Completely FREE & open-source HR software.
Comprehensive solution to manage all HR challenges in one single place.
(Revision July 2025)
This Service Privacy Policy covers the privacy practices employed by OrangeHRM when OrangeHRM customers (“Customer”, “You”) use our Cloud-Based Enterprise Applications (the “Cloud Service”) or On-Premise Enterprise applications (the “On-Premise Service”) or both (“Cloud Service and On-Premise Service”, “Service”). This Privacy Policy does not apply to any information or data obtained by OrangeHRM for any other purpose, such as marketing purposes. Please refer to the OrangeHRM Privacy Policy
When we use the terms “OrangeHRM”, or “us” or “we” in this policy, we are referring toexte OrangeHRM Inc.
Our Data Protection Officer oversees how we collect, use, distribute and secure your information to ensure your rights are respected. Our Data Protection Officer can be contacted at dpo@orangehrm.com
In the normal course of using the OrangeHRM Cloud or On-Premise Service, Customers will enter electronic data into the OrangeHRM systems (“Customer Data”).
Customers may input Customer Data into data templates and submit these to OrangeHRM through secure channels. OrangeHRM Implementation consultants will assist with the import of such data into the OrangeHRM Cloud or On-Premise Service
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the categories of Personal Data listed below based on the OrangeHRM modules purchased;
We have a comprehensive, written information security program in place that includes industry-standard, administrative, technical, and physical safeguards to protect Customer Data from unauthorized access.
Our infrastructure service providers are Rackspace Inc and Amazon Web Services, Inc. They maintain various certifications that help us validate our security policies and processes as well as comply with applicable legislation such as GDPR, Jamaican Data Protection Act, Singapore Personal Data Protection Act, and international standards. If you want to know more about OrangeHRM GDPR Compliant please refer to this. The following compliance frameworks have been examined and validated :
OrangeHRM Advanced Cloud Service
Our infrastructure service provider is Rackspace Inc.
OrangeHRM Open Source Cloud Service
Our infrastructure service provider is Amazon Web Services, Inc.
For the On-Premise Service and the cloud service, we may temporarily retain customer-submitted data templates containing customer data in the OrangeHRM secure facility, until Customer data is successfully imported into the on-premise and cloud Services. OrangeHRM Vault is a secure file transfer platform where customers can submit password-protected data files directly. Only authorized consultants will have access to these files through OrangeHRM Vault. OrangeHRM Vault will automatically validate these files for security and remove them from storage regularly.
All OrangeHRM AI (Artificial Intelligence) features are designed in compliance with “Privacy by Design” principles and undergo continuous security validation.
We process customer data at the request of our customers and do not have direct control or ownership of the personal data processed by the system. Prior to sending data to OrangeHRM for processing purposes, you are responsible for complying with any regulations or laws that require you to provide notice, disclosure, and/or obtain consent.
We offer a comprehensive set of data protection capabilities ranging from role-based access control to data encryption; from corporate policy publishing tools to data management with extensive audit logs. It enables Customers to gain access to, correct, and limit the processing of their personal data.
New capabilities in OrangeHRM software version 6.4 upwards allow you to purge terminated employees and candidates from the entire system including audit trails. This is to help you to practice data subject requests such as the right to be forgotten.
If you are using the Recruitment module, you can now obtain job application consent by laying out your data policy and requiring a check in the checkbox before allowing a candidate to apply for a vacancy.
Any data subject request that is directed to us will be forwarded to the customer and we will assist the customer in meeting any obligation to respond to such data subject requests. If the customer requests help from OrangeHRM to comply with data protection regulations, OrangeHRM will respond to their request within 30 business days.
In the OrangeHRM Cloud Service, if you have a valid SAAS agreement with OrangeHRM, your data will be retained in our servers. Should you purge any specific employee or candidate records, this data will be immediately purged from the system. Such information will then be completely removed from OrangeHRM backups after 4 weeks.
Between 10 and 30 days after the agreement between OrangeHRM and the Customer is terminated, OrangeHRM will remove the customer's personal data from the OrangeHRM servers, and all customer personal data will be fully purged from OrangeHRM backups after a further 4 weeks.
For On-Premise service, we will ensure that any temporary data such as customer data templates, is purged between 10 and 30 days after the termination of the agreement between OrangeHRM and the Customer.
Note: Under OrangeHRM standard agreements, the aforementioned data retention periods will be valid. Customers who have subscribed to OrangeHRM extended services will have their data retained for longer than the above mentioned periods (can go up to 12 weeks).
OrangeHRM may, where it concludes that it is legally obligated to do so, disclose personal data to law enforcement or other government authorities. OrangeHRM will notify customers of such requests unless prohibited by law.
Prior to using sensitive personal information about you for any service improvements, we will first request your consent. Before you give your consent, we will tell you what information we collect and how we use it. You have the right to withdraw your consent at any time by contacting us. Clients retain the flexibility to enable or disable each AI feature.
Per the relevant agreement between the Customer and OrangeHRM, we may access customer data within OrangeHRM to provide the service, prevent or address service or technical problems, respond to support issues, respond to the customer’s instructions, or as may be required by law.
We may process anonymized data to troubleshoot customer-specific issues and for quality control purposes.
We may process anonymized data to track how the Service’s various components are used. This information is used to drive feature development and service enhancements as well as to provide recommendations on how our products and services can add value for you. OrangeHRM does not sell your information to any party under any circumstances and OrangeHRM is not responsible for any PII data sold by the data controller.
All customer data is anonymized before it is provided to any third-party AI models (such as those provided by OpenAI via API). This data is not used for training any machine learning models. No AI output is finalized without human validation by the Customer or their authorized users.
OrangeHRM has introduced a set of AI-powered features to enhance HR functionality and user experience. Customers can choose which AI capabilities to enable. When enabled, the AI features may process certain types of Customer Data already stored in the OrangeHRM system.
Customers and their authorized users may access the Service directly via a URL that is unique to their tenant or may elect to use internal launch pages for single sign-on or other purposes. As they utilize the service, customers provide information for processing and storage. Customers may also configure the Service to allow end users to input information directly into the Service
To comply with applicable law, regulation or authorized requests, we may share your information with third parties. We will notify you of such incidents unless prohibited by law.
Sub-processors processing personal data as part of the Services See the complete Sub-Processor list here.
In Cloud Service, we store customer data in the nearest data center used by OrangeHRM to provide your specific service, Eg: European client data is stored in European centers.
In Cloud Service and On-Premises Service, we may transfer anonymized data from European region Data Centers to North American Rackspace Data Centers and Asian technical support centers for the purposes of providing the Service, preventing or addressing service or technical problems, responding to support issues, and responding to the Customer’s instructions.
OrangeHRM will not discriminate against you for exercising your privacy rights. Regardless of your privacy preferences, OrangeHRM will provide the products and services you require.
If you have a complaint about the use of your personal information, please contact your application admin within the organization. If you have a complaint about the OrangeHRM service privacy policy or security, please contact our DPO at dpo@orangehrm.com.
We may update this privacy statement to reflect changes in our information practices. If we make any material changes, we will notify you by means of a notice on this site prior to the change taking effect. We encourage you to periodically review this page for the latest information on our privacy standards.