1. Introduction
HR Handbook ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and service at hrhandbook.co.uk (the "Service").
We are a data controller under UK GDPR and the Data Protection Act 2018. This policy complies with these regulations.
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly, including:
- Account Information: Name, email address, company name, password (hashed)
- Company Information: Company details, branding preferences, persona selection
- Handbook Content: Policies, custom content, variable values you input
- Compliance Check Data: Documents you upload for compliance checking
- Communication Data: Messages you send to us, feedback, support requests
2.2 Automatically Collected Information
We automatically collect certain information when you use our Service:
- Usage Data: Pages visited, features used, time spent, click patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Log Data: Access times, error logs, performance metrics
- Cookies and Tracking: See our Cookie Policy section below
3. How We Use Your Information
We use your information for the following purposes:
3.1 Service Provision
- Create and manage your account
- Provide handbook creation and customisation tools
- Publish and host your handbooks
- Process compliance checks and analysis
- Send service-related communications
3.2 Legal Basis (UK GDPR)
We process your data based on:
- Contract: To perform our contract with you (providing the Service)
- Legitimate Interests: Service improvement, security, fraud prevention
- Consent: Where you have given explicit consent (e.g., marketing emails)
- Legal Obligation: To comply with legal requirements
3.3 Other Uses
- Respond to your inquiries and provide support
- Send important service updates and notifications
- Improve and develop our Service
- Prevent fraud and ensure security
- Comply with legal obligations
- Analyse usage patterns (anonymised and aggregated)
4. Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following circumstances:
4.1 Service Providers
We use trusted third-party service providers who process data on our behalf:
- Supabase: Database and authentication services (EU-based)
- OpenAI: AI analysis for compliance checking (US-based, with appropriate safeguards)
- Email Services: For sending transactional and service emails
- Hosting Providers: Vercel and other infrastructure providers
All service providers are contractually obligated to protect your data and use it only for specified purposes.
4.2 Legal Requirements
We may disclose your information if required by law or to:
- Comply with legal processes or government requests
- Enforce our Terms & Conditions
- Protect our rights, property, or safety
- Prevent fraud or security issues
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
5. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit (HTTPS/TLS) and at rest
- Secure authentication and password hashing
- Regular security assessments and updates
- Access controls and authentication requirements
- Secure data centres with physical security
- Regular backups and disaster recovery procedures
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
6. Data Retention
We retain your personal data for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Maintain published handbooks (if you choose to keep them public)
When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal purposes.
Published handbooks may remain accessible at their public URLs unless you remove them or request their removal. We may also remove handbooks if we determine they are no longer in use.
7. Your Rights (UK GDPR)
Under UK GDPR, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at support@hrhandbook.co.uk. We will respond within one month.
8. Cookies and Tracking
We use cookies and similar technologies to:
- Maintain your session and authentication
- Remember your preferences
- Analyse usage patterns (anonymised)
- Improve service performance
You can control cookies through your browser settings. However, disabling cookies may affect Service functionality.
We do not use third-party advertising cookies or tracking for advertising purposes.
9. International Data Transfers
Your data is primarily stored and processed in the European Economic Area (EEA). However, some service providers may process data outside the EEA:
- OpenAI (US): For compliance checking analysis. We use appropriate safeguards including Standard Contractual Clauses.
- Vercel (US): For hosting. Data is processed with appropriate safeguards.
We ensure all international transfers comply with UK GDPR requirements and use appropriate safeguards.
10. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. Your Responsibilities
When using our Service, you are responsible for:
- Ensuring you have an appropriate legal basis for processing any employee data you include in handbooks
- Complying with data protection laws when publishing handbooks containing personal data
- Obtaining necessary consents from employees where required
- Maintaining the security of your account credentials
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email to your registered address
- Notice through the Service
- Updating the "Last updated" date
Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or wish to exercise your rights, please contact us:
Email: support@hrhandbook.co.uk
Website: hrhandbook.co.uk
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data appropriately:
ICO Website: ico.org.uk
ICO Helpline: 0303 123 1113