Privacy Policy
Last updated: June 28, 2026
1. Overview
This Privacy Policy explains how Digitspots Solutions ("Digitspots", "we") collects, uses, shares, and protects personal data through the HR Onboarding service at hronboarding.org (the "Service"). It applies to tenant administrators who sign up, the employees they onboard, and visitors to our marketing site.
2. Who we are
Digitspots Solutions is the data controller for marketing-site visitors and tenant admin accounts. For employee personal data that a tenant uploads or routes through the Service, the tenant is the data controller and Digitspots is the data processor. Our Data Protection Officer can be reached at dpo@hronboarding.org.
3. What data we collect
Account and tenant data
Name, work email, password hash (via AWS Cognito), company name, industry, employee-count band, country, timezone, and billing contact.
Employee data
Employee name, work email, role, department, start date, uploaded onboarding documents, and conversation transcripts between the employee and the HR assistant bot.
Usage telemetry
Pages viewed, features used, IP address, browser and OS, error logs, and audit logs of admin actions. Used to operate, secure, and improve the Service.
Payment data
Billing name, address, and last 4 digits of card. Full payment-card data is handled by Stripe and Paystack; we never receive or store it.
4. Why we collect each category
- Account and tenant data — to create and operate your account, authenticate users, send service notifications, and bill you.
- Employee data — to deliver onboarding workflows, route HR requests, and provide AI-assisted responses on your instructions.
- Usage telemetry — to keep the Service available and secure, debug issues, and prioritise product improvements.
- Payment data — to process subscriptions, prevent fraud, and meet tax and accounting obligations.
5. Legal basis (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Providing the Service to tenant admins | Performance of a contract |
| Processing employee data on tenant instruction | Processor — controller is the tenant |
| Service security, fraud prevention, debugging | Legitimate interests |
| Marketing emails to admins | Consent (with opt-out) |
| Compliance with tax / employment law | Legal obligation |
6. How we share data
We share personal data only with the subprocessors below, each under written contracts that require confidentiality and equivalent data protection standards.
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, KMS encryption | us-east-1 (USA) |
| Anthropic | AI responses via Claude / Bedrock | AWS regions |
| Stripe | International card payments | USA / EU |
| Paystack | Nigerian card and bank payments | Nigeria |
| Amazon SES | Transactional email delivery | us-east-1 |
| Slack (Salesforce) | Slack message delivery | USA / EU |
| Meta (WhatsApp Business) | WhatsApp message delivery | EU / Global |
| Zoho | Zoho Cliq message delivery | Multi-region |
7. International transfers
The Service is hosted in AWS us-east-1 (United States). For Customers in the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, to transfer personal data internationally. A copy of the SCCs is available from dpo@hronboarding.org.
8. Data retention
| Category | Retention period |
|---|---|
| Employee HR records and onboarding documents | 7 years after employment ends (statutory) |
| Bot conversation transcripts | 90 days, then deleted |
| Audit logs | 30 days |
| Account credentials | For the life of the account + 30 days |
| Billing records | 7 years (tax law) |
| Marketing site cookies | Session only or 12 months for geo-region |
9. Your rights
Subject to applicable law (including GDPR, the Nigeria Data Protection Regulation, and the California Consumer Privacy Act), you have the right to:
- Access the personal data we hold about you;
- Receive a portable copy in a machine-readable format;
- Correct inaccurate or incomplete data (rectification);
- Delete your data, subject to legal retention obligations (erasure);
- Restrict or object to certain processing;
- Withdraw consent at any time where processing relies on consent;
- Lodge a complaint with a supervisory authority (e.g., the Nigeria Data Protection Commission, your EU data protection authority, or the UK ICO).
10. How to exercise your rights
Tenant admins can edit or delete most data directly from the admin dashboard. For requests that the dashboard does not cover, write to dpo@hronboarding.org from the email address on file. We respond within 30 days. Employees whose data was uploaded by their employer should contact their employer's HR team first; we will support tenant admins in fulfilling those requests.
11. Cookies
We use only essential cookies. See our Cookie Notice for the full list.
12. Children
The Service is intended for use by employers and their employees. It is not designed for or directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact dpo@hronboarding.org.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-product and by email to tenant admins at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact
Digitspots Solutions — HR Onboarding
Data Protection Officer: dpo@hronboarding.org
General support: support@hronboarding.org