1. Overview
Anima HR ("Anima HR," "we," "us," or "our") is a multi-tenant HR management platform. This Privacy Policy explains how we collect, use, store, and protect personal data when you visit animahr.io (our marketing website) or use the Anima HR application at *.animahr.io.
We take privacy seriously — not just as a legal obligation but as a core product value. We do not sell personal data. We do not use your employees' data for advertising. We give you full control over where your data lives.
Controller vs. Processor
For data you submit through the marketing site (e.g. signup forms, contact requests), Anima HR is the data controller.
For employee and HR data processed inside your Anima HR workspace, your organization is the data controller and Anima HR acts as a data processor on your behalf. Our Data Processing Agreement (DPA) governs that relationship.
2. Who We Are
Anima HR
New Jersey, United States
For privacy-specific inquiries, use our contact form with the subject "Privacy Request" and we will respond within 30 days.
3. Data We Collect
3.1 Marketing website visitors
- Form submissions — name, work email, company name, team size, and any message you send via the contact or signup forms.
- Technical data — IP address, browser type, and referring URL collected automatically by our hosting infrastructure for security and abuse prevention. This data is not used for advertising or behavioral profiling.
3.2 Anima HR workspace (your employees' data)
When your organization uses Anima HR, you (the employer) submit HR data on behalf of your employees. This may include:
- Name, work email address, job title, department, and manager
- Employment dates, salary history, and leave records
- Performance review responses, feedback, and 1:1 notes
- Survey responses and people analytics scores
- Any custom fields your organization configures
We process this data strictly as a processor under your instructions. We do not access, analyze, or use employee data for any purpose other than delivering the service to you.
3.3 Account and billing data
- Workspace administrator email address and authentication credentials
- Billing contact name and email
- Payment method details — handled directly by Stripe; Anima HR never stores raw card numbers
4. How We Use Data
| Purpose | Data used |
|---|---|
| Provision and operate your workspace | Account data, HR data |
| Process payments | Billing contact, payment method (via Stripe) |
| Respond to support and sales inquiries | Contact form submissions |
| Send transactional emails (workspace setup, password reset) | Work email address |
| Security monitoring and abuse prevention | IP address, access logs |
| Improve the service (aggregated, anonymized analytics only) | Anonymized usage metrics |
We do not use personal data for advertising, behavioral profiling, or sale to third parties.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Article 6:
- Contract performance — processing necessary to deliver the service you signed up for (Art. 6(1)(b)).
- Legitimate interests — security monitoring, fraud prevention, and service improvement, where our interests do not override your rights (Art. 6(1)(f)).
- Legal obligation — where we are required to retain records by applicable law (Art. 6(1)(c)).
- Consent — for optional marketing communications, where you have opted in (Art. 6(1)(a)). You may withdraw consent at any time.
For employee data processed inside your workspace, the legal basis is determined by your organization as the data controller. Our DPA sets out the appropriate safeguards.
6. Data Sharing
We do not sell, rent, or share personal data with third parties for marketing or advertising purposes — ever.
We share data only in the following limited circumstances:
- Sub-processors — infrastructure and service providers listed in Section 7, bound by data processing agreements.
- Legal requirements — if required by law, court order, or to protect the rights and safety of Anima HR or its users. We will notify you where legally permitted.
- Business transfers — in the event of a merger, acquisition, or asset sale, personal data may be transferred. We will notify affected users and honor existing privacy commitments.
7. Sub-processors
We use a minimal set of sub-processors. All are bound by data processing agreements and meet industry-standard security requirements.
| Sub-processor | Purpose | Location | Certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database, file storage, CDN, and compute | Your chosen region(s) | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA eligible, FedRAMP |
| Stripe | Payment processing | United States | PCI DSS Level 1, SOC 1/2, ISO 27001 |
We will update this list when sub-processors are added or removed. Enterprise customers may request advance notice of sub-processor changes.
