1. Introduction & Scope

HR Data Labs LLC (“HR Data Labs,” “we,” “our,” or “us”) is committed to protecting the privacy of every person who visits our website at hrdatalabs.com (the “Site”) or otherwise interacts with our services. This Privacy Policy explains what personal information we collect, how we use and protect it, and what rights you have with respect to your information.

This Policy applies to information collected through our Site, marketing communications, and related online activities. It does not apply to information we process as a data processor on behalf of our business clients under a separate Data Processing Agreement.

By using our Site, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Site.

2. Information We Collect

A. Information You Provide Directly

When you interact with our Site, you may voluntarily provide us with:

• Contact information — name, email address, phone number, job title, and company name submitted through contact forms, demo requests, or newsletter sign-ups.
• Communication content — messages, questions, or feedback you send us directly.
• Account credentials — if you register for a portal or client account, your username and password (stored in hashed form).

B. Information Collected Automatically

When you visit our Site, we and our service providers automatically collect certain technical information, including:

• Log data — IP address, browser type and version, operating system, referring URL, pages viewed, time and date of visit, and time spent on pages.
• Device identifiers — hardware model, unique device identifiers, and mobile network information.
• Cookie and tracking data — see Section 6 (Cookies and Tracking Technologies) for full detail.
• Analytics data — aggregated usage statistics collected via third-party analytics platforms.

C. Information from Third Parties

We may receive information about you from:

• Business partners and data enrichment providers that supplement contact records with professional profile data.
• Advertising platforms that provide campaign engagement signals.
• Publicly available professional directories (e.g., LinkedIn).

D. Sensitive Personal Information

We do not intentionally collect sensitive categories of personal information (such as race, ethnicity, religion, health data, or financial account numbers) through the Site. If we need to collect sensitive information in connection with a specific service engagement, we will provide a separate, specific notice and obtain your explicit consent where required by law.

3. How We Use Your Information

We do not sell your personal information to third parties for monetary consideration, and we do not use it for automated decision-making that produces legal or similarly significant effects without human review.

4. Legal Basis for Processing GDPR

For individuals in the European Economic Area (EEA) or United Kingdom, we rely on the following lawful bases under Article 6 of the GDPR:

• Legitimate interests (Art. 6(1)(f)) — Site analytics, security monitoring, fraud prevention, and direct B2B marketing communications, where our interests are not overridden by your rights.
• Contractual necessity (Art. 6(1)(b)) — Processing required to fulfill a service agreement or respond to your pre-contractual inquiries.
• Legal obligation (Art. 6(1)(c)) — Processing required by applicable law or a regulatory authority.
• Consent (Art. 6(1)(a)) — Where we rely on consent (e.g., optional marketing emails or non-essential cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.

Where we process special categories of personal data, we rely on Art. 9(2) of the GDPR and will identify the specific basis at the time of collection.

5. Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share it only in the following circumstances:

Service Providers

We engage trusted third-party vendors who process data on our behalf under written data processing agreements that restrict their use of your information to providing services to us. Categories of service providers include: cloud hosting, website analytics, email delivery, CRM platforms, and cybersecurity.

Business Transfers

If HR Data Labs LLC is acquired, merges with another company, or undergoes a similar transaction, personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

Legal Requirements

We may disclose information if required by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of HR Data Labs LLC, our users, or the public.

With Your Consent

We may share information for any other purpose with your prior, explicit consent.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (web beacons, pixels, local storage) to operate and improve our Site.

You can manage cookie preferences through our on-site Cookie Preference Center (displayed on first visit) or through your browser settings. Note that disabling certain cookies may affect Site functionality. Most browsers allow you to refuse new cookies, delete existing cookies, or receive a warning before a cookie is set.

For opt-out of analytics tracking, you may also use the Google Analytics Opt-out Browser Add-on or equivalent tools provided by other analytics vendors we use.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer period is required or permitted by law. Our general retention practices are:

• Contact form submissions: Up to 3 years from last interaction, or until you request deletion.
• Marketing email lists: Until you unsubscribe or request removal.
• Web analytics logs: 26 months from collection (consistent with standard analytics platform settings), then aggregated or deleted.
• Legal and compliance records: As required by applicable law, typically 7 years.
• Account data: For the duration of the account and up to 2 years following closure.

When retention periods expire, we securely delete or anonymize the data so it can no longer be associated with you.

