Privacy Policy

Okanlaw HR (“Okanlaw HR,” “we,” “us,” or “our”) operates a cloud-based HR and CRM management platform (the “Service”). For the purposes of applicable data protection law, Okanlaw HR acts as the data controller for information you provide when creating your account and using the Service, and as a data processor for personal data about third parties (e.g., your employees) that you upload to the platform.

For any privacy inquiries or data subject requests, please contact us at [email protected].

2.1 Information You Provide Directly

• Account Information: your name, work email address, password, company name, and role when you register for an account.
• Profile Information: profile photo, phone number, job title, and timezone preferences.
• Employee & HR Data: employee records including names, contact details, employment dates, salaries, leave balances, advance requests, and any documents you upload on behalf of your organisation.
• Billing Information: your billing address and payment method details. Note that full card numbers are handled directly by Stripe and are not stored on our servers.
• Communications: messages, feedback, or support requests you send to us.

2.2 Information Collected Automatically

• Usage Data: pages visited, features used, timestamps, click interactions, and session duration.
• Device & Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and referring URLs.
• Authentication Logs: login timestamps, session tokens, and security events (e.g., two-factor authentication usage).
• Location Data: approximate geolocation derived from your IP address, used for session display and fraud prevention. If you grant permission, more precise location data may be used to update your session information.

2.3 Information from Third-Party Services

• Google Account Data: when you connect your Google account, we receive your Google email address, name, profile picture, and OAuth access tokens. We also receive calendar event data from Google Calendar, as described in Section 4.
• Stripe: we receive limited transaction information from Stripe, such as payment status and subscription identifiers, but not full card numbers.

We use the information we collect for the following purposes:

3.1 Providing and Improving the Service

• Creating and managing your account and workspace.
• Processing HR operations such as leave requests, payroll records, and employee management.
• Synchronising and displaying your Google Calendar events within the Service.
• Sending in-app, email, and push notifications about workflow events (e.g., leave approvals, meeting reminders).
• Diagnosing technical issues and improving Service performance and reliability.

3.2 Billing & Subscriptions

• Processing payments and managing your subscription through Stripe.
• Sending billing receipts, subscription confirmations, and renewal reminders.
• Preventing fraud and verifying payment information.

3.3 Communication

• Responding to your support requests and inquiries.
• Sending important account and service notifications (e.g., security alerts, Terms updates).
• Sending product updates, newsletters, and promotional communications, where you have opted in or where permitted by law. You may opt out at any time.

3.4 Security & Compliance

• Detecting, preventing, and responding to fraud, abuse, and security threats.
• Enforcing our Terms of Use and Acceptable Use Policy.
• Complying with applicable legal obligations.

3.5 Analytics

• Understanding how the Service is used in aggregate to guide product development.
• We use anonymised and aggregated data where possible for analytics purposes.

4.1 What Google Data We Access

When you choose to connect your Google account to Okanlaw HR, we request access to the following Google API scopes:

• Google Calendar (read/write): to display your calendar events within the Okanlaw HR calendar view, create new calendar events on your behalf (e.g., for scheduled meetings), and sync leave or work events.
• Calendar List (read): to retrieve a list of your Google Calendars so you can choose which calendars to display.
• Basic Profile (email & profile): to identify your connected Google account and display your name and email within the integration settings.

4.2 How We Use Google Data

Google user data accessed through Google APIs is used solely for the purposes described above — specifically, to power the Google Calendar integration feature within Okanlaw HR. We do not use Google user data for:

• advertising or marketing to you or any third party;
• selling or transferring to third parties for any purpose;
• training machine learning models or AI systems;
• any purpose unrelated to providing the Google Calendar integration feature within the Service.

4.3 Storage of Google Credentials

OAuth access tokens and refresh tokens issued by Google are stored in encrypted form in our database (Firebase Firestore with Google Cloud security rules). These tokens are used exclusively to make authorised API calls on your behalf. We do not store your Google password.

4.4 Revoking Google Access

You can disconnect your Google account from Okanlaw HR at any time from Settings → Integrations or from your HR Calendar view. You may also revoke access directly from your Google Account permissions page. Upon disconnection, we delete your stored Google OAuth tokens from our systems within 24 hours.

