Privacy Policy

Last updated: 7 July 2026

HankHR is HR and multi-country payroll software for teams in the United States, Malaysia, and Singapore. Running payroll means handling some of the most sensitive data an organisation holds — national IDs, bank details, pay. This policy explains, in plain language, what we collect, why, who we share it with, how we protect it, and the rights you have.

A note on how to read this: everything below describes how we actually handle data today, not an aspirational version. HankHR is a young company, and our practices will keep maturing — we update this page as they do. The data processing terms in your agreement with us govern the specifics for employee data; if you are relying on HankHR to meet a particular legal obligation, we would encourage you to review this policy and those terms with your own advisers.

Who we are

HankHR is operated by {LEGAL ENTITY NAME} (“HankHR”, “we”, “us”). We build and run the HankHR platform, which organisations use to manage their people, leave, time, payroll, reports, and documents.

For any privacy question, or to exercise a right described below, write to privacy@hankhr.co. Security matters go to security@hankhr.co.

The two roles we play

Whether HankHR is responsible for a given piece of data — or your employer is — depends on which of two hats we are wearing.

For employee personal data, we are a processor (a “service provider”). When a company uses HankHR to run its HR and payroll, that company decides what to collect and why, and we process it only on their instructions to deliver the service. The employing organisation is the controller of its employees’ data. If you are an employee whose employer uses HankHR, your employer — not HankHR — is your first point of contact for access, correction, or deletion, and their own privacy notice governs how they use your data.

For our own account, billing, and support data, we are a controller. When you sign up, contact support, or (once paid billing launches) pay us, we decide how that information is used, and this policy governs it directly.

What data we process

On behalf of our customers (as processor)

To run HR and payroll, the platform holds the data our customers put into it:

  • Organisation and legal-entity information — company details, registration and tax numbers, addresses, and pay cycles.
  • Employee personal data — names, contact details, national identifiers (US SSN or ITIN; Malaysian NRIC/MyKad or passport; Singapore NRIC/FIN), date of birth, and statutory numbers.
  • Payroll and financial data — compensation, deductions, contributions, the bank-account details used to pay employees, and payroll results.
  • Leave, attendance, and time entries — including time and scheduling data synced from Schedaddle.
  • Documents — files uploaded to employee or company records, including e-signature documents.
  • Candidate data (optional hiring add-on) — applications and resumes, for customers who enable hiring. Any equal-opportunity (EEO) or demographic data is kept schema-isolated from the rest of the record and is never used for screening.

For our own relationship with you (as controller)

  • Account data — the name, work email, and password (stored only as a secure hash) of the people who administer an account.
  • Billing data — the 30-day trial needs no card; once paid billing launches, we will handle plans, invoices, and payment status through our payment processor, and we never see or store full card numbers.
  • Support and communications — the messages you send us and our replies.
  • Marketing-site usage — minimal and essential-only (see Cookies below). We do not run third-party advertising or tracking on the site.

Where your data comes from

Most personal data reaches us directly from the customer and their employees — typed into the app, imported from a spreadsheet, or uploaded as a document. Some arrives through connected services you switch on, such as Schedaddle for time and scheduling. A small amount of non-personal reference data — public-holiday calendars used to calculate leave and pay — comes from third-party holiday-calendar sources and carries no personal data.

Why we process it

We use personal data to do the job you hired the software for, and for little else:

  • To provide the service — calculate payroll, apply statutory rules, and manage people, leave, time, reports, and documents.
  • To meet legal obligations — for example, retaining payroll and tax records for the periods each jurisdiction requires.
  • To keep the service secure and working — authentication, tenant isolation, audit logging, backups, and diagnosing errors.
  • To support you and, where relevant, to bill you.

What we do not do: we do not sell personal data, we do not share it for advertising, and we do not use your data — or your employees’ data — to train AI models. Where a law such as the GDPR asks us to name a lawful basis, we rely on performing our contract with you, complying with legal obligations, and our legitimate interest in running a secure, reliable service; for employee data, the employer as controller determines the lawful basis and instructs us accordingly.

The optional AI hiring add-on

Customers who enable the hiring add-on can use AI assistance to parse resumes and draft short screening summaries, via the Anthropic Claude API. Two commitments matter here:

  • It is assistive only. The AI does not make hiring decisions and produces no outcome with legal or similarly significant effect on a candidate — a person always decides. There is no automated decision-making of the kind that would trigger special rights under the GDPR.
  • It sees only what it needs. EEO and demographic data is never sent to the AI, and Anthropic does not use data sent through its API to train its models.

The add-on stays off unless a customer turns it on.

Who we share data with

We do not sell data or hand it to advertisers. We do rely on a small set of trusted infrastructure and service providers — “sub-processors” — who process data on our behalf, under contract, only to deliver the service:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting.
  • Resend — transactional email (invites, notifications, payslip alerts).
  • BoldSign — e-signatures for documents.
  • Schedaddle — time and scheduling sync.
  • Sentry — error monitoring. Personal data is scrubbed from error reports before they leave the system.
  • Anthropic — the Claude API, used only for the optional AI hiring add-on described above. It never receives EEO data and makes no hiring decisions.
  • Stripe — payment processing, once paid billing launches. Card details go to Stripe, not to us.