8. Security

We implement industry-standard administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:

• TLS encryption for data in transit
• Encryption at rest for sensitive data stores
• Role-based access controls and least-privilege principles
• Regular vulnerability assessments and penetration testing
• Employee privacy and security training

No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your rights or freedoms, we will notify you and applicable regulators as required by law.

9. International Data Transfers GDPR

HR Data Labs LLC is based in the United States. If you access our Site from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the EEA or the United Kingdom to the United States, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK Information Commissioner’s Office, incorporated into our data processing agreements with vendors.
• EU-U.S. Data Privacy Framework certification, where applicable.
• UK International Data Transfer Agreements (IDTAs) where UK GDPR applies.

You may request a copy of the relevant safeguards by contacting us at the address below.

10. Children’s Privacy

Our Site is directed to business professionals and is not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will take steps to delete it promptly.

11. Health Information Notice HIPAA

HR Data Labs LLC provides data analytics and consulting services to employers and HR professionals. In certain client engagements, we may act as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act with respect to Protected Health Information (PHI) shared by covered entity clients.

Where we act as a Business Associate:

• We process PHI only as specified in a written Business Associate Agreement (BAA) with the applicable covered entity client.
• We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule.
• We do not use or disclose PHI for purposes other than those permitted by the BAA and applicable law.
• We will notify covered entity clients of any breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule.

This Policy governs information collected through our Site and does not serve as a HIPAA Notice of Privacy Practices. Individuals whose PHI is processed on behalf of a covered entity client should direct privacy inquiries to that covered entity.

12. Your Rights — EU / UK Residents GDPR

If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR or UK GDPR:

• Right of Access (Art. 15) — Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16) — Ask us to correct inaccurate or incomplete data.
• Right to Erasure / “Right to be Forgotten” (Art. 17) — Request deletion of your data where it is no longer necessary or where you withdraw consent.
• Right to Restriction of Processing (Art. 18) — Ask us to limit how we use your data in certain circumstances.
• Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format and transmit it to another controller.
• Right to Object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Right to Lodge a Complaint — File a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the Information Commissioner’s Office (ICO).

To exercise any of these rights, please contact us using the details in Section 16. We will respond within 30 days (extendable to 90 days for complex requests with notice). We may need to verify your identity before processing your request.

13. Your Rights — California Residents CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

• Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct — Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — Direct us not to sell or share your personal information for cross-context behavioral advertising. To opt out, click “Do Not Sell or Share My Personal Information” in the footer of our Site, or contact us directly.
• Right to Limit Use of Sensitive Personal Information — Restrict our use of sensitive personal information to purposes necessary for providing services.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights. We will not deny goods or services, charge different prices, or provide a different level of service because you exercised your privacy rights.

Categories of Personal Information Collected (past 12 months)

To submit a verifiable consumer request, contact us as described in Section 16. You may also designate an authorized agent to make requests on your behalf (we will require written authorization and may verify your identity directly).

14. Your Rights — Other U.S. State Residents US State Laws

Residents of the following states have privacy rights substantially similar to those described above:

• Virginia — Consumer Data Protection Act (VCDPA)
• Colorado — Colorado Privacy Act (CPA)
• Connecticut — Data Privacy Act (CTDPA)
• Utah — Consumer Privacy Act (UCPA)
• Texas — Data Privacy and Security Act (TDPSA)
• Oregon, Montana, New Hampshire, New Jersey, and other states with enacted comprehensive privacy laws

Rights typically available under these laws include the right to access, correct, delete, obtain a portable copy of, and opt out of processing of your personal data for purposes of targeted advertising, sale, or certain profiling activities. We will process requests from residents of these states consistent with applicable law. To submit a request, contact us as described in Section 16.

If we deny your request, you may appeal by responding to our denial notice with a written explanation. If you remain unsatisfied, you may lodge a complaint with your state’s attorney general or applicable supervisory authority.

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the updated policy on this page with a new “Last Updated” date and, where appropriate, provide additional notice (such as a prominent banner on our Site or an email notification).

We encourage you to review this Policy periodically. Your continued use of the Site after any changes constitutes your acceptance of the updated Policy.

16. Contact Us

For questions, concerns, or to exercise any privacy right described in this Policy, please contact our Privacy Team:

Note: This Privacy Policy is provided for informational and transparency purposes. It does not constitute legal advice. HR Data Labs LLC recommends consulting qualified legal counsel to ensure ongoing compliance with applicable privacy laws.