object storage, SMTP relay) under data-processing agreements that bind them to equivalent protections. A current sub-processor list is available on request.
  • Legal requirements — where required by law, court order, or to protect the rights, property, or safety of Humzio or others.

8. Security

We apply defence-in-depth across the stack:

  • Encryption in transit — TLS 1.2+ for all client-server communication.
  • Encryption at rest — sensitive fields encrypted with AES-256 Fernet; passwords hashed with Argon2id.
  • Multi-tenant isolation — Postgres row-level security ensures one organisation cannot access another's data.
  • Authentication hardening — short-lived JWTs (15 min), httpOnly refresh cookies, optional TOTP 2FA, rate-limited login, and exponential lockout.
  • Audit trail — every write records actor, entity, before/after diff, and request ID.

Despite these measures, no system is perfectly secure. We encourage you to use a strong, unique password and to enable two-factor authentication.

9. Your Rights

Subject to applicable law (including GDPR and UK GDPR), you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations).
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is consent-based.

For data your employer controls, contact your HR team in the first instance. For data Humzio controls directly, use our contact form or email privacy@humzio.com. We respond within 30 days. You may also lodge a complaint with your local data-protection authority (e.g. the ICO in the UK).

10. Cookies

We use a minimal set of cookies:

  • humzio_refresh (httpOnly, Secure, SameSite=Lax) — stores your encrypted refresh token. Strictly necessary; cannot be disabled.
  • humzio_session — a non-httpOnly presence hint used by the middleware to decide whether to redirect to the login page. Contains no sensitive data.

We do not use advertising, tracking, or third-party analytics cookies.

11. Children

The Service is designed for use by organisations and their employees. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Policy from time to time. We will notify organisation administrators of material changes by email at least 14 days before they take effect. Continued use of the Service after a change constitutes acceptance of the revised Policy.

13. Contact

For privacy queries or data subject requests: