DATA PRIVACY POLICY
Effective Date: November 22, 2025
I. Introduction
At HR Zen, we’re revolutionizing how owners, managers, and employees interact with human resources and its related functions. To make this possible, we need to collect and use certain information. This Privacy Policy explains what information we collect, why we collect it and how we use and protect it.
II. Purpose and Scope
This Privacy Policy outlines the data privacy principles and practices of HR Zen (“HR Zen”) in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations. It applies to all personal data we collect, process, and store in connection with the use of our services and platform.
This Policy governs data handling in all stages of the data lifecycle: collection, processing, sharing, storage, retention, and disposal.
III. Definition of Terms
- Personal Data – Any information that identifies or can reasonably identify an individual, including name, contact details, identification documents, account information, and payment details.
- Data Subject – Any individual whose personal data is processed, including owners, managers, employees and other such users.
- Processing – Any operation performed on personal data, whether automated or manual.
- DPO – Data Protection Officer appointed by the Company to ensure compliance with the DPA.
IV. Data We Collect
We collect employee personal data necessary for the delivery of our services:
- Full name
- Contact number
- Email address
- Home address
- Mother’s maiden name
- Salary details
- Government IDs (SSS, PHIC, HDMF, TIN)
- Emergency contact name and contact number
- Bank or digital wallet account details for payments
Automatically collected data:
- IP address, browser type, device information
- Activity logs, session data, clickstreams
- Cookies and similar technologies
V. Purpose of Processing
We collect and process personal data for the following purposes:
- To create and manage employer and employee user accounts and facilitate onboarding to the HR platform
- To verify the identity of users and maintain accurate employee records
- To manage employee profiles, including job information, schedules, and work assignments
- To manage and track timekeeping, attendance, leave requests, and other HR-related transactions
- To facilitate communication between employers, employees, and authorized HR personnel
- To calculate and process payroll, benefits, reimbursements, and statutory contributions
- To generate HR reports and analytics and to improve the functionality, performance, and security of the platform
- To send service-related notices, policy updates, and other relevant HR or system announcements
- To comply with lawful orders and regulatory requirements
VI. Legal Bases for Processing
Processing is conducted based on one or more of the following:
a. Consent
We process your personal data when you voluntarily provide it through the platform, such as when you create or update your employee profile, submit leave or overtime requests, upload documents, or enroll in benefits. Consent also applies where you allow us to use your data for optional communications (e.g., product updates, training materials, surveys) or for non-essential analytics and service improvements. You may withdraw your consent at any time, subject to legal, regulatory, or contractual restrictions, and subject to the rights of your employer as data controller, where applicable.
b. Contractual Necessity
Your personal data is necessary for us to fulfill our contractual obligations to your employer and to authorized users of the HR Zen platform. This includes creating and managing user accounts, maintaining employee records, managing schedules and shifts, processing timekeeping and attendance, handling leave and overtime requests, and generating payroll and related reports. Without this data, we may be unable to provide you or your employer with full access to our HR and payroll services.
c. Compliance with Legal Obligations
We may process and retain your data to comply with applicable laws and regulations, including those relating to labor, taxation, social security, and other statutory contributions, as well as anti-fraud and record-keeping requirements. We may also disclose your data to government agencies or regulatory authorities in response to lawful orders, subpoenas, audits, or similar legal processes.
d. Legitimate Interest
We process personal data to support our legitimate business interests, such as improving and securing our platform, detecting and preventing suspicious or unauthorized activity, conducting usage analytics, troubleshooting issues, and developing new features and functionalities. Where we rely on legitimate interests, we ensure that these do not override your fundamental rights and freedoms.
VII. Use of Information
Data collected through HR Zen is used to:
- Provide and maintain our services – to operate, maintain, and improve the HR Zen platform; manage employee records; handle timekeeping, scheduling, attendance, and leave management; and support payroll and HR workflows.
- Create and manage your account and employee profile – to register you as a user, store and update your personal and employment information, job details, schedules, and preferences, and tailor the platform to your role (e.g., employee, manager, HR administrator, or employer representative).
- Verify identity and credentials – to authenticate users, confirm employment status or authorization levels, and help secure access to HR records and transactions.
- Process payroll and financial transactions – to calculate and process salaries, allowances, deductions, benefits, reimbursements, and statutory contributions; generate payslips and payroll reports; and maintain audit logs and financial records.
- Manage time, attendance, and leave – to record work hours, overtime, shift schedules, rest days, and leave balances; process leave, overtime, and schedule-change requests; and support approvals and related HR decisions.
- Facilitate HR-related communication – to send essential notifications such as payroll and payment advisories, leave and approval updates, schedule changes, policy updates, system alerts, and other platform messages relevant to your role and activity.
- Support employer reporting and compliance – to generate HR and payroll reports needed by your employer for internal management, audits, and compliance with labor, tax, social security, and other regulatory obligations.
- Ensure security and prevent misuse – to monitor system usage, detect and investigate suspicious or fraudulent activities, enforce platform policies, and protect the integrity and security of HR data.
- Analyze and improve the platform – to understand how the platform is used, optimize performance and user experience, enhance HR and payroll workflows, and develop new tools and features that better support employers and employees.
VIII. Data Sharing and Disclosure
Data collected is shared with trusted third parties when necessary to operate the platform, fulfill services, or to comply with legal obligations. These include:
- Service providers: We may share your data with consultants and other service providers who perform services on our behalf, such as payment processors, cloud hosting providers, analytics providers, and customer support. These service providers are obligated to protect your data and are only authorized to use it for the purposes for which we provide it.
- Government agencies or regulators: We may disclose your data if required to do so by law or in response to valid requests by public authorities.
- Professional advisors, such as legal counsel or auditors, for the purpose of compliance, risk management, or resolving disputes.
We make sure that any third party we work with, such as service providers or payment platforms, follows strict confidentiality standards, puts proper data protection safeguards in place, and respects privacy rights in line with applicable data privacy laws. We use written agreements and other measures to monitor their compliance with this Policy. These third parties are only allowed to use personal data for authorized purposes and must follow our instructions to keep information secure.
IX. Data Retention
We retain personal data only for as long as:
- Required to fulfill the purposes stated above
- Necessary to comply with applicable laws (e.g., tax, accounting, audit)
- Required to establish, exercise, or defend legal claims
As a rule, personal data shall be retained for a maximum period of five (5) years from the date of the last transaction or interaction, unless a longer retention period is required by applicable laws or justified by a legitimate business interest.
While users may delete their accounts through the dashboard, some personal information may be retained for a specific duration to comply with legal obligations or for legitimate business purposes.
X. Disposal of Data
After the retention period, or when the data is no longer necessary or relevant to the declared purpose, personal data shall be securely disposed of or anonymized through appropriate methods to prevent unauthorized access, disclosure, or use. Disposal shall be carried out in accordance with industry standards and applicable data protection regulations.
We conduct regular reviews of stored data and implement disposal schedules to ensure compliance with our data retention policy.
XI. Data Protection and Security Measures
HR Zen implements stringent technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. Employees must adhere to these measures:
- Access Control: Access to personal data is strictly controlled based on job function and on a "need-to-know" basis (Role-Based Access Control - RBAC). Multi-factor authentication (MFA) is mandatory for all admin and developer accounts.
- Secure Systems: Only authorized personnel can access production databases and storage systems.
- Data Encryption:
  - Data in Transit: All data transmitted across our networks is encrypted using HTTPS/TLS 1.2 or higher.
  - Data at Rest: While data at rest encryption is part of our upcoming security roadmap, employees must ensure data stored locally on company devices (laptops, external drives) is adequately secured.
- Sensitive Financial Data Handling: Sensitive financial data, such as bank details, is never stored directly on our servers. Instead, it is tokenized and securely handled by our PCI-compliant payment partners (e.g., VeryGoodSecurity - VGS). Employees must never ask for or store unencrypted financial details.
- Backups: Automated backups for our database are being implemented, with secure, geo-redundant storage planned for improved data resilience. Employees must follow all backup procedures for data they manage.
- Employee Device Security: All company-issued devices (laptops, phones) must have up-to-date security software, firewalls, and be password-protected. Personal devices used for work must also comply with company security guidelines.
- Physical Security: Ensure physical access to systems and documents containing personal data in our offices is secure.
XII. Data Subject Rights
In accordance with Section 16 of the DPA, data subjects are entitled to the following:
- Right to be informed about processing activities
- Right to object to processing
- Right to access their personal data
- Right to correct inaccurate data
- Right to erasure or blocking
- Right to data portability
- Right to damages
- Right to lodge a complaint with the National Privacy Commission
The data subject may exercise any of the rights provided under the Data Privacy Act by contacting our Data Protection Officer at privacy@hrzen.com. To verify the identity of the requesting party and to protect the confidentiality of personal data, we may request specific information. This security measure ensures that personal data is not disclosed to any individual who is not authorized to receive it. We may also request additional information, if necessary, to clarify the request and facilitate a timely and appropriate response.
XIII. Data Breach Management
In the event of a data breach, the DBMT shall perform the following actions in accordance with NPC Circular No. 16-03 and relevant laws:
- Notification. The DBMT shall assess whether the breach is likely to result in serious harm to the affected data subjects. The DBMT will notify affected data subjects and the NPC within 72 hours from discovery of the breach, as required by law.
- Containment and Mitigation. Immediate steps shall be taken to contain the breach, prevent further unauthorized access, and reduce the risk of harm. This may include isolating affected systems, disabling compromised accounts, or resetting credentials.
- Documentation. All details of the breach—including its nature, scope, impact, response measures, and outcomes—shall be recorded in our Data Breach Management Register in compliance with accountability and documentation requirements.
- Cooperation and Remediation. The organization shall fully cooperate with the NPC and other relevant authorities. Appropriate remedial actions shall be implemented, including reviews of security protocols, staff training, and long-term risk mitigation strategies.
XIV. Training and Awareness
All new employees will receive mandatory data privacy training during onboarding. Regular refresher training will be provided to ensure all employees remain aware of:
- The principles of data protection.
- Their responsibilities under this Policy.
- Best practices for handling personal data securely.
- How to identify and report potential privacy incidents.
XV. Third-Party Services and Cross-Border Data Transfers
Some features of our platform may integrate with third-party services such as payment processors, analytics tools, cloud providers, or social media platforms. These services operate independently and have their own privacy policies and data handling practices, which are beyond our control. We encourage users to review their privacy policies, as we do not assume responsibility for how they collect, use, or share personal data.
Where necessary, data may be transferred to third parties, provided that:
- Adequate data protection measures are in place;
- Contracts include standard data protection clauses; and,
- The transfer complies with NPC Circulars and Advisory Guidelines.
XVI. Data Protection Officer (DPO)
If you have questions or concerns about this Policy or your rights as a data subject, you may contact our DPO at:
Data Protection Officer
privacy@hrzen.com
OP123-B, One Paseo, Cebu, Maria Luisa Road, Paseo Saturnino, Banilad, Cebu City, Cebu, Philippines
XVII. Policy Review and Updates
This Privacy Policy may be updated periodically to reflect changes in regulations or practices. Updates will be posted on our website or notified to users through email or in-app messages, where appropriate.
Punched Group
© 2025 HRZen Philippines. All rights reserved.