Effective as of August, 2024.
We at Hi Bob Limited (together with its affiliated companies – “HiBob“, “we“, “our” or “us“) develop and operate a human resources management platform (the “Platform“) that helps companies (the “Customer“) streamline core HR processes and cultivate interpersonal relationships within the organization.
This Privacy Policy describes our practices regarding the collection, storage, usage, and disclosure of data that relates to identified or identifiable individuals (“personal data” or “personal information” and “data subjects”, respectively), who:
The activities described above are the “Services” to which this Privacy Policy applies. Please note that this Privacy Policy does NOT cover our practices regarding individuals who use the Platform as the end-users under our Customers’ account and for their purposes, including a Customer’s employees, staff, and contractors (“End Users”).
If you are an End User, please visit our Privacy Policy for End Users which describes our practices relating to such personal data.
Specifically, this Privacy Policy describes our practices regarding –
We respect your privacy and are strongly committed to making our practices regarding your personal data transparent and fair.
Please read this Privacy Policy carefully and make sure that you fully understand and agree to it.
You are not legally required to provide us with any personal data, but without it, we may not be able to provide you with the full range of our Services or with the best user experience when interacting with our Sites.
We collect various types of personal data regarding our Visitors, Prospects, Community Members, and our Customers’ Admins, and Recruiters.. Such data is typically collected or generated through your interaction with us or our Services, through automatic means, or directly from you or through third parties (including via Service Providers, as defined in Section 4 below).
Specifically, depending on the nature of our relationship with you, we may process the following categories of your personal data:
Admin Data Received from You: When you are registered by us as an Admin of a Customer’s account, you may provide us with personal data relating to you. This typically includes your name, workplace, position, and contact information (such as professional e-mail and phone number). If you choose to send others an e-mail or message inviting them to use the Platform, we will use the contact information you provide us to automatically send such invitation e-mail or message on your behalf. Your name and e-mail address may be included in the invitation e-mail or message.
During your interaction with our Platform as an Admin, you may provide us with personal data relating to your organization’s End Users (e.g., contact details of your organization’s employees in order to sign them up to the Platform). Please note that in such instances, the Customer on behalf of which you are an Admin will be solely responsible for determining whether to provide us with said data, as well as for establishing an appropriate legal basis for such processing activities as required under applicable law.
Recruiter Data Received from You: When you are designated as our Customer’s recruiting manager within HiBob’s Hiring module, we may process certain personal data about you in your capacity as a Recruiter. This typically includes your name, position, workplace ID, and contact information (such as professional e-mail and phone number). If you use HiBob’s Hiring module to communicate with your organization’s job applicants about their application process, your name, position and e-mail address, as provided to us, may be included in such emails or messages. As part of your role as a Recruiter, you might also use our Hiring module to create job postings on third-party platforms for job vacancies at your organization. You are solely responsible for any information you enter into our Hiring module for these job postings, including your contact details or those of others you might choose to include in such postings.
During your interactions with our Platform as a Recruiter, you may provide us with personal data related to your organization’s job applicants. Please note that in such instances, the Customer for which you are acting as a Recruiter is solely responsible for deciding whether to provide us with this data, and for establishing an appropriate legal basis for these processing activities, as required by applicable law. To learn more about our privacy practices related to the HiBob Hiring Module, please visit the Bob Hiring Privacy Notice for Applicants.
Data Automatically Collected or Generated: When you visit or interact with our Sites or the Community, we may collect, record, or generate certain technical data about you. We do so either independently or with the help of third-party Service Providers (defined in Section 4 below), including through the use of “cookies” and other tracking technologies (in the manner further detailed in Section 5 below).
Such data usually consists of connectivity, technical and aggregated usage data, such as IP addresses and general locations, device and application data (such as type, operating system, mobile device ID, browser version, locale, and language settings used), date and time stamps of usage, the cookies and pixels installed or utilized on such device and your recorded activity (sessions, clicks, and other interactions) in connection with our Sites, Platform or Community. In addition, phone calls (e.g., with our sales representatives, customer success, etc.) may be automatically recorded, tracked, and analyzed, for purposes such as analytics, service, business quality control and improvements, and record-keeping purposes.