8. Data Residency & International Transfers
Anima HR gives you explicit control over where your data is stored. During signup you choose a data region; your tenant's database is created exclusively in that region and data does not leave it unless you enable multi-region replication (Enterprise plan).
Available regions include locations in North America, Europe, Asia Pacific, and South America.
International transfers (GDPR)
If you select an EEA region, your data remains in the EEA. If you select a non-EEA region (e.g. US), transfers from the EEA are covered by Standard Contractual Clauses (SCCs) incorporated into our DPA. AWS participates in the EU-U.S. Data Privacy Framework.
9. Data Retention
| Data type | Retention period |
|---|---|
| Active workspace data (HR records, settings) | Retained while your subscription is active |
| Workspace data after account deletion | Deleted within 90 days of account closure |
| Billing records | 7 years (tax and legal compliance) |
| Security and access logs | 90 days |
| Marketing contact form submissions | 2 years, or until you request deletion |
You may request early deletion of your data at any time by contacting us. Deletion requests for workspace data are processed within 30 days.
10. Security
We apply security controls aligned with industry best practices. Key measures include:
- Encryption in transit — all data transmitted over TLS 1.2+.
- Encryption at rest — all databases and file storage encrypted with AES-256.
- Tenant isolation — each customer organization gets a dedicated database; there is no shared data store between tenants.
- Per-tenant signing keys — each tenant has a unique RSA-2048 signing key pair, encrypted with AES-256-GCM and stored in a secure secrets manager.
- Role-based access control (RBAC) — enforced at the API layer on every request; sensitive fields are redacted based on role.
- Audit logging — all write operations are logged with user identity, timestamp, and changed values.
- Rate limiting — sliding-window rate limiting per authenticated user to prevent abuse.
- No cross-tenant data access — tenant identity is validated on every API call to prevent cross-tenant token reuse.
Compliance roadmap
We are actively working toward SOC 2 Type II and ISO 27001 certification. Enterprise customers may request our current security documentation and controls summary via our contact form.
If you discover a security vulnerability, please report it responsibly via our contact form. We will acknowledge receipt within 48 hours and work to resolve confirmed issues promptly.
11. Your Rights
All users
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your personal data (subject to legal retention obligations).
- Portability — receive your data in a machine-readable format.
- Opt-out of marketing — unsubscribe from any marketing emails at any time.
EEA / UK residents (GDPR / UK GDPR)
In addition to the above, you have the right to:
- Restrict processing — ask us to limit how we use your data while a dispute is resolved.
- Object to processing — object to processing based on legitimate interests.
- Lodge a complaint — with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EEA).
California residents (CCPA / CPRA)
- Know — the categories of personal information collected and how it is used.
- Delete — request deletion of personal information we have collected.
- Opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising.
- Non-discrimination — we will not discriminate against you for exercising your privacy rights.
Employee data (workspace users)
If you are an employee whose data is processed inside an Anima HR workspace, your employer is the data controller. Please direct data subject requests to your employer's HR or IT team. We will cooperate with your employer to fulfill valid requests.
To exercise any of the above rights, use our contact form with subject line "Privacy Request". We will respond within 30 days (or sooner as required by applicable law).
13. Children's Privacy
Anima HR is a business-to-business HR platform intended for use by organizations and their adult employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor's data has been submitted, please contact us and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify workspace administrators by email at least 30 days before the change takes effect.
- Update the DPA accordingly for significant changes affecting how we process employee data.
Continued use of the service after the effective date constitutes acceptance of the updated policy.
15. Contact Us
For privacy questions, data subject requests, or security concerns:
Anima HR
New Jersey, United States
Use our contact form — include the subject line "Privacy Request" so we can route your inquiry correctly.
We aim to respond to all privacy inquiries within 30 days.
For enterprise customers requiring a signed DPA, please see our Data Processing Agreement or reach out via the contact form to arrange execution.