Privacy Policy

1. Information We Collect

We collect information in the following categories:

• Account Information: Name, email address, company name, and billing details provided during registration.
• Customer Data: Employee records, payroll data, benefits information, and other HR data you enter into the platform.
• Usage Data: Feature usage analytics, session logs, and performance metrics to improve the Service.
• Device Information: Browser type, IP address, and device identifiers for security and support purposes.

2. How We Use Information

• Provide, maintain, and improve the Service
• Process payroll, tax calculations, and benefits administration on your behalf
• Send transactional communications (invoices, security alerts, service updates)
• Enforce our Terms of Service and protect against fraud
• Comply with legal obligations (tax reporting, audit requirements)

3. Data Protection

We implement industry-standard technical and organizational measures to protect your data:

• Tenant isolation: Each customer's data resides in a dedicated database schema with row-level security.
• Encryption at rest: AES-256 encryption for all stored data. Sensitive fields (SSN, bank accounts) use per-tenant key derivation via HashiCorp Vault Transit.
• Encryption in transit: TLS 1.3 for all connections between clients, load balancers, application servers, and databases.
• Audit trail: Append-only audit logging with 7-year retention for all data modifications.
• Access controls: Role-based access control with 15 granular roles and field-level permissions.
• MFA: FIDO2/WebAuthn multi-factor authentication for privileged roles.

4. Data Sharing

We do not sell your data. We share Customer Data only as necessary to provide the Service:

• Infrastructure providers: AWS (hosting), Stripe (billing). Governed by data processing agreements.
• Legal compliance: When required by law, regulation, or valid legal process.
• With your consent: Integration with third-party services you authorize (payroll providers, benefits carriers).

5. AI Features

The Service includes AI-powered features (resume parsing, anomaly detection, report generation, knowledge base chat). AI processing uses your data solely to provide functionality within your tenant. Customer Data is never used to train AI models. All AI-generated content is labeled as such.

6. Data Retention

Customer Data is retained for the duration of your subscription plus a 90-day export period after termination. Audit trail data is retained for 7 years per compliance requirements. After retention periods expire, data is permanently and irreversibly deleted.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access and export your personal data
• Correct inaccurate personal data
• Request deletion of personal data (subject to legal retention requirements)
• Object to or restrict processing
• Data portability

To exercise these rights, contact privacy@corvalonhrm.com.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. Analytics data is collected server-side without client-side tracking scripts.

9. Changes to This Policy

We will notify you of material changes to this Privacy Policy at least 30 days before they take effect via email and in-app notification.

10. Contact

For privacy-related inquiries: privacy@corvalonhrm.com