Data Collected from the Community: To become a Community Member, you will be required to provide certain information such as your name and e-mail address, and may choose to share additional information such as your workplace, position, and profile picture (“Member Registration Data”). As a Community Member, you may choose to interact with other Community Members or visitors who might have access to the Community via various means available on the Community. Any information you submit to the Community during such interactions (“Member Content Data”), including personal data relating to you or others, may be visible to other Community Members and visitors and will be disclosed at your sole discretion. In particular, the Community’s job postings board is publicly available, and any data you choose to submit to it may be accessible to any member of the general public. Due to the public nature of the community, your posts and certain personal data may remain available on the Community irrespective of any other engagements you may have with us. You represent and warrant that any information you share on the Community does not infringe on any third party’s rights and will be shared in full compliance with the requirements of all applicable laws and regulations including, but not limited to, those pertaining to privacy and data protection applicable to the information shared by you.
Data Received from Other Third Parties: We may receive personal data concerning you from other sources. For example, if you participate in an event, webinar, or promotion that we sponsor or participate in, we may receive your personal data from its organizers. We may also receive your contact and professional details (e.g., your name, company, position, contact details, and professional experience, preferences, and interests) from our business partners or service providers, and through the use of tools and channels commonly used for connecting between companies and individuals in order to explore potential business and employment opportunities, such as LinkedIn and other similar platforms.
Data Obtained through Analytics Tools: We use analytics tools (e.g., Google Analytics) to collect data about the use of our Sites or the Community. Analytics tools collect data such as how often Visitors and Prospects visit the Sites, which pages they visit and when, and which website, ad, or e-mail message brought them there.
For the purposes of the California Consumer Privacy Act (“CCPA”), specifically in the last 12 months, we have collected the personal information described above, which falls within these CCPA-defined categories: Identifiers; Internet or other Electronic Network Activity Information; Customer Records Information; Audio, Electronic or Similar Information; and Geolocation Information. We do not use or disclose sensitive personal information as defined by the CCPA beyond what is necessary to provide our Services.
We use your personal data as necessary for the following purposes and in reliance on the lawful basis as further detailed in the chart below:
Visitors, Prospects, Community Members, Admins & Recruiters Data | |
Purpose | Lawful basis for processing |
To authenticate your identity, and provide you access and use of our Services. | -Performance of a Contract |
To facilitate, operate and provide our Services. | -Performance of a Contract (where applicable) -Legitimate Interests |
To provide customer service and technical support. | |
To support and enhance our data security measures, including for purposes of preventing and mitigating the risks of fraud, error, or any illegal or prohibited activity. | -Performance of a Contract (where applicable) -Legal Obligations -Legitimate Interests |
To gain a better understanding of how individuals use and interact with our Services, and how we could improve their and others’ user experience and continue improving our offerings and the overall performance of our Services. | -Consent (where applicable) -Legitimate Interests |
To facilitate and optimize our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our products and Services more effectively, including on other websites and applications. This includes contextual, behavioral and interests-based advertising based on your and other’ activities, preferences or other data available to us or to our Service Providers (defined in Section 4 below), and business partners. | |
To explore and pursue growth opportunities by facilitating a stronger local presence and tailored experiences. | |
To facilitate, sponsor and offer certain events, contests and promotions. | |
To contact you with general or personalized service-related messages, as well as promotional messages that may be of specific interest to you (as further described in Section 6 below). | -Performance of a Contract (where applicable) -Consent (where applicable) -Legitimate Interests |
To evaluate, monitor, study and analyze the use of our Services in order to diagnose or fix problems and bugs as well as develop new features, technologies and improvements to our Services | -Legitimate Interests |
To create aggregated data, inferred non-personal data or anonymized or pseudonymized data (de-identified data), which we or our business partners may use to provide and improve our respective services, conduct research, or for any other purpose. | |
To enforce our agreements with you, resolve disputes, and protect our business interests and the interests and rights of third parties. | |
To comply with court orders and warrants, prevent misuse of the Services, and take any action in any related legal dispute and proceeding. | -Legal Obligations -Legitimate interests |
To comply with applicable laws and regulations. |
If you reside or are interacting with the Services in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for processing personal data (in general, or specifically with respect to the types of personal data you choose to disclose via the Services), your acceptance of our Customer Subscription Terms (“Agreement”) or the Terms of Use (as applicable), and of this Privacy Policy will be deemed as your consent to the processing of your personal data for all purposes detailed in this Privacy Policy. If you wish to revoke such consent, please contact us by using the following support link.