4.5 Human Access to Google Data

Access to Google user data by Okanlaw HR personnel is limited to cases where it is necessary to investigate a technical issue reported by you, and only with your consent. Such access is logged and subject to our internal data handling procedures.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under one of the following legal bases:

• Performance of a Contract (Art. 6(1)(b) GDPR): processing necessary to provide the Service to you, including account management, HR features, billing, and integrations.
• Legitimate Interests (Art. 6(1)(f) GDPR): processing for fraud prevention, security, improving the Service, and sending transactional communications where our interests are not overridden by your rights.
• Consent (Art. 6(1)(a) GDPR): where you explicitly consent, such as when connecting your Google account or opting in to marketing emails. You may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c) GDPR): where we are required to retain or disclose data by law.

Where you upload personal data about your employees or other individuals (as a data controller), you are responsible for ensuring you have a valid legal basis for processing that data.

We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:

6.1 Service Providers

We work with trusted third-party service providers who process data on our behalf under strict confidentiality and data processing agreements:

• Google LLC (Firebase, Google Cloud, Google APIs): infrastructure, database, authentication, and calendar integration.
• Stripe, Inc.: payment processing and subscription management.

6.2 Within Your Organisation

Workspace Admins within your organisation can access employee profiles, HR records, and activity logs for the users in their workspace. Access levels are configurable through role-based permissions within the Service.

6.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we reasonably believe that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or illegal activity; or (d) protect the safety of users or the public.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on our Service prior to your data being transferred and becoming subject to a different privacy policy.

6.5 With Your Consent

We may share your information with other parties where you have given us your explicit consent to do so.

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically:

• Account data: retained for the duration of your subscription. Upon account deletion, active data is removed within 30 days.
• Billing records: retained for up to 7 years for financial and tax compliance purposes.
• Security and audit logs: retained for up to 12 months.
• Google OAuth tokens: deleted within 24 hours of disconnecting your Google account.
• Support communications: retained for up to 3 years to resolve disputes or recurring issues.
• Anonymised analytics data: may be retained indefinitely as it does not identify you personally.

After the applicable retention period, data is securely deleted or anonymised.

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest within our Firebase/Google Cloud infrastructure.
• Firestore security rules restricting data access to authenticated and authorised users only.
• Two-factor authentication (2FA) available and encouraged for all accounts.
• Role-based access controls (RBAC) limiting employee data access to authorised personnel.
• Regular security reviews and access auditing of our internal systems.
• OAuth tokens stored with restricted database access rules.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

We use cookies and similar technologies to operate and improve the Service. The types of cookies we use include:

• Strictly Necessary Cookies: required for authentication, session management, and basic Service functionality. These cannot be disabled.
• Preference Cookies: remember your settings such as language, timezone, and UI preferences.
• Analytics Cookies: help us understand how the Service is used (e.g., which features are most used) to improve the experience. We use anonymised data where possible.

You can control non-essential cookies through your browser settings. However, disabling certain cookies may affect the functionality of the Service. We do not use cookies for third-party advertising.

Depending on your location, you may have the following rights regarding your personal data:

10.1 Rights for All Users

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete personal data.
• Deletion: request deletion of your personal data, subject to our legal retention obligations.
• Data Portability: export your data in a machine-readable format using the in-app export feature, or request it from us.
• Opt-out of Marketing: unsubscribe from marketing emails at any time via the unsubscribe link in any email, or by contacting us.
• Disconnect Google: revoke Google Calendar access at any time from Settings → Integrations.

10.2 Additional Rights for EEA / UK Users (GDPR / UK GDPR)

• Right to Restrict Processing: request that we limit how we use your data in certain circumstances.
• Right to Object: object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: you have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

10.3 Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling certain requests.

Okanlaw HR operates using infrastructure provided by Google Cloud (Firebase), which may process and store your data in data centres located in the United States and other countries. When data is transferred from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

Our third-party payment processor, Stripe, Inc., is also a US-based company and processes data in accordance with its own privacy commitments and applicable transfer mechanisms.

The Service is intended for use by businesses and professionals and is not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe we may have collected information from a child, please contact us at [email protected].

The Service may contain links to third-party websites, services, or integrations (including Google, Stripe, and others). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with our platform:

• Google Privacy Policy
• Stripe Privacy Policy

We are not responsible for the privacy practices or content of any third-party service.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email and/or by posting a prominent notice within the Service at least 14 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

For EEA residents wishing to lodge a complaint with a supervisory authority, you can find your local Data Protection Authority at edpb.europa.eu.