We also read public-holiday calendar data from third-party sources to calculate leave and pay; this carries no personal data. We may disclose data if the law requires it, or to protect our rights and users’ safety — and we push back on requests that overreach. If our company were ever acquired, we would tell affected customers before their data moved, and this policy would carry over.

Where your data is processed

HankHR serves customers in the US, Malaysia, and Singapore, and our infrastructure and sub-processors operate in the United States and other countries. This means personal data may be processed outside the country where it was collected. When data crosses borders we keep it protected — through encryption in transit and at rest, contractual data-protection commitments with every sub-processor, and, where a framework such as the GDPR requires it, a recognised transfer mechanism such as the Standard Contractual Clauses. For transfers out of Malaysia and Singapore, we apply comparable safeguards consistent with each country’s PDPA.

How we protect your data

Security is covered in full on our security page; in short:

  • National IDs and bank details are encrypted at rest with AES-256; organisation secrets use a separate owner-only key; everything travels over TLS.
  • Every organisation’s data is isolated by row-level security enforced in the database itself — not a filter in app code that a bug could slip past.
  • Sensitive fields are masked in the interface by default; revealing one is an explicit, audited action.
  • Changes to people and pay data are written to an append-only audit log, and approved payroll runs are locked so any payslip stays reproducible.
  • Personal data is scrubbed from error reports before they leave our systems.
  • HankHR calculates payroll and produces the bank file, but we never take custody of your money — you keep the final click and hold no funds with us.

On certifications, we would rather be straight than wave a badge: our data handling is aligned with the Malaysia and Singapore PDPAs and with GDPR principles, and SOC 2 Type II is in progress rather than complete. We will publish it the day it is issued.

How long we keep it

While an account is active, we keep the data needed to run the service. When a customer leaves, we delete or return their data on request — except where the law requires us to keep certain records longer. Payroll and tax records, in particular, carry statutory retention periods in each of the US, Malaysia, and Singapore, and we retain those for as long as the relevant law requires before deleting them. You can export your data in full at any time.

Your rights over your data

Whatever jurisdiction you are in, you can ask to access the personal data held about you, correct it, delete it, and receive an export in a portable format.

How you exercise these rights depends on whose data it is. If you are an employee whose employer uses HankHR, we hold your data as a processor on their behalf, so please raise requests with your employer — we will support them in responding. If it is your own account data with us, contact privacy@hankhr.co and we will handle it directly. We will not charge you for a reasonable request, and we will not treat you differently for making one.

How this works under the law where you are

Malaysia — PDPA 2010

We handle personal data in line with the Personal Data Protection Act 2010. For employee data we act on the employer’s instructions as a data processor; individuals may access or correct their data, withdraw consent, or limit processing through the employer as the data user.

Singapore — PDPA 2012

We follow the Personal Data Protection Act 2012, including its consent, purpose-limitation, and protection obligations. As with Malaysia, employee requests are routed through the employing organisation, and we support them as the organisation’s data intermediary.

European Union and United Kingdom — GDPR-aligned

Although we are focused on the US, Malaysia, and Singapore, we handle data in line with GDPR principles for completeness. Where the GDPR applies, you also have the right to object to or restrict certain processing, to data portability, and to lodge a complaint with your supervisory authority. We do not carry out automated decision-making that produces legal or similarly significant effects.

United States — CCPA/CPRA and other state laws

For most US employee data, HankHR acts as a service provider under the California Consumer Privacy Act (as amended by the CPRA) and the comparable laws now in force in Virginia, Colorado, Connecticut, Texas, and a growing list of other states. We process that data only to provide the service, we do not sell or share personal information for cross-context behavioural advertising, and we support our customers in responding to the access, correction, deletion, and opt-out requests these laws give their employees and applicants.

Cookies and the marketing site

We keep this simple. The HankHR app uses only the essential cookies needed to sign you in and keep your session secure. The marketing site adds just one small preference cookie that remembers your choice on the pricing page. There are no third-party advertising or tracking cookies, no analytics profiling, and nothing that follows you around the web. Because these cookies are essential or preference-only, there is no consent banner to click through.

Children’s data

HankHR is a workplace tool, not a consumer product, and it is not directed at children. We do not knowingly collect personal data from children. Where an employer’s workforce includes young workers, that data is processed on the employer’s instruction and under their responsibility.

If something goes wrong

If a security incident affects personal data we process, we will notify the affected customer without undue delay so they can meet their own obligations to employees and regulators, and we will give them what they need to respond. Where the law requires us to notify a regulator or individuals directly — for data we control — we will. To report a concern, write to security@hankhr.co.

Changes to this policy

As HankHR grows, this policy will change with it. When it does, we will update the date at the top of the page, and for material changes we will give notice — by email or in the app — before they take effect. Continuing to use HankHR after a change means the updated policy applies.

How to reach us

Questions, requests, or concerns about privacy: privacy@hankhr.co. Security reports: security@hankhr.co. By post: {LEGAL ENTITY NAME}, {REGISTERED ADDRESS}.