3. Data Location and Retention
Data Location: Your personal data is maintained, processed and stored by us and our authorized Service Providers (defined below) in the US, EU, UK, Australia, Canada and Israel. We may also retain your personal data in other locations as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.
While privacy laws may vary between jurisdictions, HiBob and its affiliates and Service Providers are each committed to protecting personal data in accordance with this Privacy Policy and customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in their jurisdiction.
For transfers of personal data originating from the European Economic Area (EEA), the UK, or Switzerland to countries that are not considered as offering an adequate level of data protection based on adequacy decisions published by the European Commission (and associated), the UK, and Switzerland (as relevant), we and the relevant data exporters and importers have entered into standard contractual clauses as approved by the European Commission (available here), the UK (available here), or Switzerland. You can obtain a copy by contacting us as indicated in Section 10 below. For data transfers to countries that have been recognized to be providing an adequate level of data protection, we rely on such adequacy findings regarding the level of data protection offered by the recipient country.
Data Retention: We will retain your personal data for as long as it is reasonably necessary in order to establish, maintain and expand our relationship and provide you with our Services and offerings; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy and applicable laws.
Please note that except as required by applicable law or our specific agreements with you, we will not be obligated to retain your personal data for any particular period, and we are free to securely delete, anonymize or restrict access to it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, please contact us by using the following support link.
Hi Bob, Inc., our US subsidiary, complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework as set forth by the US Department of Commerce, and where appropriate – primarily relies on such certification for accepting transfers of personal data from the EEA, UK and Switzerland to the US (as applicable).
We have certified to the US Department of Commerce that Hi Bob, Inc. adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF, and from the UK (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. We furthermore certify that Hi Bob, Inc. adheres to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. We will remain liable for onward transfers of your personal data to third parties (including our Service Providers) in accordance with applicable data transfer mechanisms. If there is any conflict between the terms in this Policy and the EU-US DPF Principles and/or the Swiss-US DPF, the Principles shall govern with respect to personal data transferred under the DPF. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Service Providers: We engage selected third-party companies and individuals to perform services complementary to our own. Such service providers include hosting and server co-location services, communications, and content delivery networks (CDNs), data and cyber security services, billing and payment processing services, fraud detection and prevention services, web analytics, e-mail distribution, marketing and monitoring services, session or activity recording services, remote access services, performance measurement, data optimization and enrichment services, social and advertising networks, content providers, e-mail and communication distribution, voice-mails, call recording systems, support and customer relation management systems (including support ticketing systems, chatbots and related messaging functions), and our legal, compliance and financial advisors (collectively, “Service Providers“).These Service Providers may have access to your personal data and may utilize artificial intelligence, generative artificial intelligence, machine learning or similar technologies, depending on each of their specific roles and purposes in facilitating and enhancing our Service, and may only use it for such limited purposes as determined in our Agreements with them.
Service Integrations: Admins and Recruiters may choose to connect the Platform with third-party services that are supported by our Platform. The provider of such integrated third-party service may receive certain data about you, or disclose certain relevant data from your activity on the third-party provider’s services to us, depending on the nature and purpose of such integration. Such service integration typically requires the permission/approval of your organization’s Admin. Please note that we do not receive or store your personal password for any of these third-party services (but do typically require your organization’s API credentials in order to integrate with them).
Partnerships: We may engage selected business and channel partners, resellers, distributors and providers of professional services related to our Services, which allow us to explore and pursue growth opportunities by facilitating a stronger local presence and tailored experiences for you. In such instances, we may disclose relevant contact, business and usage details to the respective partner, to allow them to engage with you for such purposes. If you directly engage with any of our partners, please note that any aspect of that engagement which is not directly related to the Services and directed by HiBob, is beyond the scope of HiBob’s terms and Privacy Policy, and may therefore be governed by the partner’s terms and privacy policy.
Event Partners: If you register for any event that we host, organize or sponsor, then with your permission we may disclose your registration details to others, including the hosts, organizers, speakers, service providers, and sponsors of that event, so that they may contact you with relevant information and offers, or to fulfill any promotions related to that event.
Disclosing your Feedback or Recommendations: If you submit a public review or feedback, note that we may (at our discretion) store and present your review to Visitors of our Sites and Services (including other Customers), or to other Community Members (as applicable). If you wish to remove your public review, please contact us by using the following support link.
Legal Compliance: In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant, or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (i) we are legally compelled to do so; (ii) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (iii) such disclosure is required to protect the security or integrity of our End Users, Customers, Visitors, Prospects, ourselves or our Services.
Protecting Rights and Safety: We may disclose your personal data to others if we believe in good faith that this will help protect the rights, property or personal safety of HiBob, any of our End Users or Customers, or any members of the general public.
HiBob Subsidiaries and Affiliated Companies: We may disclose personal data internally within our group, for the purposes described in this Privacy Policy. In addition, should HiBob or any of its subsidiaries or affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of any of its assets, your personal data may be disclosed with the parties involved in such an event. If we believe that such change in control might materially affect your personal data then stored with us, we will notify you of this event and the choices you may have via e-mail or prominent notice on our Services.
For the avoidance of doubt, HiBob may disclose your personal data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal and anonymous. We may transfer, disclose or otherwise use non-personal data at our sole discretion and without the need for further approval.
In the last 12 months, we may have disclosed to the third parties listed above the following CCPA-defined categories of personal information: Identifiers; Internet or other Electronic Network Activity Information; Customer Records Information; Audio, Electronic or Similar Information; and Geolocation Information.
Our Sites and Service (including some of our Service Providers) utilize “cookies”, anonymous identifiers, pixels, container tags and other technologies in order for us to provide our Service and ensure that it performs properly, to analyze our performance and marketing activities, and to personalize your experience. Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall personal data, such as an IP address, previously indicated by a User. Under some data protection laws, like the CCPA and other US state privacy laws, our disclosure of this data to third parties for targeted advertising may considered as a “sale” or “sharing” of personal information. For more information about the type of cookies we use and how to exercise your right to opt out of such data selling or sharing please visit our Cookie Policy.
Service Communications: We may contact you with important information regarding our Service. For example, we may send you notifications (through any of the means available to us) of changes or updates to our Service, billing issues, service changes, etc. Please note that you will not be able to opt-out of receiving certain service communications which are integral to your use (like billing notices).
Promotional Communications: We may also notify you about new features, additional offerings, events and special opportunities or any other information we think You will find valuable. We may provide such notices through any of the contact means available to us (e.g. phone, mobile or e-mail), through the Service, or through our marketing campaigns on any other sites or platforms.
If you do not wish to receive such promotional communications, you may notify HiBob at any time by sending an e-mail to [email protected], or by following the “unsubscribe”, “stop”, “opt-out” or “change e-mail preferences” instructions contained in the promotional communications you receive.
In order to protect your Personal Data held with us, we are using industry-standard physical, procedural and technical security measures, including encryption as appropriate. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any Personal Data stored with us or with any third parties as described in Section 4 above. To learn more, please visit https://staging2.hibob.com/security/ .
If you wish to exercise your rights under applicable laws (including the EU or UK General Data Protection Regulation (GDPR), the CCPA or other US state privacy laws), you may do so by contacting us at [email protected].
Such rights may include – each to the extent available to you under the laws that apply to you – the right to know or request access to specific pieces of personal data collected, categories of data collected and sources from whom it was collected, as well as the purposes of collecting it and categories of third parties to whom we have disclosed it; the right to request rectification or erasure of your personal data held with HiBob; the right to restrict the processing of such data and to object at any time to the processing of your personal data which is based on our legitimate interests as details in Section 2 above (including the right to opt out of the sale or sharing of your data for targeted advertising); to port such data; or the right to equal services and prices (e.g., freedom from discrimination). If you are a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EEA, UK or Switzerland, as applicable.
You may designate an authorized agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by emailing us. In such cases, we may request further information to verify such power of attorney and authorization.
Please note that once you contact us by e-mail, we may require additional information and documents, including certain personal data, in order to authenticate and validate your identity and to process your request. Such additional data will be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 3 above.
In compliance with the EU-U.S. DPF, and the UK Extension of the EU-U.S. DPP and the Swiss-U.S. DPF Principles, Hi Bob, Inc. commits to resolve complaints about our collection or use of your personal data. EEA, UK and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework compliance should submit inquiries to [email protected].
If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, Hi Bob, Inc. has further committed to cooperate with the EU Data Protection Authorities (DPAs), the UK Information Commissioner Office (UK ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) to independently address complaints that we have been unable to resolve.
Furthermore, subject to certain conditions (as described under the EU-US DPF Principles that Hi Bob, Inc. adheres to), you may invoke binding arbitration by delivering a notice to us via [email protected]. Please note that Hi Bob, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Certain data protection laws and regulations, such as the GDPR or the CCPA, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “service provider”), who processes the data on behalf of the data controller (or “business”). Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
HiBob is the “data controller” (or “business”) of personal data relating to its Visitors, Community Members, Prospects, Recruiters and Admins, as well as of End Users’ aggregated ‘Usage data’ and ‘Benchmarking Data’ (as such terms are defined in our Privacy Policy for End Users). With respect to such data, we assume the responsibilities of data controller (solely to the extent applicable under the law), as set forth in this Privacy Policy. In such instances, our Service Providers processing such data will assume the role of “data processor” (or “service provider”).
HiBob is the “data processor” (or “service provider”) of End Users’ personal data uploaded or submitted to the Platform. For the avoidance of doubt, we process such data on behalf of our Customer (who is the “data controller” or “business”) and strictly in accordance with its instructions, subject to our Terms and Data Processing Agreement or other commercial agreement with such Customer. In such instances, our Service Providers processing such data will assume the role of “sub-processors” of such data. To learn more about our processing activities within the Platform, please visit our Privacy Policy for End Users.
Updates and Amendments: We may update and amend this Privacy Policy from time to time by posting an amended version on our Service. The amended version will be effective as of the date it is published. When we make material changes to this Privacy Policy which in our discretion may affect your personal data, we’ll provide you with notice as appropriate under the circumstances. Your continued use of the Service after the changes have been implemented will constitute your acceptance of the changes.
External Links: While our Services may contain links to other websites or services, we are not responsible for their privacy practices. We encourage you to pay attention when you leave our Services for the website or application of such third parties, and to read the privacy policies of each and every website and service you visit. This Privacy Policy applies only to our Services.
Our Services are not designed to attract underage children: We do not knowingly collect personal data from children and do not wish to do so. If we learn that a person who is underage according to the law applicable to then is using the Services, we will attempt to prohibit and block such use and will make our best efforts to promptly delete any personal data stored with us with regard to such a child. If you believe that we might have any such data, please contact us by using the following support link.For the purposes of the CCPA, we don’t have actual knowledge that we “sell” or “share” the personal information of individuals under 16 years of age.
Data Protection Officer: HiBob has appointed PrivacyTeam Ltd. as our Data Protection Officer (DPO), for monitoring and advising on HiBob’s ongoing privacy compliance and serving as a point of contact on privacy matters for individuals and supervisory authorities. If you have any comments or questions regarding this Privacy Policy, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is handled by HiBob, please contact our DPO at [email protected].
Questions, concerns or complaints: If you have any comments or questions regarding this Privacy Policy, or if you have any concerns regarding your personal data held with us, please contact HiBob’s support by using the following support link, or our Data Protection Officer at [email protected], or write to us at: Hi Bob (UK) Limited, 5 New Street Square, London, England EC4A 3TW.
You can find our old Privacy Policy terms here.